dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
1985
share rss forum feed

jim_p_price7

join:2005-10-28
Henryetta, OK

[Equipment] Rewrite destination in Mikrotik bridge?

Hey guys, sorry if this is a rehash, I searched a bit and didn't find anything that directly applied.

Here's what I want to do.

All of my customer traffic flows through an RB1200 bridge before hitting my load balancer where it might take the trip out through one of 8 different lines. The purpose of the RB is to collect usage stats which are sent to an SQL server via Netflow.

I want to find a way to sandbox someone in a "Your service is suspended because you are behind on your bill" kind of thing. I did see a way to do this if the Mikrotik was a NAT router, but not with a transparent bridge.

I know I can match the source IP of a CPE against a list in Router OS. But seeing as how the RB is a bridge, is there a way to somehow rewrite the destination as an IP address of a webserver that would deliver that message? In other words, all destinations lead to my web based nastygram?

Thanks in advance.


Rhaas
Premium
join:2005-12-19
Bernie, MO
You can set the bridge to use the IP firewall under "/interface bridge setings"

I've never tried it but I dont see why you wouldnt be able to Dst-nat the traffic if the device in front (upstream) of it is capable of routing the packets.
--
I survived Hale-Bopp!

jim_p_price7

join:2005-10-28
Henryetta, OK
Thanks for the quick answer, Rhas. I've already enabled IP firewall to provide QOS for VOIP traffic, so I'll try your suggestion.

Appreciate the quick reply! If anyone else has more detailed examples of how to do this in Router OS I'd love to hear them!


Rhaas
Premium
join:2005-12-19
Bernie, MO
Here is what I have:
add action=jump chain=forward comment="DC/Non Pay Users" disabled=no jump-target=DC_USERS src-address=10.201.0.0/16
 
All of my disconnected/non pay users get an ip address out of the 10.201.0.0/16 range. The above rule forces all of their traffic into the DC_USERS chain.

add action=accept chain=DC_USERS comment="" disabled=no dst-address=66.211.40.15 dst-port=80 protocol=tcp
add action=accept chain=DC_USERS comment="" disabled=no dst-port=53 protocol=udp
add action=drop chain=DC_USERS comment="" disabled=no
 
We allow traffic to 66.211.40.15 which is my webserver where the 'contact billing' page exists.
We also allow DNS traffic.
Lastly we drop all other traffic.

add action=dst-nat chain=dstnat comment="DC/NonPay Users" disabled=no dst-port=80 protocol=tcp src-address=10.201.0.0/16 to-addresses=66.211.40.15 to-ports=80
add action=dst-nat chain=dstnat comment="DC/NonPay Users" disabled=no src-address=10.201.0.0/16 dst-port=53 protocol=udp to-addresses=74.91.66.2 to-ports=53
 
In the nat page we dstnat port 80 traffic from 10.201.0.0/16 to our webserver ip.
We also redirect DNS to our DNS server at 74.91.66.2.

For the webser the trick is you have to use IP base site (name aliasing wont work). You also need to setup the 404 page to be the index page of the site as well.

--
I survived Hale-Bopp!

jim_p_price7

join:2005-10-28
Henryetta, OK
Thank you!

jim_p_price7

join:2005-10-28
Henryetta, OK
reply to Rhaas
So I messed around using your suggestions and made some progress, but I'm stuck on the whole dst-nat thing. I think its because my RB1200 is being used as a transparent bridge. I've verified that traffic is jumping to my non-pay chain, and I can allow hits to my website, DNS, and drop the rest. But dst-nat in the NAT tab has no effect - the counters don't move. BTW, I do have "use IP Firewall" enabled on the bridge.

I did some reading and learned that I can do dst-nat in the bridge tab, but I can only rewrite MAC addresses, not IP's.

Any thoughts?


Rhaas
Premium
join:2005-12-19
Bernie, MO
I can see the dstnat rules on my transparrent bridge increment. However I'm on the same layer 2 network as my web server so I'm getting some funkyness right now.

Can you post your dstnat rules and what ip pool range you are using for your dc/non pay customers?
--
I survived Hale-Bopp!


Rhaas
Premium
join:2005-12-19
Bernie, MO
reply to jim_p_price7
Hmm, seems as though this will not work through a transparrent bridge.

I tried the dstnat rule on my bridge that sits between my edge/bgp router and my core router and I could see the Syn/Ack begin to take place however the full handshake was never completed:
08:39:22.630032 IP xxx.bpsnetworks.com.3339 > host-66.211.40.15.bpsnetworks.com.http: S 3511203765:3511203765(0) win 16384 <mss 1460,nop,nop,sackOK>
        0x0000:  4500 0030 ba4f 4000 7d06 4137 4a5b 4d04  E..0.O@.}.A7J[M.
        0x0010:  42d3 280f 0d0b 0050 d148 b7b5 0000 0000  B.(....P.H......
        0x0020:  7002 4000 aa84 0000 0204 05b4 0101 0402  p.@.............
08:39:22.630092 IP host-66.211.40.15.bpsnetworks.com.http > xxx.bpsnetworks.com.3339: S 2140628834:2140628834(0) ack 3511203766 win 65535 <mss 1460,sackOK,eol>
        0x0000:  4500 0030 560f 4000 4006 e277 42d3 280f  E..0V.@.@..wB.(.
        0x0010:  4a5b 4d04 0050 0d0b 7f97 6762 d148 b7b6  J[M..P....gb.H..
        0x0020:  7012 ffff 047b 0000 0204 05b4 0402 0000  p....{..........
08:39:22.632425 IP xxx.bpsnetworks.com.3339 > host-66.211.40.15.bpsnetworks.com.http: R 3511203766:3511203766(0) win 0
        0x0000:  4500 0028 ba51 0000 7e06 803d 4a5b 4d04  E..(.Q..~..=J[M.
        0x0010:  42d3 280f 0d0b 0050 d148 b7b6 d148 b7b6  B.(....P.H...H..
        0x0020:  5004 0000 8e45 0000 0000 0000 0000       P....E........
 
 

Moving the same rule to the core router worked.. I'll take a look at it more later on and see if I can tell what is happening.

--
I survived Hale-Bopp!

jim_p_price7

join:2005-10-28
Henryetta, OK
Thanks, glad to know I wasn't going crazy. I too saw the syn/ack traffic spike briefly in the stats, but not fully completed. Looking forward to what you find out - feel free to PM if you want, and I appreciate your brain power on this.

jim_p_price7

join:2005-10-28
Henryetta, OK
reply to jim_p_price7
I finally solved my need and hope this follow-up is useful to anyone else trying to implement a non-payment page using a transparent Mikrotik bridge.

I couldn't use dst-nat to rewrite the destination address; that won't work with a bridge. So what I did was enable the web proxy and redirect HTTP requests to it from subs with matching IP's in my non_pay address list.

Then I added a single access rule in the proxy (set action = deny) with a redirect to my non-payment page.

Problem solved.


Rhaas
Premium
join:2005-12-19
Bernie, MO
Glad you got it working. I tried a couple of times over the weekend and couldn't come up with a solution that worked through the bridge.
--
I survived Hale-Bopp!