A soulful MikroTik against a soulless RKN and an equally soulless provider

This article describes a way to regain access to resources that have mistakenly fallen under the blocking handed out by Roskomnadzor (hereinafter RKN). Mistakenly, I stress. We are law-abiding citizens and do not go where our government agencies forbid us. So if you decide to use this method to reach some "legally" blocked resource, the harsh sword of justice will probably fall on your head, and I am not to blame, because I have just warned you.



The problem appeared unexpectedly when our central office moved to another building and, as a result, changed providers. Employees began complaining en masse that they could no longer reach sites they previously had access to. Meanwhile, from our other offices, which sit on other providers, the same sites were still reachable.



For a while, with all the hassle of the move, I ignored the problem, but when the accounting department started complaining (is accounting second in importance only to company management where you work, too?), I had to look into it.



My first suspicion fell on MTU and MSS problems. Fortunately, those turned out to be fine. I checked the problem domain against the RKN database: also OK, the domain is clean. I opened the site through the gateways of the other branches (three different providers): it opens. But through our provider, not even pings reach the domain's IP. And then it occurred to me to check the problem domain's IP, rather than its name, against the RKN database. You have already guessed that the IP was in the database?



But then where, you ask, is the redirect to a page saying that the resource is blocked, and so on? I asked the same. First I tried opening several sites where, back when it was still possible, we all looked for something to watch or download. Having made sure that those sites showed no blocking warnings either, I called the provider.



The provider listened to me, admitted that there is a problem, and confirmed that no warnings are shown.



They sympathized with my situation but refused to fix anything: we comply with the blocking requirement, and there is no requirement to notify anyone. On that note we said goodbye.



Of course, I wanted to pursue this with the provider, but laziness and a lack of free time pushed that desire deep down. Roughly to the same place where, in my heart, I sent the provider and its Internet: where the sun does not shine.



The problem still had to be solved somehow. Our company uses MikroTiks as gateway routers; which models does not matter, they all run the same RouterOS. Digging through Habr, I found several articles on how to bypass RKN blocking by generating the RKN database, loading it into the MikroTik, and routing the blocked traffic to the gateways where there is no blocking. Out of curiosity I tried this method. It works, but it is not suitable.

First, the database of 60,000 IPs (as of early summer 2019) sent my MikroTik into a deep coma. A CHR with plenty of memory and several cores felt somewhat better, but made it clear that, with RKN's diligent attitude to its duties, it would not last long either.



Second, this gave access to all blocked resources, including those blocked on "legal" grounds. Which, as a law-abiding citizen, did not suit me either.



But the idea itself, sending traffic to permitted sites through the gateways where it is not blocked, stuck in my mind.



What can be done about it?



The first thing that comes to mind is to find the resource's IP and set a gateway for it in the routing table. Not an option: a resource can have several IPs, and they can change, sometimes often. You get tired of adding them.



The second is to catch the IPs with Layer 7 matching in the firewall and put them into an address list. Better, but Layer 7 has an unpleasant trait: once there are several rules, it treats CPU resources much the way some wives treat their husband's salary. The result is quarrels, scandals and other family troubles.



Sending all traffic through the remote gateway is also harmful.



Fortunately, at the September MUM (MikroTik User Meeting) one of the speakers revealed a terrible secret. It turns out that for some time now MikroTik has been able to resolve a domain's IPs directly from its name in an address list, adding the resolved IPs to that same list! Armed with this information, I finally solved the problem.



Below is an example solution:



1. In the firewall, create an address list containing the desired domain name.



(screenshot: alist.png, the address list entry)



2. In Firewall \ Mangle, create a rule: Chain = prerouting; Advanced: Dst. Address List = the name of our list; Action = mark routing; New Routing Mark = the name of your mark.






3. Go to IP \ Routes and create a new default route: Dst. Address = 0.0.0.0/0, Gateway = the IP of the gateway you want to use, Routing Mark = your mark.



(screenshot: route.png, the marked default route)
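The same three steps as RouterOS terminal commands, so they can be pasted into several gateways at once. This is an added example, not the article's own configuration or screenshots; the list name `unblocked`, the routing mark `via-branch`, the gateway `10.10.10.1` (the far end of a tunnel to a branch whose provider does not block the IPs) and the domain `example.org` are all placeholders:

```routeros
# Added example for RouterOS 6.4x; all names and addresses are assumptions.

# 1. Address list fed by a DNS name. The router resolves the name itself,
#    adds every returned IP to the same list as a dynamic entry, and
#    re-resolves when the record's TTL expires, so the list follows the
#    domain as its IPs change.
/ip firewall address-list
add list=unblocked address=example.org comment="resolved by the router"
add list=unblocked address=www.example.org comment="resolved by the router"

# 2. Mangle rule: set a routing mark on forwarded packets whose destination
#    is in the list. An address-list lookup is cheap; no Layer 7 matching
#    is involved. src-address limits the rule to the office LAN (assumed).
/ip firewall mangle
add chain=prerouting src-address=192.168.0.0/24 dst-address-list=unblocked \
    action=mark-routing new-routing-mark=via-branch passthrough=yes \
    comment="wrongly blocked destinations go through the branch gateway"

# 3. A second default route that only packets carrying the mark will use.
#    check-gateway removes the route if the tunnel peer stops answering;
#    marked packets then fall back to the main table (the original path).
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 routing-mark=via-branch \
    check-gateway=ping comment="default route for marked traffic"

# Checks: the dynamic (D) entries should carry the resolved IPs with a
# timeout equal to the DNS TTL, and the mangle and route counters should
# increase when a client opens the site.
/ip firewall address-list print where list=unblocked
/ip firewall mangle print stats where new-routing-mark=via-branch
/ip route print where routing-mark=via-branch
```

Two caveats a practitioner will hit. The router resolves the name with its own DNS settings (`/ip dns`), so if the provider's resolver also tampers with answers, point the router at a resolver outside that provider before expecting the list to fill. And a prerouting rule only marks forwarded traffic; for the router's own connections to the same destinations, add an identical rule with `chain=output`.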



That's all. Now your MikroTik will resolve the IPs of the desired domain into the address list you created for it, mark routing for packets going to those IPs, and send them through the gateway you need. You do have a backup gateway, don't you? :)



This was done on RouterOS 6.45.5.



Thanks for your attention.


