- FUN with Mikrotik BRIDGE Series#1. Filter PPPoE Requests – Part#1
- FUN with Mikrotik BRIDGE Series# Redirecting Traffic with Mikrotik Bridge – Part#2 < You are Here
Disclaimer! This is important!
This post is related to a solution designed specifically to cater to some local manipulation requirement, therefore you may continue to read it for reference purposes only!
Every network is different, so one solution cannot be applied to all. Therefore try to understand the logic & create your own solution as per your network scenario. Just don't follow copy-paste.
Please do not think that I am an expert on this stuff; I am NOT certified in anything including Mikrotik/Cisco/Linux or Windows. However, I have worked with some core networks and I read, research & try stuff all of the time. So I am not speaking/posting about stuff I am formally trained in; I pretty much go with experience and what I have learned on my own. And if I don't know something, then I read & learn all about it.
So, please don't hold me/my postings to be always 100 percent correct. I am a human being; I do make mistakes just like everybody else. However, I do my best, learn from my mistakes and always try to help others.
Regards, Syed Jahanzaib~
Scenario & Requirements:
We want to connect Networks A & B using a Mikrotik bridge so that we can transparently intercept some traffic for control & redirection purposes. For example, we want to make sure that any DNS traffic travelling from A to B or from B to A is redirected to the Mikrotik's own DNS server for manipulation purposes. We would also like to block ICMP traffic travelling between the two networks.
Solution:
We are using the Mikrotik 2011UiAS-2HnD model.
Port-1 (ether1) is connected to Network A and Port-2 (ether2) is connected to Network B.
# BRIDGE Configuration
First we will do the bridge configuration & add the ports to it. Note that `use-ip-firewall=yes` is what makes bridged (layer-2 forwarded) traffic pass through `/ip firewall`; without it, the NAT and filter rules below never see the traffic.

```
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
# Send bridged traffic through /ip firewall so NAT/filter rules apply to it
/interface bridge settings
set use-ip-firewall=yes
```

As shown in the image below …
# DNS Configuration
Now set up the local DNS server:

```
# Allow the router to answer DNS queries from clients, forwarding upstream to 8.8.8.8
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
# Now we will add a static DNS entry for our requirements
/ip dns static
add address=1.2.3.4 name=aacable.wordpress.com
```

As shown in the image below …
# DNS Redirection
Firewall NAT configuration to redirect DNS traffic travelling via the bridge interface to the Mikrotik's local DNS for manipulation purposes. The rule matches only UDP port 53 entering on bridge1:

```
/ip firewall nat
add action=redirect chain=dstnat comment="Redirect DNS Traffic via BRIDGE to local DNS - Zaib" dst-port=53 in-interface=bridge1 protocol=udp to-ports=53
```
# ICMP Filtering
Firewall filter configuration to block the ICMP protocol in the forward chain (which bridged traffic traverses once `use-ip-firewall` is enabled):

```
/ip firewall filter
add action=reject chain=forward comment="Block ICMP Rule in BRIDGE - Zaib" in-interface=bridge1 protocol=icmp reject-with=icmp-network-unreachable
```
# Client Testing
Result of testing NSLOOKUP from a user PC [before vs after].
Result of testing ICMP & PING from a user PC.
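To show from the client side why the NSLOOKUP result changes, here is an added Python probe (not part of the post) that builds a raw DNS A query, parses the answer, and can send the same query over UDP and over TCP. Because the redirect rule above matches only `protocol=udp dst-port=53`, a TCP/53 query to the same upstream is not redirected, so differing UDP and TCP answers are a quick check that the bridge is rewriting DNS (or that your own redirect is working). Assumptions: the static entry 1.2.3.4 for aacable.wordpress.com from the post, and `build_answer`, which constructs replies offline so the parsing can be exercised without a network.

```python
import socket
import struct

STATIC_IP = "1.2.3.4"  # constructed: the static entry the post adds on the Mikrotik

def build_query(name, qid=0x1234):
    """Minimal DNS A query (RD=1) for `name`, wire format per RFC 1035."""
    hdr = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return hdr + qname + b"\x00" + struct.pack("!HH", 1, 1)

def build_answer(query, ip, ttl=60):
    """Constructed reply: echoes the question, then one A record via a name pointer."""
    qid = struct.unpack("!H", query[:2])[0]
    hdr = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return hdr + query[12:] + rr

def _skip_name(buf, off):
    """Advance past a (possibly compressed) domain name, return next offset."""
    while buf[off] and buf[off] & 0xC0 != 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] & 0xC0 == 0xC0 else 1)

def parse_a_records(resp):
    """IPv4 strings from the answer section of a DNS response."""
    qd, an = struct.unpack("!HH", resp[4:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4          # skip QTYPE/QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips

def send_query(server, name, tcp=False, timeout=3):
    """Live probe: the post's NAT rule catches UDP/53 only, so compare with TCP/53."""
    q = build_query(name)
    if tcp:
        with socket.create_connection((server, 53), timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            n = struct.unpack("!H", s.recv(2))[0]
            return s.recv(n)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        return s.recv(512)
```

From a PC behind the bridge, `parse_a_records(send_query("8.8.8.8", "aacable.wordpress.com"))` returns the static 1.2.3.4 while the `tcp=True` variant returns the upstream answer; the same comparison also catches a redirect you did not configure.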
Linux is amazing 🙂 however Mikrotik is handy most of the time 🙂
It's a common thing; we don't want to use bridges for that. We will just mangle or redirect the DNS… Please don't mind, but nowadays we need some new stuff like an advance billing server for free with bad logins and a dealer system with daily and monthly and also scratch card series… And one more thing I will need to ask you: in Juniper many operators are doing that only one service name of PPPoE is working; multiple service names will not work, only one will work… so how can we do this in Mikrotik?…
And what about Google and Facebook peering or any good cache server for bandwidth multiplication…. because nowadays GPON providers are giving high speed at cheap rates, so can we struggle to fight with them to provide cheap-rate services at high speed?
Comment by waqas hussain — March 21, 2018 @ 4:45 PM
a) To keep the privacy of the client, I really cannot disclose how I redirect DNS traffic in some very specific situations. For example, what if your client is connecting to the ISP's PPPoE server and you want to intercept only DNS traffic for some manipulation; how are you going to do this if the user isn't connecting to YOUR local Mikrotik? These posts are just for reference purposes, read them accordingly.
b) "Advance Billing for FREE", really, you mean free? (Anyway we have a customized reseller/dealer-based billing server, but that costs a lot as compared to some ready-made billing.)
c) Google peering has some prerequisites that no small operator can fulfil. Therefore it is recommended to contact some big operators who already have a CDN, and just route your CDN-related traffic to them; they usually charge per MB at a very low cost.
Comment by Syed Jahanzaib / Pinochio~:) — March 26, 2018 @ 9:39 AM
ether1 = LAN = 172.16.0.1
ether2 = WAN = 192.168.1.1
ether3 = Media = 10.10.10.1
PPPOE POOL = 10.0.0.10-10.0.0.254
Sir, I want to give access to ether3 (Media) to all LAN users whether the PPPoE dial-up is connected or not. Please reply, thanks.
Comment by Sultan Ali — May 19, 2018 @ 7:23 PM
Dear Sir, some of the sites such as emo are not connecting when using a PPPoE connection. Please send me a reply in t
Comment by Roshan Chaulagain — August 14, 2019 @ 8:47 AM