Filed under: Mikrotik. Tags: bridge filter, Mikrotik bridge, mikrotik dst-nat, redirect. Silicon Care / Pune @ 2:13 PM
- FUN with Mikrotik BRIDGE Series#1. Filter PPPoE Requests – Part#1
Disclaimer! This is important!
This post is related to a solution designed specifically to cater to some local manipulation requirement, therefore you may continue to read it for reference purposes only!
Every network is different, so one solution cannot be applied to all. Therefore try to understand the logic and create your own solution as per your network scenario. Just don't copy and paste.
Please do not think that I am an expert on this stuff. I am NOT certified in anything, including Mikrotik/Cisco/Linux or Windows. However I have worked with some core networks and I read, research and try stuff all of the time. So I am not speaking/posting about stuff I am formally trained in; I pretty much go with experience and what I have learned on my own. And if I don't know something, then I read and learn all about it.
So please don't hold me/my postings to be always 100 percent correct. I am a human being; I do make mistakes just like everybody else. However, I do my best, learn from my mistakes and always try to help others.
Scenario & Requirements:
We want to connect Network A and Network B using a Mikrotik bridge so that we can transparently intercept some traffic for control and redirection purposes. For example, we want to make sure that any DNS traffic travelling from A to B, or from B to A, is redirected to the Mikrotik's own DNS for manipulation purposes. We would also like to block ICMP traffic travelling between the two networks.
We are using Mikrotik 2011UiAS-2HnD model.
Port-1 is connected with Network A and Port-2 is connected with Network B.
# BRIDGE Configuration
First we will do the bridge configuration and add the ports to it. The `use-ip-firewall=yes` setting is the important part: without it, frames forwarded by the bridge never pass through `/ip firewall`, and the NAT and filter rules below would never see them.
```routeros
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
/interface bridge settings
set use-ip-firewall=yes
```
As shown in the image below …
# DNS Configuration
Now set up the local DNS server and add the static entry we need:
```routeros
/ip dns
set allow-remote-requests=yes servers=184.108.40.206
# Now we will add a static DNS entry for our requirements
/ip dns static
add address=220.127.116.11 name=aacable.wordpress.com
```
As shown in the image below …
# DNS Redirection
Firewall NAT configuration to redirect DNS traffic travelling via the bridge interface to the Mikrotik's local DNS for manipulation purposes. Note that this rule matches UDP only; DNS over TCP (used for large responses and retries after truncation) is not caught by it.
```routeros
/ip firewall nat
add action=redirect chain=dstnat comment="Redirect DNS Traffic via BRIDGE to local DNS - tejas" dst-port=53 in-interface=bridge1 protocol=udp to-ports=53
```
# ICMP Filtering
Firewall filter configuration to block the ICMP protocol. Because the rule matches every ICMP type, it also rejects Fragmentation Needed messages (type 3, code 4), so path MTU discovery between the two networks will break if either side uses a smaller MTU.
```routeros
/ip firewall filter
add action=reject chain=forward comment="Block ICMP Rule in BRIDGE - tejas" in-interface=bridge1 protocol=icmp reject-with=icmp-network-unreachable
```
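As an added example (this is not the post's own script), here is the whole procedure above as one RouterOS export-style script, extended with the two gaps noted along the way: a second redirect rule so DNS over TCP is intercepted as well, and an accept for ICMP type 3 code 4 placed above the reject rule so path MTU discovery keeps working. Interface names, the upstream DNS server and the static entry are the values used in the post; the input-chain accepts are an assumption and only matter if your input chain ends in a drop rule.

```routeros
# Added example, not the post's own configuration. Interface names, DNS
# server and static entry are the ones used in the post; the TCP redirect,
# the input accepts and the ICMP 3:4 exception are additions.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
/interface bridge settings
# Without this, bridged frames bypass /ip firewall entirely.
set use-ip-firewall=yes

/ip dns
set allow-remote-requests=yes servers=184.108.40.206
/ip dns static
add address=220.127.116.11 name=aacable.wordpress.com

/ip firewall nat
add chain=dstnat in-interface=bridge1 protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="Redirect bridged DNS (UDP) to local resolver"
# DNS over TCP is not covered by the UDP rule alone.
add chain=dstnat in-interface=bridge1 protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="Redirect bridged DNS (TCP) to local resolver"

/ip firewall filter
# Assumption: only needed if the input chain drops unmatched traffic.
add chain=input in-interface=bridge1 protocol=udp dst-port=53 action=accept \
    comment="Accept redirected DNS (UDP)"
add chain=input in-interface=bridge1 protocol=tcp dst-port=53 action=accept \
    comment="Accept redirected DNS (TCP)"
# Let Fragmentation Needed through so path MTU discovery survives the block.
# This rule must sit above the reject rule; rules are evaluated in order.
add chain=forward in-interface=bridge1 protocol=icmp icmp-options=3:4 action=accept \
    comment="Allow ICMP fragmentation-needed (PMTUD)"
add chain=forward in-interface=bridge1 protocol=icmp action=reject \
    reject-with=icmp-network-unreachable comment="Block remaining ICMP across bridge"
```

To check that the redirect is actually taking effect, watch the rule counters with `/ip firewall nat print stats` while running `nslookup aacable.wordpress.com` from a client on either side; the UDP rule's packet count should rise and the answer should be the static address. Keep in mind that this only catches plain DNS on port 53: a client that resolves over DNS-over-HTTPS or DNS-over-TLS (ports 443 and 853) never hits these rules and will still get the real answer.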
Result of testing nslookup from a user PC (before vs. after):
Result of testing ICMP and ping from a user PC:
Linux is amazing; however, Mikrotik is handy most of the time.