Working with 3/4G.
I have just had to put a hAP lite in as a client to a Vodafone 4G WiFi modem and bring that connection back into my network via Ethernet. All works really well, but I'm wondering if anyone has any experience with firewall rulesets and/or application filtering to block big data use such as MS/Apple updates, Apple iCloud backups, etc. I've been thinking about just some big IP range drops for the big companies such as Apple, MS and AWS, but thought maybe there is a better way. Anyone?
I'd be interested in that also. Our DSL at home drops out every 15-20 minutes when we pull traffic through it, so I run PPTP sessions over the DSL AND over a 4G dongle back to SYD3, then run OSPF/MPLS/VPLS over the top with a 2 second timeout on the OSPF on the DSL PPTP session. Works well, but we chew through quite a bit of 4G data, so I ended up adding firewall rules so NFS traffic (how torrents come home) can't flow over the tunnel when coming over the 4G. Wouldn't mind also blocking Apple/MS/etc. over there as well. I do outbound rate limiting based on prefixes advertised from Apple's AS, to limit how badly our iDevices kill the internet at night when they're plugged in, but would be interested in what others are doing :)

On 1 August 2015 at 18:35, Daniel Hoffman <daniel@hoff.id.au> wrote:

> I have just had to put a hAP lite in as a client to a Vodafone 4G WiFi modem and bring that connection back into my network via Ethernet.
> All works really well, but I'm wondering if anyone has any experience with firewall rulesets and/or application filtering to block big data use such as MS/Apple updates, Apple iCloud backups, etc.
> I've been thinking about just some big IP range drops for the big companies such as Apple, MS and AWS, but thought maybe there is a better way.
> Anyone?
> _______________________________________________
> Public mailing list
> Public@talk.mikrotik.com.au
> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au

--
Damien Gardner Jnr VK2TDG. Dip EE. GradIEAust
rendrag@rendrag.net - http://www.rendrag.net/
--
We rode on the winds of the rising storm, We ran to the sounds of thunder. We danced among the lightning bolts, and tore the world asunder
Hi Dan,

It's a bit tricky to do, because all RouterOS firewall rules are stored with IP addresses rather than domain names (for speed, of course ;) but there are a couple of tricks that you can try to use:

1) Web proxy - the built-in web proxy service supports the use of domain names in access control lists. You don't need to cache the requests, just pass-through proxy, but it does take up a bit of CPU and memory overhead, which is in relatively short supply for mAP ;)

2) Content filter in firewall - you can use the 'content' attribute in firewall filter rules to detect and block target data. This IS very CPU intensive (as content uses regex match against packet payload data), but if you design the filter carefully, you can minimise the overall impact. For example, make an initial rule to 'permit established' so that packets that are part of an existing TCP session are immediately accepted, then make a rule that matches destination port 80 on outbound packets but only when it is the first packet of a stream (tcp-new), and then jump to a chain with further packet inspection. Then, using content matching, you can look for hostnames or even full URLs inside the packet payload data - the HTTP header almost always fits inside the first packet of the web request, and so most of what you are looking for will be in there.

It's not /usually/ the sort of job you'd use mAP for, but if it is only managing a low bandwidth link (like 3G/LTE) then it may work OK for what you need to do!

Cheers, Mike.
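As an added example that is not configuration posted by any participant in this thread: a RouterOS 6.x fragment that puts together the two approaches discussed above, the per-destination rate limiting over the 4G path that Damien describes (address list plus a queue) and the content-matching filter chain for new web sessions that Mike describes. The interface name ether1-4g, the list, chain and mark names, the placeholder prefixes and the hostnames matched are all assumptions for illustration; populate the address list from your own prefix data. One design point the discussion does not spell out, and the fragment builds in: the first packet of a new TCP session is the SYN, which carries no payload, so the request header has to be inspected on the first data packet after the handshake, while connection-bytes keeps that inspection confined to the start of each session.

```routeros
# Added example for this thread, not configuration posted by any participant.
# Assumptions: RouterOS 6.x, the 4G modem is reached via interface "ether1-4g",
# and every list/chain/mark name, prefix and hostname below is a placeholder
# to be replaced with your own data.

# --- 1. Bulk destinations, as an address list ------------------------------
# Populate from your own prefix source (prefixes you learn for the relevant
# AS, or what /tool torch shows at night). Placeholders only.
/ip firewall address-list
add list=bulk-dst address=192.0.2.0/24 comment="placeholder (TEST-NET-1)"
add list=bulk-dst address=198.51.100.0/24 comment="placeholder (TEST-NET-2)"

# --- 2. Rate-limit, rather than drop, traffic towards those prefixes on 4G ---
# Mark packets leaving via the 4G interface for bulk destinations, then cap
# them in a queue tree hung off that interface. Uploads (iCloud backups) are
# the costly direction, and this is their egress path.
/ip firewall mangle
add chain=forward out-interface=ether1-4g dst-address-list=bulk-dst \
    action=mark-packet new-packet-mark=bulk-4g passthrough=no
/queue tree
add name=bulk-over-4g parent=ether1-4g packet-mark=bulk-4g max-limit=256k

# --- 3. Content-matched filter for new HTTP/HTTPS sessions over 4G ----------
# Ordering matters:
#  a) sessions that have already moved 2 KiB are accepted untouched
#     (connection-bytes=N-0 means "N bytes or more"), so the content matcher
#     only ever sees the first packets of each session;
#  b) the SYN carries no payload, so inspection happens on the first data
#     packet, which conntrack already reports as "established";
#  c) everything else that is established/related is then accepted.
/ip firewall filter
add chain=forward connection-state=established,related connection-bytes=2048-0 \
    action=accept comment="fast path: sessions past their first 2 KiB"
add chain=forward out-interface=ether1-4g protocol=tcp dst-port=80,443 \
    connection-state=established action=jump jump-target=http-inspect \
    comment="first data packets of web sessions leaving via 4G"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop

# 'content' is a plain substring match on this packet's payload (the regex
# matcher is layer7-protocol, which costs more CPU). Matching the bare
# hostname catches both the HTTP Host: header and the TLS SNI in a ClientHello.
# A TCP reset makes the client give up instead of retransmitting into a drop.
add chain=http-inspect content="swcdn.apple.com" \
    action=reject reject-with=tcp-reset comment="placeholder hostname"
add chain=http-inspect content="download.windowsupdate.com" \
    action=reject reject-with=tcp-reset comment="placeholder hostname"
add chain=http-inspect action=return comment="unmatched: back to forward"
```

Check that the inspection rules actually fire with /ip firewall filter print stats, and watch /system resource monitor on the hAP lite while an iDevice backs up; if the content chain costs too much CPU on that box, keep only the address-list queue, which does no payload inspection at all.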
participants (3)
- Damien Gardner Jnr
- Daniel Hoffman
- Mike Everest