"Ackchyually that's not DPI."
I saw this coming a mile away. Because Mikrotik does not provide any actual Deep Packet Inspection facilities, many would assume that it's impossible to get even close having DPI-like
functionality.
The problem with this is, the scope of this argument includes all network types and not just hotspots. However, if we change our scope to just Mikrotik-based networks, then it gets a little better.
By using other kinds of special firewall rules, you can redirect traffic to a service hosted on your own network that performs the DPI itself and then make a decision based on it. This could still work for the needs of a hotspot,
but the glaring problem is that this setup requires an external applicance to process traffic. You might say, "Why not redirect traffic over the VPN tunnel to the Deep Packet Inspector?" This
setup presents a new, even-worse problem. If all traffic travels through the VPN tunnel, then we lose performance on our hotspot and have indriectly solved our original problem because none of it can be inspected
by third parties. Therefore, this solution would be a waste to implement.
What if we limit our scope to just hotspots? Then, we would have no option of an external applicance as that falls outside the scope. What's left? My almost-DPI rules. Some people would still think these rules are akin to this video:
What if we went with the "Almost DPI" notion? Then, it would provide an experience similar to DPI, but not quite. This may or may not became a hinderance on the user experience. However, how much does it matter? As long as the right traffic gets redirected, it doesn't matter whether it's actually DPI or not. Still feeling triggered? Don't read any further.
Back to the firewall rules.
If you just want to install the DPI rules onto your own hotspot, download the file here. If you can't get the file to download in a browser, then try this in your computer terminal:
curl https://jghuff.com/blog/dpi/wAPDPIList.rsc -o wAPDPIList.rsc
Then, go to Files->Upload File and select it. Then, run the scipt and it will automatically install
everything you need. There is still one more step, and it's to create a static default route to your VPN interface with the routing mark "vpn." There are four main parts to these DPI firewall rules. They are the Filter rules, Mangle rules, L7 Application rules, and Address List rules. Most of the content is in the Mangle section, so let's check that out first. The first few lines are:
/ip firewall mangle
add action=mark-connection chain=prerouting comment="redirect Windows ports" \
connection-state=new dst-port=\
445,987,1311,1503,1512,1688,3074,3389,3702,5000,5355,5357,5358,5481,5905 \
new-connection-mark=vpn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=\
445,987,1311,1503,1512,1688,3074,3389,3702,5000,5355,5357,5358,5481,5905 \
new-connection-mark=vpn passthrough=yes protocol=udp
add action=mark-connection chain=prerouting connection-state=new dst-port=\
5985,5986,6516,6571,6602,6891-6901,7680,7777,8530,8531,8642,9080 \
new-connection-mark=vpn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=\
5985,5986,6516,6571,6602,6891-6901,7680,7777,8530,8531,8642,9080 \
new-connection-mark=vpn passthrough=yes protocol=udp
The first line directs the RouterOS device to move to the Firewall Mangle section. The next two lines block 15 ports that only Windows-related services use with both the TCP and UDP protocols. The
next two lines block even more Windows-related ports, and the only reason to have these first four rules is because one rule cannot have more than 15 ports specified. One port that is used by other services is 5555, which FreeCiv uses.
add action=mark-connection chain=prerouting comment="redirect Windows ports" \
connection-state=new dst-port=\
445,987,1311,1503,1512,1688,3074,3389,3702,5000,5355,5357,5358,5481,5905 \
new-connection-mark=vpn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=\
445,987,1311,1503,1512,1688,3074,3389,3702,5000,5355,5357,5358,5481,5905 \
new-connection-mark=vpn passthrough=yes protocol=udp
add action=mark-connection chain=prerouting connection-state=new dst-port=\
5985,5986,6516,6571,6602,6891-6901,7680,7777,8530,8531,8642,9080 \
new-connection-mark=vpn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=\
5985,5986,6516,6571,6602,6891-6901,7680,7777,8530,8531,8642,9080 \
new-connection-mark=vpn passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment="redirect Apple ports" \
connection-state=new dst-port=2197,5223 new-connection-mark=vpn \
passthrough=yes protocol=tcp
This rule redirects ports related to Apple services.
connection-state=new dst-port=2197,5223 new-connection-mark=vpn \
passthrough=yes protocol=tcp
add action=mark-routing chain=prerouting comment="apply connection marks" \
connection-mark=vpn new-routing-mark=vpn passthrough=no
This rule helps save CPU processing power by condensing the connection marks applied into a routing mark for all packets in a given connection.
connection-mark=vpn new-routing-mark=vpn passthrough=no
add action=jump chain=prerouting comment=\
"redirect specific traffic marked by tls - *.apple.com" jump-target=tls \
protocol=tcp tls-host=*.apple.com
add action=jump chain=prerouting comment=*xbox*.com jump-target=tls protocol=\
tcp tls-host=*xbox*.com
add action=jump chain=prerouting comment=*a-msedge.net jump-target=tls \
protocol=tcp tls-host=*a-msedge.net
These rules start the TLS matching system. They match packets based on their detected TLS hosts, a feature only present if it is unencrypted.
I included three domains to match against, although they will match many in effect because of the regex used.
Why have action=jump? That's because this TLS matcher system is actually slightly complicated and needs several special steps to "complete" each rule.
Additionally, we can't match against new connections only, as the TLS host option in packets is only present in connections which would
be classified as already active. To help solve this problem and to present an explicit "connection closed" error to the client,
we'll need to add another rule later to send a TCP rejection packet. However, this rule has to be in the Firewall Filter section so it won't be covered right now.
"redirect specific traffic marked by tls - *.apple.com" jump-target=tls \
protocol=tcp tls-host=*.apple.com
add action=jump chain=prerouting comment=*xbox*.com jump-target=tls protocol=\
tcp tls-host=*xbox*.com
add action=jump chain=prerouting comment=*a-msedge.net jump-target=tls \
protocol=tcp tls-host=*a-msedge.net
add action=return chain=tls comment=\
"return packets if the hosts are already added" dst-address-list=\
tls_dst_host
This rule brings connections back to the prerouting chain if the TLS host has already been put
in the list of hosts to be redirected by default.
"return packets if the hosts are already added" dst-address-list=\
tls_dst_host
add action=add-dst-to-address-list address-list=tls_dst_host \
address-list-timeout=2h chain=tls
This rule adds the TLS host to which the client is connecting to a list to be redirected.
address-list-timeout=2h chain=tls
add action=mark-connection chain=tls new-connection-mark=tls_disconnect \
passthrough=yes
This rule marks all connections which reach the tls chain with tls_disconnect. This is only temporary, as these connections will immediately
be shut down by the special TCP reject rule in Firewall Filter.
passthrough=yes
add action=return chain=tls
This rule simply returns the rule-matching process back to the prerouting chain.
add action=mark-connection chain=prerouting dst-address-list=tls_dst_host \
new-connection-mark=vpn passthrough=yes
This rule redirects all hosts which are on a list created by the previous rules.
new-connection-mark=vpn passthrough=yes
add action=mark-connection chain=prerouting comment=\
"redirect known Windows update/telemetry servers" connection-state=new \
dst-address-list=windows_telemetry new-connection-mark=vpn passthrough=\
yes
add action=mark-connection chain=prerouting connection-state=new \
dst-address-list=windows_update
new-connection-mark=vpn passthrough=yes
These rules match destinations against a pre-set list of banned hosts. Here's the list which I got from here:
"redirect known Windows update/telemetry servers" connection-state=new \
dst-address-list=windows_telemetry new-connection-mark=vpn passthrough=\
yes
add action=mark-connection chain=prerouting connection-state=new \
dst-address-list=windows_update
new-connection-mark=vpn passthrough=yes
/ip firewall address-list
add address=13.68.87.47 list=windows_update
add address=13.68.87.175 list=windows_update
add address=13.68.88.129 list=windows_update
add address=13.68.93.109 list=windows_update
add address=13.74.179.117 list=windows_update
add address=13.78.168.230 list=windows_update
add address=13.78.177.144 list=windows_update
add address=13.78.179.199 list=windows_update
add address=13.78.180.50 list=windows_update
add address=13.78.180.90 list=windows_update
add address=13.78.184.44 list=windows_update
add address=13.78.184.186 list=windows_update
add address=13.78.186.254 list=windows_update
add address=13.78.187.58 list=windows_update
add address=13.78.230.134 list=windows_update
add address=13.83.148.218 list=windows_update
add address=13.83.148.235 list=windows_update
add address=13.83.149.5 list=windows_update
add address=13.83.149.67 list=windows_update
add address=13.83.151.160 list=windows_update
add address=13.86.124.174 list=windows_update
add address=13.86.124.184 list=windows_update
add address=13.86.124.191 list=windows_update
add address=13.91.16.64 list=windows_update
add address=13.91.16.65 list=windows_update
add address=13.91.16.66 list=windows_update
add address=13.92.211.120 list=windows_update
add address=13.107.4.50 list=windows_update
add address=13.107.4.52 list=windows_update
add address=13.107.4.254 list=windows_update
add address=20.36.218.63 list=windows_update
add address=20.36.218.70 list=windows_update
add address=20.36.222.39 list=windows_update
add address=20.36.252.130 list=windows_update
add address=20.41.41.23 list=windows_update
add address=20.42.24.29 list=windows_update
add address=20.42.24.50 list=windows_update
add address=20.44.77.24 list=windows_update
add address=20.44.77.45 list=windows_update
add address=20.44.77.49 list=windows_update
add address=20.44.77.219 list=windows_update
add address=20.45.4.77 list=windows_update
add address=20.45.4.178 list=windows_update
add address=20.54.24.69 list=windows_update
add address=20.54.24.79 list=windows_update
add address=20.54.24.148 list=windows_update
add address=20.54.24.169 list=windows_update
add address=20.54.24.231 list=windows_update
add address=20.54.24.246 list=windows_update
add address=20.54.25.4 list=windows_update
add address=20.54.25.16 list=windows_update
add address=20.54.89.15 list=windows_update
add address=20.54.89.106 list=windows_update
add address=20.62.190.184 list=windows_update
add address=20.62.190.185 list=windows_update
add address=20.62.190.186 list=windows_update
add address=20.185.109.208 list=windows_update
add address=20.186.48.46 list=windows_update
add address=20.188.74.161 list=windows_update
add address=20.188.78.184 list=windows_update
add address=20.188.78.185 list=windows_update
add address=20.188.78.187 list=windows_update
add address=20.188.78.188 list=windows_update
add address=20.188.78.189 list=windows_update
add address=20.190.3.175 list=windows_update
add address=20.190.9.86 list=windows_update
add address=20.191.46.109 list=windows_update
add address=20.191.46.211 list=windows_update
add address=23.103.189.125 list=windows_update
add address=23.103.189.126 list=windows_update
add address=23.103.189.157 list=windows_update
add address=23.103.189.158 list=windows_update
add address=40.67.248.104 list=windows_update
add address=40.67.251.132 list=windows_update
add address=40.67.251.134 list=windows_update
add address=40.67.252.175 list=windows_update
add address=40.67.252.206 list=windows_update
add address=40.67.253.249 list=windows_update
add address=40.67.254.36 list=windows_update
add address=40.67.254.97 list=windows_update
add address=40.67.255.199 list=windows_update
add address=40.69.216.73 list=windows_update
add address=40.69.216.129 list=windows_update
add address=40.69.216.251 list=windows_update
add address=40.69.218.62 list=windows_update
add address=40.69.219.197 list=windows_update
add address=40.69.220.46 list=windows_update
add address=40.69.221.239 list=windows_update
add address=40.69.222.109 list=windows_update
add address=40.69.223.39 list=windows_update
add address=40.69.223.198 list=windows_update
add address=40.70.224.144 list=windows_update
add address=40.70.224.145 list=windows_update
add address=40.70.224.147 list=windows_update
add address=40.70.224.148 list=windows_update
add address=40.70.224.149 list=windows_update
add address=40.70.229.150 list=windows_update
add address=40.77.18.167 list=windows_update
add address=40.77.224.8 list=windows_update
add address=40.77.224.11 list=windows_update
add address=40.77.224.145 list=windows_update
add address=40.77.224.254 list=windows_update
add address=40.77.226.13 list=windows_update
add address=40.77.226.181 list=windows_update
add address=40.77.226.246 list=windows_update
add address=40.77.226.247 list=windows_update
add address=40.77.226.248 list=windows_update
add address=40.77.226.249 list=windows_update
add address=40.77.226.250 list=windows_update
add address=40.77.229.8 list=windows_update
add address=40.77.229.9 list=windows_update
add address=40.77.229.12 list=windows_update
add address=40.77.229.13 list=windows_update
add address=40.77.229.16 list=windows_update
add address=40.77.229.21 list=windows_update
add address=40.77.229.22 list=windows_update
add address=40.77.229.24 list=windows_update
add address=40.77.229.26 list=windows_update
add address=40.77.229.27 list=windows_update
add address=40.77.229.29 list=windows_update
add address=40.77.229.30 list=windows_update
add address=40.77.229.32 list=windows_update
add address=40.77.229.35 list=windows_update
add address=40.77.229.38 list=windows_update
add address=40.77.229.44 list=windows_update
add address=40.77.229.45 list=windows_update
add address=40.77.229.50 list=windows_update
add address=40.77.229.53 list=windows_update
add address=40.77.229.62 list=windows_update
add address=40.77.229.65 list=windows_update
add address=40.77.229.67 list=windows_update
add address=40.77.229.69 list=windows_update
add address=40.77.229.70 list=windows_update
add address=40.77.229.71 list=windows_update
add address=40.77.229.74 list=windows_update
add address=40.77.229.76 list=windows_update
add address=40.77.229.80 list=windows_update
add address=40.77.229.81 list=windows_update
add address=40.77.229.82 list=windows_update
add address=40.77.229.88 list=windows_update
add address=40.77.229.118 list=windows_update
add address=40.77.229.123 list=windows_update
add address=40.77.229.128 list=windows_update
add address=40.77.229.133 list=windows_update
add address=40.77.229.141 list=windows_update
add address=40.77.229.199 list=windows_update
add address=40.79.65.78 list=windows_update
add address=40.79.65.123 list=windows_update
add address=40.79.65.235 list=windows_update
add address=40.79.65.237 list=windows_update
add address=40.79.66.194 list=windows_update
add address=40.79.66.209 list=windows_update
add address=40.79.67.176 list=windows_update
add address=40.79.70.158 list=windows_update
add address=40.91.73.169 list=windows_update
add address=40.91.73.219 list=windows_update
add address=40.91.75.5 list=windows_update
add address=40.91.80.89 list=windows_update
add address=40.91.91.94 list=windows_update
add address=40.91.120.196 list=windows_update
add address=40.91.122.44 list=windows_update
add address=40.125.122.151 list=windows_update
add address=40.125.122.176 list=windows_update
add address=51.103.5.159 list=windows_update
add address=51.103.5.186 list=windows_update
add address=51.104.162.50 list=windows_update
add address=51.104.162.168 list=windows_update
add address=51.104.164.114 list=windows_update
add address=51.104.167.48 list=windows_update
add address=51.104.167.186 list=windows_update
add address=51.104.167.245 list=windows_update
add address=51.104.167.255 list=windows_update
add address=51.105.249.223 list=windows_update
add address=51.105.249.228 list=windows_update
add address=51.105.249.239 list=windows_update
add address=52.142.21.136 list=windows_update
add address=52.137.102.105 list=windows_update
add address=52.137.103.96 list=windows_update
add address=52.137.103.130 list=windows_update
add address=52.137.110.235 list=windows_update
add address=52.142.21.137 list=windows_update
add address=52.142.21.140 list=windows_update
add address=52.142.21.141 list=windows_update
add address=52.143.80.209 list=windows_update
add address=52.143.81.222 list=windows_update
add address=52.143.84.45 list=windows_update
add address=52.143.86.214 list=windows_update
add address=52.143.87.28 list=windows_update
add address=52.147.176.8 list=windows_update
add address=52.148.148.114 list=windows_update
add address=52.152.108.96 list=windows_update
add address=52.152.110.14 list=windows_update
add address=52.155.95.90 list=windows_update
add address=52.155.115.56 list=windows_update
add address=52.155.169.137 list=windows_update
add address=52.155.183.99 list=windows_update
add address=52.155.217.156 list=windows_update
add address=52.155.223.194 list=windows_update
add address=52.156.144.83 list=windows_update
add address=52.158.114.119 list=windows_update
add address=52.158.122.14 list=windows_update
add address=52.161.15.246 list=windows_update
add address=52.164.221.179 list=windows_update
add address=52.164.226.245 list=windows_update
add address=52.167.222.82 list=windows_update
add address=52.167.222.147 list=windows_update
add address=52.167.223.135 list=windows_update
add address=52.169.82.131 list=windows_update
add address=52.169.83.3 list=windows_update
add address=52.169.87.42 list=windows_update
add address=52.169.123.48 list=windows_update
add address=52.175.23.79 list=windows_update
add address=52.177.164.251 list=windows_update
add address=52.177.247.15 list=windows_update
add address=52.178.192.146 list=windows_update
add address=52.179.216.235 list=windows_update
add address=52.179.219.14 list=windows_update
add address=52.183.47.176 list=windows_update
add address=52.183.118.171 list=windows_update
add address=52.184.152.136 list=windows_update
add address=52.184.155.206 list=windows_update
add address=52.184.212.181 list=windows_update
add address=52.184.213.21 list=windows_update
add address=52.184.213.187 list=windows_update
add address=52.184.214.53 list=windows_update
add address=52.184.214.123 list=windows_update
add address=52.184.214.139 list=windows_update
add address=52.184.216.174 list=windows_update
add address=52.184.216.226 list=windows_update
add address=52.184.216.246 list=windows_update
add address=52.184.217.20 list=windows_update
add address=52.184.217.37 list=windows_update
add address=52.184.217.56 list=windows_update
add address=52.187.60.107 list=windows_update
add address=52.188.72.233 list=windows_update
add address=52.226.130.114 list=windows_update
add address=52.229.170.171 list=windows_update
add address=52.229.170.224 list=windows_update
add address=52.229.171.86 list=windows_update
add address=52.229.171.202 list=windows_update
add address=52.229.172.155 list=windows_update
add address=52.229.174.29 list=windows_update
add address=52.229.174.172 list=windows_update
add address=52.229.174.233 list=windows_update
add address=52.229.175.79 list=windows_update
add address=52.230.216.17 list=windows_update
add address=52.230.216.157 list=windows_update
add address=52.230.220.159 list=windows_update
add address=52.230.223.92 list=windows_update
add address=52.230.223.167 list=windows_update
add address=52.232.225.93 list=windows_update
add address=52.238.248.1 list=windows_update
add address=52.238.248.2 list=windows_update
add address=52.238.248.3 list=windows_update
add address=52.242.97.97 list=windows_update
add address=52.242.101.226 list=windows_update
add address=52.242.231.32 list=windows_update
add address=52.242.231.33 list=windows_update
add address=52.242.231.35 list=windows_update
add address=52.242.231.36 list=windows_update
add address=52.242.231.37 list=windows_update
add address=52.243.153.146 list=windows_update
add address=52.248.96.36 list=windows_update
add address=52.249.24.101 list=windows_update
add address=52.249.58.51 list=windows_update
add address=52.250.46.232 list=windows_update
add address=52.250.46.237 list=windows_update
add address=52.250.46.238 list=windows_update
add address=52.250.195.200 list=windows_update
add address=52.250.195.204 list=windows_update
add address=52.250.195.206 list=windows_update
add address=52.250.195.207 list=windows_update
add address=52.253.130.84 list=windows_update
add address=52.254.106.61 list=windows_update
add address=64.4.27.50 list=windows_update
add address=65.52.108.29 list=windows_update
add address=65.52.108.33 list=windows_update
add address=65.52.108.59 list=windows_update
add address=65.52.108.90 list=windows_update
add address=65.52.108.92 list=windows_update
add address=65.52.108.153 list=windows_update
add address=65.52.108.154 list=windows_update
add address=65.52.108.185 list=windows_update
add address=65.55.242.254 list=windows_update
add address=66.119.144.157 list=windows_update
add address=66.119.144.158 list=windows_update
add address=66.119.144.189 list=windows_update
add address=66.119.144.190 list=windows_update
add address=67.26.27.254 list=windows_update
add address=104.45.177.233 list=windows_update
add address=111.221.29.40 list=windows_update
add address=134.170.51.187 list=windows_update
add address=134.170.51.188 list=windows_update
add address=134.170.51.190 list=windows_update
add address=134.170.51.246 list=windows_update
add address=134.170.51.247 list=windows_update
add address=134.170.51.248 list=windows_update
add address=134.170.53.29 list=windows_update
add address=134.170.53.30 list=windows_update
add address=134.170.115.55 list=windows_update
add address=134.170.115.56 list=windows_update
add address=134.170.115.60 list=windows_update
add address=134.170.115.62 list=windows_update
add address=134.170.165.248 list=windows_update
add address=134.170.165.249 list=windows_update
add address=134.170.165.251 list=windows_update
add address=134.170.165.253 list=windows_update
add address=137.135.62.92 list=windows_update
add address=157.55.133.204 list=windows_update
add address=157.55.240.89 list=windows_update
add address=157.55.240.126 list=windows_update
add address=157.55.240.220 list=windows_update
add address=157.56.77.138 list=windows_update
add address=157.56.77.139 list=windows_update
add address=157.56.77.140 list=windows_update
add address=157.56.77.141 list=windows_update
add address=157.56.77.148 list=windows_update
add address=157.56.77.149 list=windows_update
add address=157.56.96.54 list=windows_update
add address=157.56.96.58 list=windows_update
add address=157.56.96.123 list=windows_update
add address=157.56.96.157 list=windows_update
add address=191.232.80.53 list=windows_update
add address=191.232.80.58 list=windows_update
add address=191.232.80.60 list=windows_update
add address=191.232.80.62 list=windows_update
add address=191.232.139.2 list=windows_update
add address=191.232.139.182 list=windows_update
add address=191.232.139.253 list=windows_update
add address=191.232.139.254 list=windows_update
add address=191.234.72.183 list=windows_update
add address=191.234.72.186 list=windows_update
add address=191.234.72.188 list=windows_update
add address=191.234.72.190 list=windows_update
add address=207.46.114.58 list=windows_update
add address=207.46.114.61 list=windows_update
add address=13.64.90.137 list=windows_telemetry
add address=13.68.31.193 list=windows_telemetry
That's a lot of addresses!
add address=13.68.87.47 list=windows_update
add address=13.68.87.175 list=windows_update
add address=13.68.88.129 list=windows_update
add address=13.68.93.109 list=windows_update
add address=13.74.179.117 list=windows_update
add address=13.78.168.230 list=windows_update
add address=13.78.177.144 list=windows_update
add address=13.78.179.199 list=windows_update
add address=13.78.180.50 list=windows_update
add address=13.78.180.90 list=windows_update
add address=13.78.184.44 list=windows_update
add address=13.78.184.186 list=windows_update
add address=13.78.186.254 list=windows_update
add address=13.78.187.58 list=windows_update
add address=13.78.230.134 list=windows_update
add address=13.83.148.218 list=windows_update
add address=13.83.148.235 list=windows_update
add address=13.83.149.5 list=windows_update
add address=13.83.149.67 list=windows_update
add address=13.83.151.160 list=windows_update
add address=13.86.124.174 list=windows_update
add address=13.86.124.184 list=windows_update
add address=13.86.124.191 list=windows_update
add address=13.91.16.64 list=windows_update
add address=13.91.16.65 list=windows_update
add address=13.91.16.66 list=windows_update
add address=13.92.211.120 list=windows_update
add address=13.107.4.50 list=windows_update
add address=13.107.4.52 list=windows_update
add address=13.107.4.254 list=windows_update
add address=20.36.218.63 list=windows_update
add address=20.36.218.70 list=windows_update
add address=20.36.222.39 list=windows_update
add address=20.36.252.130 list=windows_update
add address=20.41.41.23 list=windows_update
add address=20.42.24.29 list=windows_update
add address=20.42.24.50 list=windows_update
add address=20.44.77.24 list=windows_update
add address=20.44.77.45 list=windows_update
add address=20.44.77.49 list=windows_update
add address=20.44.77.219 list=windows_update
add address=20.45.4.77 list=windows_update
add address=20.45.4.178 list=windows_update
add address=20.54.24.69 list=windows_update
add address=20.54.24.79 list=windows_update
add address=20.54.24.148 list=windows_update
add address=20.54.24.169 list=windows_update
add address=20.54.24.231 list=windows_update
add address=20.54.24.246 list=windows_update
add address=20.54.25.4 list=windows_update
add address=20.54.25.16 list=windows_update
add address=20.54.89.15 list=windows_update
add address=20.54.89.106 list=windows_update
add address=20.62.190.184 list=windows_update
add address=20.62.190.185 list=windows_update
add address=20.62.190.186 list=windows_update
add address=20.185.109.208 list=windows_update
add address=20.186.48.46 list=windows_update
add address=20.188.74.161 list=windows_update
add address=20.188.78.184 list=windows_update
add address=20.188.78.185 list=windows_update
add address=20.188.78.187 list=windows_update
add address=20.188.78.188 list=windows_update
add address=20.188.78.189 list=windows_update
add address=20.190.3.175 list=windows_update
add address=20.190.9.86 list=windows_update
add address=20.191.46.109 list=windows_update
add address=20.191.46.211 list=windows_update
add address=23.103.189.125 list=windows_update
add address=23.103.189.126 list=windows_update
add address=23.103.189.157 list=windows_update
add address=23.103.189.158 list=windows_update
add address=40.67.248.104 list=windows_update
add address=40.67.251.132 list=windows_update
add address=40.67.251.134 list=windows_update
add address=40.67.252.175 list=windows_update
add address=40.67.252.206 list=windows_update
add address=40.67.253.249 list=windows_update
add address=40.67.254.36 list=windows_update
add address=40.67.254.97 list=windows_update
add address=40.67.255.199 list=windows_update
add address=40.69.216.73 list=windows_update
add address=40.69.216.129 list=windows_update
add address=40.69.216.251 list=windows_update
add address=40.69.218.62 list=windows_update
add address=40.69.219.197 list=windows_update
add address=40.69.220.46 list=windows_update
add address=40.69.221.239 list=windows_update
add address=40.69.222.109 list=windows_update
add address=40.69.223.39 list=windows_update
add address=40.69.223.198 list=windows_update
add address=40.70.224.144 list=windows_update
add address=40.70.224.145 list=windows_update
add address=40.70.224.147 list=windows_update
add address=40.70.224.148 list=windows_update
add address=40.70.224.149 list=windows_update
add address=40.70.229.150 list=windows_update
add address=40.77.18.167 list=windows_update
add address=40.77.224.8 list=windows_update
add address=40.77.224.11 list=windows_update
add address=40.77.224.145 list=windows_update
add address=40.77.224.254 list=windows_update
add address=40.77.226.13 list=windows_update
add address=40.77.226.181 list=windows_update
add address=40.77.226.246 list=windows_update
add address=40.77.226.247 list=windows_update
add address=40.77.226.248 list=windows_update
add address=40.77.226.249 list=windows_update
add address=40.77.226.250 list=windows_update
add address=40.77.229.8 list=windows_update
add address=40.77.229.9 list=windows_update
add address=40.77.229.12 list=windows_update
add address=40.77.229.13 list=windows_update
add address=40.77.229.16 list=windows_update
add address=40.77.229.21 list=windows_update
add address=40.77.229.22 list=windows_update
add address=40.77.229.24 list=windows_update
add address=40.77.229.26 list=windows_update
add address=40.77.229.27 list=windows_update
add address=40.77.229.29 list=windows_update
add address=40.77.229.30 list=windows_update
add address=40.77.229.32 list=windows_update
add address=40.77.229.35 list=windows_update
add address=40.77.229.38 list=windows_update
add address=40.77.229.44 list=windows_update
add address=40.77.229.45 list=windows_update
add address=40.77.229.50 list=windows_update
add address=40.77.229.53 list=windows_update
add address=40.77.229.62 list=windows_update
add address=40.77.229.65 list=windows_update
add address=40.77.229.67 list=windows_update
add address=40.77.229.69 list=windows_update
add address=40.77.229.70 list=windows_update
add address=40.77.229.71 list=windows_update
add address=40.77.229.74 list=windows_update
add address=40.77.229.76 list=windows_update
add address=40.77.229.80 list=windows_update
add address=40.77.229.81 list=windows_update
add address=40.77.229.82 list=windows_update
add address=40.77.229.88 list=windows_update
add address=40.77.229.118 list=windows_update
add address=40.77.229.123 list=windows_update
add address=40.77.229.128 list=windows_update
add address=40.77.229.133 list=windows_update
add address=40.77.229.141 list=windows_update
add address=40.77.229.199 list=windows_update
add address=40.79.65.78 list=windows_update
add address=40.79.65.123 list=windows_update
add address=40.79.65.235 list=windows_update
add address=40.79.65.237 list=windows_update
add address=40.79.66.194 list=windows_update
add address=40.79.66.209 list=windows_update
add address=40.79.67.176 list=windows_update
add address=40.79.70.158 list=windows_update
add address=40.91.73.169 list=windows_update
add address=40.91.73.219 list=windows_update
add address=40.91.75.5 list=windows_update
add address=40.91.80.89 list=windows_update
add address=40.91.91.94 list=windows_update
add address=40.91.120.196 list=windows_update
add address=40.91.122.44 list=windows_update
add address=40.125.122.151 list=windows_update
add address=40.125.122.176 list=windows_update
add address=51.103.5.159 list=windows_update
add address=51.103.5.186 list=windows_update
add address=51.104.162.50 list=windows_update
add address=51.104.162.168 list=windows_update
add address=51.104.164.114 list=windows_update
add address=51.104.167.48 list=windows_update
add address=51.104.167.186 list=windows_update
add address=51.104.167.245 list=windows_update
add address=51.104.167.255 list=windows_update
add address=51.105.249.223 list=windows_update
add address=51.105.249.228 list=windows_update
add address=51.105.249.239 list=windows_update
add address=52.142.21.136 list=windows_update
add address=52.137.102.105 list=windows_update
add address=52.137.103.96 list=windows_update
add address=52.137.103.130 list=windows_update
add address=52.137.110.235 list=windows_update
add address=52.142.21.137 list=windows_update
add address=52.142.21.140 list=windows_update
add address=52.142.21.141 list=windows_update
add address=52.143.80.209 list=windows_update
add address=52.143.81.222 list=windows_update
add address=52.143.84.45 list=windows_update
add address=52.143.86.214 list=windows_update
add address=52.143.87.28 list=windows_update
add address=52.147.176.8 list=windows_update
add address=52.148.148.114 list=windows_update
add address=52.152.108.96 list=windows_update
add address=52.152.110.14 list=windows_update
add address=52.155.95.90 list=windows_update
add address=52.155.115.56 list=windows_update
add address=52.155.169.137 list=windows_update
add address=52.155.183.99 list=windows_update
add address=52.155.217.156 list=windows_update
add address=52.155.223.194 list=windows_update
add address=52.156.144.83 list=windows_update
add address=52.158.114.119 list=windows_update
add address=52.158.122.14 list=windows_update
add address=52.161.15.246 list=windows_update
add address=52.164.221.179 list=windows_update
add address=52.164.226.245 list=windows_update
add address=52.167.222.82 list=windows_update
add address=52.167.222.147 list=windows_update
add address=52.167.223.135 list=windows_update
add address=52.169.82.131 list=windows_update
add address=52.169.83.3 list=windows_update
add address=52.169.87.42 list=windows_update
add address=52.169.123.48 list=windows_update
add address=52.175.23.79 list=windows_update
add address=52.177.164.251 list=windows_update
add address=52.177.247.15 list=windows_update
add address=52.178.192.146 list=windows_update
add address=52.179.216.235 list=windows_update
add address=52.179.219.14 list=windows_update
add address=52.183.47.176 list=windows_update
add address=52.183.118.171 list=windows_update
add address=52.184.152.136 list=windows_update
add address=52.184.155.206 list=windows_update
add address=52.184.212.181 list=windows_update
add address=52.184.213.21 list=windows_update
add address=52.184.213.187 list=windows_update
add address=52.184.214.53 list=windows_update
add address=52.184.214.123 list=windows_update
add address=52.184.214.139 list=windows_update
add address=52.184.216.174 list=windows_update
add address=52.184.216.226 list=windows_update
add address=52.184.216.246 list=windows_update
add address=52.184.217.20 list=windows_update
add address=52.184.217.37 list=windows_update
add address=52.184.217.56 list=windows_update
add address=52.187.60.107 list=windows_update
add address=52.188.72.233 list=windows_update
add address=52.226.130.114 list=windows_update
add address=52.229.170.171 list=windows_update
add address=52.229.170.224 list=windows_update
add address=52.229.171.86 list=windows_update
add address=52.229.171.202 list=windows_update
add address=52.229.172.155 list=windows_update
add address=52.229.174.29 list=windows_update
add address=52.229.174.172 list=windows_update
add address=52.229.174.233 list=windows_update
add address=52.229.175.79 list=windows_update
add address=52.230.216.17 list=windows_update
add address=52.230.216.157 list=windows_update
add address=52.230.220.159 list=windows_update
add address=52.230.223.92 list=windows_update
add address=52.230.223.167 list=windows_update
add address=52.232.225.93 list=windows_update
add address=52.238.248.1 list=windows_update
add address=52.238.248.2 list=windows_update
add address=52.238.248.3 list=windows_update
add address=52.242.97.97 list=windows_update
add address=52.242.101.226 list=windows_update
add address=52.242.231.32 list=windows_update
add address=52.242.231.33 list=windows_update
add address=52.242.231.35 list=windows_update
add address=52.242.231.36 list=windows_update
add address=52.242.231.37 list=windows_update
add address=52.243.153.146 list=windows_update
add address=52.248.96.36 list=windows_update
add address=52.249.24.101 list=windows_update
add address=52.249.58.51 list=windows_update
add address=52.250.46.232 list=windows_update
add address=52.250.46.237 list=windows_update
add address=52.250.46.238 list=windows_update
add address=52.250.195.200 list=windows_update
add address=52.250.195.204 list=windows_update
add address=52.250.195.206 list=windows_update
add address=52.250.195.207 list=windows_update
add address=52.253.130.84 list=windows_update
add address=52.254.106.61 list=windows_update
add address=64.4.27.50 list=windows_update
add address=65.52.108.29 list=windows_update
add address=65.52.108.33 list=windows_update
add address=65.52.108.59 list=windows_update
add address=65.52.108.90 list=windows_update
add address=65.52.108.92 list=windows_update
add address=65.52.108.153 list=windows_update
add address=65.52.108.154 list=windows_update
add address=65.52.108.185 list=windows_update
add address=65.55.242.254 list=windows_update
add address=66.119.144.157 list=windows_update
add address=66.119.144.158 list=windows_update
add address=66.119.144.189 list=windows_update
add address=66.119.144.190 list=windows_update
add address=67.26.27.254 list=windows_update
add address=104.45.177.233 list=windows_update
add address=111.221.29.40 list=windows_update
add address=134.170.51.187 list=windows_update
add address=134.170.51.188 list=windows_update
add address=134.170.51.190 list=windows_update
add address=134.170.51.246 list=windows_update
add address=134.170.51.247 list=windows_update
add address=134.170.51.248 list=windows_update
add address=134.170.53.29 list=windows_update
add address=134.170.53.30 list=windows_update
add address=134.170.115.55 list=windows_update
add address=134.170.115.56 list=windows_update
add address=134.170.115.60 list=windows_update
add address=134.170.115.62 list=windows_update
add address=134.170.165.248 list=windows_update
add address=134.170.165.249 list=windows_update
add address=134.170.165.251 list=windows_update
add address=134.170.165.253 list=windows_update
add address=137.135.62.92 list=windows_update
add address=157.55.133.204 list=windows_update
add address=157.55.240.89 list=windows_update
add address=157.55.240.126 list=windows_update
add address=157.55.240.220 list=windows_update
add address=157.56.77.138 list=windows_update
add address=157.56.77.139 list=windows_update
add address=157.56.77.140 list=windows_update
add address=157.56.77.141 list=windows_update
add address=157.56.77.148 list=windows_update
add address=157.56.77.149 list=windows_update
add address=157.56.96.54 list=windows_update
add address=157.56.96.58 list=windows_update
add address=157.56.96.123 list=windows_update
add address=157.56.96.157 list=windows_update
add address=191.232.80.53 list=windows_update
add address=191.232.80.58 list=windows_update
add address=191.232.80.60 list=windows_update
add address=191.232.80.62 list=windows_update
add address=191.232.139.2 list=windows_update
add address=191.232.139.182 list=windows_update
add address=191.232.139.253 list=windows_update
add address=191.232.139.254 list=windows_update
add address=191.234.72.183 list=windows_update
add address=191.234.72.186 list=windows_update
add address=191.234.72.188 list=windows_update
add address=191.234.72.190 list=windows_update
add address=207.46.114.58 list=windows_update
add address=207.46.114.61 list=windows_update
add address=13.64.90.137 list=windows_telemetry
add address=13.68.31.193 list=windows_telemetry
add action=mark-connection chain=prerouting comment="redirect devices which ma\
ke unencrypted requests for Apple/Windows hosts" dst-address=\
!192.168.0.0/16 layer7-protocol=Windows new-connection-mark=vpn \
passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-address=!192.168.0.0/16 \
layer7-protocol=Apple new-connection-mark=vpn passthrough=yes protocol=\
tcp
add action=add-src-to-address-list address-list=redirected_hosts \
address-list-timeout=15m chain=prerouting comment=\
"mark hosts that make dns connections to Apple/Windows hosts" dst-port=53 \
layer7-protocol=Apple protocol=udp
add action=add-src-to-address-list address-list=redirected_hosts \
address-list-timeout=15m chain=prerouting dst-port=53 layer7-protocol=\
Windows protocol=udp
These rules match unencrypted general traffic and DNS requests by using Layer-7 Application regex.
ke unencrypted requests for Apple/Windows hosts" dst-address=\
!192.168.0.0/16 layer7-protocol=Windows new-connection-mark=vpn \
passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-address=!192.168.0.0/16 \
layer7-protocol=Apple new-connection-mark=vpn passthrough=yes protocol=\
tcp
add action=add-src-to-address-list address-list=redirected_hosts \
address-list-timeout=15m chain=prerouting comment=\
"mark hosts that make dns connections to Apple/Windows hosts" dst-port=53 \
layer7-protocol=Apple protocol=udp
add action=add-src-to-address-list address-list=redirected_hosts \
address-list-timeout=15m chain=prerouting dst-port=53 layer7-protocol=\
Windows protocol=udp
add action=mark-connection chain=prerouting dst-address-list=!undirected_dst \
new-connection-mark=vpn passthrough=yes src-address-list=redirected_hosts
This is a helper rule with the L7 regex. It works by not redirecting sites visited to by "trusted" devices on the network, and "trusted" means they have not triggered any of the L7 regex
rules.
new-connection-mark=vpn passthrough=yes src-address-list=redirected_hosts
add action=mark-routing chain=prerouting comment="apply connection marks" \
connection-mark=vpn new-routing-mark=vpn passthrough=no
This rule is a repeat of another rule above. It applies the routing marks to any connection in which connection-mark=vpn.
connection-mark=vpn new-routing-mark=vpn passthrough=no
add action=add-dst-to-address-list address-list=undirected_dst \
address-list-timeout=1d chain=prerouting comment=\
"add \"trusted\" hosts to a trusted list" connection-state=new dst-port=\
80,443 protocol=tcp src-address-list=!redirected_hosts
This last Firewall Mangle rule adds "trusted" hosts to an address list where they can be further processed and have their sites visited also added to an address list.
address-list-timeout=1d chain=prerouting comment=\
"add \"trusted\" hosts to a trusted list" connection-state=new dst-port=\
80,443 protocol=tcp src-address-list=!redirected_hosts
/ip firewall filter
add action=reject chain=forward comment=\
"reset tcp connections which have just been marked with tls" \
connection-mark=tls_disconnect protocol=tcp reject-with=tcp-reset
This rule, in Firewall Filter, rejects all connections with the connection mark of tls_disconnect. This forcibly closes the TCP connection and makes the client create a new one, sent through the VPN instead due to its now-new
placement in an address list of hosts to be redirected.
add action=reject chain=forward comment=\
"reset tcp connections which have just been marked with tls" \
connection-mark=tls_disconnect protocol=tcp reject-with=tcp-reset
Wowie!
That's a lot of firewall rules. However, there are a couple of ways I can think of to expand these rules further:1. Add catchall TLS matcher rule(s).
To do this, I would add a rule that matches the TLS host for all detected TLS hosts and have that site added to the "trusted" address list. However, that could require adding in a new chain and a couple extra rules, and I don't feel like doing that right now.
2. Add more domain names to the premade address list.
This is the original solution I came up with before I made this entire list of "Almost DPI" rules. However, it presented a supersized problem, and it's that updating hundreds of domains created perpetual traffic from my hotspot of a speed about 125kb/s. If the hotspot is on 24/7 for a month, that's tens of gigabytes of data. That simply wasn't acceptable and I needed a fix. This may be an acceptable addition if there is some way to increase the TTL of the domains so that they are not updated as often.
One More Step!
To finish this off, you'll need to create the VPN tunnel in order to use it. RouterOS offers many good options, including OpenVPN, Wireguard, L2TP(/IPSec), SSTP, and maybe PPTP. There are
already many tutorials on how to create a VPN client in Mikrotik, so I'll leave that for you to do yourself. However, to actually use it, you'll need to make a static route. To do this,
go to IP->Routes in the GUI and select Add New. Choose a destination address of 0.0.0.0/0 and set the gateway to be the VPN interface. Then, in routing-mark, set it to "vpn." This method will only work in ROS version 6. In version 7, before you create the route, create a new routing table called "vpn." Then, add the static route in the table without specfying routing-mark because
you won't be able to. Now, in Rules, add a new one that has a routing-mark of "vpn" and have the action be to lookup in table "vpn."