Mikrotik
HawK, 2016-07-29 12:14:49

How to bypass the blocking of the Rostelecom provider for https sites entered in the register of prohibited sites?

For MikroTik, there is an effective way to bypass Roskomnadzor blocking. The only drawback of this method is that https sites do not open, so you have to mark https traffic and route it through the gateway of another provider.
What is the Rostelecom blocking mechanism for https sites? How can I bypass blocking https sites on Mikrotik without using third-party VPNs and proxies?


6 answer(s)
HawK, 2017-01-24
@HawK3D

Everything turns out to be very simple. As with http, the provider's DPI intercepts subscriber requests and sends fake responses from the server. In the case of https, the protected content cannot be spoofed, so a fake packet is sent with the RST flag. By disabling such packets, we get real responses from the server:
/ip firewall filter
add action=drop chain=forward disabled=no in-interface=pppoe protocol=tcp src-port=443 tcp-flags=rst packet-size=40 ttl=equal:120
P.S. A lot of packets fall under this rule, and no problems were found, but for more accurate processing, you can set additional conditions, in my case packet-size=40 and ttl=equal:120 (for Windows systems) and ttl=equal:56 (respectively for *nix systems), and now the rule counter is incremented only when accessing prohibited https sites. A rule with a value of ttl=56 sometimes works unnecessarily, and no problems were noticed. I looked at the ttl values in fake packets from the provider and reduced them by 1 in the rules.
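
The TTL observation in the answer above is also how forged resets are recognised in a packet capture. The following is an added example, not part of the original thread: it flags RST packets whose TTL disagrees with the other packets of the same flow. The record fields, the tolerance of 2 and the sample capture are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from typing import NamedTuple


class Pkt(NamedTuple):
    src: str      # sender IP as seen in the capture
    sport: int
    dst: str
    dport: int
    flags: str    # TCP flags as letters, e.g. "SA", "A", "R"
    ttl: int      # IP TTL on arrival
    length: int   # total IP packet length in bytes


def find_injected_rsts(packets, ttl_tolerance=2):
    """Return RST packets whose TTL disagrees with the rest of their flow.

    A reset forged by an on-path device claims the server's address but
    travels a different number of hops, so its TTL rarely matches the TTL
    of the genuine packets in the same direction of the same connection.
    """
    by_flow = defaultdict(list)
    for p in packets:
        by_flow[(p.src, p.sport, p.dst, p.dport)].append(p)

    suspects = []
    for flow_pkts in by_flow.values():
        normal_ttls = Counter(p.ttl for p in flow_pkts if "R" not in p.flags)
        if not normal_ttls:
            continue  # no baseline: a lone RST cannot be judged by TTL
        baseline = normal_ttls.most_common(1)[0][0]
        for p in flow_pkts:
            if "R" in p.flags and abs(p.ttl - baseline) > ttl_tolerance:
                suspects.append(p)
    return suspects


# Constructed sample capture (documentation addresses, invented TTLs).
SAMPLE = [
    Pkt("203.0.113.10", 443, "192.0.2.5", 50001, "SA", 52, 52),
    Pkt("203.0.113.10", 443, "192.0.2.5", 50001, "R", 121, 40),   # TTL jump
    Pkt("203.0.113.10", 443, "192.0.2.5", 50001, "A", 52, 40),
    Pkt("198.51.100.7", 443, "192.0.2.5", 50002, "SA", 57, 52),
    Pkt("198.51.100.7", 443, "192.0.2.5", 50002, "RA", 57, 40),   # genuine close
    Pkt("198.51.100.9", 443, "192.0.2.5", 50003, "R", 121, 40),   # no baseline
]

if __name__ == "__main__":
    for p in find_injected_rsts(SAMPLE):
        print(f"suspect RST from {p.src}:{p.sport} ttl={p.ttl} len={p.length}")
```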

res2001, 2016-07-29
@res2001

Blocking, apparently, is carried out by the domain name (IP address) of the entire site. You can't get around without a VPN or proxy.

Lindon_cano, 2016-07-29
@Lindon_cano

No VPN or proxy.

Ravil Shaimardanov, 2016-08-02
@ravil666

I use Rostelecom with a white IP; through Chrome I go where I want with the help of ordinary blocking crawlers. I cannot understand the essence of the question?

sergeoy, 2017-02-22
@sergeoy

Minimum cost and profit with this: altvpn.com/57a6551c822c4.html

Der AlSem, 2017-07-18
@DerAlSem

Are the instructions still up to date? tech4fun does not open (the database, or something has fallen), I looked in the Google cache. What I have:
1. Without setting - the warning.rt.ru page
2. With the addition of the first rule (fixed on warning.rt.ru), the page disappeared, instead of it ERR_CONNECTION_RESET
3. With the addition of a line about https - nothing has changed.
What am I doing wrong? :)
