Recommend way to block Ads with Mikrotik

Hello,
are you using MikroTik to block ads? I know there is, e.g., Pi-hole, but I’m afraid page loading will be slower if requests have to go to the Raspberry Pi.

Found https://stopad.hook.sh

Tried it but it seems to not work for me, maybe I skipped something.

IP > DHCP > Networks: added the IP of my MikroTik as the DNS server

/ip firewall nat
 add action=redirect chain=dstnat dst-port=53 in-interface=bridge protocol=udp

Checked all sites on stopad.hook.sh, entered 127.0.0.1 as the redirect address, and added the generated script to my MikroTik:


## StopAD - Script for blocking advertisements, based on your defined hosts files
## For changing any parameters, please, use this link: https://stopad.hook.sh/
##
## @github    <https://github.com/tarampampam/mikrotik-hosts-parser>
## @version   2.3.0
##
## Setup this Policy for script: [X] Read [X] Write [X] Policy [X] Test

:local hostScriptUrl "https://stopad.hook.sh/script/source?format=routeros&version=2.3.0&redirect_to=127.0.0.1&sources_urls=https%3A%2F%2Fraw.githubusercontent.com%2Ftarampampam%2Fstatic%2Fmaster%2Fhosts%2Fblock_shit.txt,https%3A%2F%2Fraw.githubusercontent.com%2Fcrazy-max%2FWindowsSpyBlocker%2Fmaster%2Fdata%2Fhosts%2Fspy.txt,https%3A%2F%2Fadaway.org%2Fhosts.txt,https%3A%2F%2Fwww.malwaredomainlist.com%2Fhostslist%2Fhosts.txt,https%3A%2F%2Fpgl.yoyo.org%2Fadservers%2Fserverlist.php%3Fhostformat%3Dhosts%26showintro%3D0%26mimetype%3Dplaintext,https%3A%2F%2Fsomeonewhocares.org%2Fhosts%2Fhosts,http%3A%2F%2Fwinhelp2002.mvps.org%2Fhosts.txt,https%3A%2F%2Fhosts-file.net%2Fad_servers.txt&excluded_hosts=localhost";
:local scriptName "stop_ad.script";
:local backupFileName "before_stopad";
:local logPrefix "[StopAD]";

do {
  /tool fetch check-certificate=no mode=https url=$hostScriptUrl dst-path=("./".$scriptName);
  :delay 3s;
  :if ([:len [/file find name=$scriptName]] > 0) do={
    /system backup save name=$backupFileName;
    :delay 1s;
    :if ([:len [/file find name=($backupFileName.".backup")]] > 0) do={
      /ip dns static remove [/ip dns static find comment=ADBlock];
      /import file-name=$scriptName;
      /file remove $scriptName;
      :log info "$logPrefix AD block script imported, backup file (\"$backupFileName.backup\") created";
    } else={
      :log warning "$logPrefix Backup file not created, importing AD block script stopped";
    }
  } else={
    :log warning "$logPrefix AD block script not downloaded, script stopped";
  }
} on-error={
  :log warning "$logPrefix AD block script download FAILED";
};

I started the script manually but I still see ads on websites.
Any idea?
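For anyone wondering what the fetched script actually contains: this is an added example (not code from the thread or from the stopad.hook.sh / mikrotik-hosts-parser project) that turns hosts-file blocklists into the `/ip dns static` entries the script above imports. It uses a constructed pair of hosts files and tags every entry with the same `comment=ADBlock` that the script's remove line matches.

```python
"""Convert hosts-file blocklists into RouterOS '/ip dns static' commands.

Added example, not the stopad.hook.sh implementation. Every listed host is
answered with the chosen redirect address (127.0.0.1 in the post), excluded
hosts are skipped, and each entry carries comment=ADBlock so that
'/ip dns static remove [find comment=ADBlock]' can clear old entries.
"""
import re

# Constructed sample hosts files covering the formats seen in real lists:
# '0.0.0.0 host', '127.0.0.1 host', several hosts per line, comments,
# mixed case, and entries that must never be turned into DNS overrides.
SAMPLE_SOURCES = {
    "list-a": """# Example list A (constructed)
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net  # trailing comment
0.0.0.0 a.example.org b.example.org
""",
    "list-b": """::1 localhost
127.0.0.1 ads.example.com
127.0.0.1 BAD.Example.COM
0.0.0.0 0.0.0.0
""",
}

# Hostname: at least two labels of letters, digits or hyphens (checked lowercase).
HOST_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9-]+(\.[a-z0-9-]+)+$")

def parse_hosts(text, excluded=("localhost",)):
    """Return the set of blockable hostnames found in one hosts file."""
    hosts = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        fields = line.split()
        if len(fields) < 2:                           # need address + host(s)
            continue
        for name in fields[1:]:                       # first field is the address
            name = name.lower().rstrip(".")
            if name in excluded or name.replace(".", "").isdigit():
                continue                              # skip localhost and bare IPs
            if HOST_RE.match(name):
                hosts.add(name)
    return hosts

def routeros_script(sources, redirect_to="127.0.0.1", excluded=("localhost",)):
    """Merge all lists and emit the RouterOS commands that '/import' would run."""
    merged = set()
    for text in sources.values():
        merged |= parse_hosts(text, excluded)         # set union deduplicates
    lines = ["/ip dns static"]
    for name in sorted(merged):                       # deterministic output
        lines.append(f'add address={redirect_to} name="{name}" comment=ADBlock')
    return "\n".join(lines)

if __name__ == "__main__":
    print(routeros_script(SAMPLE_SOURCES))
```

Feed it real list URLs instead of the constructed samples and the output is a script you can `/import` directly; the static entries only take effect for clients whose queries actually reach the router.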

No, I am using Pi-hole.

Where are you seeing ads??

e.g. letemsvetemapplem.cz, idnes.cz, etc.

I never see ads on my MT router.
Do they popup in your Winbox??

I’m talking about the PC browser, not the MikroTik. I want to block ads in browsers via the MikroTik.

That is a browser problem. Fix it in your browser. It is also a user problem, thus educate your users.
What next, automatically provide tissue paper when a PC user is going to sneeze??
I know, while we are at it… how about asking MT to cure cancer…

By the way, Type 2 Diabetes is DIY disease!!! Chew on that for a while!!!

You don’t understand me. I’m looking for a solution similar to Pi-hole but for MikroTik. Some script.

I don’t want to use AdBlock, uBlock, etc. on my computers and mobile devices.

But that would put pi-hole out of business, a very ruthless move on the part of MT.
What is it exactly that pi-hole does then? If it's not CPU intensive it sounds like something that should be coded into the MT functionality??
Perhaps a feature request??

Quick research shows that they use a BASH list… anyway, a pointer to a DB to check against ads.
Don't see why the MT couldn't check the same DB (i.e. not loaded onto the device) for DNS activities???

I made some tests with a pi-hole running with docker in my laptop and I don’t think any slowing will be significant. But I don’t have a place right now where I can run a docker container reliably, and also I have a travel router where I like the scripted idea…

So thank you for:

You can see ads in websites for several reasons:

  • Your dhcp-server network in the router is giving them a DNS different from your router. You can check and solve this one in your router.
  • Your PCs are ignoring the DNS settings that the DHCP server provides. You can force them by firewalling / redirecting DNS request to the router
  • Some program/apps use their own web services to resolve or fetch apps using addresses
  • Not everything is covered by those scripts/dns entries

You need to check which one applies and solve it.

Hey, Term, have you been able to make any progress on solving this issue?
I’ve used the same script and added ~15,000 hosts to the DNS static settings to no noticeable effect.
I’ll try to check why it doesn’t work (it does resolve the added DNS names to the IP address I specified), but if you’ve had any insights since your last post, please share them.

I think Pi-hole is the best way to block ads. Best $10 I ever spent. Check out this thread on reddit:
https://www.reddit.com/r/pihole/comments/ef7tjy/pihole_on_pi_zero_w_mikrotik_connected_via_usb/

@Term,

I use the IP addresses provided by https://public-pihole.com/ and this works well (for me).

Update:
I understand now. A Pi Zero W is plugged into a MikroTik’s USB port to get power and also act like an ethernet card. The MikroTik is this person’s router, and they send DNS queries to this USB-to-Ethernet port. Very clever. I think I’ll just build or buy a small server. Would be cool if MikroTik had a package for this.

Can you expand on this more? I’m researching implementing Pi-hole and thought I would use a Raspberry Pi 4 Model B or something. The reddit link makes it seem like the hAP AC could be used? I want to use, I guess, a Pi-hole server and hand out its IP address to all my clients.

… every filter (dns, av, antispam … whatsoever) will slow down your secured application … EVERY !
… because you delegated sagacity to an entity with more discipline than you own by yourself … and that's a good thing … when it comes to computed routines :sunglasses:
… but it adds cpu-, asic-, whatsoever-related-time to decide…
.
suggestion:
change /etc/cron.d/pihole
from
.

#          standard crontab job error handling.
11 4   * * 7   root    PATH="$PATH:/usr/local/bin/" pihole updateGravity >/var/log/pihole_updateGravity.log || cat /var/log/pihole_updateGravity.log >/dev/null 2>&1

.
to
.

#          standard crontab job error handling.
11 4   * * *   root    PATH="$PATH:/usr/local/bin/" pihole updateGravity >/var/log/pihole_updateGravity.log || cat /var/log/pihole_updateGravity.log >/dev/null 2>&1

.
… for a more day-by-day-discipline … this is not (only) a joke

btw.
there are tons of articles in this forum on how to make use of anti-spam, anti-phishing, or country-code related community lists with a MTik board.
.
add a local anti-virus proxy … and you're good to go

Out of interest, how many hops and what roundtrip times are you seeing to the pihole servers you are using?

I initially used the public servers but found them very slow for my location - a traceroute would show many hops and 300ms+ roundtrip times from here in NZ. Also it was blacklisting some dropbox A records which caused me issues.

I found the free DNS servers at adguard to be very good
https://adguard.com/en/adguard-dns/overview.html. They seem to have more locations and the roundtrip is only 50ms. They also have some “family friendly” DNS servers which may interest some households.

While I have ordered a raspberry pi zero to use as a pi-hole/unbound, unless you are a techy that wants to have more control over blocklists, caching, privacy etc, simply using free public DNS servers would likely suffice for most home use internet setups.

just had an over-christmas-discussion with my colleagues over the topic …
.
just check !!
… even dns-filtering is a walrus-nipples-thing :
.
… ad-content is filtered … the loaded site(s) seems to be slow … because the content of interest is placed last … no effin pictures of socks inbetween :exclamation:
.
so everyone who’s looking at their (screen) browser says: lame web performance!
.
this is a case for Pestalozzi .. not for Tesla ( while Claude E. Shannon is taking notes )

+1 for pi hole. Does the job perfectly.

I use Pi-hole and find that it works quite well. It doesn’t slow anything down. In fact, it speeds up browsing because I’m not pulling in as many ads.

I had it running on a Raspberry Pi Zero W and the performance was excellent. I saw far fewer ads on all of my devices, and not just via web browser. You can also block sites that host malware or are fraudulent if you want. Blocking things that track you is another possibility.

You can point your Pi-hole at whatever upstream DNS providers you like. It can also work with DNS over TLS or DNS over HTTPS if you want to do that. It can do DNSSEC too. It does some caching, so repeat queries may return faster for you, depending upon what other query caching you’re doing, etc. It doesn’t, by default, use a very large cache, so I wouldn’t say that caching is its best feature. Any queries for records pointing to ad servers are returned very quickly, and that will help things load more rapidly too.

I have actually switched to using a Raspberry Pi 3 b+ for Pi-hole. I wanted to do DNS over HTTPS, and I used the cloudflare proxy for this. Cloudflare has dropped support for old Raspberry Pis, so the Zero W was only able to run an older version of cloudflared. I ran into some problems with that older version, and I had a 3 b+ sitting around, so I just switched to that and am now using the current version of cloudflared.

My Mikrotik router is set to use my Pi-hole system for its DNS, and I also have it set to pass that out to client devices via DHCP. That gives me ad-blocking for things like smartphones.

There are a few things to be aware of. The blocklists are maintained on the Pi-hole server and will apply to any device using it for DNS. Users will therefore be unable to directly disable ad-blocking for a particular site; that would have to be done in Pi-hole. That hasn’t been a problem for me, but it could be depending on your users and how many of them there are.

Pi-hole also doesn’t currently do a great job of blocking youtube ads. Google does their own ad-serving and they’ve integrated it tightly enough with youtube that it’s very difficult to use DNS to block those ads. You would therefore still need an ad-blocking browser extension if you want to block all youtube ads.

You have to give some thought to your choice of which blocklists to use (just as you do with an ad-blocking extension in your browser). You can add a lot of lists and be very restrictive, but then you also stand more of a chance of breaking some sites. Or you can add few lists and it may not block all ads. I’ve taken a compromise approach and I use a fair number of blocklists, but only ones that shouldn’t require me to do a lot of adjustment (make exceptions so sites can work, etc.).

I still see some ads with Pi-hole. It’s not perfect. However, it blocks ads in more than just browsers, and it does noticeably improve the experience of using a smartphone IMO. Blocking tracking and other data collection for my entire LAN is also very valuable to me.

As I mentioned, I’m doing DoH (DNS over HTTPS). This keeps my ISP from seeing my DNS queries. (They can still see your traffic if you’re not using a VPN, but they can’t harvest quite as much info as if you don’t encrypt your DNS queries.) Yes, this does shift your trust from your ISP to your DNS provider. In my case, I trust my DNS provider more than I trust my ISP. (I’m stuck with my ISP until maybe the new satellite systems give me an alternative.)

I found that setting up Pi-hole and getting everything the way I want it was fun. I already had the hardware, so I didn’t have to buy anything new to set it up. It was a nice little project and I feel it’s been quite useful.