How to block specific port for range of IP Addresses?

joseta · Fri Aug 20, 2010 5:36 pm

Hi Everyone,

I would like to block specific port for range of IP Addresses...

That means, the ip address 192.168.0.200 to 192.168.0.220 don't want internet access. How I can block port 80.

And also specific web addresses example: www.youtube.com, www.facebook.com and so forth.

Advanced Thanks
Joseph Thekkiniath

fewi · Mon Aug 23, 2010 5:54 pm

/ip firewall address-list
add list=no_HTTP address=192.168.0.200
add list=no_HTTP address=192.168.0.201
/ip firewall filter
add chain=forward src-address-list=no_HTTP protocol=tcp dst-port=80 action=drop

Blocking web sites via URL: http://wiki.mikrotik.com/wiki/How_to_Bl ... sing_Proxy

joseta · Mon Aug 23, 2010 6:49 pm

hi Fewi,

Thanks! Its working!!!

No other way to create range of address list? Instead of doing one by one.

For blocking www.youtube.com; www.facebook.com
Where I can put the ip range (ex: 192.168.0.180 to 192.168.0.199) no entertainment.

Advance Thanks
Joseph Thekkiniath

fewi · Mon Aug 23, 2010 6:56 pm

:for IP from=200 to=220 do={ /ip firewall address-list add list="no_HTTP" address="192.168.0.$IP" }

To limit who gets blocked by URL in the proxy, you need to adjust the line that actually redirects traffic to the proxy:

/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080

That redirects all traffic to tcp/80 (HTTP) to the proxy. To only apply that to 192.168.0.180 - 192.168.0.199, first make another address list, then add a qualifier to the proxy redirects that only fires for traffic sourced from that list:

:for IP from=200 to=220 do={ /ip firewall address-list add list="filtered_by_proxy" address="192.168.0.$IP" }
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 src-address-list=filtered_by_proxy action=redirect to-ports=8080

and of course remove the original proxy redirect line first.

Chupaka · Mon Aug 23, 2010 7:08 pm

:for IP from=200 to=220 do={ /ip firewall address-list add list="no_HTTP" address="192.168.0.$IP" }

for every complex problem... you know =)

/ip firewall address-list add list=no_HTTP address=192.168.0.200-192.168.0.220

fewi · Mon Aug 23, 2010 7:23 pm

joseta · Mon Aug 23, 2010 11:43 pm

Hi Everyone,

I haven't tried range of ips. Before I have confirm other options also.

Here how I can put the time schedule? At night it must be allowed...

Thanks
Joseph Thekkiniath

fewi · Mon Aug 23, 2010 11:45 pm

Refer to the filter manual for the available parameters.

joseta · Tue Aug 24, 2010 8:29 pm

Hi Everyone,

I didn't come up with blocking www.youtube.com and www.facebook.com
for the range of ips (192.168.0.180 - 192.168.0.200)

And also, how I can create group of clients...

Thanks
Jose Thekkiniath

fewi · Tue Aug 24, 2010 8:54 pm

http://wiki.mikrotik.com/wiki/How_to_Bl ... sing_Proxy
That links shows to to block websites.
You create groups of clients via address lists as described in this thread.
What specifically is your question? The link and examples in this thread have all the configuration you need.

joseta · Tue Aug 24, 2010 10:56 pm

Hi

/ip proxy
set src-address: 0.0.0.0 ----??? what ip ???
set parent-proxy: 0.0.0.0:0 ---- ??? what ip ???

My network 192.168.0.0/24

No access website ip addresses would be 192.16.0.180 - 192.168.0.200

Thanks
Jose Thekkiniath

fewi · Tue Aug 24, 2010 11:04 pm

Look at the manual:
http://wiki.mikrotik.com/wiki/Manual:IP/Proxy#General

parent-proxy (Ip4 | ip6; Default: 0.0.0.0) IP address and port of another HTTP proxy to redirect all requests to. If set to 0.0.0.0 parent proxy is not used.

src-address (Ip4 | Ip6; Default: 0.0.0.0) Proxy will use specified address when connecting to parent proxy or web site. If set to 0.0.0.0 then appropriate IP address will be taken from routing table.

You don't have a parent proxy, so leave that at 0.0.0.0 to disable the feature. If you want traffic to be sourced from a particular IP address on your router (so you can easily recognize it further upstream, for example) you set it here, if you don't care or don't need the feature you leave it at 0.0.0.0.

joseta · Tue Aug 24, 2010 11:38 pm

Hi

Is there any way to know the visiting websites of client machine
by Webproxy.

Thanks
Jose Thekkiniath

fewi · Tue Aug 24, 2010 11:41 pm

http://forum.mikrotik.com/viewtopic.php ... +proxy+log

Andr3s · Wed Aug 25, 2010 7:05 pm

You can prove with OPEN DNS, is very easy and dont have to load de CPU of your Mikrotik with rules

joseta · Wed Aug 25, 2010 8:07 pm

Hi

I have tried and its working. But I want to block only specific range of ips

/ip firewall filter
chain=input action=drop protocol=tcp src-address-list=No Entertainment Webpage in-interface=ether4-Office LAN dst-port=8080

/ip firewall filter
No Entertainment Webpage=192.168.0.161-192.168.0.180

Note: ether4-Office LAN = My DHCP LAN 192.168.0.0/24

Other commands As you said. Now I could not access the site for all the ips.

Thanks
Jose Thekkiniath

fabbygoh · Wed Oct 26, 2011 1:26 pm

Jose Thekkiniath

Have you found the solution to blocking websites on the specific range of IP address? I have been working on this, but seem not working at all....

Your help is really appreciated.

tjc · Thu Oct 27, 2011 6:09 am

/ip firewall filter
chain=input action=drop protocol=tcp src-address-list=No Entertainment Webpage in-interface=ether4-Office LAN dst-port=8080

/ip firewall filter
No Entertainment Webpage=192.168.0.161-192.168.0.180

1) You should not put spaces in the names.
2) That's the wrong syntax for defining an address list
3) You're mixing address lists and ranges which is a bit funky.
4) Do you really want this on the input chain? Unless the router itself is hosting the wbepage (or maybe acting as a proxy?) you probably want it on the forwarding chain.

Try something more like:

/ip firewall address-list
add address=192.168.0.161-192.168.0.180 list=NoEntertainmentWebpage \
  comment="Note that there are no spaces in the list name, these are users who are denied certain web pages."
/ip firewall filter
add chain=forward action=drop protocol=tcp dst-port=8080 src-address-list=NoEntertainmentWebpage in-interface=ether4-Office-LAN \
  comment="Again no spaces in the names for the address list or the port.  Port names can use '-' but address list names don't seem to allow it."

Once you've added that firewall rule you will also need to move it to the correct place in the chain.

fabbygoh · Thu Oct 27, 2011 6:50 am

thanks for your reply. My condition is like this.

I want to block this range of IP address 192.168.1.100 to 192.168.1.200 from being able to access the following contents:

www.facebook.com
porn*.com
tube*.com
sex*.com

Note that all other IP besides the range, can still access the above mentioned contents.

Thanks

sadeghrafie · Thu Oct 27, 2011 10:41 am

http://wiki.mikrotik.com/wiki/How_to_Bl ... sing_Proxy
That links shows to to block websites.
You create groups of clients via address lists as described in this thread.
What specifically is your question? The link and examples in this thread have all the configuration you need.

MK webproxy will bypass with some programs like Ultrasurf

sadeghrafie · Thu Oct 27, 2011 10:44 am

thanks for your reply. My condition is like this.

I want to block this range of IP address 192.168.1.100 to 192.168.1.200 from being able to access the following contents:

http://www.facebook.com
porn*.com
tube*.com
sex*.com

You should live in my country IRAN or you can connect to my router via PPTP and have it as Your DG, because all of these you mentioned are Filtered

We have a strong filtering. A certain website is available right now but it may be Filtered 10 second later

dunga · Thu Nov 17, 2011 1:21 pm

Hello,
I still ask how do someone create address-list without adding them one by one, Just as in having a host file in windows which is used to block some sites in each system.

Can someone create such a file and direct mikrotik to read from the file incase of both blocked or unblocked.

Thanks

Thu Nov 17, 2011 1:26 pm

you can connect to my router via PPTP and have it as Your DG, because all of these you mentioned are Filtered

+1 for taking a positive attitude at this

this joke made my day

sadeghrafie · Thu Nov 17, 2011 2:00 pm

you can connect to my router via PPTP and have it as Your DG, because all of these you mentioned are Filtered
+1 for taking a positive attitude at this this joke made my day

you're welcome. I always say "try to use sense of humor in the forum"

dunga · Tue Nov 22, 2011 2:23 pm

hello,
I still want to find out how to block a specific port for a particular ip address using mikrotik.

What I want to do is to block this ip from browsing the internet but can only chat. The Ip address is 192.168.0.201 only.

I have set put it in the address list and enabled a filter rule o it like this
ip firewall filter>
add chain=forward protocol=tcp dst-port=80 src-address-list=no_HTTP \
action=drop comment="Block Reception From Browsing" disabled=no
add chain=forward protocol=tcp dst-port=3128 src-address-list=no_HTTP \
action=drop comment="Block Reception Http port 3128" disabled=no

I am using web proxy and i redirect all traffic from port 80 to 3128 since my web proxy uses port 3128.

Upon using this yet, that system still browse the internet. Is there anything I am doing wrong?

Thanks

silvan · Mon Feb 02, 2015 11:14 pm

hey guys.... im using mikrotik too, any body knows how to block "youtube app" of mobile phones !>

umny · Fri Dec 28, 2018 11:02 am

Dear All
i want to deny teamviewer on mikrotik router but it can't
please kindly help thank you

Chupaka · Sat Dec 29, 2018 9:18 pm

i want to deny teamviewer on mikrotik router but it can't

What did you do for that? Did you block port 5938, for example?

How to block specific port for range of IP Addresses?

How to block specific port for range of IP Addresses?

Re: How to block specific port for range of IP Addresses?

Re: How to block specific port for range of IP Addresses?

Re: How to block specific port for range of IP Addresses?

Re: How to block specific port for range of IP Addresses?

Re: How to block specific port for range of IP Addresses?

Re: How to block specific port for range of IP Addresses?

Re: How to block specific port for range of IP Addresses?

Re: How to block specific port for range of IP Addresses?

Re: How to block specific port for range of IP Addresses?

Re: How to block specific port for range of IP Addresses?

Re: How to block specific port for range of IP Addresses?

Re: How to block specific port for range of IP Addresses?

Re: How to block specific port for range of IP Addresses?

Re: How to block specific port for range of IP Addresses?

Re: How to block specific port for range of IP Addresses?

Re: How to block specific port for range of IP Addresses?

Re: How to block specific port for range of IP Addresses?

Re: How to block specific port for range of IP Addresses?

Re: How to block specific port for range of IP Addresses?

Re: How to block specific port for range of IP Addresses?

Re: How to block specific port for range of IP Addresses?

Re: How to block specific port for range of IP Addresses?

Re: How to block specific port for range of IP Addresses?

Re: How to block specific port for range of IP Addresses?

Re: How to block specific port for range of IP Addresses?

Re: How to block specific port for range of IP Addresses?

Re: How to block specific port for range of IP Addresses?

Who is online