Access control with Mikrotik Proxy

Good morning network gurus!

I thought I’d ask here if what I have in mind is possible, before wasting a week of my time on it, and getting nowhere.

I’m the admin of a network of 50-60 computers, sharing a DSL connection of 6Mbps/512kbps. As you can imagine, the traffic is not so busy, as their tasks on the Internet are minimal; not even emails, as we have an internal mail server.

However, I’ve been asked by management to restrict certain obvious time wasters, such as facebook, twitter, ebay, miniclip etc…

I know that my mikrotik firewall is capable (in a crude way) of filtering out such things using proxy, and I have already tested a couple of things with a good level of success. Now I know that the general consensus is “your mikrotik is not a webfilter, get over it!”, yet the blocking that I need is so minimal that I cannot justify a €500+ investment on something like Kerio or whatever, just to block like 7 sites at most from my network.

My few questions are:

  • Can I make the proxy transparent, and handle all port 80 traffic without having to set the machines to point to it?
  • How much load would such a system put on a routerboard? Would I be better off to pop a new license into a dedicated PC?
  • Would I be able to do filtering exceptions for certain IPs on the network that DO need Facebook access?

Mind that I don’t need people to tell me how to do it - discovering it is part of the fun. I just want to know if I’m able to go around it, so I don’t waste a week on something pointless.

Any alternative not-so-expensive suggestions would also be welcome.

Thank you.

Can I make the proxy transparent, and handle all port 80 traffic without having to set the machines to point to it?

Yes, but clients will go out with the router's public IP address (for HTTP resources).
A simple /ip firewall nat action=redirect rule can catch all traffic and redirect it to the proxy.

How much load would such a system put on a routerboard? Would I be better off to pop a new license into a dedicated PC?

I do not see any problem for 50-60 clients (transparent proxy without caching).

Would I be able to do filtering exceptions for certain IPs on the network that DO need Facebook access?

Yes, /ip proxy access allows exceptions.
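The transparent proxy with per-host exceptions described in this reply, written out as an added RouterOS configuration example (not from the original poster or the reply above); the interface names, LAN subnet, exempt workstation address and blocked site list are assumptions, and it only covers plain HTTP on port 80 because the proxy never sees HTTPS.

```routeros
# Added example: transparent web proxy with a per-host exception on RouterOS.
# Assumed names: bridge-lan (LAN side), ether1-wan (DSL side), LAN 192.168.1.0/24,
# 192.168.1.10 is the one workstation that is still allowed to reach Facebook.

# 1. Enable the proxy. Caching is disabled so the routerboard does not wear its
#    storage and the load stays close to plain forwarding.
/ip proxy
set enabled=yes port=8080 max-cache-size=none

# 2. Access list: the first matching rule wins, so the exception sits above the
#    deny rules and the catch-all allow sits last.
/ip proxy access
add src-address=192.168.1.10 action=allow comment="exempt host: unrestricted"
add dst-host=*facebook.com* action=deny comment="time waster"
add dst-host=*twitter.com* action=deny comment="time waster"
add dst-host=*ebay.* action=deny comment="time waster"
add dst-host=*miniclip.com* action=deny comment="time waster"
add action=allow comment="everything else on port 80"

# 3. Make it transparent: redirect outbound HTTP arriving from the LAN into the
#    proxy port. Matching on in-interface keeps the router's own traffic and the
#    WAN side untouched.
/ip firewall nat
add chain=dstnat in-interface=bridge-lan protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="transparent proxy"

# 4. Do not become an open proxy: the proxy port must not be reachable from the
#    DSL side, only from the LAN where the redirect delivers it.
/ip firewall filter
add chain=input in-interface=ether1-wan protocol=tcp dst-port=8080 action=drop \
    comment="block proxy access from the Internet"

# Check: /ip proxy access print, /ip firewall nat print, then from a LAN host
# open http://www.facebook.com/ and expect the MikroTik denied page, while the
# exempt host at 192.168.1.10 loads it normally.
```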

Exactly what I needed to hear.

Thank you muchly!

Hi again.

I’m testing it, and it works like a dream, although I’ll probably move it to a PC-based one for better resources.

Final question … is it possible for me to create my own “denied” page, instead of the generic mikrotik one?

I’ve already done it successfully with hotspot pages... I don’t know if it’s possible with proxy pages.

Yes, it is possible; run

/ip proxy reset-html

The reset-html page will appear in /file print; download it and add the information you need.

Perfect. Thanks once again.

reset-html doesn’t seem to be an option on v3.5 on mipsle.

Curiously, I can find it on v3.3 on x86.

You probably mean v5.5.

reset-html is available in v4.x/v5.x.

Nope... I mean 3.5.

Unfortunately the box I have (RB532A) doesn’t allow me to go further than v3.x.

The other box (an x86) is running 3.3, and I can see reset-html fine.

scratches head

Yes, it does; use Netinstall and you will be able to upgrade to v5.5.

Email support if you need help or run into trouble.

Ah ok.

Thanks a lot for your constant help :)

I know my way around netinstall.