Adblocking on routeros

tefte · December 29, 2015, 1:38pm

Hello everyone !

finally today i try to get adblock option on one of my router and so far with no luck. Maybe someone can tell me what is wrong.

i made adblock.rsc file with..

/ip dns static
add address=127.0.0.1 name=localhost
add address=127.0.0.1 name=domain-.facebook.
add address=127.0.0.1 name=google.com
add address=127.0.0.1 name=.youtube.
add address=127.0.0.1 name=domain-youtube.com

and in terminal use commands

[admin@MikroTik] > /ip dns static remove [/ip dns static find]
[admin@MikroTik] > /import adblock.rsc
Script file loaded and executed successfully

however every of them still working

ConnectivityEngineer · December 29, 2015, 2:32pm

While you will need to tweak this to your liking - might try using the script below which pulls from the blocklister.gefoo.org lists

Keep in mind… Thousands of entries in the firewall CAN create a slow internet experience if Every Packet has to go through it.

To that end - might decide to edit the list to your liking

# create script to Download fresh list and replace old one
/system script add name="Download_Ads_List" source="/tool fetch url=\"https://blocklister.gefoo.org/ads" dst-path=ads.rsc; /import file-name=ads.rsc;"

# create schedule to run script weekly
/system scheduler add comment="Download_Ads_List" interval=7d name="DownloadAdsList" on-event=Download_Ads_List start-date=jan/01/1970 start-time=02:42:00

# add firewall rule once
/ip firewall filter add chain=forward in-interface=bridge-local connection-state=new protocol=tcp dst-address-list=ads_list action=reject reject-with=tcp-reset comment="Ad-block list drop"

No promises - on version 6 - on version 5 the aforementioned script should work - might need to reword for v6.x

ZeroByte · December 29, 2015, 2:48pm

This is a pretty effective solution - and IP address lists should process pretty fast (compared to a long chain of drop rules).

The only thing to be concerned about is if you trust a website to automatically tell your router who should be blocked.

EDIT: As long as the filter rule for new connections against the IP blacklist is after a rule which accepts established,related then this check will only happen on the first packet of each new outbound connection, which isn’t going to really impact performance much unless your computer gets infected with a botnet client and starts trying to rapidly scan large blocks of IP addresses at once.

As for your DNS solution, make sure that the users’ computers are actually using your Mikrotik’s DNS proxy.
You can force it with a dstnat rule:
/ip firewall nat
add chain=dstnat protocol=udp dst-port=53 in-interface=lan action=redirect

Also - if you’re running DNS proxy, make sure your filter’s input chain will block DNS queries from the outside world, or else the hackers will find you and your box will be used in DNS amp attacks later on.

ConnectivityEngineer · December 29, 2015, 3:11pm

Good Point ZeroByte

Joshaven has a great solution for some RBL’s - i run locally to verify myself - and the above solution works -
Needs to get tweaked for v6 i think however

Zorro · December 29, 2015, 7:58pm

used that in past and its Really work.
but few advices:

increase DNS memory (in its option) in case of Fat tables)
instead of hand-crafted or manually-imported sites lists - write scripts than download, parse and then import adblock lists from popular society/community-managed ones. personally i was prefer(for sentimental purposes, perhaps) P Lowe list http://pgl.yoyo.org/adservers/
not forget to block outgoing DNS traffic, that may BYPASS you DNS filtering. usual for Chrome browser and some OS-level things. ie add firewall rules that filter it from forwarding.
consider adding malware domains to blocklist aswell. like this list http://www.malwaredomains.com/ for example.

bottom line: its may become memory-consuming. for example Lowe+malware-domain - around 22k domains and around 17Mb RAM for DNS. yeah, lack of L1 and L2 cache , IMC/RAM bandwidth - make you router bit slower, but you already prepared to sacrifice bit of that, do you ?

tefte · December 29, 2015, 10:31pm

i tried ConnectivityEngineer script, had some problem with making .rsc file, but did it manually. after firewall rule adding i can see that everything is in its place but still no luck and nothing is blocked

Zorro · December 30, 2015, 11:31pm

probably firewall rules that prohbit dns forwarding THRU your router - made incorrectly?
or there was applications using multicast, p2p dns replacements/wrappers, which is unlikely, but not enteriely uncommon thing.

deejayq · January 3, 2016, 11:22am

i would try blocking packets to dns servers based on a l7 filter like this
/ip firewall layer7-protocol
add name=ads regexp=“facebook|google|youtube”