Find a list of known TOR edge IP addresses, then create an IP address list with those addresses.
Then make rule #1 in the forward chain = drop packets dst-address-list=TOR_ROUTERS
Yes, that article has some useful information, and is exactly the solution you want, except that the address list must be very out of date indeed - the author states that they are using ROS version 3.x
You’ll have to parse that somehow - the easiest way to do it pseudo-manually is to copy/paste into Excel, using the | character as field delimiter, and then having a column which = concatenate(“add list=tornodes address=”,a1) and then copy/paste the values into the terminal window after typing /ip firewall address[enter]
Yuck - if you know anything about scripting, (I don’t think Mikrotik scripting is going to be useful for this) with php, perl, etc, you could probably automate this a little more.
I see there are a million IPs in the list; are they all TOR BROWSER IPs? If I put all of them in an address list, will MikroTik block Tor’s traffic for sure?
Is there any way to create commands for all these IPs and put them in the MikroTik?
Or should I create them manually with /ip firewall / add bla bla and put the IPs in by hand?
Like I said, copy/paste the IP list into Excel, then make sure Excel splits the data into columns using the | character.
Then create a new column which uses the concatenate() function to combine the standard “add address-list=tor address=” with the contents of the leftmost column. Slide that formula down the column (click the little black square at the bottom right of the cell when you have it selected) and then drag the selection to the end of the list. This will apply the formula to all rows.
Then copy the cells which now show the ROS commands…
Go into Mikrotik, delete the TOR list and then manually type /ip firewall address [enter]
Then paste the results from Excel.
Again - you might find a better source for this data or else write a perl/php/python/etc script to automate this task.
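As an added example (not posted by anyone in this thread), here is the kind of script the previous post suggests instead of the Excel step. It reads a relay list in either format mentioned above (one IP per line, as the dan.me.uk torlist gives it, or |-delimited rows with the IP in the first field), skips blank, comment and malformed lines, removes duplicates, and emits RouterOS commands that rebuild the address list and add the forward-chain drop rule from the first reply. The list name `tor`, the rule comment and the sample rows are my own choices; the sample addresses are documentation ranges, not real relays.

```python
"""Generate RouterOS commands for a Tor relay block-list (added example)."""
import ipaddress
import sys
from typing import Iterable, List

# Constructed sample input (documentation-range addresses, not real relays).
# It mixes the two formats discussed above: |-delimited rows with the IP in
# the first field, and bare one-IP-per-line entries. It also contains a
# duplicate, a blank line, a comment and a malformed row to show the filtering.
SAMPLE_LIST = """\
# constructed sample, not a real relay list
198.51.100.7|relay-a|9001|9030|EFR|3d|0.4.8.1|none
198.51.100.7|relay-a-dup|9001|9030|EFR|3d|0.4.8.1|none
203.0.113.21
not-an-ip|broken|row

2001:db8::42|relay-v6|443|0|ER|1d|0.4.8.1|none
"""


def extract_ips(lines: Iterable[str]) -> List[str]:
    """Return the unique, valid IP addresses found in the list, in file order.

    Each line is either a bare address or a |-delimited row whose first field
    is the address; anything else (blanks, comments, garbage) is skipped.
    """
    seen = set()
    result: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        field = line.split("|", 1)[0].strip()
        try:
            addr = str(ipaddress.ip_address(field))  # also normalises IPv6 text
        except ValueError:
            continue  # malformed row: skip it rather than feed junk to the router
        if addr not in seen:
            seen.add(addr)
            result.append(addr)
    return result


def routeros_script(ips: Iterable[str], list_name: str = "tor") -> str:
    """Build a script to paste into a RouterOS terminal.

    IPv4 and IPv6 entries go to separate menus because /ip firewall
    address-list only accepts IPv4; the IPv6 ones need /ipv6 firewall.
    The old list is removed first so a re-import does not accumulate stale
    relays, and the drop rule is only added if an identical one is absent.
    """
    ips = list(ips)
    v4 = [ip for ip in ips if ipaddress.ip_address(ip).version == 4]
    v6 = [ip for ip in ips if ipaddress.ip_address(ip).version == 6]
    out: List[str] = []
    for menu, addrs in (("/ip", v4), ("/ipv6", v6)):
        if not addrs:
            continue
        out.append(f"{menu} firewall address-list")
        out.append(f"remove [find list={list_name}]")
        out.extend(f"add list={list_name} address={ip}" for ip in addrs)
        out.append(f"{menu} firewall filter")
        out.append(
            f":if ([:len [find chain=forward dst-address-list={list_name} action=drop]] = 0) "
            f"do={{ add chain=forward action=drop dst-address-list={list_name} "
            f'place-before=0 comment="drop traffic to Tor relays" }}'
        )
    return "".join(line + "\n" for line in out)


if __name__ == "__main__":
    # Usage: python tor_blocklist.py torlist.txt > tor.rsc   (or pipe the list on stdin)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else sys.stdin
    with source:
        sys.stdout.write(routeros_script(extract_ips(source)))
```

Paste the output into a terminal session, or upload it as a .rsc file and run `/import`. Re-running the script after fetching a fresh list replaces the whole address list, which is the point of the `remove [find list=tor]` line; the `:if` guard keeps the drop rule from being duplicated on each refresh.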
Your posted site actually contains a link to an IP-only list.
You can also fetch > https://www.dan.me.uk/torlist/ > for a list of ips only, one per line - updated every 30 minutes. Ideal for constructing your own tor banlists.
(I didn’t actually study the TOR site list too carefully myself because I’m not actually interested in blocking TOR myself - heck, I’m likely to be someone who USES it.)
It’s only evil if you use it to hide criminal activities…
Keeping the boss’s middlebox from snooping on web browsing habits - or keeping the NSA out of your web browsing, that’s the kind of use for me - not to go get access to illegal things on the “deep web”
(unrelated- I had my router’s IPv6 firewall connections screen open, and just saw a udp packet sent to google on port 443.
Weird)
Yes, I didn’t want to change the topic, but just noting that:
If you try Hotspot Shield you would notice that you have high SENT and RECEIVED but you are not using the internet.
It’s weird too.
I’m trying to make a PHP script to create the firewall commands for me automatically, just to upload the list of IPs,
but if I block all these IPs, are you sure that “TOR browser will die totally”?
Also, I think users are using free VPN connections to bypass the firewall that we created. Is there a possible way to block any port or something that will “DROP” all VPN connections?
For example, users find a free VPN on Google and go to “My Network Places” > “Create new connection”, and there are two options like PPPoE and VPN, so they choose VPN and use free VPNs to connect and pass our firewall.
My question is: how do I block VPN tunnel traffic in MikroTik???
Whatever port number and protocol the VPN uses - make a firewall rule that blocks it.
If the user is motivated enough, and skillful enough, then you’re fighting a losing battle. They can always switch to different ports and use protocols like SSL, because you cannot simply “block all SSL”.
It’s better to have a policy and if the user violates policy, block them from your network.
I think no one cares as much as I do in this situation. I tried to block them, no luck. Sometimes it’s good to block it in an internet cafe, but because of losing customers I didn’t go further. I think you can block them in your domain via some group policy or your computers’ firewall, but it’s really easy to bypass that.
Probably the most reliable way is to intercept DNS, use a server that has policies, and won’t give out the IP address of domains that you want blocked. DNS is unencrypted, so you could still do packet inspection to match (and drop) DNS on non-standard ports. You can map all DNS to your “policy-based” server, or ONLY allow DNS to that server…
I just put https://173.252.88.66/ into my browser. It gave me a certificate warning, and then forced me to the host by name anyway, so I’m betting Facebook won’t work if you took away the DNS… Turn off DNS on your computer and type in that IP address and see if it works… (now I’m curious)
Any user smart enough to use the hosts file / direct IP address is going to be smart enough to get around anything you do, and will most likely consider it to be a challenge and will go out of their way to defy your filters on purpose - just like climbing a mountain.
Ban this one user, or accept the fact that they’re surfing facebook against the rules. Let the filtering capture 99.9% of your users, and live an easier life.