Block all websites except one

Hello

I have a MikroTik router installed in a hospital. The hospital uses a hospital management system software from the cloud. I want to block all internet browsing except to that one site (Cloud Hospital Management System).

Any idea on how to do this please?

In the menu IP > Routes you see the WAN route with 0.0.0.0/0, and if you can change that, only traffic to that address will be routed. So do not create the default route in the WAN setup but define your own.

Two firewall rules: first one allows connections to hospital’s management system … second one drops all other connections.

It’s not this simple really, there are several connections and protocols which support connections to hospital’s management system, so when defining filter rules one has to take them all into account.

Or just do source nat for specific destination address only !

Can you be more explicit please. Maybe show some example.

Thanks

Can you post the rules?

Example?

Disable or delete the global NAT rule first, after that you can add:

/ip firewall nat add chain=srcnat dst-address=AAA:BBB:CCC:DDD action=masquerade out-interface=WAN

AAA:BBB:CCC:DDD - replace with the CHMS (Cloud Hospital Management System) IP address
for out-interface=WAN, replace WAN with the actual WAN interface name

If you have other networks, you must define src. addresses in this rule as well, and do not delete the global rule but define src. address exceptions in it!

Come on, “blocking” something by not really blocking it, but instead just letting packets go out with a wrong source address, is not what I’d call a good solution. Sure, it won’t work, because packets will either be dropped by something on the way, or even if not, the target won’t know where to send responses, so the mission will be accomplished. But wouldn’t it be better to really block it on your router?

Simple example (assumes that there’s a default firewall rule that allows established connections):

/ip firewall address-list
add address=<hostname> list=allowed
/ip firewall filter
add action=reject chain=forward dst-address-list=!allowed reject-with=icmp-admin-prohibited

You can add other hostnames if required. But the main question is whether even that will be enough, because the site can have other dependencies (external scripts, for example) and if it’s something dynamic (random hostnames for some CDN), there’s no easy way to allow them.

The web URL has a /
example www.*****.com/****

Therefore I can’t get the IP address of the URL.

RouterOS does not work with domains nor with URLs. That you can use domains is an extra built into RouterOS.

You have to state the IP address.

The basics are that the internet uses only IP addresses, and domain names make it easier to use instead of typing IP addresses.

Hey. You can create an address list with a domain name. The IP addresses will appear in your address list as dynamic records after the domain name resolves. Use this address list name with the “logical not” function of the firewall. Like:

/ip firewall filter add action=drop chain=forward in-interface=your_lan_interface dst-address-list=!your_site_address_or_address-list
(to match a whole interface list instead of one interface, use in-interface-list=your_interface_list in place of in-interface)
! - means not.
Make sure this rule is above the normal forwarding rule.
Also, the address list will always keep the domain addresses up to date with the help of the DNS servers in your Tik DNS settings.
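The two posts above (the reject rule with an `allowed` address list, and the dynamic domain-name address list) fit together into one small forward chain. The following is an added example, not configuration posted by anyone in this thread: it assumes the default `LAN` interface list exists, that `ether1` is the WAN interface, and that the cloud system is reached at the placeholder hostname `hms.example.com` (the real hostname and any additional static asset hostnames must be determined by the administrator). Clients are pointed at the router for DNS so that the addresses the router resolves into the list are the ones the clients connect to.

```routeros
# Added example (not from the thread). Placeholders: LAN interface list "LAN",
# WAN interface "ether1", service hostname hms.example.com, resolver <resolver-ip>.

# Let the router answer DNS for the LAN; the same resolver feeds the address list.
/ip dns
set allow-remote-requests=yes servers=<resolver-ip>

# Hostname entries are resolved by the router and kept as dynamic records.
/ip firewall address-list
add list=hms-allowed address=hms.example.com comment="cloud HMS front end"
add list=hms-allowed address=static.example.com comment="extra static asset host, if any"

/ip firewall filter
# LAN clients may query the router's DNS (input chain; place above any final input drop).
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="LAN DNS via router"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 comment="LAN DNS via router (tcp)"

# 1. Replies for sessions that were already permitted.
add chain=forward action=accept connection-state=established,related comment="established/related"
# 2. Anything the connection tracker considers invalid.
add chain=forward action=drop connection-state=invalid comment="invalid"
# 3. New sessions from the LAN only to resolved HMS addresses, web ports only.
add chain=forward action=accept connection-state=new in-interface-list=LAN out-interface=ether1 \
    dst-address-list=hms-allowed protocol=tcp dst-port=80,443 comment="LAN -> HMS web"
# 4. Log, then reject, every other new session from the LAN so blocked attempts are visible.
add chain=forward action=log connection-state=new in-interface-list=LAN log-prefix="HMS-BLOCK" comment="log blocked"
add chain=forward action=reject in-interface-list=LAN reject-with=icmp-admin-prohibited comment="reject everything else"
```

Rule order matters: the accept for `hms-allowed` has to sit above the reject, and the input rules for DNS above any existing input drop. Because the allow rule matches on addresses rather than hostnames, the log prefix `HMS-BLOCK` is the quickest way to find out which additional hostnames (CDN, script hosts) the site depends on: read `/log print where message~"HMS-BLOCK"` after a user opens the application, then add the stable ones to the list. Hosts with unpredictable CDN names cannot be handled this way, which is the limitation discussed further down in the thread.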

Yes, you can resolve domain names, but the original poster is asking about allowing a specific path on that domain (a URL). This will not work. RouterOS can’t do that.

I seem to be following you everywhere this morning (so I am behind in my schnapps consumption too).
Are you saying that resolving a domain in an address list is not possible in MT RouterOS, OR
that the OP’s question is not solvable AT ALL using MT equipment??

It seems a pretty legitimate type of request in this day and age of everyone using cloud services???

I want to block all internet browsing except to that one site

I think he meant blocking Internet browsing pretty clearly.

Okay, so there is no way to only limit internet browsing via firewall rules, IP route rules, or src-nat / dst-nat rules?

In other words, it is not possible to limit a network to a cloud address for work via browsers.

Are you supposing that the only way to do this is to use a dedicated app for this software on the PCs, for example, and not load any browsers on the PC?

What ways would work and what would one need?

Yes and no. You can forget about allowing only individual URLs, because nowadays you have to assume that everything uses https. So far it’s possible to filter by hostname with tls-host, but soon that will go away too. You’re left with just IP addresses. You can use an address list to resolve hostnames to addresses, and it can be enough in some cases. If you know that you only need access to www.example.com, it’s easy (look at my previous post). If the website uses a few other static hostnames to download stuff from (scripts, images, …), add them to the list and it will work. But if it’s unpredictably using seemingly random addresses like xc-1sd-aasdj.adas.ad.asd.somecdn.tld, it’s difficult to do anything with that.

This whole thing would be better done somewhere else and on a different level. Not on the router and not with IP addresses. Especially in a place like a hospital, I’d rather not give anyone there direct access to the internet, only to some proxy server that would see hostnames and would be able to filter by them. It would still not solve the problem with unpredictable CDN addresses, but at least it would be easier to allow the whole somecdn.tld. And most importantly, it could log all requests, so the admin would be able to see what users are trying to do. And deal with troublemakers.

Blah blah blah some external proxy vomitage…
So to connect through the internet to cloud-based software/server, a credible institution requiring adequate security should provide access to said software to a plethora of ‘dummies’ basic users via servers specially dedicated to this service?

How does this service get to the internet, through a router?

So when this server traffic hits the MT router, what rules would apply?

I am useless for most things MT and even worse at technical solutions involving other equipment, but let’s give the OP some hope please!!

From what I see, the OP’s description is sort of vague. The OP also skipped my previous helpful post, so we don’t know how much that solution would not work. It’s even possible that it could be enough; external dependencies were not brought in by the OP (it’s just that it’s a pretty common thing to have).

Let the topic starter choose one of the options, and then he can ask again if he wants to complicate his scheme.