I am opening a new thread rather than reopening an old one. I need to block all internet traffic except some URLs, so I configured the firewall rules indicated in this thread:
that Mikrotik Support sent me, and it doesn't work. I can block all traffic on one computer, but the exceptions don't work. Do you see any issue in my firewall configuration?:
Thank you, but I don't like this option. I don't need to activate a HotSpot service, I only need to block the internet access of some computers on the current network, and add some exceptions. These computers are connected to a different switch (not Mikrotik) in the network; I can't activate HotSpot only on their ethernet connections.
As in the OP:
… action=drop chain=forward … protocol=tcp … src-port=443
this does NOT BLOCK DNS
Instead, the OP treats outgoing traffic as if it were incoming:
/ip firewall filter
… drop … forward … src-address-list=!WebsPermitidas src-port=443
It must be dst: destination address list and destination port!!!
How is it useless? I provided an alternate firewall rule that blocks all forwarded traffic from a single IP that is not in the address list. This would include any forwarded DNS requests.
So folks just live to be arrogant and rude I suppose…
Excuse me, I tried some options and didn't copy the correct rule (in the thread sent by Mikrotik Support, blocking all websites except some special ones, the solved answer uses "src-port" and "src-address-list"... why?... we don't know)
Sent by Mikrotik Support???
I do not see anyone in that topic from Mikrotik support,
and also that rule is useless for blocking outgoing connections,
because if any computer on your network tries to contact (for example) www.google.com,
the computer is establishing an outgoing connection with destination www.google.com,
not the opposite,
it is not www.google.com that initiates a connection to your internal devices (only then would it be the source).
@2frog, you are arrogant and you do not even know how DNS works;
these rules:
do not block DNS, which is mostly UDP; I rarely see TCP DNS requests.
The rule blocks only TCP; all other types of traffic, like QUIC (Quick UDP Internet Connection), are allowed and,
for example, using Chrome still permits reaching all sites that use QUIC.
Before calling the king of the arrogant arrogant, first look at what you wrote…
@anav, if done correctly, it can block all traffic to the destination IP; it can block everything: https, ping, ftp, everything.
The OP wants a method to block all except (for example) www.islonline.es.
Adding the FQDN (@cmartin, not the “URL”, that is another thing) to the address-list causes RouterOS to add the resolved IP to the address-list.
Blocking all outgoing (destined) traffic except the traffic directed to the own LAN, the RouterBOARD, DNS and the allowed address-list can do what the OP asks.
Please don’t make the language an obstacle to understanding, I’m not English.
I understood both times what you wrote,
but that doesn’t change what I wrote:
No post within the topic was created by a support user,
It is useless because it considers the remote site as the source of a new connection, instead of considering the PC as the source of the connection.
It wrote about URL, but on an address-list a URL cannot be set, only an IP or DN; this is absurd: "add address=your-webpage list=“Permited URL”"
Usually, when a new connection is made from a PC to a remote server (ignoring NAT and other frills):
chain: forward
protocol: tcp
src-address: 10.45.9.105
src-port: like random
dst-address: resolved www.islonline.es
dst-port: 80 or 443
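A RouterOS rule set that does what the posts above describe (match the PC as the source and the remote site as the destination, then drop everything from the restricted PC except its own LAN, DNS and the allowed address-list), written here as an added example and not a configuration from the thread. Assumptions: the restricted PC is 10.45.9.105 and the list WebsPermitidas comes from the thread; the LAN 10.45.9.0/24, the list name Restringidos and the use of an external DNS resolver are assumed.

```routeros
# Added example (not from the thread). Assumed: LAN = 10.45.9.0/24,
# list name "Restringidos" is a free choice, PC resolves names via an
# external resolver (traffic to the router itself is the input chain,
# not forward, so these rules do not touch it).

# 1. Address lists. Adding an FQDN makes RouterOS resolve it and keep
#    the resolved IPs in the list, so the accept rule matches by IP.
/ip firewall address-list
add list=WebsPermitidas address=www.islonline.es comment="allowed destination"
add list=Restringidos address=10.45.9.105 comment="PC whose internet is restricted"

# 2. Forward chain. Order matters: the accepts come before the drop.
#    The PC is always src-*, the remote server is always dst-*.
/ip firewall filter
add chain=forward src-address-list=Restringidos dst-address=10.45.9.0/24 action=accept comment="restricted PCs: own LAN"
add chain=forward src-address-list=Restringidos protocol=udp dst-port=53 action=accept comment="restricted PCs: DNS over UDP"
add chain=forward src-address-list=Restringidos protocol=tcp dst-port=53 action=accept comment="restricted PCs: DNS over TCP"
add chain=forward src-address-list=Restringidos dst-address-list=WebsPermitidas action=accept comment="restricted PCs: allowed FQDNs"
# No protocol= here: the drop covers TCP, UDP (so QUIC too), ICMP, everything.
add chain=forward src-address-list=Restringidos action=drop comment="restricted PCs: everything else"
```

Checking `/ip firewall address-list print where list=WebsPermitidas` should show the dynamic IP entries created from the FQDN; if the allowed site still does not open, that is the first thing to inspect.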