Block IP Range (facebook)

RouterOS General
1

Hey there guys. I have a question regarding blocking facebook, youtube and such.

I m administrating network in one VOIP (Call center company). I have blocked some IP range of facebook, YT etc (guide I found somewhere on Google) and it’s working really well.

Only problem I have is that I want to let my company director can still use those services on his computer.

Is there a way to allow one PC (mac or IP) not to go through these restrictions ? Something like making his IP static and adding some rule to bypass the address list and the blocked ip ranges ? So basically I want those rules to apply to whole network and not to his computer.

Thanks in advance,
Aleksandar aka hyp3R

2

If you tell us how you’ve set your router up to block these sites, we might be able to help you?

3

Sorry, forgot about it.

Address list (under firewall):

/ip firewall filter
add action=reject chain=forward comment="deny Facebook" disabled=no \
    dst-address-list=Block-Facebook reject-with=icmp-network-unreachable
add action=reject chain=forward comment="deny Youtube" disabled=no \
    dst-address-list=Youtube reject-with=icmp-network-unreachable
add action=accept chain=output content="530 Login incorrect" disabled=no \
    dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=drop chain=input disabled=no dst-port=21 protocol=tcp \
    src-address-list=ftp_blacklist
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    disabled=no protocol=tcp
add action=add-src-to-address-list address-list=trying_to_login \
    address-list-timeout=1d chain=input comment=remote_logins disabled=no \
    dst-port=20-23 protocol=tcp




/ip firewall address-list
add address=66.220.144.0/21 comment="Facebook block AS32934" disabled=no list=\
    Block-Facebook
add address=66.220.152.0/21 disabled=no list=Block-Facebook
add address=66.220.159.0/24 disabled=no list=Block-Facebook
add address=69.63.176.0/21 disabled=no list=Block-Facebook
add address=69.63.184.0/21 disabled=no list=Block-Facebook
add address=69.171.224.0/20 disabled=no list=Block-Facebook
add address=69.171.239.0/24 disabled=no list=Block-Facebook
add address=69.171.240.0/20 disabled=no list=Block-Facebook
add address=69.171.255.0/24 disabled=no list=Block-Facebook
add address=74.119.76.0/22 disabled=no list=Block-Facebook
add address=204.15.20.0/22 disabled=no list=Block-Facebook
add address=208.117.224.0/24 disabled=no list=Youtube
add address=208.117.225.0/24 disabled=no list=Youtube
add address=208.117.228.0/24 disabled=no list=Youtube
add address=208.117.229.0/24 disabled=no list=Youtube
add address=208.117.232.0/24 disabled=no list=Youtube
add address=208.117.233.0/24 disabled=no list=Youtube
add address=208.117.234.0/24 disabled=no list=Youtube
add address=208.117.238.0/24 disabled=no list=Youtube
add address=208.65.152.0/24 disabled=no list=Youtube
add address=208.65.153.0/24 disabled=no list=Youtube
add address=208.65.154.0/24 disabled=no list=Youtube
add address=64.15.112.0/20 disabled=no list=Youtube
add address=208.117.236.0/24 disabled=no list=Youtube
add address=74.125.96.0/19 disabled=no list=Youtube
add address=72.14.221.0/24 disabled=no list=Youtube
add address=84.53.128.0/18 comment=Redtube disabled=no list=Youtube
add address=87.248.192.0/19 comment=Youporn disabled=no list=Youtube
add address=216.155.128.0/19 comment=Redtube disabled=no list=Youtube
add address=208.73.208.0/21 comment=Redtube disabled=no list=Youtube
add address=66.55.140.0/23 comment=Redtube disabled=no list=Youtube

This is pretty much everything I’ve done. Now I want a certain user (my director) to bypass those rules and to be able to use any of those services.

4

create a new ‘whitelist’ address list, add your guy to that whitelist and then add a new filter rule to accept his connection. Make sure the whitelist rule is higher up in the order and it will then be accepted and skip the other rules.

The problem comes if someone figures you are doing it based on source Ip and then when the boss has gone home and he’s turned off his PC, they change their IP :slight_smile: But I guess you already got that covered, right? If not, consider locking his MAC address to that IP in the ARP table. Of course, if the bad guy then changes his MAC address as well…

5

So something like this:

 0   chain=forward action=accept dst-address-list=Director-Bypass




add address=192.168.0.235 comment=Vaso disabled=no list=Director-Bypass

Does this rule in address list has to be first in address list window ? Accept rule is first in filter list but do I have to make it first in address list too cause it seams I can’t drag it up ?

Also, do I need to add subnet mask to the ip address above ? I made his address static so I think it should work ?

6

Yes, except you’ve got dst-address instead of src-address, otherwise that should work. You are trying to match requests for access based upon the source of the request. In this case ‘Vaso’? The nat masquerade rule will automatically direct the traffic back to his PC. The rest of your blocking rules are testing for destination IP, which is still correct.

The address list has no importance of order. It only matches the name and the IP, it does not care where in the list it is. Just that it is there.

With the address list entry set to a /32 single IP, then yes, only that one IP will get through the block. If you do not enter a subnet mask, Mikrotik assumes you means /32.

if you slide the Director’s accept rule down the list of block rules, you can even make some types of sites blocked, those that are above his rule, but allow him to get to the remaining types, those below his rule. :slight_smile:

7

Exactly and thanks for pointing that out, I was thinking “Why did I put dst-address there”.

Yes, I want to make that address bypass it all so source address will do :slight_smile:.

Reason I can’t test it now is because I m home and office is not working at the moment so I m doing it remotely.

Once again, MikroTik forums are awesome as usual and I have to thank you for your help, really priceless.

Will inform you tomorrow if it works, but I m sure it will :0).

Thanks once again and wish you all the best!
Best wishes,
Aleksandar

8

If it works - don’t forget the karma :slight_smile:

If not, come back to us!

9

Karma added :slight_smile:, letting you know tomorrow!

Gonna get some rest, got a relief after solving this :slight_smile:.

Regards,
Aleksandar

10

Hi Guys, until yesterday this rules were working for me:

> add action = accept chain = forward src-address-List = Facebook_allow dst-address = 66.220.1.0/20
> add action = accept chain = forward src-address = Facebook_allow dst-address = 69.63.176.0/20
> add action = accept chain = forward src-address = Facebook_allow dst-address = 204.15.20.0/22
> add action = accept chain = forward src-address = Facebook_allow dst-address = 69.171.224.0/19 


> ip firewall filter add action = drop chain = forward comment = "Block Facebook" dst-address = 66.220.144.0/20
> Ip firewall filter add action = drop chain = forward  dst-address = 69.63.176.0/20
> Ip firewall filter add action = drop chain = forward  dst-address = 204.15.20.0/22
> ip firewall filter add action = drop chain = forward dst-address = 69.171.224.0/19

As you can see I made this rules to allow some user with privilege from accessing facebook and denying regular users. But now when everyone can access https:\facebool.com. Help!

11

I think that in your case HTTP facebook will work to, just as HTTPS do. Your rules are looking dst-addresses (facebook servers) and blocking the traffic (doesnt matter is it http or https, it will became matter e.g. if you are using web proxy). I think that you are not hitting the rules anymore, try to ping http://www.facebook from MKT or local computer and see what ip address is resolved, i am guessing that resolved ip is not from above ranges?

12

I think that in your case HTTP facebook will work to, just as HTTPS do. Your rules are looking dst-addresses (facebook servers) and blocking the traffic (doesnt matter is it http or https, it will became matter e.g. if you are using web proxy). I think that you are not hitting the rules anymore, try to ping > http://www.facebook > from MKT or local computer and see what ip address is resolved, i am guessing that resolved ip is not from above ranges?

Actually the ip resolved is 173.252.100.16 and I just checked http and shows me the same message :confused:

13

Didn't see that IP on your facebook IP address list. Anyway, I just want to share here how I setup my filtering and will use facebook as an example of the site to be filtered here since we're talking facebook as the subject.

My filter rule

1 ;;; block fb
chain=forward src-address-list=!fwall-x dst-address-list=fb
action=reject reject-with=icmp-network-unreachable

My Address list
IP addresses of facebook that I am curently blocking

LIST ADDRESS

0 fb 69.171.224.37
1 fb 69.171.242.11
2 fb 66.220.149.11
3 fb 66.220.158.11
4 fb 69.171.229.11
5 fb 69.171.224.53
6 fb 69.171.234.64
7 fb 66.220.146.94
8 fb 69.171.229.70
9 fb 66.220.149.88
10 fb 69.171.234.37
11 fb 69.171.234.21
12 fb 69.171.228.70
13 fb 69.171.229.74
14 fb 66.220.149.94
15 fb 69.171.228.74
16 fb 69.171.234.69
17 fb 66.220.146.101
18 fb 69.171.228.40
19 fb 69.171.224.64
20 fb 69.171.228.14
21 fb 66.220.147.88
22 fb 69.171.237.16
23 fb 69.171.237.32
24 fb 66.220.152.16
25 fb 66.220.158.70
26 fb 69.171.247.21
27 fb 69.171.224.36
28 fb 69.171.234.39
29 fb 69.171.228.72
30 fb 69.171.234.23
31 fb 69.171.237.20
32 fb 69.171.237.36
33 fb 69.171.229.18
34 fb 69.171.228.76

IP addresses of users that I want to have access to facebook

LIST ADDRESS

0 ;;; user1
fwall-x 192.168.1.11
1 ;;; user2
fwall-x 192.168.1.28
2 ;;; rdc
fwall-x 192.168.1.25


As you can see I've created two address-list group, one for facebook addresses that I'm blocking and one for users that I am allowing to access facebook.

I then added a filter rule that says, everyone that is trying to access facebook will be blocked except for the addresses listed in the address-list named fwall-x.

I'm doing it this way so I will only have a single rule on my filter list which is practically easier to manage/maintain. And if I want to remove or allow a user's access to facebook then I just have to add it to the allowed list. Also, if want to block additional facebook ip then I just have to add that ip address to the fb address-list group. Oh, don't forget that comment too as it will help you with identifying who has access to what.

Also, if you want to block the entirety of facebook this might interest you. Take note of the Network Resources section as you will see their assigned network block.

http://whois.arin.net/rest/customer/C02001848
http://whois.arin.net/rest/customer/C02107106
http://whois.arin.net/rest/customer/C02107153
http://whois.arin.net/rest/customer/C02156967
http://whois.arin.net/rest/customer/C02738182

Good luck!

14

Thanks!
I tried that but I still get server not found whenever I try to access :frowning: