Block many websites

Hello community,

I am in search of a solution to my problem and I would like to ask some questions first.
I would like to block access from my LAN to a list of websites (around 1000) which I have in an Excel file.

I know there are some ways to block websites like Layer 7 or Web proxy etc.
So my main question is if I can use a MikroTik device, how efficient it will be, and which way you think would be better.

The other question is if I can somehow easily import the list I have in an Excel file into the MikroTik device, or do I need to make a script?

I don't want the solution, I just want directions.

Thank you

L7 will kill your router, and is very inefficient. You can also block by IP address, that would be much easier and faster, if most of those websites have a known list of fairly static IP addresses.

Thanks Normis,

By IP you mean to block the IP addresses of websites in Firewall->Filter Rules, right?

I'll try that

/ip firewall address-list
add address=facebook.com list=blocked_web
add address=youtube.com list=blocked_web
add address=whatever.com list=blocked_web
etc. (continue the list from your Excel table)

Add this to block them all.
/ip firewall filter
add action=reject chain=forward comment="Block Web Sites" dst-address-list=blocked_web reject-with=icmp-network-unreachable

Simple as that

That is indeed very simple, but unfortunately it will not work correctly!
One IP address can handle multiple websites, so when you block this way you will block other sites as well.

Well, then in that case you can do a DNS block

/ip dns static
add address=127.0.0.1 regexp=facebook.com
etc

And in order to enforce MikroTik as DNS so users can't use any other, I use

/ip firewall filter
add action=drop chain=forward comment="BLOCK OTHER DNS SERVERS" disabled=yes dst-address=!192.168.1.244 port=53 protocol=tcp
add action=drop chain=forward disabled=yes dst-address=!192.168.1.244 port=53 protocol=udp

Where .244 is the IP of my MikroTik serving as DNS server.
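The original question was how to get ~1000 domains from a spreadsheet onto the router without typing them in by hand. The script below is an added example for this thread (not MikroTik code and not posted by anyone above): it takes a one-column CSV export of the spreadsheet, normalizes and de-duplicates the domains, writes a `.rsc` file containing both the address-list entries from the first reply and the DNS static entries from the reply above, and, for the "one IP hosts many sites" caveat, reports domains that resolve to the same address so you can see which IP-based rules would overblock. The CSV sample, the `FAKE_DNS` table and the `blocked_web` list name are constructed for the example; the resolver is injectable so that the offline sample runs, and `socket.getaddrinfo` can be passed in for real use. The DNS regexp is anchored so that `example.com` also matches `www.example.com` but not `notexample.com`; the dots are escaped as `\\.` because RouterOS unescapes `\\` to `\` inside a double-quoted string.

```python
"""Build a RouterOS .rsc import file from a one-column CSV of domains.

Added example for the forum thread; it is not MikroTik code. Assumes the Excel
sheet was saved as CSV with the domain in the first column (optional header).
Import the result on the router with: /import file-name=blocked_web.rsc
"""
import csv
import io
import re
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample standing in for the CSV export of the spreadsheet.
SAMPLE_CSV = """domain
example.com
www.Example.com
example.net.
http://example.org/some/path
bad domain!
example.com
"""

# Hostname syntax: labels of 1-63 chars, no leading/trailing hyphen, at least one dot.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)


def normalize(raw: str) -> Optional[str]:
    """Lowercase, strip scheme/path/port/trailing dot; None if not a valid hostname."""
    s = raw.strip().lower()
    s = re.sub(r"^[a-z]+://", "", s)          # drop http:// etc.
    s = s.split("/", 1)[0].split(":", 1)[0]   # drop path and port
    s = s.rstrip(".")                         # drop trailing FQDN dot
    return s if DOMAIN_RE.match(s) else None


def load_domains(csv_text: str) -> Tuple[List[str], List[str]]:
    """Return (unique valid domains in file order, raw cells that were rejected)."""
    seen, valid, rejected = set(), [], []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row:
            continue
        cell = row[0]
        if cell.strip().lower() == "domain":  # optional header row
            continue
        d = normalize(cell)
        if d is None:
            rejected.append(cell)
        elif d not in seen:
            seen.add(d)
            valid.append(d)
    return valid, rejected


def emit_rsc(domains: List[str], sinkhole: str = "127.0.0.1",
             list_name: str = "blocked_web") -> str:
    """Render address-list entries and DNS static sinkhole entries as RouterOS CLI."""
    lines = ["/ip firewall address-list"]
    for d in domains:
        lines.append(f"add address={d} list={list_name}")
    lines.append("/ip dns static")
    for d in domains:
        # Regex (^|\.)example\.com$ ; written with \\ because RouterOS unescapes
        # "\\" to "\" inside a double-quoted string.
        pattern = "(^|\\\\.)" + d.replace(".", "\\\\.") + "$"
        lines.append(f'add address={sinkhole} regexp="{pattern}"')
    return "\n".join(lines) + "\n"


def shared_ip_report(domains: List[str],
                     resolve: Callable[[str], List[str]]) -> Dict[str, List[str]]:
    """Group domains by resolved address; keep only addresses shared by >1 domain.

    Any domain listed here would be overblocked by an IP/address-list rule
    (and so would every other site on that address)."""
    by_ip: Dict[str, List[str]] = defaultdict(list)
    for d in domains:
        for ip in resolve(d):
            by_ip[ip].append(d)
    return {ip: ds for ip, ds in by_ip.items() if len(ds) > 1}


# Constructed resolver so the example runs offline (documentation-range addresses).
FAKE_DNS = {
    "example.com": ["198.51.100.10"],
    "www.example.com": ["198.51.100.10"],
    "example.net": ["198.51.100.10"],
    "example.org": ["203.0.113.5"],
}


def fake_resolve(domain: str) -> List[str]:
    return FAKE_DNS.get(domain, [])


if __name__ == "__main__":
    domains, bad = load_domains(SAMPLE_CSV)
    print(emit_rsc(domains))
    print("rejected rows:", bad)
    print("shared addresses (IP blocking would overblock):",
          shared_ip_report(domains, fake_resolve))
```

For the real spreadsheet, read the CSV with `open(path).read()` in place of `SAMPLE_CSV`, write `emit_rsc(...)` to `blocked_web.rsc`, upload it to the router and run `/import file-name=blocked_web.rsc`. If you only want one of the two sections, delete the other loop; the shared-IP report is the check to run before committing to address-list rules.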

New and exciting way to block things introduced in latest 6.41, block by SSL certificate name with TLS-HOST:

/ip firewall filter add action=drop chain=forward protocol=tcp tls-host=*facebook.com

What about sites that don't use SSL? Or does the site's SSL certificate need to be named the same as the site? How reliable is that?

Sites without SSL you can block in other ways already. And also, there aren't many sites without SSL.
Can you name an example of a popular site that has an SSL certificate issued for a different domain? I don't think that is even possible.

Hi!!! I believe that it can work by configuring your MikroTik and your network to work with OpenDNS; on that site you can block anything, and you really need to do extra things in the MikroTik, for example denying any proxy communication, denying any VPN port, denying UltraSurf and doing a dst-nat to force any DNS request sent to a different server and redirect it to the OpenDNS server.

I have in mind OpenDNS but I would like first to try a more "MikroTik" solution.
The list does not contain very common websites like Facebook, Google etc., so most of them have only one IP.
I will try that and see if it suits me.

Btw,

I tested it and it does not match any traffic. I tried some variants of the command provided but couldn't find something working.

Anyway, thank you all for your ideas and knowledge.

MikroTik made a MUM presentation that might help you with that. Look for the title "my holy war against masquerade". It helped me a lot!!

What do you mean by that? Can you give me an example of an IP address that handles more than one website?

Read this: https://httpd.apache.org/docs/2.4/vhosts/examples.html
It should explain to you a bit what a virtual host for WWW is.
IMHO all hosting companies share one IP for many sites. There are not enough IPv4 addresses to host each possible WWW site with its own address.

Thanks BartoszP

Ditto here!!

/ip firewall filter
add action=log chain=forward log-prefix="====================" protocol=tcp tls-host=*.facebook.com

Not matching anything. Normis, am I doing something wrong??

I think you need to apply those matchers in the mangle chain, to set a mark on the connection, and then use a filter in the forward chain to block packets for those marked connections.
This is because such matches operate on “peeking into a session” and by the time they identified the traffic, it has already passed through.
You cannot drop the actual TLS exchange, but you can drop the further traffic when you have marked the connection.

ivicask gave the simplest and most complete solution to the problem. Also works for https-sites, of course.

Hi Normis, I have tested this but Facebook still opens

Hi, try with this:

/ip firewall filter add action=reject chain=forward comment="Reject FB" protocol=tcp reject-with=icmp-network-unreachable tls-host=*.facebook.com

Same for v6:

/ipv6 firewall filter add action=reject chain=forward comment="Reject FB" protocol=tcp reject-with=icmp-no-route tls-host=*.facebook.com