Block site and allow it for specific IP address?

Hello,
I need to block social sites like Facebook etc. for all users, but I need to allow the sites for 10.65.0.101. Tried two rules but it didn’t work.

Tried this:

/ip firewall filter
add action=drop chain=forward comment="Block Social Sites" layer7-protocol=\
    "Social Sites" src-address=!10.65.0.101

Tried this too:

/ip firewall filter
add action=accept chain=forward comment="Allow Social Sites" layer7-protocol=\
    "Social Sites" src-address=10.65.0.101
add action=drop chain=forward comment="Block Social Sites" layer7-protocol=\
    "Social Sites"

The device with IP 10.65.0.101 can’t access those sites. Mikrotik blocks social sites for all IPs.
Any idea please?
Thank you.

bump

As far as my knowledge goes, social sites, i.e. Facebook, are encrypted (HTTPS) and the router can’t see inside the packets.

It works because no device can access Facebook after applying those rules. So it works, but I need to allow those sites for 1 IP.

We don’t know what you have in your “Social Sites” filter, but your rule works for both directions, so if you allow packets with 10.65.0.101 as source, it’s not enough, you also need to allow packets with 10.65.0.101 as destination.

You must add firewall rules in the filter rules and allow src and also dst. Are you using a simple queue with a layer 7 protocol, and did you also set mangle rules? Because I used those rules to block HTTPS sites.
And these are my rules to allow a specific address:

ex:
1st rule
chain: forward
src: your specific ip
protocol: 6 (tcp)
action: accept

2nd rule
chain: forward
dst: your specific ip
protocol: 6 (tcp)
action: accept

Don’t forget to drag and drop them above your block rules; if not, these rules will not work.

Hope this solves your problem.

like this option bro, you can try this
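
The fix the replies above describe, written out as RouterOS commands (an added example, not posted by anyone in the thread). It assumes the "Social Sites" layer7-protocol entry from the question already exists and that the rules from the earlier attempts have been removed first, since `add` appends to the end of the chain.

```routeros
# Second attempt from the question, for comparison. Only packets whose
# SOURCE is 10.65.0.101 are accepted; packets travelling back to the host
# have it as DESTINATION, fall through, and hit the drop rule.
#   add action=accept chain=forward layer7-protocol="Social Sites" src-address=10.65.0.101
#   add action=drop   chain=forward layer7-protocol="Social Sites"

/ip firewall filter

# 1. Exempt matching traffic sent by the allowed host.
add action=accept chain=forward comment="Allow Social Sites from 10.65.0.101" \
    layer7-protocol="Social Sites" src-address=10.65.0.101

# 2. Exempt matching traffic returning to the allowed host.
add action=accept chain=forward comment="Allow Social Sites to 10.65.0.101" \
    layer7-protocol="Social Sites" dst-address=10.65.0.101

# 3. Everything else that matches the layer 7 pattern is dropped.
#    Rules are evaluated top to bottom, so this must stay below 1 and 2.
add action=drop chain=forward comment="Block Social Sites" \
    layer7-protocol="Social Sites"

# Confirm the order: both accept rules must be listed before the drop rule.
/ip firewall filter print where chain=forward

# Check the packet counters while testing from 10.65.0.101 and from another
# host: both accept rules should count for the exempt host, the drop rule
# for everyone else.
/ip firewall filter print stats where chain=forward
```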