Good afternoon, could you help me with how I can configure blocking TikTok on a network by configuring mangle in the firewall filter? I managed to block TikTok, but there are some pages that do not open, and Google Drive or OneDrive does not open the files that are shared with me when I create the rule.
Hi, and welcome to the forum!
I had similar issues with other websites, with the same level of, er, success. Turns out that it’s pretty much impossible to block websites that sport the https prefix, and they have multiple IPs which you have to know in order to block each one, which 99.9% do. But not to worry…
I found NextDNS became my friend in this regard. They block stuff off at the DNS level. Works pretty well. You just need to configure the web dashboard and apply the IPv4/6 DNS addresses in your router and you’re set to go.
I suggest you have a look-see. Might be what you’re after.
Note: It works until the application starts to embed DNS queries inside HTTPS traffic to bypass your DNS.
Nowadays, from smartphone software to various operating systems, virtually all of them use DoH or DoQ by default, making any attempts to intercept DNS requests useless and futile.
And then, with a VPN that activates with a single click (or automatically), no one can do anything about it;
if the devices are connected, they connect as they please.
Then, if someone is willing to spend thousands of ¤ to buy professional equipment dedicated to this purpose, that's another matter entirely...
Agreed in most part…
For me, I find NextDNS does an outstanding job filtering websites and other crap (like ads). It’s good to have it working at router level. I wouldn’t be without it now.
Having said that, your point regarding VPNs is entirely valid. It’s where the likes of NextDNS fall down. But, tech being tech, probably not too far in the future someone will come up with a cunning plan to arrest the VPN issue.
In the meantime, parents in particular can only do what they can do. If the kids are young enough, they can monitor their devices and keep VPNs off. Just becomes more tricky in the teenage years.
If you have users that actively try to bypass your blocks, blocking is impossible.
If not, force users to use the built-in DNS server and add a static entry to null out tiktok.com.
I forgot, a server doesn't just do that anymore; almost all of them are content distribution servers not tied to any particular company...
So by brutally blocking TikTok's IPs (which bypasses the DNS issue, but not the VPN one), you're also blocking other services that serve other, unexpected purposes...
@gabicho the best that can be done with ROS is to block common DoH DNS servers (there are lists that can be fetched into an address list for blocking), block DNS ports to the WAN for clients, and block TikTok domains with your own DNS server; maybe a list can be found which is maintained by someone and can be used as a DNS adblock list.
Blocking IP addresses (except DoH IPs) is not advised here; as already pointed out above, it can block other sites (or their content) which use the same network (a CDN, for example) with the same public IP. Such networks can have many public IPs for load balancing, but they are not bound to the FQDN used by a particular site (they use a reverse proxy to access the site content).
Unfortunately, all this will not be useful when a network user uses a VPN and DNS over it.
- Deny ports 443 and 80 on NAT
- Enable the proxy on MikroTik
- Configure WPAD in your network to automatically configure clients to use your proxy. That means running a wpad website with a configuration script written in an ancient dialect of JavaScript.
- On the proxy you could disable various domain names by a glob
Proxy: Proxy - RouterOS - MikroTik Documentation
WPAD: https://en.wikipedia.org/wiki/Web_Proxy_Auto-Discovery_Protocol
Before writing, did you do any research (not with Artificial Deficiency), or do you have any idea what you're writing about? IPv6, HTTPS, etc.?
Quote of the week or month.
We have an image of the original programmer's notes:
https://upload.wikimedia.org/wikipedia/commons/5/57/Cuneiform_script.jpg
the original programmer's notes
Just obfuscated code. Nothing fancy.
original programmer
He stole the job from my ancestor...
IPv6,
I haven’t tried this idea with IPv6. Most probably it should still be possible, if the MikroTik proxy supports IPv6.
HTTPS
There is no problem with HTTPS if you only need to block by host.
The client uses the CONNECT method ( CONNECT request method - HTTP | MDN ):
CONNECT www.google.com:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.6456
Host: www.google.com
Proxy-Connection: Keep-Alive
Everything after it is, of course, encrypted. The proxy can’t do any MITM here, but since the host is perfectly visible, the MikroTik proxy can deny it, and it works.
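As an added illustration of the point above (example code, not from the thread or from RouterOS): a forward proxy only needs the cleartext CONNECT line to decide by host, and it never touches the TLS bytes that follow. The blocklist suffixes and the sample request heads are constructed for the example.

```python
"""Host-based deny for HTTPS CONNECT requests, as a proxy sees them.

The CONNECT request head is plain HTTP, so the target host is visible even
though everything after the 200 response is encrypted TLS the proxy cannot read.
"""
from __future__ import annotations
from typing import Optional

# Constructed blocklist: an exact host or any subdomain of it is denied.
BLOCKED_SUFFIXES = ("tiktok.com", "tiktokcdn.com")


def parse_connect(head: bytes) -> Optional[tuple[str, int]]:
    """Return (host, port) from a CONNECT request head, or None if the head is
    not a well-formed CONNECT. Only the request line is needed for the decision."""
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if method != "CONNECT" or not version.startswith("HTTP/1."):
        return None
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return host.lower().rstrip("."), int(port)


def is_blocked(host: str) -> bool:
    """Exact match or subdomain (www.tiktok.com yes, nottiktok.com no)."""
    return any(host == s or host.endswith("." + s) for s in BLOCKED_SUFFIXES)


def proxy_response(head: bytes) -> bytes:
    """Status line the proxy answers with. On 200 a real proxy opens the tunnel
    and relays bytes unchanged; it has no way to inspect the TLS payload."""
    parsed = parse_connect(head)
    if parsed is None:
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    host, _port = parsed
    if is_blocked(host):
        return b"HTTP/1.1 403 Forbidden\r\n\r\n"
    return b"HTTP/1.1 200 Connection Established\r\n\r\n"


# Constructed request heads mirroring the one quoted in the post.
SAMPLE_ALLOWED = (b"CONNECT www.google.com:443 HTTP/1.1\r\n"
                  b"Host: www.google.com\r\nProxy-Connection: Keep-Alive\r\n\r\n")
SAMPLE_BLOCKED = (b"CONNECT www.tiktok.com:443 HTTP/1.1\r\n"
                  b"Host: www.tiktok.com\r\n\r\n")
```

Note that this only works while the client is actually sending CONNECT to the proxy; a client that ignores WPAD, or one that tunnels through a VPN, never presents the host to it at all.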
There is no problem with HTTPS
Do not simply read the "S", but TLS 1.3 (with ECH or not, it doesn't matter for now)...
The RouterOS proxy is not so up to date for IPv6 or TLS 1.3, but when TLS 1.3 is supported everywhere, then ECH is the problem...
Etc. Etc. Etc.
Same problem, it does not support QUIC or HTTP/3...
How significant is the CPU performance impact when implementing Layer7 protocol filtering on MikroTik RouterOS devices, particularly for blocking high-traffic applications like TikTok? Are there specific RouterOS models or configurations where this becomes a critical bottleneck?
The L7 filter is useless for encrypted traffic such as that over HTTPS and QUIC.
Still, the browser will use HTTPS if QUIC is blocked…
Regarding MITM proxies, yes, they can run in containers or elsewhere on the network, but for HTTPS inspection the proxy will need to decrypt and re-encrypt traffic with its own certificate, which then needs to be trusted in the client OS/browser, and this is not suitable for all scenarios; usually it is implemented like that if the devices on the network are managed or users are forced by some company policy to trust the certificate used by the MITM proxy.
P.S.
As I understand the OP, the topic question is about blocking with the features ROS provides, not with ANY software feature which can inspect HTTPS and can be run in a container or elsewhere.