Blocking Blogspot.com?

Hello.
I would like to block the users in my network from accessing their private blogs on blogspot.com, since it turns out they spend most of their time there, and this angers the boss quite a bit.
Anyway, I’ve tried the solution of adding blogspot.com to the address list and then dropping the traffic from it, but still, the subdomains are working.

How can I block it entirely?

Look at DNS filters like Pi-hole.

Just add blogspot.com to the address list so it’s resolved to an IP, then block that in the FW. It should work regardless of DNS, unless they fire up a VPN…

IP addresses can change. It is a nice way to keep chasing your tail…
Something like Pi-hole or an alternative capable of blocking DNS names seems to be the most practical solution.

VPN will not prevent this either. Then that also needs to be blocked?

Emh.. blogspot is resolved, but it has subdomains, which are the private blogs, on a network with 65,000 possible IPs.

Like @holvoetn suggested, a DNS server like Pi-hole is the most practical solution.

But if you want to use the MikroTik device itself…
Try blocking the traffic via Layer 7 (https://www.youtube.com/watch?v=mcJbY8dvDJc)

It’s not perfect… and performance will suffer..
But it may solve your problem!

Basic example:

/ip firewall filter
add action=add-dst-to-address-list address-list=blogspot address-list-timeout=none-dynamic chain=forward comment="Identify blogspot Servers (blogspot)" protocol=tcp tls-host=*blogspot*
add action=add-dst-to-address-list address-list=blogspot address-list-timeout=none-dynamic chain=forward comment="Identify blogspot Servers (blogger)" protocol=tcp tls-host=*blogger*
add action=drop chain=forward comment="Drop: All Traffic to blogspot-Servers" dst-address-list=blogspot

I read Layer 7 filtering can indeed be quite performance hungry.

Wild question…
Would Pi-hole running in a Docker container on ROS 7.1rc4 be less of a performance hit?
I have it as a Docker container on a Synology NAS. It doesn’t have much processor impact, from what I can see.

Well, keep it running on your NAS?
This is how I run it over here, Pi-hole on my 918+ NAS, running fine for years now.
DNS traffic on the MikroTik is intercepted and delivered to the Pi-hole in case some client has hardcoded IPs (e.g. notoriously Google) and wants to resolve directly…

The remark was not for me, but meant as an alternative: use a separate device to avoid Layer 7 filtering.

Thank you very much, guys, for trying to help! :slight_smile:
I appreciate all of the answers.

I am going to try this Layer 7, but what do you mean by “it may be performance hungry”?
Will my router start to slow down, or.. what shall I expect?

(btw, I tried the filter rules but they don’t seem to work: no counters are triggered and blogspot isn’t blocked)

It means you will have to be smart with your firewall rules!


If possible, post your firewall config and I’ll make a suggestion.

@holvoetn,

An RB5009UG+S+IN with a Pi-hole container is a very nice solution!!
Especially for SMEs who don’t have servers and have low requirements,
like for example restaurants, hairdressers, bakeries, a shrink’s office, kindergartens, etc..

A bit off topic,
but as soon as I get my 5009, I want to try and run a small 3CX server.
It would be an amazing solution to replace the AVM Fritz!Box or other all-in-one routers.



/ip firewall> filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 
 2    chain=input action=drop connection-state=invalid log=no log-prefix="" 
 3    chain=input action=accept protocol=icmp log=no log-prefix="" 
 4    chain=input action=accept protocol=tcp in-interface-list=WAN dst-port=1723 log=yes log-prefix="PPTP>" 
 5    chain=input action=accept protocol=gre in-interface-list=WAN log=no log-prefix="" 
 6    chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 
 7    chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec 
 8    chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec 
 9    chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix="" 
10    chain=forward action=accept connection-state=established,related,untracked log=no log-prefix="" 
11    chain=forward action=drop connection-state=invalid log=no log-prefix="" 
12    chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix="" 
13    ;;; BLOCK FACEBOOK
      chain=forward action=drop dst-address-list=block-facebook log=no log-prefix="" 
14    ;;; BLOCK BLOGSPOT
      chain=forward action=reject reject-with=icmp-admin-prohibited dst-address-list=BLOCK-Blogspot log=no log-prefix="" 
15    ;;; BLOCK INSTAGRAM
      chain=forward action=drop dst-address-list=BLOCK-Instagram log=no log-prefix="" 
16    ;;; BLOCK Tik-Tok
      chain=forward action=drop dst-address-list=BLOCK-TikTok log=no log-prefix=""

Good Evening,

Your firewall is very simple and has only 3 filtering categories:
Internet -> Router (Input)
Internet -> LAN (Forward)
LAN -> Internet (Forward)


Step 1: L7 filtering (identifying servers)
The best place to implement the L7 filtering is usually in LAN -> Internet.
In your case it should be rules #13 and #14 (before "BLOCK FACEBOOK").


/ip firewall filter
add action=add-dst-to-address-list address-list=blogspot address-list-timeout=none-dynamic chain=forward comment="Identify blogspot Servers (blogspot)" connection-state=new out-interface-list=WAN protocol=tcp tls-host=*blogspot*
add action=add-dst-to-address-list address-list=blogspot address-list-timeout=none-dynamic chain=forward comment="Identify blogspot Servers (blogger)" connection-state=new out-interface-list=WAN protocol=tcp tls-host=*blogger*

Step 2: Blocking traffic from blogspot
You can filter, i.e. drop, the blogspot connections in "LAN -> Internet" or "Internet -> LAN" (or theoretically both).
Most people block via the "Internet -> LAN" filtering.
If performance is an issue, you may want to look at blocking the upload instead ("LAN -> Internet").

Example: Block LAN -> WAN

/ip firewall filter
add action=drop chain=forward comment="Drop: Blogspot (LAN --> WAN) " connection-state=related,new dst-address-list=blogspot out-interface-list=WAN

Example: Block WAN -> LAN

/ip firewall filter
add action=drop chain=forward comment="Drop: Blogspot (WAN --> LAN) " connection-state=related,new in-interface-list=WAN src-address-list=blogspot

Step 3: Integrate the block lists
If, and only if, performance is an issue,
it may help to have only 1 address list for Facebook, Blogspot, Instagram, TikTok and co.,
and use only 1 firewall rule to block unwanted services instead of 5+.

Thank you for spending time trying to help me! :slight_smile:

Well.. I did this, but still, the counters never trigger. Here’s a screenshot:

Here, for instance, is this blog, which is not affected in any way by the changes:
https://olympiacos-blog.blogspot.com

Thank you for the link, it helped a lot!

Problem #1: L7 filter rules
I tried to be smart and only have the L7 filter check “new” connections… This was a mistake!

/ip firewall filter
add action=add-dst-to-address-list address-list=blogspot address-list-timeout=none-dynamic chain=forward comment="Identify blogspot Servers (blogspot)" out-interface-list=WAN protocol=tcp tls-host=*blogspot*

add action=add-dst-to-address-list address-list=blogspot address-list-timeout=none-dynamic chain=forward comment="Identify blogspot Servers (blogger)" out-interface-list=WAN protocol=tcp tls-host=*blogger*

Problem #2: Firewall block rules
I never had to block in both directions before, but here it is necessary.

If it helps, a view of the firewall I used:
(screenshot: 20-10-_2021_23-47-52.png)
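Added example, not from this thread and not MikroTik code: a Python model of what a tls-host style Layer 7 matcher actually inspects, built around a constructed TLS ClientHello. It shows why the rule in Problem #1 never fired: conntrack marks only the SYN as "new", and the SYN carries no TLS payload; the ClientHello with the SNI is the first data segment and arrives on an already established connection. The glob matcher, the packet sequence and the connection states are simplifications assumed for the example. One caveat the thread does not raise: the rules are protocol=tcp, so HTTP/3 over QUIC (UDP/443) is never seen by them.

```python
"""Added example (not from the forum thread, not RouterOS code): model of a
tls-host style matcher over the client side of one HTTPS connection.
All packets below are constructed for the example."""
import struct
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record carrying one SNI entry."""
    name = host.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name       # name_type host_name(0)
    name_list = struct.pack("!H", len(server_name)) + server_name
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list   # extension server_name(0)
    body = (
        b"\x03\x03"                                  # legacy_version TLS 1.2
        + bytes(32)                                  # random (zeros; constructed data)
        + b"\x00"                                    # session_id: empty
        + b"\x00\x02\x13\x01"                        # cipher_suites: one suite
        + b"\x01\x00"                                # compression_methods: null
        + struct.pack("!H", len(sni_ext)) + sni_ext  # extensions block
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body     # client_hello(1), 3-byte len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record


def extract_sni(payload: bytes) -> Optional[str]:
    """Return the SNI host_name of a TLS ClientHello record, or None when the
    payload is empty, not a ClientHello, truncated, or has no server_name extension."""
    if len(payload) < 5 or payload[0] != 0x16:                       # content_type handshake
        return None
    hs = payload[5:5 + struct.unpack("!H", payload[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                                  # handshake type client_hello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                                      # skip version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                              # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]              # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                              # compression_methods
    if pos + 2 > len(body):
        return None                                                   # no extensions at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        ext = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0x0000 or len(ext) < 2:
            continue
        list_end, p = 2 + struct.unpack("!H", ext[:2])[0], 2
        while p + 3 <= min(list_end, len(ext)):                       # entries: type(1) len(2) name
            name_type = ext[p]
            name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
            name = ext[p + 3:p + 3 + name_len]
            p += 3 + name_len
            if name_type == 0 and len(name) == name_len:
                return name.decode("ascii", errors="replace")
    return None


def tls_host_matches(pattern: str, host: Optional[str]) -> bool:
    """Glob match in the spirit of the RouterOS tls-host matcher ('*blogspot*').
    Assumed for this example: case-insensitive, since hostnames are."""
    return host is not None and fnmatchcase(host.lower(), pattern.lower())


def connection_packets(host: str) -> List[Tuple[str, bytes]]:
    """Client-side packets of one HTTPS connection as a stateful firewall
    classifies them: (connection-state, TCP payload). Constructed sequence."""
    return [
        ("new", b""),                               # SYN: creates the conntrack entry, no payload
        ("established", b""),                       # final ACK of the TCP handshake
        ("established", build_client_hello(host)),  # first data segment: the ClientHello
    ]


def rule_fires(pattern: str, host: str, only_new: bool) -> bool:
    """Would 'add-dst-to-address-list ... tls-host=<pattern>' ever fire on this
    connection? only_new models adding connection-state=new to the rule."""
    for state, payload in connection_packets(host):
        if only_new and state != "new":
            continue
        if tls_host_matches(pattern, extract_sni(payload)):
            return True
    return False


if __name__ == "__main__":
    blog = "olympiacos-blog.blogspot.com"
    print("SNI seen by the matcher:", extract_sni(build_client_hello(blog)))
    print("rule with connection-state=new fires:", rule_fires("*blogspot*", blog, only_new=True))
    print("rule without connection-state fires: ", rule_fires("*blogspot*", blog, only_new=False))
```

The two `rule_fires` calls reproduce the thread's before/after: with `only_new=True` the matcher only ever sees the empty SYN and never adds anything to the address list, which is exactly the "no counters triggered" symptom; without the state restriction the ClientHello is inspected and the destination is listed.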

Oh lords. I think it worked!
I am stupid. I just needed to move the identifiers a bit higher.

THANK YOU ConnyMercier !!! <3

No problem!!

Maybe post some feedback in a couple of days!
I would like to know if you see any performance degradation with the new L7 rules.