Hi, good day!
I just want to ask if there is a way to block Discord using an address list and then a filter rule. I have tried it, but there is no traffic passing on the filter rule. TikTok and Facebook are in the address list, but Discord is nowhere to be found. Has anyone tried this? Or is there another, faster way?
One cannot block apps with MT…
Thank you for the reply. Do we have a workaround?
Get an expensive router with expensive services and use their APP Patrol/control
Okay, thank you. So the simple answer is there is no workaround to block apps in my mkt.
You ‘may’ be able to block some stuff via L7 rules:
https://help.mikrotik.com/docs/display/ROS/Layer7
May require some sleuthing to get all required domains blocked, and it's not always going to be perfect. Easily worked around with something like a VPN.
Asking over and over won’t change the facts. MT doesn’t have DPI and ROS can’t decrypt SSL. Everything else is easily circumvented at this point, because traffic is encrypted now, including DNS. Even very expensive enterprise proxy/firewall solutions aren’t 100% effective these days (they do block most commercial VPN providers though).
L7 requires too much CPU on a fast connection. If the list for web blocking mentioned above was made using content in the firewall, AFAIK it only works with a browser connecting to said website via DNS. It will not work for apps, unless browser based.
For a partial solution, you would need to make your own list by using the app and blocking ranges used by Discord from a whois. You will have false positives, and the block may be bypassed anyway at some point. Have fun trying…
Did you try blocking it at the DNS level, e.g. by creating a “mangle” rule which will add the IPs of the corresponding DNS names (discordapp.com, discord.com, discord.gg, discord.app.com, discordapp.net) to an address list (call it “discord”) when called from a client, and then blocking access to hosts listed in this address list via a firewall rule?
I had time to waste and checked my theory - blocking the two ranges used by Discord at my location in raw, and no more Discord. Simple solution - the app loads with a blank screen. Using an address list (from content strings) doesn’t block the app completely even if the addresses are part of those ranges - no idea why, but new messages aren’t shown (there’s an error message after a while). It’s a chrome app over https…I learned something.
Obviously, the block is bypassed with a VPN. So there’s your workaround @achillesg…
If the “address list” requirement can be relaxed, I see a couple more options.
With the built-in DNS, it is possible to create domains that will return “NXDOMAIN”, and this can be applied to all subdomains. This will prevent resolution of all the Discord URLs. With the built-in proxy (untested), it may be possible to have a deny-list of domains, including wildcards. In this case, this must be a non-transparent proxy to see the CONNECT messages for TLS, as SSL interception is not possible with MikroTik.
As Moba wrote, there are plenty of ways to defeat or work around this.
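
The two approaches described in the thread (a DNS-name address list with a drop rule, and NXDOMAIN static DNS entries), written out as RouterOS configuration. This is an added example, not part of any post above; it assumes RouterOS v7 syntax, uses domain names mentioned in the thread, and the list name "discord" and the comments are illustrative.

```routeros
# Added example. Options A and B are alternatives, not meant to be combined.

# Option A: address list built from DNS names, then a drop rule.
# RouterOS resolves a domain name given as "address" and keeps the
# resulting IPs as dynamic entries. Only the exact names listed are
# resolved, so subdomains and CDN hosts the app uses are not covered.
/ip firewall address-list
add list=discord address=discord.com comment="block discord"
add list=discord address=discordapp.com comment="block discord"
add list=discord address=discord.gg comment="block discord"
add list=discord address=discordapp.net comment="block discord"

# The drop rule must sit above any accept rule that would match the same
# traffic, otherwise its counters stay at zero.
/ip firewall filter
add chain=forward dst-address-list=discord action=drop comment="block discord"

# Option B: built-in DNS answers NXDOMAIN for each domain and all of its
# subdomains. Only affects clients that resolve through the router;
# encrypted DNS or a VPN on the client bypasses it, as the thread notes.
/ip dns static
add name=discord.com type=NXDOMAIN match-subdomain=yes comment="block discord"
add name=discordapp.com type=NXDOMAIN match-subdomain=yes comment="block discord"
add name=discord.gg type=NXDOMAIN match-subdomain=yes comment="block discord"
add name=discordapp.net type=NXDOMAIN match-subdomain=yes comment="block discord"

# Verification: check that the list is populated and the rule is counting.
/ip firewall address-list print where list=discord
/ip firewall filter print stats where comment="block discord"
```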