Hi everybody,
I am trying to block the Facebook page on a MikroTik RB951G-2HnD. I used Google and found many manuals, but I cannot block FB. The MikroTik uses a bridge for ether2-ether5. Ether1 is the WAN port and uses masquerade. Here are my scripts for blocking the web page:
/ip firewall layer7-protocol> add name=facebook7 regexp="^.+(facebook.com).*$"
and
/ip firewall filter> add chain=forward src-address=192.168.0.0/24 layer7-protocol=facebook7 action=drop
Can I ask you for help? Thank you. Azi
If you really must do this, the best way is to block Facebook’s IP range.
https://developers.facebook.com/docs/sharing/webmasters/crawler
I do this with quite good results, like this:
/ip fire address-list add list=Facebook address=facebook.com
/ip fire address-list add list=Facebook address=facebook.de
and .ru, or whatever country you live in (.ru => Russia, .de => Germany, etc.)
and after that:
/ip firewall filter add chain=forward src-address=LAN-Address dst-address-list=Facebook action=drop
This is a quite good and simple solution that works from 6.37.1 or something like this (when they added dynamic address list updating).
You're not even close. Facebook has many names:
https://forum.mikrotik.com/posting.php?mode=quote&f=13&p=586318
I think he is pretty close.
Just use the link in the post and add those names.
Hi, thank you for your help. I found out my configuration was OK, but I didn't restart the RouterBoard. After the restart the RouterBoard was blocking the FB page.
Regards, Azi
Thank you very much, it worked perfectly. Adding the website to block dynamically added all the IPs of the page in question, and then with the rule in filter it is very easy to block an entire domain.
Running on 6.40.3 RB951G, greetings from Spain.
I do not use it to block Facebook, but porn pages; I do not want small children at home (or visitors, or the public wifi cafe, etc.) to see them. Obviously blocking all the pages is impossible; blocking the main ones that come out in the searches, I'm still at it xd :-))
But it is perfect to block a page in question such as Facebook or YouTube in an office so that employees are not distracted.
I personally do not get the block by layer 7 to work :-((((
Greetings from Spain, and keep working, people :)
PS: my first post
Temorizador
1. IP > Firewall > Layer7 Protocols, click +:
   - Name: Facebook
   - Regexp: ^.+(facebook.com).*$
2. Address List, click +:
   - Name: yasak
   - Address: 192.168.2.20-192.168.2.254
3. Firewall Rule, click +:
   - Chain: forward
   - In Advanced > Src. Address List choose yasak; in Layer7 Protocol choose Facebook.
   - In Action > Action choose reject; in Reject with choose icmp admin prohibited.
4. Last, IP > Pool: 192.168.2.21-192.168.2.254. If you want Facebook for some PCs, you can give them IPs manually, lower than 192.168.2.20.
If you want to add YouTube etc., repeat steps 1 and 3.
That is bad advice and will:
- not work properly
- slow down your router
MikroTik wrote a MUM presentation that gives excellent tips on that topic and others. Google “pdf” and “holy crusade”.
Basically, just drop dns requests containing key words (facebook, netflix and others). Simpler, faster, cheaper cpu wise.
Funny title but Yanis M. is quite the passionate guy
Regards,
Sent from Tapatalk
That doesn’t really work when browsers like Firefox will soon be defaulting to DNS over HTTPS.
Hi
Does anyone know a solution for blocking FB that really works? I found some tips over the Internet, but they are not working.
@AlainCasault: can you please send me a link or something for your recommendation.
10x
There is not really a 100% working solution.
The closest is blocking with TLS-HOST, because it works on HTTPS and does not consume too much CPU (at least not as much as L7 filtering, which is useless anyway when FB works over HTTPS).
presentation: https://youtu.be/XkKj9rj4quQ?t=1511
/ip firewall filter add chain=forward dst-port=443 protocol=tcp tls-host=*.facebook.com action=reject
Please, keep in mind that many websites use facebook oauth login and with this, you will cripple them. Is it worth it? (That is just rhetorical question, I don’t expect answer.)
ip > DNS > static > +
name=facebook.com
address=127.0.0.1
This does not prevent me from setting my own DNS in my host file. But if you at the same time redirect all DNS 53 to your server, it may help some.
But if I install DoH on my PC, I bypass this easily.
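Added example, not from any post in this thread: the address-list approach (6.37+), the tls-host rule and the DNS static entry combined into one RouterOS configuration, with an exempt list and logging so you can see in /log which LAN hosts hit the block. Assumed names: LAN 192.168.0.0/24, bridge interface bridge1, lists Facebook and fb-allowed, and 192.168.0.10 as the one exempt PC.

```routeros
# Added example (not from any post in this thread). Assumed: LAN 192.168.0.0/24,
# bridge "bridge1", address lists "Facebook" and "fb-allowed", exempt PC 192.168.0.10.

# 1. Address list resolved from FQDNs; RouterOS keeps the entries updated
#    dynamically. Add the country names you see in your own DNS logs.
/ip firewall address-list
add list=Facebook address=facebook.com comment="main domain"
add list=Facebook address=facebook.de comment="country domain (example)"

# 2. Hosts that may still reach Facebook (example value).
add list=fb-allowed address=192.168.0.10 comment="exempt PC (example)"

# 3. Filter rules, evaluated top-down in chain=forward:
#    accept exempt hosts first, then reject by TLS SNI (works for HTTPS
#    without an L7 regex), then reject by resolved address list.
#    Both reject rules log, so blocked clients show up in /log with a prefix.
#    Note: rejecting facebook.com also breaks "Login with Facebook" on
#    third-party sites, as pointed out above.
/ip firewall filter
add chain=forward src-address-list=fb-allowed action=accept \
    comment="exempt allowed hosts"
add chain=forward src-address=192.168.0.0/24 protocol=tcp dst-port=443 \
    tls-host=*.facebook.com action=reject reject-with=icmp-admin-prohibited \
    log=yes log-prefix="FB-SNI" comment="block by TLS SNI"
add chain=forward src-address=192.168.0.0/24 dst-address-list=Facebook \
    action=reject reject-with=icmp-admin-prohibited \
    log=yes log-prefix="FB-IP" comment="block by resolved address list"

# 4. DNS sinkhole plus forcing LAN clients through the router's resolver.
#    Only plain port-53 DNS is caught; clients using DoH/DoT bypass this,
#    as the last posts say, which is why rules 3 stay in place as well.
/ip dns set allow-remote-requests=yes
/ip dns static
add name=facebook.com address=127.0.0.1
add name=www.facebook.com address=127.0.0.1
/ip firewall nat
add chain=dstnat in-interface=bridge1 protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS through router"
add chain=dstnat in-interface=bridge1 protocol=tcp dst-port=53 \
    action=redirect to-ports=53
```

Rule order matters: if the filter chain already has an earlier accept-all rule for the LAN, move these rules above it, otherwise they are never reached.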