Blocking sites

I’m looking at the instructions given here:

http://wiki.mikrotik.com/wiki/User_talk:Ashish

and specifically this line:

/ip firewall filter chain=input in-interface= src-address=0.0.0.0/0 protocol=tcp dst-port=8080 action=drop

I understand the concept, but I am wondering about the “” interface - is that an actual IP address or an interface description like ?

Would make sense for it to be because the IP of the WAN port can dynamically change.

Thanks for any clarification you might have on this.

Correct, you would use the Ethernet interface connected to your WAN.

Yes, it’s the interface name (e.g. “ether1-gateway”) as you guessed. Given that most SOHO routers get the IP address for the external interface via DHCP, the interface name is generally more stable. For example:

add action=drop chain=input comment="Drop anything else aimed at the router from outside" disabled=no in-interface=ether1-gateway

OK, been playing with this and have noticed that if the page I am trying to block (itunes) is already in the browser’s cache, the request goes through.

Is this expected behavior?

I am on a satellite internet connection and need to limit guest users’ activities that use large amounts of bandwidth.

Actually, upon further investigation, it isn’t just the fact that the page may be in the browser cache, it’s something else.

Can anybody explain why if you have a DENY on content :itunes in a transparent proxy access rule, it doesn’t work on www.itunes.com? Looks like that site does an immediate redirect to:

http://www.apple.com/itunes/?cid=OAS-US-DOMAINS-itunes.com

which also has :itunes in the URL, but it goes through anyway.

Other proxy blocks on :netflix, :youtube work as expected.

Thanks for any insight.