Blocking web page

someone2 · August 15, 2020, 4:21pm

Hello
There are some ways for blocking a web page but i want to know which one is the best and most reliable?
For example l7 protocol is resource intrsive and it is not suggested in wiki mikrotik
Web proxy is another way but disabling web proxy is needed for router security as it is in wiki mikrotik( securing router)
Tls host is only for https and i dont know if it can be used for blocking http web pages.

pe1chl · August 15, 2020, 4:49pm

The best way is not to do it!

toxicfusion · August 16, 2020, 4:36pm

MikroTik webproxy is secure if properly configured. Although doesn’t work for SSL.

Suggestion is to use web based DNS filter.

I use ‘dnsfilter.com’

creatin · August 16, 2020, 10:49pm

I have a Huawei B715 LTE modem which has web filtering included, if I enable it for a specific website by simply entering domainame.com, that site will be blocked in seconds, why does it have to be so complicated with Mikrotik?

reinerotto · August 17, 2020, 6:02am

mikrotiks first of all are routers. All other functionalities are addons, usually good enough for average requirements.
However, for (ad-)blocking I use an openwrt-device. Which has many more possibilities.

pe1chl · August 17, 2020, 8:51am

Because you have not envisioned all the possible ways to circumvent that block, both intentional and unintentional. It is easy to “offer a block function”, it is much more difficult (more like: impossible) to make one that works all the time.

creatin · August 18, 2020, 10:28pm

It is working for all http and https addresses on Huawei, Mikrotik should offer a simple or simpler way to block access to web pages.

rooted · August 19, 2020, 12:04pm

It won’t work if it’s DNS based by someone simply specifying an alternative DNS, it won’t work otherwise by bypassing via VPN.

toxicfusion · August 19, 2020, 1:50pm

True, but moot point based on system/desktop security… If domain environment, can disable users from changing TCP/IP settings and installing 3rd party software.

Otherwise, to OP - Suggest using 3rd party solution or hardware, such as HTTP proxy inline on your network.

neutronlaser · August 19, 2020, 4:51pm

Use transparent DNS.

pe1chl · August 19, 2020, 5:10pm

Won’t help when users use DoH or DoT. You can block DoT but it will become impractical to block DoH.
(just like it is impractical to block all VPN options)

And then we are not even talking about the implications of blocking a website.
E.g.: You may want to block Facebook (e.g. to reduce the amount of time wasted inside a company keeping track of Facebook friends), but then you also block all “login using your facebook account” sites!
You may face similar issues when trying to block other sites that are part of a big conglomerate, e.g. Youtube blocking may affect functionality of unrelated other Google services.

May advise remains: The best way is not to do it!
Find other ways of making the users not access the webpage you don’t want them to access.