Content Filter Options for Mikrotik

(I did a search for content filter on forum and google before writing this post. All the google results are for landing pages of companies that sell this service)

So, we’ve been using OPNSense on Protectli boxes for a while without too many problems, and with a variety of content filtering options that are available for that platform.

I’m strongly considering switching to being a Mikrotik shop, especially with native Wireguard support. But the primary thing stopping me is a viable content filtering solution, whether it’s paid or not. I don’t care if it costs money, I’m not paying for it, end users are.

That being said, we’ve been using Sensei/ZenArmor on the OPNSense platform and it works pretty good for the most part.

What options are there for managed content filtering / etc, and does anyone know if either of them are any good?

Our requirements are as follows:

  1. White/Black list IP Ranges and Domains
  2. Category-style content filtering, with multiple profiles, and a way to use the captive portal to elevate permissions beyond a default profile, which is of course used by default if a person does not log in to the captive portal. Blocking should function on a DNS level as well as an actual site/content level if possible. If I just wanted a DNS-based solution, there are TONS of those out there. Over the years we have used about 4 different ones, and they have been poor at best. Phishing / malicious website protection would be necessary, including stopping 0-day phishing sites and malicious sites, etc.
  3. A configuration for NOT requiring a portal login to use the default profile is required, so that our remote software and a small subset of websites -always- work without login. If I have to start explaining to people that they have to open a browser and log in or accept a splash page every so often, just so I can remote in and help them figure out why they can’t use the internet (ohhh, because you didn’t log in to the portal), I will lose my mind, lol.
  4. Config backups to the service, pulled from the Mikrotik, would be nice, so I don’t have to hook our Mikrotiks into multiple services and pay multiple people to manage each Mikrotik.
  5. Notifications when a RouterOS upgrade is available would be nice but not required.

Thanks,
Matt

Does anyone have any thoughts?

Having done various “flavors” of custom DNS, similar to OpenDNS, for WISPs, not willing to pay royalties because of commercial use, I do not completely understand your requirements,
and your criticism that the 4 different DNS-based content filtering solutions you used were not good enough.
Why is OpenDNS not good enough?
Also, you are mixing up Captive Portal (CP) functionality with Content Filtering.
CP like coova-chilli (among the best) has nothing to do with Content Filtering, but both functionalities can be combined, of course.
As a note, I consider MT’s CP not very well suited for above-average requirements, but that is another story.

reineretto,

DNS based content filtering is just not ideal for a multitude of various reasons.

The primary being that you have different levels of access required by different groups of people.

Employees can hardly go to any websites, but there are some categories / types that they need.

Supervisors, who need more websites and categories and such.

Then owners, who don’t want anything blocked for them.

There are very few providers that allow this type of different filtering inside a single organization, and the ones that do are prohibitively expensive.

There was a Mikrotik solution that I saw in my travels a couple of months ago, but I can’t remember the name of it for the life of me.

It hooked in and did content filtering, packet inspection, remote config tunnel, config backup and everything, and it was reasonably priced.

Thanks,
Matt

I did several variants of what you are talking about, however, on a commercial basis, either built into OpenWrt devices or server-based.
Feel free to contact me at my address augustus_meyer at yahoo.de for details.

If you are an enterprise, spending the money to lock down workstation access to just about anything is possible, and it is done, for big bucks!!
You can go relatively cheap, pennies per day, and do something like https://itexpertoncall.com/additional_info/moabpre.html
Want to pay more? Go for https://axiomcyber.com/shield/

Add DNS-based content filtering and be happy. Searching for the content filtering holy grail on the cheap is a fool’s errand.

AdGuard for example… FREE…

Default servers
If you want to block ads and trackers.
IPv4:
94.140.14.14
94.140.15.15
IPv6:
2a10:50c0::ad1:ff
2a10:50c0::ad2:ff

Family protection servers
If you want to block adult content, enable safe search and safe mode options wherever possible, and also block ads and trackers.
IPv4:
94.140.14.15
94.140.15.16
IPv6:
2a10:50c0::bad1:ff
2a10:50c0::bad2:ff
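As an added example (not from any poster in this thread), this is how the AdGuard family servers listed above would be applied on RouterOS, together with the white/black list of domains and IP ranges asked for in requirement 1 of the opening post. The interface list names LAN and WAN, the address-list name and the sample entries blocked.example, allowed.example and 198.51.100.0/24 are assumptions constructed for illustration; the `type=NXDOMAIN`, `type=FWD` and `match-subdomain` options of static DNS entries are assumed to be available, as in RouterOS v7.

```routeros
# Added example, not the thread's own config. Assumes RouterOS v7 and that
# interface lists named LAN and WAN already exist. Sample names and ranges
# below are constructed for illustration only.

# 1. Use the AdGuard "family protection" resolvers from the post above and
#    let LAN clients query the router itself.
/ip dns
set servers=94.140.14.15,94.140.15.16 allow-remote-requests=yes

# 2. Domain black list: answer NXDOMAIN for the name and all subdomains.
#    Domain white list: forward the name to the unfiltered AdGuard server
#    (94.140.14.14, also from the post above) instead of the family filter.
/ip dns static
add name=blocked.example type=NXDOMAIN match-subdomain=yes comment="blacklist (constructed example)"
add name=allowed.example type=FWD forward-to=94.140.14.14 match-subdomain=yes comment="whitelist (constructed example)"

# 3. IP range black list: drop forwarded traffic to listed ranges.
/ip firewall address-list
add list=blocked_ranges address=198.51.100.0/24 comment="constructed example range"
/ip firewall filter
add chain=forward dst-address-list=blocked_ranges action=drop comment="drop traffic to blacklisted ranges"

# 4. Send LAN DNS queries to the router's resolver even when a client has a
#    hard-coded DNS server, so the filter is applied. This covers plain
#    port 53 only; encrypted DNS (DoH/DoT/DoQ) is a separate problem.
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 action=redirect to-ports=53
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 action=redirect to-ports=53

# 5. allow-remote-requests=yes would otherwise make the router an open
#    resolver; drop DNS arriving from the WAN side.
/ip firewall filter
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop
```

The two input-chain drop rules must sit above any general accept rule in the input chain to take effect, and the forward drop must precede any established/related accept that would otherwise let the flow through. This covers a single filtering profile; the per-group profiles from the opening post would need a separate resolver or policy per group (for example, different DHCP-handed DNS servers per VLAN), which this fragment does not attempt.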

Looking at his opening post, I don’t think his use case is considered “Enterprise” ===> “I’m not paying for it, end users are”
If true content-filtering is required, Mikrotik is probably the wrong product.

My question is only one: with the extreme, friendly, and versatile use of VPN, DoT, DoQ, DoH, DDoS (eh…), ICMP tunnel, UDP hole punching, etc.

Why bother to do all this?

Throw out the money and buy an ultra-expensive product for deep packet inspection, and MAYBE at that point, a little something, you can block it…

EXACTLY!!! Either you use an enterprise approach, with edge routers handling DDoS and content filtering and Barracuda routers handling all email needs, etc.
Or use available free DNS sites that provide some level of functionality and marry that to the two options I noted above for blocking access to bad sites, and that’s GOOD ENOUGH!
or
keep wasting your time.