Firewall Advice

Hi all

We have a MikroTik RB2011 board and we are using it as a hotspot solution for users in our network. My boss wants me to block all social media applications and sites from 08:00 till 13:30 every day for some users, and I don't want to use the proxy feature in MikroTik to achieve that. The problem is that I didn't manage to block the Facebook app, the WhatsApp app and the Google+ app, and the users can access those sites from their cell phones using their apps.

Any ideas how can I accomplish this?

thanks…

Anyone guys?

I don't know about the hotspot part, but generally you can either find the address ranges used by a given service and block access to them, or do your blocking using DNS.

The trouble with the first one is that people want to block e.g. YouTube, so they find Google's networks, block them and then they get terribly disappointed, because they have blocked all of Google's services.

DNS blocking may be more selective. The first level is to set static DNS records in your resolver, pointing to either your own server with info about the blocking, localhost or some blackhole. But people will just configure their devices to use some other resolver. So the next level is to either block the "bad" DNS queries using an L7 filter, or hijack all DNS and force it to go to your resolver. And people will just get the address from elsewhere and connect anyway. Or they'll find some proxy.

Even if you somehow manage to block access in your network, people will just use their mobile devices with their own internet connections and play with any site they want, instead of working. So the whole blocking is kind of pointless.
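The two approaches described in the reply above (address-list blocking, and DNS blocking in its "static record" and "force or filter the queries" levels), written out as RouterOS CLI for an RB2011 used as a hotspot. This is an added example, not configuration posted in the thread. The list names (`social`, `social_block`), the profile name `restricted`, the user `alice`, the interface and the address `10.0.0.1` are assumptions, and the prefixes on the address list are placeholders, not the real ranges of any service:

```routeros
# Added example, not from the thread. All names and addresses are placeholders.

# 1. Which users are restricted. A hotspot user profile can add the address of
#    every logged-in user of that profile to an address list, so "some users"
#    becomes "members of the social_block list". alice is a hypothetical user.
/ip hotspot user profile add name=restricted address-list=social_block
/ip hotspot user set [find name=alice] profile=restricted

# 2. Address-range blocking. The prefixes are ILLUSTRATIVE placeholders; take the
#    real ones from the provider's published ranges. Blocking a whole provider
#    network (e.g. Google's) also blocks every other service it hosts.
/ip firewall address-list add list=social address=203.0.113.0/24 comment="facebook (placeholder prefix)"
/ip firewall address-list add list=social address=198.51.100.0/24 comment="whatsapp (placeholder prefix)"

# Drop only in the working window and only for listed users. The time matcher is
# start-end,days; 8h-13h30m is 08:00 to 13:30. log=yes shows what actually hits it.
/ip firewall filter add chain=forward src-address-list=social_block dst-address-list=social action=drop time=8h-13h30m,sun,mon,tue,wed,thu,fri,sat log=yes log-prefix="social-drop:" place-before=0

# 3. DNS blocking, first level: static answers from the router's resolver.
#    An exact name is selective (plus.google.com only, google.com untouched);
#    a regexp also catches subdomains. 10.0.0.1 is assumed to be a local web
#    server with a "blocked" page; use 127.0.0.1 to blackhole instead.
/ip dns static add name=plus.google.com address=10.0.0.1 comment="blocked page (assumed target)"
/ip dns static add regexp=".*\\.(facebook|fbcdn|whatsapp)\\..*" address=10.0.0.1

# 4. Second level, for clients that switch to another resolver. Either force
#    their DNS to the router (a hotspot already installs a dynamic DNS redirect
#    for its own clients, so this rule matters for other segments) ...
/ip firewall nat add chain=dstnat src-address-list=social_block protocol=udp dst-port=53 action=redirect to-ports=53
# ... or match the queried name with an L7 pattern and drop the query. A plain
#    substring match works because the service name is a single DNS label.
/ip firewall layer7-protocol add name=social-dns regexp="facebook|fbcdn|whatsapp"
/ip firewall filter add chain=forward src-address-list=social_block protocol=udp dst-port=53 layer7-protocol=social-dns action=drop time=8h-13h30m,sun,mon,tue,wed,thu,fri,sat place-before=0
```

The drop rules must sit above any permissive forward rules (hence `place-before=0`), and the static DNS answers only help clients that actually use the router's resolver, which is why step 4 exists. Check `/log print where message~"social-drop"` during the window to confirm the rules see traffic from the intended users before tightening further.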

Thanks for your reply. I did what you suggested about collecting the addresses of certain sites (facebook, whatsapp, youtube, etc…) and then used an L7 rule to drop all traffic to this address list. The problem is that I successfully achieved the dropping of all traffic to these sites, but I didn't manage to block these sites' apps! I did some research about that, and I didn't manage to find any solution to deny let's say (whatsapp) only for a certain user.

Thanks again,

My point was that you can't win this war. Even if you completely lock down your network, it won't force people to spend their work time doing efficient work. But you can surely keep trying.

If you want to block something, install it on your device and watch what exactly it does. In other words, a packet sniffer is your friend. You'll see what DNS queries it sends, to what addresses or networks it connects, and so on. If you catch it right, you can block it. It most likely won't last forever, but at least for a while it can help.
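The "watch what the app does" step from the reply above, done with the RB2011's own tools instead of an external sniffer. This is an added example, not something posted in the thread. `192.0.2.50` is a hypothetical test phone with the app installed, `wlan1` is an assumed hotspot interface, and the list name `social` and the final prefix are placeholders for whatever the capture actually shows:

```routeros
# Added example, not from the thread. 192.0.2.50 = hypothetical test phone, wlan1 = assumed interface.

# What names does the app resolve? Only visible if the phone uses the router's
# resolver (a hotspot redirects client DNS there, so normally it does).
/ip dns cache print where name~"facebook|fbcdn|whatsapp"
# Everything the resolver has answered, for names you don't know yet:
/ip dns cache all print

# What does the phone connect to right now, per destination and port:
/tool torch interface=wlan1 src-address=192.0.2.50/32 port=any

# The same from the connection table (src-address is "ip:port", hence the anchor):
/ip firewall connection print where src-address~"^192\\.0\\.2\\.50:"

# Full capture of the phone's traffic for Wireshark. file-limit is in KiB.
/tool sniffer set filter-interface=wlan1 filter-ip-address=192.0.2.50/32 file-name=app.pcap file-limit=1000KiB
/tool sniffer start
# ... use the app on the phone for a minute, then:
/tool sniffer stop
# Per-endpoint summaries on the router itself; app.pcap is under /file for download.
/tool sniffer protocol print
/tool sniffer connection print

# Turn what was observed into a rule. The prefix is a PLACEHOLDER for the one the
# capture showed; the comment records where it came from, because app endpoints
# move and the list will need refreshing.
/ip firewall address-list add list=social address=203.0.113.0/24 comment="seen from whatsapp app in sniffer capture"
```

Two things to expect when doing this: the app's DNS queries usually reveal the service even when the addresses are spread over large CDN ranges, so the DNS-based rules are often the more durable result of a capture; and the addresses seen in one session are rarely the complete set, which is the "won't last forever" part of the advice.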