Hotspot: block some users from entering websites?

Hello,
I wanted to know if I can limit a user in the hotspot from entering websites / downloading .avi files,
and let another user be able to download everything?

For example,
in the hotspot:
user: danny won’t be able to enter Facebook or download AVI files
user: david will be able to do everything (like an admin)

Thanks,

Using layer7 firewall rules, you can inspect HTTP content… But not HTTPS content, like Facebook.

The only things you can do with HTTPS content are either

  1. Block the entire set of IPs that the domain is associated with… Which can sometimes have the side effect of blocking additional sites. Notable examples are Gmail, Google Drive and YouTube, all of which share the same set of IPs.
  2. Drop any DNS queries that request the blocked site (or return a “fake” catch all site of yours that notifies about the block)… Which can be bypassed by users if they enter the IP and domain in their “hosts” file. Average users don’t know how to do that, but if they have a geek buddy to do it for them (which they’re likely to look for at that point…), said buddy will help them with it.


    If matching only HTTP content is enough for you, then the way you can do per-user filtering is to first detect the user with the firewall, and then using a layer7 rule, detect if they’re accessing the particular thing you want to block, and block it if so.

To detect the user, set an address list on their profile with

/ip hotspot user profile set "danny's profile" address-list=limited

Then create a rule that would match HTTP content you want blocked, e.g. for AVI files I think the following should work:

/ip firewall layer7-protocol add name=avi regexp="[A-Z]+ \\S+\\.avi HTTP/\\d+\\.\\d+\\r?\\n"

After this is done, in the firewall, check the user’s address list, and on a match, jump to a custom chain where you check the content rules:

/ip firewall filter add chain=forward src-address-list=limited action=jump jump-target=limited-checks

In the custom chain, do

/ip firewall filter add chain=limited-checks layer7-protocol=avi action=drop
/ip firewall filter add chain=limited-checks action=return
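The following is an added illustration, not part of the forum answer above and not MikroTik code: it replays the answer's logic (address-list check, jump to a custom chain, layer7 regexp on the first bytes of the stream) in Python over a few constructed request streams, so you can see which traffic the rules would drop and why an HTTPS request for the same file is invisible to them. The hotspot IPs, the 2 KiB inspection window and the case-insensitive matching are assumptions made for the example; the regexp is the answer's, written with `\r?\n` so it also matches the CRLF line ending HTTP/1.x actually uses.

```python
import re

# Layer7 regexp from the answer above. HTTP/1.x request lines end in CRLF,
# so "\r?\n" is used instead of a bare "\n". IGNORECASE mirrors the
# case-insensitive matching assumed for the RouterOS layer7 matcher.
AVI_REQUEST = re.compile(rb"[A-Z]+ \S+\.avi HTTP/\d+\.\d+\r?\n", re.IGNORECASE)

# RouterOS layer7 only inspects the beginning of a connection; this example
# assumes a window of 2 KiB of stream data (assumption, not a RouterOS value).
L7_WINDOW = 2048

# Constructed stand-in for the "limited" address list that the hotspot
# profile fills in when danny logs on (hypothetical addresses).
LIMITED_ADDRESS_LIST = {"10.5.50.10"}   # danny
OTHER_USER = "10.5.50.20"               # david, not in the list


def layer7_matches(stream: bytes) -> bool:
    """chain=limited-checks layer7-protocol=avi: does the stream look like an HTTP AVI request?"""
    return AVI_REQUEST.search(stream[:L7_WINDOW]) is not None


def forward_decision(src_ip: str, stream: bytes) -> str:
    """Mimic the forward chain: src in "limited" -> jump limited-checks -> drop on avi, else return."""
    if src_ip in LIMITED_ADDRESS_LIST:
        if layer7_matches(stream):
            return "drop"
        # action=return: fall through to the rest of the forward chain
    return "accept"


# Constructed sample streams (not captured traffic).
HTTP_AVI = b"GET /videos/clip.avi HTTP/1.1\r\nHost: example.test\r\n\r\n"
HTTP_HTML = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
HTTP_AVI_BARE_LF = b"GET /videos/clip.AVI HTTP/1.0\nHost: example.test\n\n"
# Abbreviated, constructed TLS ClientHello: record header, handshake header,
# then the server name. The request line ("GET /videos/clip.avi ...") travels
# inside the encrypted application data, so the matcher never sees it.
TLS_HELLO = b"\x16\x03\x01\x00\x40\x01\x00\x00\x3c\x03\x03" + b"\x00" * 32 + b"example.test"


def demo() -> dict:
    """Decision for each (user, stream) pair; returned so it can be checked, not just printed."""
    results = {
        "danny http avi": forward_decision("10.5.50.10", HTTP_AVI),
        "danny http html": forward_decision("10.5.50.10", HTTP_HTML),
        "danny http AVI lf": forward_decision("10.5.50.10", HTTP_AVI_BARE_LF),
        "danny https avi": forward_decision("10.5.50.10", TLS_HELLO),
        "david http avi": forward_decision(OTHER_USER, HTTP_AVI),
    }
    for name, verdict in results.items():
        print(f"{name:20s} -> {verdict}")
    return results


if __name__ == "__main__":
    demo()
```

Only danny's plain-HTTP AVI requests are dropped; his HTTPS request for the same file passes because the path is encrypted, which is the limitation the answer describes for Facebook. Note that a request with a query string (`clip.avi?x=1`) would also slip past this regexp, since `\S+\.avi` must be followed directly by a space.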

Thank you for the help,
but it seems very difficult to use because of layer7.
I thought there would be a way using just firewall filter and maybe mangle.

Thanks anyway