How Can I Show A Custom Message When Blocking Sites Using FireWall?

I am completely new to Mikrotik. I just want to ask nearly 5 questions. As you might feel annoyed, here I want to ask 2 questions. Hope you guys will help me to figure these out.

  • I configured Proxy on Mikrotik. I can redirect HTTP websites through the proxy. I can block websites through Proxy too. But the problem is I can’t block HTTPS websites like Facebook, Youtube etc. I know HTTPS might not be blocked by proxies. But I saw some articles on the internet where I see some guys are saying it can be done through Mangle rules. I copied and pasted their rules. None of them worked! So can anyone really give me any suggestion regarding this issue?

  • Is there any way to show a custom message like “Sorry you can’t browse websites in office network” for firewall rules?


Thanks for your replies…

This can only be done if you install root CAs onto each device to allow SSL MITM. I don’t think Mikrotik has support for SSL MITM (for good reasons).

Ok then can anyone tell me what is the way to block HTTPS websites and downloading .mp3 files from these sites? I guess it can be done through L7. What is the regex in this case?

Hi,

To block download of .mp3 files from any browser you could do:

/ip firewall filter
add action=drop chain=forward comment="block .mp3 download" content=.mp3 log=yes log-prefix=block-dwd-mp3

Regarding blocking HTTPS sites like youtube, facebook…

  1. First create a rule on layer7 protocol which contains the websites you want to block:
/ip firewall layer7-protocol
add name="block fb-youtube" regexp="^.+(facebook.com|youtube).*\$"
  2. Create a rule in the filter chain to deny traffic to the layer7 “list”:
/ip firewall filter
add action=drop chain=forward comment="deny fb or youtube sites alike" layer7-protocol="block fb-youtube" log=yes log-prefix=deny-layer7-list

Hope it helps.

kind regards,

Hey Jesus, many thanks for your valuable reply. However, can you please tell me how I can block all websites using L7? I guess I have to change only the regex for this issue. So what should be the regex for blocking all websites?

Well, just curious to know what this log is: “log=yes log-prefix=deny-layer7-list”.

Many thanks again.

Is it possible to identify in the logs what site was blocked?

Hi,

You can try using SNI.

Search for tls-host in the following:
https://help.mikrotik.com/docs/display/ROS/Common+Firewall+Matchers+and+Actions

Unfortunately, SNI inspection is becoming unavailable with the advent of TLS 1.3, so it is working less and less well.
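As an added example (not code from this thread or from MikroTik's documentation) that ties the SNI suggestion to the earlier question about telling from the log which site was blocked: one rule per site, each with its own log-prefix, so the prefix in the log entry identifies the site. It assumes a RouterOS build that has the tls-host matcher described on the linked page, that client traffic passes the forward chain, and uses facebook.com and youtube.com as placeholder names for whatever the office policy actually lists.

```routeros
# Added example, not from the thread: per-site SNI rules with distinct log prefixes.
# Assumes RouterOS with the tls-host matcher; site names are placeholders.

# Layer7 entry reused for plain HTTP, same pattern as posted earlier in the thread.
/ip firewall layer7-protocol
add name="block fb-youtube" regexp="^.+(facebook.com|youtube).*\$"

/ip firewall filter
# The TLS client name travels in the ClientHello of a new TCP/443 connection,
# so match there. tls-host uses glob syntax: "*.facebook.com" does not cover the
# bare name "facebook.com", hence one rule for each form.
add chain=forward protocol=tcp dst-port=443 tls-host="facebook.com" action=drop log=yes log-prefix="deny-sni-facebook" comment="policy: block facebook (SNI)"
add chain=forward protocol=tcp dst-port=443 tls-host="*.facebook.com" action=drop log=yes log-prefix="deny-sni-facebook" comment="policy: block facebook subdomains (SNI)"
add chain=forward protocol=tcp dst-port=443 tls-host="youtube.com" action=drop log=yes log-prefix="deny-sni-youtube" comment="policy: block youtube (SNI)"
add chain=forward protocol=tcp dst-port=443 tls-host="*.youtube.com" action=drop log=yes log-prefix="deny-sni-youtube" comment="policy: block youtube subdomains (SNI)"

# Plain HTTP to the same names is still caught by the layer7 matcher; keep it as a
# separate rule with its own prefix so HTTP and HTTPS hits are distinguishable.
add chain=forward protocol=tcp dst-port=80 layer7-protocol="block fb-youtube" action=drop log=yes log-prefix="deny-l7-fb-youtube" comment="policy: block facebook/youtube (HTTP)"

# Review what was blocked: filter the log on the prefix family. Each entry shows
# the prefix plus the src/dst address pair the rule dropped.
/log print where message~"deny-sni-"
```

Filter rules are evaluated top to bottom, so these drop rules must sit above any general accept for the forward chain. The layer7 rule alone cannot name the site in the log because its prefix is shared across everything the regexp matches; splitting per site, as above, is what makes the log answer "which site".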