how to block sites need help urgent

Hello dear,
I need urgent help. I want to block porn sites
because my 2 clients were caught by their parents :smiley: :laughing:
I want to block only for them, not for all.
Please help me.
My clients' IP addresses are the following:
1=192.168.1.29
2=192.168.1.63

a) that isn’t urgent. Mislabeling your topics to get attention is kind of rude, in my opinion.

b) search the forum. This is a FAQ.

c) use destination NAT to force them to use OpenDNS for DNS, and set up an account on OpenDNS for your router IP so that OpenDNS knows not to resolve domains that host pornographic content for those clients. Set up the destination NAT rules only for those client source addresses and it will not affect anyone else.

fewi, thanks for the reply and sorry for mislabeling.
I don't want to use OpenDNS.
Please tell me the configuration for MikroTik.

There isn’t one. You’re not going to be able to block porn sites manually by yourself. There is no magic button. You either need a proper content filter/proxy (not the built-in one) or use DNS filtering.

fewi, thanks for the reply
thx thx thx thx
But I hear from some friends
that websites can be blocked via proxy.

Yes. But you need to manually list the patterns to block. Do you have the patterns that describe all or even most porn sites?

I am using this firewall filter rule:

ip firewall filter add chain=forward src-address=192.168.1.29 content=porn action=drop
ip firewall filter add chain=forward src-address=192.168.1.29 content=sex action=drop
ip firewall filter add chain=forward src-address=192.168.1.29 content=adult action=drop

and I don't know how to list the patterns.

Exactly - there is no such exhaustive list of patterns. It’s also more or less impossible to keep track of it yourself. Additionally, doing layer 7 inspection on all packets is going to absolutely wreck router performance.

Your only bet is to go with a large organization that does the porn filtering for you. You can either pay a lot of money to a company like Websense, or you can use OpenDNS’ free service.

Thank you so much, fewi…
I cannot afford Websense
and
my ISP provides me a dynamic IP, so I cannot use OpenDNS,
and you are the most valuable member of this forum.
:slight_smile: :slight_smile: :slight_smile:

One of the scripts dealing with Dynamic DNS might get you started down the right path.
http://wiki.mikrotik.com/wiki/Scripts

I’ve never used OpenDNS myself so I’m not sure how you update anything. That being said, DHCP leases rarely change for most ISPs; the address mostly only ever changes if you change out hardware or your lease expires after the box has been turned off for a long time. If, however, you are worried about that, you can have the router send you an e-mail with the new IP address should it ever change, and you can manually update it.

You might also be able to write a script that will have the router try and resolve a DNS name off of OpenDNS, and if it fails, run an action of disabling the NAT rules Fewi mentioned to make sure the two clients can stay online.

You could simply add static DNS entries for the sites you want to block and enter 0.0.0.0 as the dst IP. That would pretty effectively block any machine that's using your RouterBOARD's DNS server from accessing those sites.

Of course, if you have a clever masturbating co-worker who's looking at porno, he could simply specify a public DNS server and get around it.
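
The destination NAT approach from reply (c), which also closes the bypass described in the last post (a client pointing at a public DNS server of its own), as an added example that is not from any poster in this thread. The list name `filtered-clients` and the comments are assumptions; 208.67.222.222 is a public OpenDNS resolver address, and the router is assumed to already have its usual srcnat/masquerade rule for outbound traffic.

```routeros
# Added example, not from the thread. Run in a RouterOS terminal.
# The two client addresses are the ones given in the first post.
/ip firewall address-list
add list=filtered-clients address=192.168.1.29 comment="client 1"
add list=filtered-clients address=192.168.1.63 comment="client 2"

# Rewrite every DNS query from the listed clients, whatever server they
# address it to (the router itself or a public resolver), to OpenDNS.
# Other clients never match src-address-list and are unaffected.
/ip firewall nat
add chain=dstnat src-address-list=filtered-clients protocol=udp dst-port=53 \
    action=dst-nat to-addresses=208.67.222.222 to-ports=53 \
    comment="filtered clients: force DNS to OpenDNS (UDP)"
add chain=dstnat src-address-list=filtered-clients protocol=tcp dst-port=53 \
    action=dst-nat to-addresses=208.67.222.222 to-ports=53 \
    comment="filtered clients: force DNS to OpenDNS (TCP)"

# Check that the rules are matching: the packet counters should rise
# when one of the listed clients resolves a name.
/ip firewall nat print stats where chain=dstnat
```

These rules only cover plain DNS on port 53; a client using DNS over TLS or DNS over HTTPS is not redirected by them. OpenDNS applies the category filter based on the public IP registered to the account, so the dynamic-IP update discussed above still has to be in place.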