How to block specific port for range of IP Addresses?

Hi Everyone,

I would like to block specific port for range of IP Addresses…

That means, the ip address 192.168.0.200 to 192.168.0.220 don’t want internet access. How I can block port 80.

And also specific web addresses example: www.youtube.com, www.facebook.com and so forth.

Thanks in advance
Joseph Thekkiniath

/ip firewall address-list
add list=no_HTTP address=192.168.0.200
add list=no_HTTP address=192.168.0.201
/ip firewall filter
add chain=forward src-address-list=no_HTTP protocol=tcp dst-port=80 action=drop

Blocking web sites via URL: http://wiki.mikrotik.com/wiki/How_to_Block_Websites_%26_Stop_Downloading_Using_Proxy

hi Fewi,

:smiley: Thanks! It's working!!!

No other way to create range of address list? Instead of doing one by one.

For blocking www.youtube.com; www.facebook.com
Where I can put the ip range (ex: 192.168.0.180 to 192.168.0.199) no entertainment.

Thanks in advance
Joseph Thekkiniath

:for IP from=200 to=220 do={ /ip firewall address-list add list="no_HTTP" address="192.168.0.$IP" }

To limit who gets blocked by URL in the proxy, you need to adjust the line that actually redirects traffic to the proxy:

/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080

That redirects all traffic to tcp/80 (HTTP) to the proxy. To only apply that to 192.168.0.180 - 192.168.0.199, first make another address list, then add a qualifier to the proxy redirects that only fires for traffic sourced from that list:

:for IP from=180 to=199 do={ /ip firewall address-list add list="filtered_by_proxy" address="192.168.0.$IP" }
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 src-address-list=filtered_by_proxy action=redirect to-ports=8080

and of course remove the original proxy redirect line first.

for every complex problem… you know =)

/ip firewall address-list add list=no_HTTP address=192.168.0.200-192.168.0.220

Duh.

Hi Everyone,

I haven’t tried range of ips. Before I have confirm other options also.

Here how I can put the time schedule? At night it must be allowed…

Thanks
Joseph Thekkiniath

Refer to the filter manual for the available parameters.

Hi Everyone,

I didn’t come up with blocking www.youtube.com and www.facebook.com
for the range of ips (192.168.0.180 - 192.168.0.200)

And also, how I can create group of clients…

Thanks
Jose Thekkiniath

http://wiki.mikrotik.com/wiki/How_to_Block_Websites_%26_Stop_Downloading_Using_Proxy
That link shows how to block websites.
You create groups of clients via address lists as described in this thread.
What specifically is your question? The link and examples in this thread have all the configuration you need.
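
Added example, not part of the original posts: one configuration that combines the pieces discussed so far in this thread, namely the range-based address lists, the time-limited port 80 block asked about earlier, and the proxy redirect restricted to one address list. The list names and address ranges follow the thread; the 08:00-18:00 weekday schedule and the WAN interface name ether1 are assumptions.

```routeros
# Added example. Assumptions: schedule 08:00-18:00 Mon-Fri, WAN interface ether1.

/ip firewall address-list
# A single entry can hold a whole range, so no loop is needed.
add list=no_HTTP address=192.168.0.200-192.168.0.220 \
    comment="no HTTP during working hours"
add list=filtered_by_proxy address=192.168.0.180-192.168.0.199 \
    comment="HTTP is sent through the web proxy"

/ip firewall filter
# The time matcher uses the router's own clock, so keep it synchronised.
# Outside the window the rule does not match and HTTP is allowed again.
add chain=forward src-address-list=no_HTTP protocol=tcp dst-port=80 \
    time=8h-18h,mon,tue,wed,thu,fri action=drop \
    comment="place above any rule that would accept this traffic"
# Do not leave the proxy port reachable from the WAN side.
add chain=input in-interface=ether1 protocol=tcp dst-port=8080 action=drop \
    comment="proxy is for LAN clients only"

/ip proxy
set enabled=yes port=8080

/ip proxy access
# These deny rules only affect clients whose traffic reaches the proxy.
add dst-host=www.youtube.com action=deny
add dst-host=www.facebook.com action=deny

/ip firewall nat
# Redirect only hosts in filtered_by_proxy; all other clients bypass the proxy.
add chain=dstnat src-address-list=filtered_by_proxy protocol=tcp dst-port=80 \
    action=redirect to-ports=8080
```

Both the drop rule and the redirect match tcp/80 only, so HTTPS on tcp/443 is not affected by this configuration.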

Hi

/ip proxy
set src-address: 0.0.0.0 ----??? what ip ???
set parent-proxy: 0.0.0.0:0 ---- ??? what ip ???

My network 192.168.0.0/24

No access website ip addresses would be 192.16.0.180 - 192.168.0.200

Thanks
Jose Thekkiniath

Look at the manual:
http://wiki.mikrotik.com/wiki/Manual:IP/Proxy#General

parent-proxy (Ip4 | ip6; Default: 0.0.0.0) IP address and port of another HTTP proxy to redirect all requests to. If set to 0.0.0.0 parent proxy is not used.



src-address (Ip4 | Ip6; Default: 0.0.0.0) Proxy will use specified address when connecting to parent proxy or web site. If set to 0.0.0.0 then appropriate IP address will be taken from routing table.

You don’t have a parent proxy, so leave that at 0.0.0.0 to disable the feature. If you want traffic to be sourced from a particular IP address on your router (so you can easily recognize it further upstream, for example) you set it here, if you don’t care or don’t need the feature you leave it at 0.0.0.0.

Hi

Is there any way to know the visiting websites of client machine
by Webproxy.

Thanks
Jose Thekkiniath

http://forum.mikrotik.com/t/proxy-log-in-mikrotik/39120/1

You can try OpenDNS; it is very easy and you don't have to load the CPU of your MikroTik with rules.

Hi

I have tried and its working. But I want to block only specific range of ips

/ip firewall filter
chain=input action=drop protocol=tcp src-address-list=No Entertainment Webpage in-interface=ether4-Office LAN dst-port=8080

/ip firewall filter
No Entertainment Webpage=192.168.0.161-192.168.0.180

Note: ether4-Office LAN = My DHCP LAN 192.168.0.0/24

Other commands As you said. Now I could not access the site for all the ips.

Thanks
Jose Thekkiniath

Jose Thekkiniath

Have you found the solution to blocking websites on the specific range of IP address? I have been working on this, but seem not working at all…

Your help is really appreciated.

  1. You should not put spaces in the names.
  2. That’s the wrong syntax for defining an address list
  3. You’re mixing address lists and ranges which is a bit funky.
  4. Do you really want this on the input chain? Unless the router itself is hosting the webpage (or maybe acting as a proxy?) you probably want it on the forwarding chain.

Try something more like:

/ip firewall address-list
add address=192.168.0.161-192.168.0.180 list=NoEntertainmentWebpage \
  comment="Note that there are no spaces in the list name, these are users who are denied certain web pages."
/ip firewall filter
add chain=forward action=drop protocol=tcp dst-port=8080 src-address-list=NoEntertainmentWebpage in-interface=ether4-Office-LAN \
  comment="Again no spaces in the names for the address list or the port.  Port names can use '-' but address list names don't seem to allow it."

Once you’ve added that firewall rule you will also need to move it to the correct place in the chain.

thanks for your reply. My condition is like this.

I want to block this range of IP address 192.168.1.100 to 192.168.1.200 from being able to access the following contents:

www.facebook.com
porn*.com
tube*.com
sex*.com

Note that all other IP besides the range, can still access the above mentioned contents.

Thanks

MK webproxy will bypass with some programs like Ultrasurf :laughing: