How to block URL-s contains IP address (Proxy)

bennyh · May 17, 2018, 9:02am

I’d like to block in Mikrotik web proxy to the proxy clients use URL-s contains direct IP address of remote (web,ftp) servers. I want to allow only domain names, because i’d like to filter web access by DNS service.

Example:
Allowed by proxy: https://www.mikrotik.com
Blocked by proxy: https://159.148.147.196

msatter · May 17, 2018, 9:47am

I use the content filter in RAW to drop the direct IP traffic. You have to disable fast tracking for that direction or only engage fast tracking after 1100bytes. It was in a recent MUM presentation if I remember that correctly.
This is for a known IP and if you want to filter all direct IP address on port 80 you can use a regex.

bennyh · May 17, 2018, 9:55am

Could you show me the filter?
I dont want to block in forward chain. I only want to block between proxy and client, or proxy and remote host (http/ftp server). The direct connection is blocked. Almost everything have to go trough the webproxy.

bennyh · May 17, 2018, 1:13pm

Can the Layer 7 filter check the clients connections to the proxy? Maybe can somebody send me regexp code, to filter if a client sand an url to the proxy which url contains ip address and not domain name?

bennyh · May 18, 2018, 7:03am

Somebody?

bennyh · May 22, 2018, 7:49am

Any idea?

bennyh · May 23, 2018, 8:08am

Meanwhile, I made a proxy auto config script, wich check if hostname is IP address with very simple regexp:
“var ip_regexp=/\d+.\d+.\d+.\d+$/”

and check the logical value of this method call:
“ip_regexp.test(host)”

But would be better If I could block in the Mikrotik proxy or firewall, not on the client side.
Any idea?

reinerotto · May 23, 2018, 8:34pm

Yes: Use a full-featured proxy, like squid.

Your usage case is one more argument against using MT for hotspots
with above-basic requirements.
As in openwrt, I often integrated squid. Also to implement
your requested functionality

bennyh · May 24, 2018, 5:47am

Ha-ha, verry funny

Now I use an IPFire proxy, and I want to get rid of it, because I can use blocklists and safe DNS with the MT box (3011) what is strong enough to serve all of my users (30) and neither the IPfire cant do ssl intercept, so unnecessary a seperate proxy server, and because IPFire run on a very loaded Hyper-V server, I can save some memory and CPU resource.

There is a Layer7 filter, it really doesnt use for this? I am very unfamiliar with Layer7 filter and regular expressions. I tought, there is somebody who can help me.

reinerotto · May 24, 2018, 6:11am

Dump IPFire, install a small/old x86-PC running squid as local proxy within your network. This can do, what you want.
It is always strange, to read some questions, having already a supposed-to-work answer included

bennyh · May 24, 2018, 9:49am

This isnt the answer. I asked, how to do this with Mikrotik, you wrote how to do with other device/software. Thats the strange.

bennyh · May 28, 2018, 9:38am

Up?