It is not recommended to use the L7 matcher for generic traffic, such as for blocking web pages. This will almost never work correctly and your device will exhaust its resources, trying to catch all the traffic. Use other features to block webpages by URL.
What are these “other features”? How do I block a webpage by URL? For example, how to block that page:
You can’t block specific URLs (chosen between different URLs targeting the same FQDN host or IP address). The generic reason is that there’s no guarantee that the whole URL will fit in a single IP packet. And FW (L7 as well) works with IP packet granularity. So if one uses IP packets with MTU size of 40 bytes, then there are only 20 bytes for payload and the URL @OP used as example will be “fragmented” into at least 4 packets (URL is 65 bytes long). No way that the L7 parser built into ROS matches anything.
And specifically the problem with httpS communication is that everything is encrypted, including the complete URL [*]. And ROS cannot decrypt contents, so it cannot match URLs.
So the best thing possible to do is something in line with the suggestion by @spippan … but that only works for host names and only works if the client uses plain DNS (either the one run by ROS itself or a 3rd party … since plain DNS communication can be forwarded to another server). If the client uses DoH, even this kind of solution doesn’t solve the problem at hand.
[*] With SSL and TLS up to and including v1.2, the SNI field contains the unencrypted host part of the URL (so that the server can select the appropriate certificate before starting encrypted communication). With TLS v1.3, SNI is also encrypted. But even with unencrypted SNI one cannot drop requests for a specific URL.
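To illustrate the packet-granularity argument in the reply above, here is an added example (not from the thread and not RouterOS code): one regex applied to every TCP segment on its own, as a packet-level L7 matcher must do, versus the same regex applied to the reassembled stream, as a proxy would. The request line, host name and segment sizes are constructed.

```python
import re
from typing import Dict, List

# Constructed plain-HTTP request; the long path stands in for the URL from the question.
REQUEST = (
    b"GET /some/fairly/long/path/to/a/page/that/should/be/blocked/index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n\r\n"
)
# Pattern an L7 rule would need in order to catch exactly this page (70 bytes long).
URL_RE = re.compile(rb"GET /some/fairly/long/path/to/a/page/that/should/be/blocked/index\.html")
# Much shorter pattern that only identifies the host, not the page.
HOST_RE = re.compile(rb"Host: www\.example\.com")


def packetize(payload: bytes, mss: int) -> List[bytes]:
    """Split a TCP payload into segments of at most `mss` bytes, with no reassembly."""
    if mss <= 0:
        raise ValueError("mss must be positive")
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def per_packet_match(segments: List[bytes], pattern: re.Pattern) -> bool:
    """What a packet-granular matcher sees: each segment inspected in isolation."""
    return any(pattern.search(seg) for seg in segments)


def stream_match(segments: List[bytes], pattern: re.Pattern) -> bool:
    """What a stream-aware proxy sees: the segments joined back into one byte stream."""
    return pattern.search(b"".join(segments)) is not None


def compare(mss: int, pattern: re.Pattern = URL_RE) -> Dict[str, object]:
    """Run both views over REQUEST split at the given segment size."""
    segs = packetize(REQUEST, mss)
    return {
        "segments": len(segs),
        "per_packet": per_packet_match(segs, pattern),
        "stream": stream_match(segs, pattern),
    }


if __name__ == "__main__":
    # A pattern longer than the segment can never match per packet; the stream always matches.
    for mss in (20, 64, 1460):
        print(f"mss={mss:5d} url={compare(mss)} host={compare(mss, HOST_RE)}")
```

The short host pattern still fires at 64-byte segments because it happens to land inside one segment, which is why host-name matching sometimes appears to work while full-URL matching does not.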
As others have explained, you cannot block URLs at the packet level, where router L7 filters work.
It is possible if you run an http(s) proxy and force users to use it by blocking outgoing ports 80/443 if the internal source IP is not the proxy.
The proxy works at the http(s) level instead of the packet level and hence has access to destination URLs.
If you want to filter URLs in all cases, including TLS 1.3 and plugging DoH and https-based VPNs, you need a proxy terminating ssl/https and re-encrypting towards clients, with all clients having a certificate installed so they accept the connections although re-encrypted by the proxy. This is often called “Corporate MITM” and is what many Enterprise and Education networks do, and the only way to really lock things down.