How to deny/allow website by IP address in RB750 router?

Can any friend tell me how we can block websites by IP address? Some of our clients we don’t allow to access YouTube or Facebook.


You could block by IP, but many sites like YouTube have a slew of IPs.

Use the “Content” option in the firewall to filter based on a keyword. “Facebook.com” or “Youtube.com”.

/ip firewall filter 
add chain=forward action=reject reject-with=tcp-reset protocol=tcp content="Host: www.facebook.com"

You could simply drop the traffic, but the TCP Reset option will immediately dump the client to an error screen, and not just leave the browser retrying the connection over and over.

Hi. As in your comment, we can block it for everyone in the network. What I need is to block by IP address: there are some users I don’t allow to access the website.


I’m confused. Did you solve the problem?

If my rule didn’t work as written, see http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter regarding how to write firewall rules. You can change it for your specific needs.

It sounds like piseth168 wants to filter by originating user as well as destination.

So the answer is half the solution needed, and just needs a src-address or src-address-list which covers the machines that you’re interested in limiting.
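Added example (not from any post in this thread) of the combination described above: the content-based reject from the earlier reply, restricted to the clients in an address list so that everyone else is untouched. The list name "restricted-users", the 192.168.88.x addresses and the hostnames are assumptions; substitute your own. This only covers plain HTTP on port 80, where the Host header is readable.

```routeros
# Added example, not from the thread. List the clients to be limited.
# "restricted-users" and the addresses below are assumptions.
/ip firewall address-list
add list=restricted-users address=192.168.88.10 comment="user 1 PC"
add list=restricted-users address=192.168.88.11 comment="user 2 PC"
add list=restricted-users address=192.168.88.64/27 comment="guest range"

# content= is a plain substring match on the packet payload, so
# "facebook.com" on its own would also reset HTTP responses from any
# third-party page that merely contains that string. Matching on the
# "Host: " request header limits the rule to requests for that site.
# One rule per hostname: "Host: facebook.com" is not a substring of
# "Host: www.facebook.com", so each variant must be listed.
:foreach h in={"facebook.com";"www.facebook.com";"m.facebook.com";"youtube.com";"www.youtube.com";"m.youtube.com"} do={
    /ip firewall filter add chain=forward protocol=tcp dst-port=80 \
        src-address-list=restricted-users content="Host: $h" \
        action=reject reject-with=tcp-reset \
        comment="restricted users: $h"
}
# The rules only take effect if they sit above any
# "chain=forward action=accept" rule, so move them up after adding.
```

With tcp-reset the user gets an immediate error page instead of a browser that keeps retrying. Traffic to the same sites over HTTPS is not touched by these rules, because the Host header is inside the encrypted stream; that needs a matcher that reads the TLS server name instead.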

Dear tjc,

Your thinking is correct. Could you share your current configuration with me?

regards.

http://wiki.mikrotik.com. You’d be surprised what’s there.

Specifically, see here: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Address_list.
And Here: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter

Better to block the website on the PC itself. You can do it by adding www.facebook.com to the hosts file.

This is how your hosts file should look:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.facebook.com
127.0.0.1       www.youtube.com

Hope it helps.

Hi,
To permit access to some websites, you can do it by adding these commands:

/ip proxy set enabled=yes
/ip proxy access add dst-host=facebook.com action=deny
/ip proxy access add dst-host=*.facebook.com action=deny
/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 src-address-list=webclients action=redirect to-ports=8080 comment=Transparent_web_proxy
/ip firewall address-list add list=webclients address=first_client_ip_address
/ip firewall address-list add list=webclients address=2nd_client_ip_address
/ip firewall address-list add list=webclients address=3rd_client_ip_address

This solution just gives you a false sense of security. It’s too easy to circumvent by going to https://facebook.com (because https is encrypted so you can’t read the host headers and it won’t get caught).

The best way to do this with MikroTik is to block based on content to port 53 UDP (DNS); this way it can’t even look it up. You should also transparently reroute all DNS traffic to the MikroTik, so users can’t use their own DNS settings and get around it.

Of course, they could edit their host file and still get to facebook. This is one bad limitation of mikrotik that cisco can easily do. Mikrotik can’t firewall based on url, but cisco can. That would be great if it could!!!

Otherwise, it’s impossible to block websites because of the https issue.
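Added example (not from any post in this thread) of the DNS approach described above: every client query is redirected to the router, the router answers the blocked names itself, and a content rule catches whatever the static list misses. Interface names "ether2-lan" and "ether1-wan", the upstream resolvers and the hostnames are assumptions. One detail the post glosses over: a DNS query does not carry "facebook.com" as a contiguous string, because each label is prefixed with its length byte, so a content match has to be on the bare label.

```routeros
# Added example, not from the thread. Interface names, resolvers and
# hostnames are assumptions; adapt them to your router.

# 1. Client DNS aimed at any other server (8.8.8.8 typed into the
#    adapter settings, for example) is redirected to the router itself.
/ip firewall nat
add chain=dstnat in-interface=ether2-lan protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="force DNS via router (UDP)"
add chain=dstnat in-interface=ether2-lan protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="force DNS via router (TCP)"

# 2. The router must answer LAN queries. allow-remote-requests also
#    makes it answer from the WAN side, so drop that explicitly or the
#    router becomes an open resolver on the internet.
/ip dns set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall filter
add chain=input in-interface=ether1-wan protocol=udp dst-port=53 \
    action=drop comment="no DNS from the internet"
add chain=input in-interface=ether1-wan protocol=tcp dst-port=53 \
    action=drop comment="no DNS from the internet"

# 3. Static answers: the known names resolve to 127.0.0.1, so the
#    connection fails immediately on the client's own machine.
/ip dns static
add name=facebook.com address=127.0.0.1
add name=www.facebook.com address=127.0.0.1
add name=m.facebook.com address=127.0.0.1
add name=youtube.com address=127.0.0.1
add name=www.youtube.com address=127.0.0.1

# 4. Catch-all for subdomains the static list misses. Names the router
#    cannot answer locally are forwarded upstream from the router
#    itself, so the match goes in the output chain, not forward.
#    On the wire www.facebook.com is \x03www\x08facebook\x03com, so
#    content="facebook.com" would never match; match the label.
#    Side effects: such lookups time out instead of failing at once,
#    and unrelated names containing "facebook" are blocked too.
/ip firewall filter
add chain=output out-interface=ether1-wan protocol=udp dst-port=53 \
    content="facebook" action=drop comment="no upstream lookups mentioning facebook"
```

Put the input-chain drops above any general input accept rule. As the post says, a user can still bypass this with a hosts file entry, and the same goes for a VPN or DNS carried over HTTPS, so treat it as a deterrent for ordinary users rather than a hard boundary.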

There’s always some way around any solution… The most surefire way, then, would be to only allow HTTP traffic through a proxy that you control.

Try with Layer 7 protocol

^.+(facebook.com).*$

It works for both HTTP and HTTPS.

That is a HORRIBLE thing to do. You will end up blocking LOTS of other websites! (I just tried it, and several websites that have a Facebook button on them would not load, or would half load.) Any website that has Facebook code built in (“like us on Facebook”, etc.). Those pages will load until they get to the Facebook code, then they will hang while waiting for Facebook to build the “like” link.

Actually this way worked for me…https traffic delivers an unreachable error while my squid handles the http part with a nice connection failed message :wink:
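Added example (not from any post in this thread) showing the HTTPS half of the problem handled without the Layer7 regex. A Layer7 matcher examines the first 10 packets or 2 KB of every connection, which is why `^.+(facebook.com).*$` also trips on the HTML of unrelated pages that merely mention facebook.com. The server name in the TLS ClientHello (SNI) is sent in clear even though the rest of HTTPS is encrypted, and RouterOS can match it with the tls-host filter parameter on firmware that has it (6.x releases; check yours). The address list and addresses are assumptions.

```routeros
# Added example, not from the thread. Requires a RouterOS version with
# the tls-host matcher. List name and address are assumptions.
/ip firewall address-list
add list=restricted-users address=192.168.88.10 comment="user 1 PC"

# Match the SNI from the ClientHello of port-443 connections. The glob
# "*facebook.com" covers facebook.com and all its subdomains.
/ip firewall filter
add chain=forward protocol=tcp dst-port=443 src-address-list=restricted-users \
    tls-host=*facebook.com action=reject reject-with=tcp-reset \
    comment="HTTPS facebook, restricted users"
add chain=forward protocol=tcp dst-port=443 src-address-list=restricted-users \
    tls-host=*youtube.com action=reject reject-with=tcp-reset \
    comment="HTTPS youtube, restricted users"
# tls-host inspects only the ClientHello, so a page on another site
# that embeds a Like button still loads; only the browser's separate
# connection to facebook.com is reset, and it fails fast instead of
# hanging. A ClientHello split across TCP segments is not matched.
```

Pair it with the port-80 Host-header rules for plain HTTP and keep both above any forward accept rule. Like every other option in this thread it is still bypassable (a VPN, or clients that encrypt the server name), so it limits casual use rather than enforcing a policy against a determined user.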

This is one bad limitation of mikrotik that cisco can easily do. Mikrotik can’t firewall based on url, but cisco can. That would be great if it could!!!

Guys, any news on the topic? Maybe there’s already a Feature Request for the firewall based url content filtering?