I need to block Facebook and YouTube

Hi sir

I have a MikroTik RB2011. I’m still learning, but I’ve managed to meet most of my company's needs.

I’ve blocked Facebook and YouTube successfully, but some users, due to the nature of their work, need to use VPN clients such as Psiphon; these can override my firewall rules and open restricted sites.

How can I make sure that my firewall restrictions are applied even when a user uses a VPN client?

The best way is to block via the address list, since the layer7 protocol no longer works properly due to the HTTPS protocol.

You have to copy and paste everything into “new terminal”

# Address-list entries given as host names are resolved by the router itself
/ip firewall address-list
add address=www.facebook.com list=block-facebook
add address=facebook.com list=block-facebook
add address=login.facebook.com list=block-facebook
add address=www.login.facebook.com list=block-facebook
add address=fbcdn.net list=block-facebook
add address=www.fbcdn.net list=block-facebook
add address=fbcdn.com list=block-facebook
add address=www.fbcdn.com comment=www.facebook.com list=block-facebook
add address=static.ak.fbcdn.net list=block-facebook
add address=static.ak.connect.facebook.com list=block-facebook
add address=connect.facebook.net list=block-facebook
add address=www.connect.facebook.net list=block-facebook
add address=apps.facebook.com comment=www.facebook.com list=block-facebook

# The drop rule belongs in the filter menu, not in address-list
/ip firewall filter
add action=drop chain=forward comment="BLOCK FACEBOOK" dst-address-list=block-facebook

BLOCK YOUTUBE

/ip firewall address-list
add address=www.youtube.com list="Block youtube"
add address=googlevideo.com list="Block youtube"
/ip firewall filter
add action=drop chain=forward dst-address-list="Block youtube"

Let me know if it works
But with VPN you can probably bypass this

You cannot do that in general. At least not when the corresponding traffic has already entered the VPN tunnel.

What you can do is force everyone to use only the correct DNS. Then you can block DNS for Facebook, YouTube etc.
Or you can use a third-party DNS like OpenDNS that can block DNS.

But this does not prevent users from using VPN/proxy etc.
E.g.:
https://nl.hideproxy.me/index.php#p745235
OpenDNS can block some of these sites as well, but not all.
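
One way to set up the "force everyone to use only the correct DNS" approach from the post above, as an added example that is not from any poster in this thread. It assumes the LAN interface is named `bridge` and uses the public OpenDNS resolvers as upstream; the rule comments and blocked names are illustrative.

```routeros
# Added example. Assumption: LAN interface is named "bridge"; adjust to your setup.

# 1. The router answers DNS for clients and forwards to OpenDNS upstream.
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220

# 2. Redirect every client DNS query (UDP/TCP 53), whatever server it was
#    addressed to, to the router's own resolver. A resolver configured by
#    hand on a PC is therefore ignored.
/ip firewall nat
add chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53 \
    in-interface=bridge comment="force DNS to router"
add chain=dstnat action=redirect to-ports=53 protocol=tcp dst-port=53 \
    in-interface=bridge comment="force DNS to router"

/ip firewall filter
# 3. allow-remote-requests=yes makes the router a resolver on all interfaces,
#    so refuse DNS arriving from anywhere except the LAN (no open resolver).
add chain=input action=drop protocol=udp dst-port=53 in-interface=!bridge \
    comment="no DNS service to WAN"
add chain=input action=drop protocol=tcp dst-port=53 in-interface=!bridge \
    comment="no DNS service to WAN"
# 4. DNS-over-TLS (TCP 853) is not caught by the redirect, so drop it.
#    Move this rule above any rule that accepts forwarded LAN traffic.
add chain=forward action=drop protocol=tcp dst-port=853 in-interface=bridge \
    comment="block DNS-over-TLS"

# 5. Answer the blocked names, including subdomains, with an unroutable address.
/ip dns static
add regexp="(^|\\.)facebook\\.com\$" address=127.0.0.1 comment="block facebook"
add regexp="(^|\\.)youtube\\.com\$" address=127.0.0.1 comment="block youtube"
```

DNS-over-HTTPS on port 443 and traffic inside a VPN tunnel never reach these rules, which is the limitation the replies in this thread describe.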

Thank you all

Blocking is successfully done

If I’ve got it right, I can’t control the user if he is using a VPN client

This is too cool, thank you, but within 2 days of applying this rule some Google services stopped working, such as Google Drive, Google Translate, Calendar etc. What would be the solution?

Recheck your conditions and make sure that you are not blocking any of it.

The problem is that you make a list of “youtube” servers and block traffic to that, but google may be using the same servers for google drive, calendar etc.
By blocking the youtube servers you also blocked those other services. That is the cost of “I need to block youtube”, live with it or stop blocking youtube.