I want to block Facebook in my internal network

hi friends
some customers complained to me that they want Facebook, Orkut and similar social sites blocked
from our end.
these customers are connected to the access point (2.4) and all are using static internal IPs
that are provided by us.
now I am not able to do that because if I configure the firewall on the radio (access point 2.4) then all clients connected to that AP are not able to use Facebook and other social sites.

kindly tell me what I should do by giving me an example???

I am also submitting the diagram of my network
with regards
from suraj
diagram of network.JPG

If customers are assigned static IPs then it is easy for you to add dropping rules through the MT firewall. First of all your schema is a bit unclear, but what I understood is that you need to block Facebook for some clients, knowing that these clients are assigned static IPs. Therefore collect the IPs you want to block, add them to the MT firewall under Address List, and add a filter rule dropping Facebook (for instance) for these specific clients. Hope I was clear :) and if any further help is needed please post back.

hello
do you mean that some IP addresses should be determined, then Facebook blocked just for those IPs?

thanks for your fast reply
but bad luck for me, I tried a lot but did not succeed after all.

tell me any example that shows how to restrict Facebook for this IP 10.210.2.14/24

no nat
no hotspot
no pppoe server

simple RB433 (access point) bridged access point 2.4

and WDS bridge for point to point ???

Try something like this.

/ip firewall filter add action=drop chain=forward content=facebook disabled=no src-address=10.210.2.14

thanks for the fast reply
but it is still not working
kindly post some specific commands

Check the order of your rules. Put the rule I gave you at the top and see if that works. You could have another rule accepting the traffic before it is supposed to get dropped.

Due to the nature of SSL, using Content=facebook isn’t always going to capture facebook traffic and has a fairly high false-positive rate (in theory you could be dropping packets for any webpage that uses facebook connect, or the “like this on facebook” button).

The only reliable method for blocking facebook with a mikrotik is to block at the DNS level.
Enable the DNS server on the mikrotik, add invalid entries for facebook.com, then capture blacklisted users’ DNS requests. This only works if you aren’t already providing a DNS server behind the mikrotik, and the mikrotik isn’t providing DNS caching already.

/ip dns 
set servers=<public DNS server1>,<public DNS server2> allow-remote-requests=yes

/ip dns static
add address=127.0.0.1 disabled=no name=facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=www.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=glib1.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=glib2.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=mail.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=dns.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=ns0.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=ns1.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=ns2.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=ns3.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=ns4.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=ns5.facebook.com ttl=5m

/ip firewall nat
add action=redirect chain=dstnat comment="Capture DNS" disabled=no dst-port=53 protocol=udp src-address-list=DNSBlacklist to-ports=53
add action=redirect chain=dstnat comment="Capture DNS" disabled=no dst-port=53 protocol=tcp src-address-list=DNSBlacklist to-ports=53

/ip firewall address-list
add address=<Client Static IP to be blocked> list=DNSBlacklist comment="Added to DNS block list on request of <Customer name>"

–CC_DKP
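The config above works by answering blacklisted clients' DNS queries with a bogus address. Here is the same mechanism written out in Python, as an added illustration that is not part of the original post or of RouterOS: it parses a DNS query, matches the name against a suffix blocklist (so m.facebook.com is caught without listing every hostname, which the static entries above cannot do) and forges an A reply pointing at 127.0.0.1 with the same 5 minute TTL. The blocklist, the sample query and all function names are constructed for the demo.

```python
import socket
import struct

# Constructed blocklist: a name is sinkholed if it equals, or sits under, a suffix.
BLOCKED_SUFFIXES = ("facebook.com", "orkut.com")
SINKHOLE_IP = "127.0.0.1"   # same bogus address as the static entries above
SINKHOLE_TTL = 300          # 5m, matching ttl=5m in the thread

def parse_qname(msg, offset=12):
    """Decode the question name; returns (lowercased name, offset past QTYPE/QCLASS)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a plain query name
            raise ValueError("unexpected compression pointer")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset + 4

def is_blocked(name):
    return any(name == s or name.endswith("." + s) for s in BLOCKED_SUFFIXES)

def build_query(name, txid=0x1234):
    """Constructed sample input: a minimal recursive A query for `name`."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def sinkhole_response(query):
    """Forge an A answer for a blocked name; None means forward the query normally."""
    name, qend = parse_qname(query)
    qtype, qclass = struct.unpack("!HH", query[qend - 4:qend])
    if not is_blocked(name) or qtype != 1 or qclass != 1:
        return None
    flags = 0x8180 if query[2] & 0x01 else 0x8080  # QR=1, RA=1, copy RD, RCODE=0
    header = query[:2] + struct.pack("!HHHHH", flags, 1, 1, 0, 0)
    # Answer RR: name pointer to offset 12, type A, class IN, TTL, RDLENGTH=4, RDATA
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, SINKHOLE_TTL, 4) + socket.inet_aton(SINKHOLE_IP)
    return header + query[12:qend] + answer

def decode_answer(resp):
    """Pull (ancount, ttl, ip) out of a single-answer sinkhole reply, for inspection."""
    ancount = struct.unpack("!H", resp[6:8])[0]
    ttl = struct.unpack("!I", resp[-10:-6])[0]
    return ancount, ttl, socket.inet_ntoa(resp[-4:])
```

Only queries from clients in the blacklist should ever reach this logic; the dstnat redirect rules above are what steer those clients' port 53 traffic to the router in the first place.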

how foolish I am :(
thanks man, it’s working
now 10.210.2.14 cannot access Facebook. early this morning the customer told me that they were not able to access Facebook any more.
thanks

now i am finding more solutions.
hope you will help me :smiley:

Ever consider a different approach such as blocking any outgoing DNS request that contains facebook?

Why don’t you just drop all traffic to their network?

http://bgp.he.net/AS32934#_prefixes

Create an address list with all of those prefixes and drop the traffic in a firewall rule.

Yep and you could also setup web-proxy. There are many different ways to achieve this.

you can transparently inspect DNS requests. you can NOT transparently inspect https traffic - it’s encrypted

p.s. https://kproxy.com :frowning:

Hi all,
After I blocked traffic for Facebook, I need to know how to redirect the request for Facebook to another webpage, like myhomepage.com?
Can anybody help me in this issue?

so, how did you do blocking?

I’ve blocked facebook in this way:
[nnnn@xxxxx] /ip firewall layer7-protocol> pr det
0 name=“facebook” regexp=“facebook”
[nnnn@xxxxx] /ip firewall filter> pr
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; drop facebook
chain=forward action=drop src-address=0.0.0.0/0 layer7-p

I used a layer7 protocol, as a simple content filter would affect many other websites that have Facebook content

you can redirect only when using some proxy. L7 matches already established connection, you cannot redirect in the middle of connection

OK, I will try to do it with a proxy even though I don’t have experience using a proxy, any help here is welcome :)
by the way many thanks Chupaka.

Hello,

I tried to block Facebook and YouTube and it’s working fine..

Is there a way… to unblock certain IPs only, let’s say my boss’s computer… hehe.. because now he is included in the block

suggestion is highly appreciated

Thanks

Dex