Internet Limit

safiullahtariq · April 2, 2015, 4:49pm

Hello All,

I would like to get some help from you.

I have a router RB-750. There has been a request from my office.

I want to limit all internet excess to all PCs except gmail.com. But few executives MAC addresses are to be excluded from this limitation so that they can surf youtube and show us that they are Bosses

Any help regarding this is highly appreciated.

Regards,

Safiullah

jarda · April 2, 2015, 7:34pm

Couldn’t your bosses show their highness and pay some mikrotik training for you?

jarda · April 2, 2015, 7:36pm

Anyway. I would go by address lists based on ip and set firewall rules for that. You can link mac to ip by dhcp static assignment.

safiullahtariq · April 4, 2015, 9:21am

Thanks for your help.
I am not able to understand Mikrotik terminology thats why im quite confused.

How about this to stop internet:

/ip firewall filter rules

add chain=forward source-address-list=xxx-xxx action=drop

To allow

add chain=forward source-MAC-address=xxx-xxx action=accept

I am using winbox, i know this isnt the actual code, im just saying that will this approach be good ?

jarda · April 4, 2015, 10:01am

First accept rule with exclusions and then general drop for the rest.

ZeroByte · April 4, 2015, 4:18pm

For this project -
Enable http proxy
In the proxy rules-
Create a rule allow gmail.com
Create the second rule = drop everything
In firewall nat rules make a rule in dstnat that matches in-interface=lan dst-port=80 protocol=tcp action=jump jump-target=http_proxy_check
Add the rest of these rules with chain=http_proxy_check:
source mac address = mac of boss computer 1 , action = return
source mac address = mac of boss computer 2 , action = return
…
etc
…
last rule:
(no conditions) action = redirect to-ports=8080

This will force all computers except the boss macs to use the http proxy.

safiullahtariq · May 2, 2015, 7:04pm

I cant get this right.

This is what I did. Please help me… I have created an address list and bounded MAC addresses of normal users. So separating the normal users from managers wont be a problem.

The issue is, I can block TCP traffic but other services/internet e.g whatsapp are not blocked. I want to block everything except gmail and few other websites. Do you suggest that I go with layer7 protocol blocking ?
This is what I have done…

/ip proxy access
add dst-host=gmail action=allow
add dst-port=80 action=deny

/ip proxy
enabled: yes
src-address: ::
port: 8080
anonymous: no
parent-proxy: ::
parent-proxy-port: 0
cache-administrator: Administrator
max-cache-size: unlimited
max-cache-object-size: 2048KiB
cache-on-disk: no
max-client-connections: 600
max-server-connections: 600
max-fresh-time: 3d
serialize-connections: no
always-from-cache: no
cache-hit-dscp: 4
cache-path: web-proxy

/ip firewall nat
chain=dstnat action=dst-nat to-addresses=192.168.88.1 to-ports=8080 protocol=tcp dst-port=80 log=no log-prefix=

/ip firewall filter
chain=input action=drop protocol=tcp in-interface=WAN dst-port=8080 log=no log-prefix=“”

I can block web browsing but other services like teamviewer/whatsapp etc are not blocked.

Can anyone please suggest me something ?

Very Best Regards

Safiullah

safiullahtariq · May 8, 2015, 10:41am

Pleaae Help anyone…

ZeroByte · May 8, 2015, 12:21pm

Just add a firewall rule to the forward chain which allows all traffic from the boss computer MAC addresses (you may as well put this rule before the “redirect to proxy” rule) and then the last rule has no match criteria (matches all traffic) and action = drop.

Done.

safiullahtariq · May 21, 2015, 9:42pm

Thank you for your guidelines Brother

I was able to block internet and all other services like teamviewer etc.

This is what I did

/ip firewall filter
chain=input action=drop protocol=tcp in-interface=ether11 dst-port=8080 log=no log-prefix=“”

/ip firewall nat

chain=srcnat action=masquerade log=no log-prefix=“”

;;; Admin PC
chain=dstnat action=accept src-mac-address=xxxxxx log=no log-prefix=“”

;;; Admin Mobile
chain=dstnat action=accept src-mac-address=xxxxxx log=no log-prefix=“”

chain=dstnat action=jump jump-target=http_proxy_check protocol=tcp in-interface=ether11 dst-port=80 log=no log-prefix=“”

chain=http_proxy_check action=return src-mac-address=xxxxxxxx log=no log-prefix=“”

chain=dstnat action=redirect to-ports=8080 protocol=tcp dst-port=80 log=no log-prefix=“”

chain=dstnat action=redirect to-ports=8080 protocol=tcp log=no log-prefix=“”

chain=dstnat action=redirect to-ports=8080 protocol=udp log=no log-prefix=“”

Lets hope that this helps someone else too.

Regards,

Safi

jeffzack · July 30, 2015, 4:43am

safiullahtariq:

Thank you for your guidelines Brother

I was able to block internet and all other services like teamviewer etc.

This is what I did

/ip firewall filter
chain=input action=drop protocol=tcp in-interface=ether11 dst-port=8080 log=no log-prefix=“”

/ip firewall nat

chain=srcnat action=masquerade log=no log-prefix=“”

;;; Admin PC
chain=dstnat action=accept src-mac-address=xxxxxx log=no log-prefix=“”

;;; Admin Mobile
chain=dstnat action=accept src-mac-address=xxxxxx log=no log-prefix=“”

chain=dstnat action=jump jump-target=http_proxy_check protocol=tcp in-interface=ether11 dst-port=80 log=no log-prefix=“”

chain=http_proxy_check action=return src-mac-address=xxxxxxxx log=no log-prefix=“”

chain=dstnat action=redirect to-ports=8080 protocol=tcp dst-port=80 log=no log-prefix=“”

chain=dstnat action=redirect to-ports=8080 protocol=tcp log=no log-prefix=“”

chain=dstnat action=redirect to-ports=8080 protocol=udp log=no log-prefix=“”

Lets hope that this helps someone else too.

Regards,

Safi

hi, i need to the same thing as you, can you post your full config? thanks

Henrymark1990 · July 30, 2015, 11:14am

Thanks for your guidance. This might help to solve issue.