In our company we want to block the Facebook page, so I decided to use a layer 7 protocol. I've put ^(.)(facebook)(.)$ as the regexp value and set these parameters in the firewall.
The rule works perfectly BUT it blocks more pages than Facebook. And some pages are available in Chrome and not in IE or Firefox. Others are available in IE but not in Chrome… and so on… Facebook is blocked in all browsers.
Oh, thank you. Do you think that what I did will work? I pinged the FB page and made that IP a static record in DNS. Then I made rules out of it. I did the same for YouTube and Badoo.
And one more question. I need to block exe and msi files. Is it “safe” to solve it through content?
Hi cbrown. I tested with your rules and it works. But now I want to block YouTube using the dst-address. But which IP should I use? I cannot get it working.
xMikes04, your regex layer7-protocol is OK, but it should be used on DNS requests:
reject DNS packets to any server with dst-port 53 which hit the layer7-protocol.
Also, fbcdn.net should be blocked.
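As an added illustration of the approach cbrown describes (this is my example, not something any poster put in the thread), here is what it looks like in the RouterOS /ip firewall CLI. The protocol name social-dns, the comment text and the exact regexp form are my assumptions; the regexp follows the usual MikroTik ^.+(...).*$ style rather than the one posted above, and the $ is escaped because RouterOS treats a bare $ inside a quoted string as a variable reference.

```routeros
# Added example, not from the thread.
# Match DNS queries whose name contains "facebook" or "fbcdn". The DNS
# wire format carries each label length-prefixed (\x08facebook\x03com),
# so a literal "facebook.com" with the dot would not match the packet;
# the bare words do. Layer7 matching on RouterOS is case-insensitive.
/ip firewall layer7-protocol
add name=social-dns regexp="^.+(facebook|fbcdn).*\$"

# Clients that resolve against an outside DNS server: the query passes
# through the router, so the forward chain sees it. Cover TCP as well,
# since resolvers fall back to TCP for large or truncated answers.
/ip firewall filter
add chain=forward protocol=udp dst-port=53 layer7-protocol=social-dns action=drop comment="drop facebook/fbcdn lookups (UDP)"
add chain=forward protocol=tcp dst-port=53 layer7-protocol=social-dns action=drop comment="drop facebook/fbcdn lookups (TCP)"

# Clients that use the router itself as resolver (allow-remote-requests=yes):
# the query terminates on the router, so the same match must sit in the
# input chain, otherwise the forward rules never see those lookups.
add chain=input protocol=udp dst-port=53 layer7-protocol=social-dns action=drop comment="same, when the router is the DNS server"
add chain=input protocol=tcp dst-port=53 layer7-protocol=social-dns action=drop comment="same, TCP"
```

Two things to check after adding this: the rules must be placed above any general "accept established/related" or "accept from LAN" rule in the same chain, because the first matching filter rule wins; and this only stops name resolution, so a client (or the router's own DNS cache) that already holds an answer keeps using it until the record's TTL expires.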
gmail.com (only for emails), yahoo.com (only for emails)
100.30.20.10 gregsowell.com
ports: 995, 465, 25, 110, and
ports: 8080, 8000 only for internal IP 192.168.1.101
I also have an L2TP+IPsec VPN running on the same router right now…
Everything else from inside the network should be blocked…
ETHER1 → WAN with Fixed IP
ETHER2 to ETHER5 → LAN Bridged Ports (IP RANGE: 192.168.1.150 - 192.168.1.250)
MASQUERADE → ENABLED
I am getting pretty confused with all the above conditions… all help with this is highly appreciated… please help me!!!
Shifting from pure MikroTik wireless to firewalls from MikroTik as an additional service… hence facing hurdles…
Sounds like a company scenario; in such cases I recommend allowing HTTP traffic only via a proxy server. It's much easier to make a URL-based filter for such stuff. For example: to block/allow only parts of the Google services you need to intercept the encrypted HTTPS connection anyway. Some proxies can do that, but your clients need to install and trust the proxy's certificate, otherwise the browsers will complain and show a warning, and that's absolutely correct because technically you're doing a man-in-the-middle “attack”.
I added these and it's blocked, but I want to make an exception for some IPs on the network. Where can I put the addresses that I want to be able to access FB?
I have been trying to block Facebook from our MikroTik router, but till now I just cannot manage. I have tried basically everything, from blocking individual IPs to changing the DNS to point to OpenDNS (which was configured to block social networks) to using the layer7 method. Nothing. I am a bit lost, to be honest, and I am quite new to MikroTik.
We currently have two WLAN networks configured; one is corporate and the other one is a guest network. The guest network is firewalled so that no one can access the corporate LAN.
Well, you can use Squid to block FB, but you have to use a modified version of Squid to do it and you will need a box which can run it. But once you're set up and running it is smooth sailing. The DNS blacklist and layer7 are unreliable, so I use SSL bumping to block FB at my workplace. I have set up two HTTP/HTTPS redirect rules on the RouterBOARD which are controlled via scheduling, and set up filtering on the Squid box based on ACLs which control access. But SSL bumping is illegal, even for Facebook, in most cases, so consult with your legal folks at your company.
Please, I need this type of setup for our network. We want to block Facebook for some staff from 9am (9:00 till 15hrs) but allow it for some systems, using their MAC addresses to exempt them from the Facebook blocking.
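Added example (mine, not from any poster in this thread) showing how the two exception requests here, specific IPs that should still reach FB and specific MAC addresses that are exempt during the 9:00 to 15:00 block, fit around the DNS-drop approach discussed above. The list name fb-allowed, the protocol name social-dns, and every MAC and IP value are constructed placeholders; the time= value is the standard RouterOS filter-rule form. The accept rules have to sit above the drop rule, because filter rules are evaluated top to bottom and the first match wins.

```routeros
# Added example, not from the thread; all MAC and IP values are constructed.
/ip firewall layer7-protocol
add name=social-dns regexp="^.+(facebook|fbcdn).*\$"

# Exempt hosts by IP: keep them in an address list so the rule set does not
# grow by one rule per exception.
/ip firewall address-list
add list=fb-allowed address=192.168.1.101 comment="constructed example host"
add list=fb-allowed address=192.168.1.102 comment="constructed example host"

/ip firewall filter
# 1. Exempt by MAC. This only works where the router sees the client's real
#    source MAC, i.e. on the directly attached LAN bridge, not for traffic
#    arriving over a routed hop or through the L2TP/IPsec VPN.
add chain=forward protocol=udp dst-port=53 src-mac-address=00:11:22:33:44:55 action=accept comment="FB exception by MAC (constructed)"
add chain=forward protocol=udp dst-port=53 src-mac-address=00:11:22:33:44:66 action=accept comment="FB exception by MAC (constructed)"
# 2. Exempt by IP address list.
add chain=forward protocol=udp dst-port=53 src-address-list=fb-allowed action=accept comment="FB exception by IP list"
# 3. Drop matching lookups only between 09:00 and 15:00; the thread gives no
#    weekday restriction, so every day is listed.
add chain=forward protocol=udp dst-port=53 layer7-protocol=social-dns time=9h-15h,sun,mon,tue,wed,thu,fri,sat action=drop comment="block facebook/fbcdn lookups 09:00-15:00"
```

If clients use the router as their resolver, the same three rules are needed in the input chain, since those queries never traverse forward. Because the block acts on DNS lookups rather than on the web connection, a non-exempt host that resolved facebook.com at 08:55 keeps the answer in its cache past 09:00 until the record's TTL runs out; a short DNS cache on the router (/ip dns cache flush, or simply a lower cache-max-ttl) narrows that window but does not touch the clients' own caches.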