Sorry for my English… I have a problem with blocking by Layer 7. I made rules in layer7 (example below) and mangle rules and filter rules (see below). When the computer has the router 192.168.1.1 as DNS it's working perfectly, but if the computer has Google DNS (8.8.8.
Mangle is working, the counters show that they count packets, but the filter rule counters are 0. What did I do wrong? I used that doc for tuning, pages 6-9. Thank you. https://mum.mikrotik.com/presentations/US17/presentation_4241_1496042977.pdf
1 Porn "^.+(porn).*$"
Mangle rules
/ip firewall mangle>
1 ;;; Porn
chain=prerouting action=mark-connection new-connection-mark=porn_conn
passthrough=yes layer7-protocol=Porn protocol=udp connection-mark=no-mark
dst-port=53
2 chain=prerouting action=mark-packet new-packet-mark=porn_packet
connection-mark=porn_conn
/ip firewall filter
1 ;;; Porn deny
chain=forward action=drop packet-mark=porn_packet
2 chain=input action=drop packet-mark=porn_packet
There is no protocol “porn” and such a rule can’t work. Indecent websites do not have the word “porn” in their packets.
This filter is not for website blocking. Most websites use HTTPS/SSL and you can’t filter by keywords.
I didn’t quote all L7 rules; 1 of 3 rules is on the screenshot.
My answer still stands. These words will not be found in packets, so you will not stop any websites.
Layer7 is to stop protocols based on matches in their communications. It is NOT FOR KEYWORDS IN WEBPAGES.
Also, these rules will probably stop your router from operating, since they are very CPU intensive if used in this manner.
I’m not a professional sysadmin, but they are working, and that document shows how to block YouTube and Facebook: https://mum.mikrotik.com/presentations/US17/presentation_4241_1496042977.pdf
It’s working when the local computer uses the router as DNS server.
Layer7
● Layer7-protocol is a method of searching for patterns in ICMP/TCP/UDP streams
● On trigger Layer7 collects next 10 packets or 2KB of a connection and searches for the pattern in the collected data
● All Layer7 patterns available on the Internet are designed to work only for the first 10 packets or 2KB of a connection.
Correct implementation
● /ip firewall mangle
add action=mark-connection chain=prerouting protocol=udp dst-port=53 connection-mark=no-mark layer7-protocol=youtube new-connection-mark=youtube_conn passthrough=yes
add action=mark-packet chain=prerouting connection-mark=youtube_conn new-packet-mark=youtube_packet
● /ip firewall filter
add action=drop chain=forward packet-mark=youtube_packet
add action=drop chain=input packet-mark=youtube_packet
(and same set for facebook)
One highly likely possibility is that Google DNS supports encrypted DNS which many people use (supported in Chrome and Firefox). Like I said, any encrypted traffic will not contain readable words, so this filter will not work.
One question: why is it working when the local machine’s DNS is 192.168.1.1 (the router)?
If that is because of encrypted DNS (search for “DNS over HTTPS” if you want more info), it depends on the browser used. Mozilla’s plan for Firefox was to use some predefined servers. Chrome was planning to keep using the same server but upgrade from standard readable DNS to encrypted DoH if the server supports it. So it could be the answer: RouterOS doesn’t support it, but 8.8.8.8 does.
Btw, I remember an old joke from when the internet was much smaller, a fake advertisement: “For sale, backup of the whole internet! 896 DVDs (or version without porn, 5 DVDs)”. In other words, blocking porn yourself is just a huge waste of time; you’ll block something like 0.0001% of it.
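As an added illustration of the point made in this thread (this is not code from the thread or from MikroTik), here is a small Python model of the mangle rule's match conditions, run over constructed packets: a plain UDP DNS query to the router, the same query sent to 8.8.8.8, and a DNS-over-HTTPS exchange to 8.8.8.8:443. The TLS record is a constructed stand-in and the hostnames are made up; the model shows that the rule marks any plain port-53 query regardless of resolver, while DoH never reaches the regex at all.

```python
import re
from dataclasses import dataclass

# Constructed model of the thread's mangle rule:
#   protocol=udp dst-port=53 layer7-protocol=Porn   with L7 pattern  ^.+(porn).*$
# RouterOS L7 matching is case-insensitive and inspects at most the first 10 packets / 2KB.
L7_PORN = re.compile(rb"^.+(porn).*$", re.IGNORECASE | re.DOTALL)
L7_MAX_BYTES = 2048


@dataclass
class Packet:
    proto: str       # "udp" or "tcp"
    dst_ip: str      # not matched by the rule; kept to make the scenarios explicit
    dst_port: int
    payload: bytes   # connection data as the L7 matcher would see it


def dns_query_wire(hostname: str) -> bytes:
    """Encode a plain DNS A query in wire format: labels are length-prefixed, so the
    hostname text (and any 'porn' in it) appears verbatim in the UDP payload."""
    header = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # id, RD set, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in hostname.split(".")) + b"\x00"
    return header + qname + b"\x00\x01\x00\x01"  # QTYPE=A, QCLASS=IN


def doh_record_stub() -> bytes:
    """Constructed stand-in for a TLS application-data record carrying a DoH query.
    Real ciphertext is just as opaque to the regex; a fixed blob keeps the run deterministic."""
    return b"\x17\x03\x03\x00\x40" + bytes(range(64, 128))


def mangle_marks_connection(pkt: Packet) -> bool:
    """Mirror the rule's conditions in order: udp AND dst-port 53 AND L7 regex on the payload."""
    if pkt.proto != "udp" or pkt.dst_port != 53:
        return False                                   # DoH (tcp/443) never reaches the regex
    return L7_PORN.search(pkt.payload[:L7_MAX_BYTES]) is not None


if __name__ == "__main__":
    # Constructed scenarios from the thread: the same lookup over three resolver paths.
    scenarios = {
        "plain DNS to router 192.168.1.1": Packet("udp", "192.168.1.1", 53, dns_query_wire("porn.example")),
        "plain DNS to 8.8.8.8":            Packet("udp", "8.8.8.8", 53, dns_query_wire("porn.example")),
        "DoH to 8.8.8.8:443":              Packet("tcp", "8.8.8.8", 443, doh_record_stub()),
        "plain DNS, harmless name":        Packet("udp", "8.8.8.8", 53, dns_query_wire("example.test")),
    }
    for name, pkt in scenarios.items():
        print(f"{name:35} -> marked={mangle_marks_connection(pkt)}")
```

Because the rule has no dst-address match, a client sending plain UDP DNS to 8.8.8.8 would still be marked; the case the rule cannot see is a resolver reached over DoH on tcp/443.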