Layer7 Protocol filter doesn't work right

Hi,

I’m trying to set up access to a bunch of sites and deny all others. I’ve gone the layer7 route, created the list, and it kinda works. What I mean by that is if in the filter rules I set drop traffic, things work, and no sites on that list are allowed. But if I check inverse match (!), nothing works: not allowed, not blocked. My understanding is that by checking that, it should block all others not on that list, thus achieving my goal.

Am I doing something wrong, or does it just not work like that?

The layer 7 firewall won’t work for encrypted https connections. You may spend a lot of time on this and not get a satisfactory result. Your best bet would be to find a different device that’s designed to do content filtering. Fortinet and Sonicwall maybe.

With Mikrotik, the best you may get is applying layer7 to DNS. Set up the firewall to disallow DNS entries to external DNS servers like Google, OpenDNS, etc. Or you can even use a firewall rule to re-address the dest-IP of the DNS query to your own Mikrotik IP. Both Windows and Linux don’t seem to care if a DNS response comes from an IP that’s different from where the request was sent.

I may be wrong, but my guess is that the L7 matcher probably does not wait for all 10 packets or 2kB of data. So if you’re looking for something that’s not there, once it’s not there in the first packet, it no longer matters if it would be, e.g., in the second one. So “not” with L7 is probably useful only for single-packet stuff like DNS. But again, I may be wrong, I didn’t test it.

I didn’t test this either (it seems wrong, but maybe it’s true), but it’s not what happens when you redirect DNS queries to the router’s own resolver. It’s NAT, so it will make sure that the reply packet sent to the client will have the source address used by the client’s request as destination.

I will test this regarding the first packets. It’s true I’ve set the filter on dst port 80/443; I’ll try to filter other protocols too and see how that goes. To be honest, DNS would work too, because if you can’t resolve, you can’t access by name. :slight_smile:

Thank you guys.

You guys are great, I got it working by filtering DNS traffic and using the L7. Requests are blocked, so you can’t resolve sites not included in the regexp.
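A model of the DNS allow-list described in the replies above (L7 regexp on UDP/53 queries, with the rule's inverse flag), as an added example that is not code from the original thread or from MikroTik. It builds a constructed DNS query in wire format and applies the regexp the way an L7 matcher sees the payload: each label is prefixed by a length byte, so the `.` between labels in the pattern matches that byte, not a literal dot. Domain names, the rule semantics (`drop` when the match condition holds, `!` inverting it) and case-insensitive matching are assumptions made for the example; `ALLOW_REGEXP_TIGHT` uses a `\x00` escape that is shown here only for the Python model, so check your RouterOS version accepts the same syntax before copying it.

```python
"""Model of an allow-list layer7 regexp applied to DNS queries (added example)."""
import re
import struct

# Allow-list pattern as it would be entered under /ip firewall layer7-protocol.
# The matcher sees raw payload bytes: in DNS wire format every label is prefixed
# by its length byte, so the '.' in "example.com" matches that byte (\x03 before
# "com"), not an ASCII dot. Domains are made up for the example.
ALLOW_REGEXP = rb"^.+(example.com|intranet.test).*$"

# Tighter variant (assumption: your matcher accepts the \x00 escape): require the
# root label that terminates the QNAME, so "example.com.attacker.invalid" no
# longer passes as a substring match.
ALLOW_REGEXP_TIGHT = rb"^.+(example.com|intranet.test)\x00.*$"


def build_dns_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed standard A query (RD set) for `name`, in DNS wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 1 question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # IN class


def l7_matches(regexp: bytes, payload: bytes) -> bool:
    """Apply the regexp to the first 2 kB of payload as opaque bytes.

    A DNS query fits in one packet, which is why this works for DNS and is
    unreliable for multi-packet HTTP/HTTPS. Case-insensitive by assumption.
    """
    return re.search(regexp, payload[:2048], re.IGNORECASE | re.DOTALL) is not None


def filter_verdict(payload: bytes, inverse: bool, regexp: bytes = ALLOW_REGEXP) -> str:
    """Verdict of a rule like:
    chain=forward protocol=udp dst-port=53 layer7-protocol=allow action=drop
    Without '!' it drops queries that match (blocks the listed names);
    with '!' it drops queries that do NOT match (blocks everything else).
    """
    matched = l7_matches(regexp, payload)
    return "drop" if matched != inverse else "accept"


if __name__ == "__main__":
    for qname in ("www.example.com", "tracker.invalid", "example.com.attacker.invalid"):
        pkt = build_dns_query(qname)
        print(f"{qname:32} loose/!: {filter_verdict(pkt, True):6} "
              f"tight/!: {filter_verdict(pkt, True, ALLOW_REGEXP_TIGHT)}")
```

Run as-is and the loose pattern accepts `www.example.com` and drops `tracker.invalid` when the inverse flag is set, which is the behaviour the thread ended up with; it also accepts `example.com.attacker.invalid`, because the pattern is an unanchored substring match, while the tight pattern drops it. As the later reply notes, none of this stops a client that resolves names elsewhere or uses a hosts file, since no DNS query ever crosses the router.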

Not entirely true: you can look up addresses elsewhere, put them in the hosts file, and connect just fine. :wink:

As a principle, of course, you are right, but my users don’t have access to change the hosts file; I doubt they even know about it.
You adapt to your target audience; if you expect “resistance”, buy a more advanced or specialized device. :slight_smile:))