limited and full internet rule

rajeshk · March 14, 2016, 7:27am

Hi i want to configure 3 rules on firewall no internet, limited internet, and full internet on selected ip range

ex: 192.168.0.10-192.168.0.50 full internet (allow all websites)
192.168.0.51-192.168.0.100 limited internet (allow few websites)
192.168.0.101-102.168.0.200 no internet (block all websites)

please help me…

Thanks in Advance

ShayanFiroozi · March 14, 2016, 5:59pm

Hi,
send your network diagram or ROS configuration , it completely depends on how your network configured , routed ? bridged ? your firewall rules and …

ZeroByte · March 14, 2016, 9:26pm

full internet is easy - do nothing different.

no internet is easy:
filter rule:
chain=forward
out-interface=wan
in-interface=no-internet-interface (e.g. ether3)
action=drop

partial internet is going to require transparent proxy to get the desired effectiveness:
enable the web proxy feature and configure the sites you want to allow and block the rest in that section (note that HTTPS sites cannot work with a transparent proxy - at least not the Mikrotik proxy feature)

then redirect http to port 8080, and block port 443:
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 in-interface=ether2 action=redirect to-ports=8080
(use the restricted LAN’s interface where I gave ether2 as an example)

/ip firewall filter
add chain=forward in-interface=ether2 out-interface=wan protocol=tcp dst-port=443 action=drop

ShayanFiroozi · March 14, 2016, 9:47pm

@ZeroByte

We can use IPs or L7 for detecting web sites domain name,although L7 is not a professional feature but in this case could be useful.

What you think about allowing some sites manully and drop the others??

Thank for your reply

ZeroByte · March 14, 2016, 9:56pm

True - but it is indeed very clunky - the proxy gives you much easier control over the websites - down to individual pages within a website - e.g. allows example.com/about.php but blocks example.com/forum.php - or blocks */forum.php - regex against the contents of the first few packets can lead to false positives and false negatives much more easily.

Lastly, it can’t match against SSL connections anyway - because the connection is encrypted before the host headers are sent/received.

I think the easiest method is to force DNS to use a policy-based DNS host like opendns.org where you at least have domain-level control over what gets resolved to IP addresses and what doesn’t. This works fairly well for the web which depends heavily on names.

ShayanFiroozi · March 14, 2016, 10:08pm

Thank you, and I just forgot to mention about your first answer of this post,he’s gonna control over hosts on a same subnet which are connected to the same interface,I think interface based rule doesn’t work here , he should use IPs , am I right??

ZeroByte · March 14, 2016, 10:14pm

Oh wow - I just glossed right over that part didn’t I? Whoops - my “bad practice” filter must’ve caught it…

@rajeshk - you really should put the different policies onto different interfaces - because any user could just put a static IP address on their computer from a range that has no restrictions and bypass your security.

ShayanFiroozi · March 15, 2016, 9:01am

Also if you can not separate your subnets , you can use Bridge firewall and force hosts to use a specific IP address , so if they change their IP address your router will drop their traffic , disadvantage of this method is that you have to set one-by-one MAC address with an IP address for each host in Bridge Firewall