We have an issue blocking HTTPS traffic using mikrotik. I would like to ask if the following is possible and please help me build the script.
The screenshot included is the HTTPS traffic that contains client hello for TLS 1.2:
1. if packet destination is port 443
Check if it contains the URL (using ip firewall mangle content) to be filtered (we are expecting that this is an exchange in certificates) , then mark the packet as "allowed"
2. if packet destination is port 80 (we are expecting a regular un-encrypted packet).
Using ip firewall mangle L7. We identify if the URL is allowed to traverse the network, if allowed then we mark the packet as "allowed"
3. if packet arriving/leaving is RELATED and is related to a established session that is marked as "allowed" then mark the packet as "allowed".
4. Using ip firewall filter.
Allow only traffic marked as "allowed". Discard the rest.
Our current problem is that, we cannot use DNS records for specific sites to be blocked because most of our clients like for example, google and youtube are hosted from the same IP address range. If we are going to block the IP from google then youtube will also be blocked.
We cannot also use L7 because it is already running at HTTPS and using the latest version of SSL certificates where the all the content including the GET/POST information is already encrypted.
I need this working without the assistance of transparent proxy. There should be no proxy running in the network as we are ISP that is not allowed to open any traffic for DPI or decryption.
try to update your router to 6.36.3
there is feature in firewall address which you can put the domain name in address list without being resolved and it will create a dynamic address list automatically. from there you may be able to drop or permit specific domain name without being known each and every ip address of that domain.
there is a new feature in RouterOS. you have to update your routeros to fully implement that to version 6.36.3
the feature is to add domain name in address list without the address being resolved. so it will create automatically dynamic address list and you can permit or drop specific domain name without being worried about the ip address
The new version of firmware that uses address list to filter/block sites is not working. Please check the above code if there is something wrong with it.
The trouble is that large scale services like http://www.google.com use an array of addresses to allow for load balancing and high availability by utilising Round-Robin DNS mechanism. This may be based on location, DNS server, client, request sequence, …
Traffic to any of these adresses won’t match the address-list and thus not match the rules. Clients using different name servers or different IPs in their hosts file will easily circumvent your rule.
The only way that I know of to reliably filter this kind of traffic is by using a transparant proxy, because this will actually sit in the middle serving the content.
Using transparent proxy would break the SSL connection. Is there a way to block this?
The SSL client hello contains unencrypted information about the website queried. Is it possible that during SSL client hello session, we follow the communication and whatever communication that originates from SSL client hello will be marked?
Not really. You can block all TCP/UDP 53 traffic to prevent the usage other DNS servers and just rely on your own. A low tech solution would then be to create static A record for the websites you want to block and redirect all traffic at 0.0.0.0.
More intelligent would be if Mikrotik would trigger the refresh/extension of the DNS-based address lists based on resolutions in the local DNS server and/or its cache. As far as I can see, this is currently not the case (it seems to be only triggered once, maybe refreshed at intervals - I don’t know).
Neither will stop the dude with an extremely large hosts file though.
Marking traffic seem a bit complicated for what you’re trying to achieve: block the traffic. Just use the L7 to identify traffic and add the IP to the block list (basically do what you’re trying to accomplish with the DNS-based address-list). But I wouldn’t consider it full proof and in some cases you’ll find the method to be rather course (e.g.: shared servers).
