Monitor Users Web activity

Hello.

I bought my first Mikrotik rb1100 and installed it in a small office. I was wondering how I can monitor all the users' Web activity (what websites they are visiting, how many times they are visiting a website, for how long, etc.). Should I be using the hotspot config?

Also, how can I block certain websites for certain users and allow them for others?

Would appreciate the advice and a step-by-step guide since I’m new to Mikrotik.

Cheers.

I just went through this setup myself. If you are a complete newbie, it might be too much to handle.

But in a nutshell, it is done via the logging capabilities of Mikrotik, and there are 2 ways to approach it. And you don’t get any kind of “reporting” with stats, etc. out of Mikrotik. Mikrotik has all the tools to help you collect data. Visualizing/analyzing/reporting is on you (other software).

  1. Reverse proxy. Enable reverse proxy (millions of tutorials) and log data. It will give you all HTTP (unsecured) traffic. You will be able to see exact URLs.
    It’s nice because you can tell from the URL what it is.
    It’s bad because SSL (HTTPS) will not be there. And more and more sites use HTTPS.

  2. Forward packets to “Log” on firewall level. This will give you IP from and IP to info. So it’s very detailed. ALL activity will be captured.
    It’s nice because every single packet is captured.
    It’s bad because:
    a. You need to look up IPs. For internal addresses it’s easy (I assume you know which PC uses which IP).
    b. You need to look up IPs. For external addresses it’s pretty much impossible. You can use DNS lookups, but it will give you s1.amazonses.com instead of www.someinterestingsite.com. There will be a LOT of IPs.

If you do not need the full URL, you can log DNS requests, and you then see all sites requested.

Alright, so how do you go about getting https traffic?

All I want is:

src-address/hotspot username | dst-address/website | timestamp

Surely there must be a way to track https URLs. Not for one moment can I imagine that https URLs are untraceable.

Mac | dst url

That should be possible?

Can’t be done, unless you play “man-in-the-middle” with a wildcard certificate, so that you can decrypt the traffic.

That’s because for any request / response flowing over the connection, an SSL socket is set up and used for communication. So all you CAN see is the DNS / IP of the other side, not the URL, not the traffic.

edit: corrected language

We do use https://www.forcepoint.com/ as a man in the middle to examine all URLs at our work.
To make this work, all computers need a digital certificate from Forcepoint on our PCs.
This is not something you can do if you do not have control over the equipment.

This you can do yourself, using squid proxy. However, it needs quite some expertise for correct setup.
However: Does Forcepoint work with ALL domains? (facebook, google …)
Just thinking about pinned certs …

What about SNI? Don’t most clients advertise the hostname via SNI outside of the TLS envelope? It maps to tls-host in Mikrotik, doesn’t it? Is there a way to monitor that?

Using squid: YES.
I did that for “Parental Control”, for a commercial product.

Please, I am facing a problem controlling AD users after RADIUS integration between Windows Server and Mikrotik, so I need to transfer users to User Manager. How can I do that, please?

Yes it does.

But there are some domains that are whitelisted, like banking etc.
Also, if you try to install an app on your computer that does rely on HTTPS, it will not work without being whitelisted.
E.g. Ultrasurf ++