My scenario

Hello, in my particular setup, I manage five distinct user groups on a MikroTik Internet server. The first group is permitted to access only social media websites, while the second group can only access news websites. The third group is restricted to searching websites exclusively. The fourth group enjoys unrestricted access to all websites without any exceptions. On the other hand, the fifth group can access all websites except for abc.com and xyz.com. Furthermore, each group is allocated a specific IP address from the 10.0.1.1/24 range.

What issues can be identified in the provided settings according to the scenario I described?

# nov/03/2023 02:24:03 by RouterOS 6.48.6
# software id = 4HMU-WCSF
# model = 750GL
# serial number = 3B050234C0C5
/interface ethernet
set [ find default-name=ether2 ] name=LAN
set [ find default-name=ether1 ] name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add disabled=no interface=LAN lease-time=1h name=dhcp1
/ip hotspot profile
add dns-name=www.1.com hotspot-address=10.0.1.1 login-by=mac,http-chap,https,http-pap name=hsprof1
/ip hotspot user profile
set [ find default=yes ] shared-users=unlimited
/ip pool
add name=hs-pool-2 ranges=10.0.1.2-10.0.1.220
add name=social-media-pool ranges=10.0.1.2-10.0.1.30
add name=news-sites-pool ranges=10.0.1.33-10.0.1.62
add name=search-engines-pool ranges=10.0.1.65-10.0.1.94
add name=allowed-sites-pool ranges=10.0.1.97-10.0.1.126
add name=blocked-sites-pool ranges=10.0.1.129-10.0.1.158
/ip hotspot
add address-pool=hs-pool-2 addresses-per-mac=unlimited disabled=no interface=LAN name=hotspot1 profile=hsprof1
/ip hotspot user profile
add address-list=social-media address-pool=social-media-pool name=social-media shared-users=unlimited
add address-list=news-sites address-pool=news-sites-pool name=news-sites shared-users=unlimited
add address-list=search-engines address-pool=search-engines-pool name=search-engines shared-users=unlimited
add address-list=allowed-sites address-pool=allowed-sites-pool name=allowed-sites shared-users=unlimited
add address-list=blocked-sites address-pool=blocked-sites-pool name=blocked-sites shared-users=unlimited
/lora servers
add address=eu.mikrotik.thethings.industries down-port=1700 name=TTN-EU up-port=1700
add address=us.mikrotik.thethings.industries down-port=1700 name=TTN-US up-port=1700
add address=eu1.cloud.thethings.industries down-port=1700 name="TTS Cloud (eu1)" up-port=1700
add address=nam1.cloud.thethings.industries down-port=1700 name="TTS Cloud (nam1)" up-port=1700
add address=au1.cloud.thethings.industries down-port=1700 name="TTS Cloud (au1)" up-port=1700
add address=eu1.cloud.thethings.network down-port=1700 name="TTN V3 (eu1)" up-port=1700
add address=nam1.cloud.thethings.network down-port=1700 name="TTN V3 (nam1)" up-port=1700
add address=au1.cloud.thethings.network down-port=1700 name="TTN V3 (au1)" up-port=1700
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=10.0.1.1/24 interface=LAN network=10.0.1.0
add address=192.168.1.1/24 disabled=yes interface=WAN network=192.168.1.0
/ip dhcp-client
add disabled=no interface=WAN
/ip dhcp-server lease
add address=10.0.1.130 client-id=1:18:A9:05:C4:BF:DB mac-address=18:A9:05:C4:BF:DB server=dhcp1 use-src-mac=yes
/ip dhcp-server network
add address=10.0.1.0/24 comment="hotspot network" gateway=10.0.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=facebook.com list=social-media
add address=twitter.com list=social-media
add address=instagram.com list=social-media
add address=cnn.com list=news-sites
add address=bbc.com list=news-sites
add address=nytimes.com list=news-sites
add address=google.com list=search-engines
add address=bing.com list=search-engines
add address=yahoo.com list=search-engines
add address=10.0.1.97-10.0.1.126 list=allowed-sites
add address=abc.com list=blocked-sites
add address=xyz.com list=blocked-sites
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=forward dst-port=80,443 in-interface=LAN protocol=tcp src-address-list=allowed-sites
add action=accept chain=forward dst-port=80,443 in-interface=LAN protocol=tcp src-address-list=blocked-sites
add action=drop chain=forward dst-port=80,443 in-interface=LAN protocol=tcp src-address-list=social-media
add action=drop chain=forward dst-port=80,443 in-interface=LAN protocol=tcp src-address-list=news-sites
add action=drop chain=forward dst-port=80,443 in-interface=LAN protocol=tcp src-address-list=search-engines
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.0.1.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.0.1.0/24
/ip hotspot user
add name=admin
add address=10.0.1.2 name=1 profile=social-media
add address=10.0.1.60 name=2 profile=news-sites
add address=10.0.1.70 name=3 profile=search-engines
add address=10.0.1.100 name=4 profile=allowed-sites
add address=10.0.1.130 mac-address=18:A9:05:C4:BF:DB name=5 profile=blocked-sites
/ip route
add distance=1 gateway=192.168.1.1
/radius
add address=192.168.1.60 secret=atoqa service=ppp,hotspot timeout=3s
/radius incoming
set accept=yes port=1700
/system clock
set time-zone-name=Africa/Cairo
/system gps
set set-system-time=yes
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set WAN disabled=yes display-time=5s
set LAN disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
set ether4 disabled=yes display-time=5s
set ether5 disabled=yes display-time=5s
/tool user-manager database
set db-path=user-manager
/user aaa
set default-group=full interim-update=1m use-radius=yes

Impossible with your router, don't even think about it.
You will need to spend money on another device with yearly subscriptions and even then no guarantees.

Well, the requirements are not clear enough so I would not write “impossible”. It depends on what the OP is ready to accept in terms of manual setup work, both false positives / false negatives and maintenance work. I however agree that doing it only with the device listed in his configuration is “impossible” and that it probably is a waste of time.

If OP has a spare device to run external services, and if the IPs of different groups of users are well known, and if he accepts running multiple local DNS servers (pihole for instance) on this device and accepts managing the list of domains himself (i.e. the list of allowed / blocked domains) and accepts filtering out DoH servers (I know that's a lot of "if and if"), it could be done as follows, only for the cost of powering the spare device + some scripting and configuration tasks.

  1. Have a cron job on the spare device to scrape regularly an up-to-date list of DoH servers and dig their respective IPs, connect to his Mikrotik device to add the list of IPs as an address-list
  2. Have a firewall rule on the Mikrotik device to reject any access to the DoH servers listed in the address list from all groups except group 4 (risk: false positives related to CDNs on these IPs).
  3. Have multiple pihole instances listening on different ports on the spare device, each instance meant to be dedicated to a group of users
  4. Have dst-NAT rules for DNS/DoT to redirect DNS requests from clients to the local PiHole instance corresponding to the group of the client
  5. For group 1 instance, have whitelist regex rules for each allowed social media website with wildcard for subdomains (good luck: you'll also have to add CDNs where scripts are located… and does the OP really want to forbid access to the urls linked in the posts/tweets, etc., so this should probably be rewritten as a blacklist rule to the news/search engines instead)
  6. For group 2 instance, same as above for news (and again it should rather be a blacklist to search engines and social media)
  7. For group 3 instance, looks like the same as the previous point but with search engines only, but then I do not understand the purpose as once searched I guess the OP wants the users to be able to “visit” found websites… So the OP should rather re-write his requirement as a blacklist of news and social media instead
  8. For group 4, this should be a “standard DNS server”
  9. For group 5, this should be a standard DNS server with only blacklist regexps

So it “is possible”, but frankly… why do this? This is not scalable, requires maintenance and if users have full control of their own devices they are able to configure a DoH server somewhere outside the network and use it instead without the OP even knowing about it.

Sorry kraal, disagree: the requirements, even with what you noted, are not possible. Regex cannot be used any longer to stop social media and websites; layer7 as implemented on this router is dated.

But maybe the requirement is to define fixed hosts in an address list per some sites group and allow traffic only to them per hotspot client group. If that is the case it seems doable, just a correct setup is needed. E.g. for each hotspot client group there must be its own address list, and firewall rules are needed to just allow traffic from that list to the sites group address list… Blocking will be per IP ofc; if all sites (all hosts on domain and subdomains per site, this needs DNS digging…) are resolved correctly in the address list it should work.
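The setup sketched in the post above (a client list per group, accept only towards that group's site list, drop the rest) together with kraal's DoH block and per-group DNS redirect, written out in RouterOS 6 syntax for group 1. This is an added illustration, not the OP's export and not code from any poster; the client range and site names are taken from the OP's export, while the list names, the PiHole at 10.0.1.250 on port 5301 and the group-4 list are assumptions.

```routeros
# Added example (not the OP's export, not any poster's code). RouterOS 6 syntax,
# shown for group 1 only; every other group gets the same three pieces with its own lists.
# From the OP's export: client range 10.0.1.2-10.0.1.30 and the three social media names.
# Assumed: list names, a PiHole instance on 10.0.1.250 serving group 1 on udp/tcp 5301.

/ip firewall address-list
# Who: the client range lives in a list of its own. A hotspot user profile's
# address-list= also adds every logged-in client IP to the named list, so that list
# must never double as the destination (site) list, or "who" and "where" merge.
add address=10.0.1.2-10.0.1.30 list=grp1-clients comment="group 1 clients"
add address=10.0.1.97-10.0.1.126 list=grp4-clients comment="group 4 clients, unrestricted"
# Where: FQDN entries are resolved by the router's own resolver and re-resolved as
# their TTL expires, so the list only ever holds what that resolver returns.
add address=facebook.com list=social-media-sites
add address=twitter.com list=social-media-sites
add address=instagram.com list=social-media-sites
# kraal's step 1 fills this list from the spare device; constructed placeholder entry.
add address=192.0.2.53 list=doh-servers comment="placeholder, replaced by the cron job"

/ip firewall filter
# Order matters: accept the listed destinations first, then drop the group's remaining web traffic.
add chain=forward src-address-list=grp1-clients dst-address-list=social-media-sites \
    protocol=tcp dst-port=80,443 action=accept comment="grp1: allowed sites"
add chain=forward src-address-list=grp1-clients protocol=tcp dst-port=80,443 \
    action=drop log=yes log-prefix="grp1-denied" comment="grp1: drop and log the rest"
# kraal's step 2: encrypted DNS is refused for every group except group 4, otherwise the
# redirect below is simply bypassed. Watch the log for CDN false positives before tightening.
add chain=forward src-address-list=!grp4-clients dst-address-list=doh-servers \
    protocol=tcp dst-port=443 action=reject reject-with=tcp-reset comment="no DoH for filtered groups"
add chain=forward src-address-list=!grp4-clients protocol=tcp dst-port=853 \
    action=reject reject-with=tcp-reset comment="no DoT for filtered groups"

/ip firewall nat
# kraal's step 4: plain DNS from group 1 lands on the PiHole instance dedicated to it.
add chain=dstnat src-address-list=grp1-clients protocol=udp dst-port=53 \
    action=dst-nat to-addresses=10.0.1.250 to-ports=5301 comment="grp1 DNS to pihole 1"
add chain=dstnat src-address-list=grp1-clients protocol=tcp dst-port=53 \
    action=dst-nat to-addresses=10.0.1.250 to-ports=5301 comment="grp1 DNS to pihole 1"
# Caveat: an active hotspot inserts its own dynamic dstnat rules ahead of the static ones
# and redirects client DNS to the router itself. Check '/ip firewall nat print where dynamic'
# and confirm with '/ip firewall nat print stats' that the two rules above actually count packets.
```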

I never wrote to use regexp on the router. I wrote to use multiple pihole DNS server instances, one for each group, each using different port, dst-NAT DNS requests to these instances, and use different “blacklist regexp” on each pihole instance to block forbidden websites…

Anyway.

Edit: @anav did you even read my previous post entirely? I don’t think so…

Expressing our gratitude to Mr. @anav, Mr. @kraal, and Mr. @optio for their contributions.

Does the judgment on the opinion change when the MikroTik server operates within an ESXi virtual environment alongside the Radius Manager system installed on an Ubuntu server with 7 CPU cores and 16 GB of RAM?