Policy to block website in Mikrotik increase CPU

mukeshchaubey · September 5, 2019, 5:48am

Hi
Can you let us know what is the best way to block website .we are running ISP and traffic is 2Gbps+1G Peering with a number of customers is approx 2000 (public hotspot )+ home customer 2000 .we are using Mikrotik ccr 1072 and using third party Radius server for AAA .we have approx 100+ list of ip or website name which we want to block .but when we enable it .cpu utilization increase and slow internet browsing experience . I have gone through sum MUM video online at youtube .but that doesn’t help us.

Please share me one simple step or example of how to make policy.
Waiting for quick support .thanks

sebastia · September 5, 2019, 6:41pm

what is the /tool profile indicating?
could you share details on how the blocking works?

mukeshchaubey · September 6, 2019, 4:22am

find the policy how we are blocking

/ip firewall filter
add action=drop chain=forward dst-address-list=DoT-block

/ip firewall address-list

add address=xmovies8.com list=DoT-block
add address=xmovies8.ru list=DoT-block
add address=xmovies8.tv list=DoT-block
add address=downloadhub.lol list=DoT-block
add address=downloadhub.ws list=DoT-block
add address=downloadhub.ind.in list=DoT-block
add address=downloadhub.wiki list=DoT-block
add address=downloadhub.biz list=DoT-block
add address=downloadhub.net.in list=DoT-block
…so on…
approx 100 such policy

let me know -is it the right way to block the websites or not

DummyPLUG · September 6, 2019, 5:20am

I found this method is not reliable when the TTL is just a few second, routeros didn’t update the ip fast enough for these domain and will not block them sometime.

mukeshchaubey · September 6, 2019, 7:47am

what is the /tool profile indicating?
could you share details on how the blocking works?

find the policy how we are blocking

/ip firewall filter
add action=drop chain=forward dst-address-list=DoT-block

/ip firewall address-list

add address=xmovies8.com list=DoT-block
add address=xmovies8.ru list=DoT-block
add address=xmovies8.tv list=DoT-block
add address=downloadhub.lol list=DoT-block
add address=downloadhub.ws list=DoT-block
add address=downloadhub.ind.in list=DoT-block
add address=downloadhub.wiki list=DoT-block
add address=downloadhub.biz list=DoT-block
add address=downloadhub.net.in list=DoT-block
…so on…
approx 100 such policy

let me know -is it the right way to block the websites or not

I found this method is not reliable when the TTL is just a few second, routeros didn’t update the ip fast enough for these domain and will not block them sometime.

Please suggest me best practices to block. i have list of ip address detail - plz help me how to block .share me one sample. I am new in Miktortik field .
Thanks

mukeshchaubey · September 9, 2019, 10:51am

Hi

Please support me. How I can block the website so that my Mikrotik ccr 1072 CPU utilization remail normal.waiting for response

R1CH · September 9, 2019, 11:16am

Redirect DNS to local DNS and then filter at DNS server.

Note that blocking 100% is impossible.

pe1chl · September 9, 2019, 1:29pm

DNS over HTTPS that is now being introduced (enabled by default) in webbrowsers will end that possibility…

pe1chl · September 9, 2019, 1:34pm

Please show the entire forward chain. Are you using connection tracking? Is the rule placed after the “accept established/related” rule?
Note that such rules are expensive without connection tracking, because they have to be evaluated for each and every packet.

mukeshchaubey · September 10, 2019, 2:20am

Hi All
below are the configuartion I have done . let me know if more need to do or how to do ? thanks

/ip firewall filter
add action=drop chain=forward dst-address-list=DoT-block

/ip firewall address-list

add address=xmovies8.com list=DoT-block
add address=xmovies8.ru list=DoT-block
add address=xmovies8.tv list=DoT-block
------------------100 such sites

mukeshchaubey · September 10, 2019, 8:51am

Hi All

share me any link where I can find best way to block websites but it should not increase the CPU and also work fine.

pe1chl · September 10, 2019, 11:45am

I’m afraid there is no such link!
When you “need to block websites” the best advise is to close down your network.
That will create the best overal happiness amongst users and administrators.

mukeshchaubey · September 10, 2019, 3:02pm

thanks for wonderful advice

Sob · September 10, 2019, 3:41pm

What’s the rest of your firewall rules?

mukeshchaubey · September 12, 2019, 10:51am

I am sharing sample of my router configuation --plz check and support me for any mistake there … currently i have done such configuration which has been enabled now in live network .some websites even get open (i have check that website ip are not getting changed ) .
2nd question :- will it work fine and configuration is correct

/ip firewall address-list

add address=abcd.com list=DoT-block
add address=xyz.ru list=DoT-block

/ip firewall filter
add action=drop chain=forward dst-address-list=DoT-block log=yes

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=DoT-block new-routing-mark=block-website passthrough=yes

Thanks

Sob · September 12, 2019, 12:17pm

Your mistake is sharing only few rules, because the rest matters too. But the mangle rule does show the problem, you’re checking the list for every single packet. So of course it’s going to be slow. You need to check the list only for new connections, mark them and don’t check the list again, something like:

/ip firewall mangle
add chain=prerouting connection-state=new dst-address-list=DoT-block action=mark-connection new-connection-mark=block-website passthrough=yes
add chain=prerouting connection-mark=block-website action=mark-routing new-routing-mark=block-website

Or if you’re using firewall filter (it doesn’t make sense to have both), you need to check the list only once, which is best done when you start your firewall with:

/ip firewall filter
add chain=forward connection-state=established,related,untracked action=accept
add chain=forward connection-state=invalid action=drop

and then you add other rules after these, so only new connections will get to them.

mukeshchaubey · September 12, 2019, 4:24pm

Your mistake is sharing only few rules, because the rest matters too. But the mangle rule does show the problem, you’re checking the list for every single packet. So of course it’s going to be slow. You need to check the list only for new connections, mark them and don’t check the list again, something like:
/ip firewall mangle
add chain=prerouting connection-state=new dst-address-list=DoT-block action=mark-connection new-connection-mark=block-website passthrough=yes
add chain=prerouting connection-mark=block-website action=mark-routing new-routing-mark=block-website
Or if you’re using firewall filter (it doesn’t make sense to have both), you need to check the list only once, which is best done when you start your firewall with:
/ip firewall filter
add chain=forward connection-state=established,related,untracked action=accept
add chain=forward connection-state=invalid action=drop
and then you add other rules after these, so only new connections will get to them.

Thanks …extremely sorry for my mistake …I have noted for future post