I’m a novice in MikroTik and on this forum… I hope that this post is posted in the right place. I’m looking for options to block streaming from the internet on my network; for the moment the best option that I found is this:
The quote is too low and is a way to block this service on my LAN from the internet. But I have two issues:
a) With these L7 I don’t know why it is applied to Google; if I try to go to google.com it is impossible when this queue is enabled. Does anyone know why, or how I can solve it?
b) This rule works for some streaming (YouTube, some local internet TVs) but does not work, for example, on some porn websites or online streaming films. Does anyone know another way to block all the streaming?
I created a transparent proxy and tried to add a block for downloading files, but this doesn’t work.
I would appreciate some link or information about it, because my knowledge is limited and I don’t know exactly what I must do. Is it possible that the problem of blocking streaming or files is due to sites encrypting connections with HTTPS?
Can nobody help me? Maybe we can find another solution.
I have a web proxy configured on MikroTik and I must block all the streaming media but without blocking Google or Google captcha. Please, can someone offer me some kind of information?
The reason that this is not working anymore although you may find articles from the past that direct you to do it this way:
Today most of the internet (including traffic to/from Google) is encrypted (HTTPS).
You can no longer inspect traffic going through your router this way.
It’s best to just throttle individual users and let them choose if they want to try throttled streaming or regular browsing. As pe1chl says, most stuff is encrypted these days so ugly L7 hacks are just going to destroy your CPU for no benefit.
Thank you for the response. Then, isn’t there any option to decrypt this before the user’s browser? Because I must block several porn sites and others; it is for the LAN of a school and I must protect the LAN…
Use a DNS service that can do category blocking, e.g. OpenDNS.
It will of course not work against the determined offender.
It is easy to formulate requirements like “I must block” but in fact it is almost impossible to implement them.
And part of that is because parties like Google strive for an internet that cannot be so easily manipulated by states, network administrators, etc.
Well, I can provide OpenDNS from MikroTik to the students and filter all that I want. But they can easily change the DNS servers on their devices and it is open again…
I can’t control the students’ devices… Is it possible to force the OpenDNS servers for their devices? I mean, if they change the DNS servers on their devices manually, can MikroTik force them to use OpenDNS? Is this possible?
I already told you: It will of course not work against the determined offender.
You can of course do a dst-nat rule that redirects all outgoing DNS requests to your own router, which again forwards them to OpenDNS.
But, your users can use some “dnscrypt” software or use a VPN.
This will be a battle, a battle that you are going to lose. What you want to do is actually not possible. At least not 100%.
OK, but we can limit the users’ use of this. Can you please tell me how this dst-nat rule works that redirects all outgoing DNS requests to your own router, which again forwards them to OpenDNS?
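
The dst-nat redirect described in the reply above, written out as RouterOS commands. This is an added example, not a post from the thread; the interface names `bridge-lan` and `ether1-wan` are assumptions to replace with your own, and the two resolver addresses are the public OpenDNS servers.

```routeros
# Added example. Interface names are assumed: bridge-lan = student LAN,
# ether1-wan = internet uplink.

# 1. The router answers DNS for the LAN and forwards every query to OpenDNS.
/ip dns
set servers=208.67.222.222,208.67.220.220 allow-remote-requests=yes

# 2. Any DNS query leaving the LAN for another resolver (for example one
#    set by hand on a student device) is redirected to the router's own
#    resolver. DNS uses both UDP and TCP on port 53, so both are covered.
/ip firewall nat
add chain=dstnat in-interface=bridge-lan protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS to router (udp)"
add chain=dstnat in-interface=bridge-lan protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS to router (tcp)"

# 3. allow-remote-requests=yes makes the router answer on every interface.
#    Drop DNS arriving from the internet so it is not an open resolver.
#    These rules must sit above any rule that accepts input from the WAN.
/ip firewall filter
add chain=input in-interface=ether1-wan protocol=udp dst-port=53 \
    action=drop comment="no DNS service towards WAN (udp)"
add chain=input in-interface=ether1-wan protocol=tcp dst-port=53 \
    action=drop comment="no DNS service towards WAN (tcp)"
```

The packet counters on the two NAT rules (`/ip firewall nat print stats`) show how many queries were aimed at other resolvers. As the reply says, DNSCrypt software and VPNs do not use plain port 53, so these rules do not catch them.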