hello Friends,
I am faced with this challenge to set up a network using MikroTik in an office environment, where we have to block and restrict the use of Facebook and YouTube streaming in the network. This is because the limited available bandwidth will not be enough for all the staff, assuming they start streaming some online movies and videos, especially from YouTube.
Please, your guided help is needed as urgently as possible.
I have tried this but it seems not to be working, yet some sites like Yahoo Mail are not opening very well.
This is the script I used,
(This will block youtube and other video playback in mikrotik)
This is a lost case!
What you constructed will slow down any connection that has those words in it (including visiting this thread
on the forum), but it will do nothing for youtube because that is all https now so you cannot look in its content.
Tell your boss that it is not going to happen. You need either a directive towards the personnel that it is not
allowed to do these things over the office network (with corresponding sanctions to offenders), or you need
more bandwidth so that it will allow this usage.
OpenDNS will work with USB/3G connection. However I think you have to have a public static IP in order to have an account to filter websites you define.
Sticking websites you wish to block in the static DNS of the Mikrotik with IP resolving to 0.0.0.0 will block them. But to make time restrictions work, you’d need to learn a little Mikrotik scripting.
I consider only Facebook, but it can be used also for YouTube.
Identify all the common Facebook addresses using this list: http://www.armabloggin.com/facehost.php (but it really is not the full list; for example some sites like fbcdn.net are missing)
This list is from one user who tried to help other users BYPASS the block of Facebook, but really it helps us to block it…
My method works until the user uses a VPN or an external proxy.
Any attempt to bypass the block by changing the DNS or contacting the IPs directly is useless…
Create an address list in the firewall called “allowed_ip_AD” with the IPs of the devices you want to allow to use Facebook, YouTube, etc.
Add this to the firewall and move the rules to the top (the rule is valid from “monday” to “friday”; change it if the time is different, or duplicate it for Saturday if the working hours are different):
This really isn’t possible anymore, certainly with those big players.
They have more servers than you care to put in a list you have to maintain, and even worse: there is nothing that
prevents them from serving different types of content from the same CDN with the same IP address, so blocking by
IP is going to block unwanted things as well.
Interesting that you add Facebook in the mix, because they have done something very “clever” to avoid blocking:
they try to get all kinds of sites and services to use their authentication mechanism (“login using your Facebook account”)
and they run this auth service on the same IP addresses, yes even on the same domain name, as their main site.
So, when you block Facebook on your network, at the same time you block a lot of other services like Prezi etc.,
and in no-time you have the users whining that they cannot work because Facebook is blocked.
With Youtube there is less of this particular problem, but you still have the problem that they share the CDN with others.
I understand, but actually I do not see any shared IP used by Facebook with another stand-alone service.
This is different for YouTube, which rarely, sometimes, shares the IP with some ADvertising from Google (ehm… did you notice “lista_ip_AD”? It all started to block as many ADvertisers on the web as possible***).
If you want to use Prezi, use the normal login or log in with LinkedIn instead of the Facebook login.
*** It is like when you call a plumber for some reason: when he comes to your house he also comes with some promoters, without ADvertising it to you before…
There is one way it can be done: set up an SSL proxy and place a redirect rule which activates at working hours and disables after. Well, that is what I use, but messing with SSL can be intrusive; you might want to check it legally where you live and get it written into company policy. Well, hope it provides an idea where to start.
Yes, you can set on MikroTik the hours where you want to send queries to OpenDNS; at the hours without restriction you can change the rules on MikroTik to send DNS queries to another DNS without restriction.
Hello all,
Thanks for your inputs, Solar77 and others,
The above code: where do you put it and how do you implement it in MikroTik?
I mean the L7 filter, mangle and other commands that are linked to it, so that I can try it and give feedback. This is very important as people are required to concentrate on their work from 8:00 - 16:00, but can do their Facebooking and YouTube after those working hours.
Please note again: L7 filters DO NOT WORK ANYMORE.
They are a thing of the past, that worked before these services went to https.
You should not keep copying solutions from the past to the situation of today.
Actually the L7 rule on DNS may work well enough, and minimal scripting to enable/disable the firewall rule will get you your time restrictions.
In IP > Firewall > Layer 7 Protocols, create an entry with name BlockedSites and Regexp of:
^.+(facebook|youtube|iplayer).*$
Next go to Filter Rules, create two rules and move them to the top.
Chain=Input, Protocol=17 (UDP), Dst. Port=53, Layer 7 Protocol=BlockedSites, Action=drop
The first rule is for PCs that query the router for DNS. The second rule is for those that try to query an outside DNS server.
When testing, your PC may cache DNS, so to actually test these rules you have to clear your DNS cache. On Windows go to the command prompt and type ipconfig /flushdns
Next create a schedule to enable the rules at 8am with script:
/ip firewall filter enable numbers=0
/ip firewall filter enable numbers=1
Then create a schedule to disable the rules at 4pm with script:
/ip firewall filter disable numbers=0
/ip firewall filter disable numbers=1
Note that the “numbers=0” must correspond with the # in firewall filter rules.
Because we’re blocking DNS requests, this will block both HTTP and HTTPS. A user can still add entries to his HOSTS file to get around this type of blocking. But most users won’t know how to do that and for the purposes of reducing bandwidth during the day, this may work fine enough.
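The procedure from the post above (L7 matcher on DNS, two drop rules, a scheduler that enables them at 8am and disables them at 4pm), written out as RouterOS CLI so it can be pasted into a terminal. This is an added example, not code from any post in this thread and not MikroTik's own documentation. Assumptions not stated on the page: the second filter rule uses chain=forward, both rules carry a comment so the scheduler can find them by comment instead of by rule number, and the “allowed_ip_AD” address list from the earlier post is used to exempt a few hosts; the IP addresses in it are constructed samples.

```routeros
# Added example, not from the thread: the DNS-level block as RouterOS CLI.
# Assumed (not on the page): chain=forward for the second rule, comment-based
# lookup of the rules, and an "allowed_ip_AD" exemption list with sample IPs.

# 1. The Layer 7 matcher from the post. RouterOS expands $ inside double quotes,
#    so the trailing anchor is escaped as \$.
/ip firewall layer7-protocol add name=BlockedSites regexp="^.+(facebook|youtube|iplayer).*\$"

# 2. Hosts allowed to keep using these sites during working hours (constructed sample IPs).
/ip firewall address-list add list=allowed_ip_AD address=192.168.88.10 comment="reception PC"
/ip firewall address-list add list=allowed_ip_AD address=192.168.88.11 comment="director laptop"

# 3. Drop matching DNS queries (UDP/53 only, as in the post).
#    input chain: clients that use the router itself as resolver.
#    forward chain (assumed): clients that query an outside resolver directly.
#    Both are created disabled; the scheduler switches them on during working hours.
/ip firewall filter add chain=input protocol=udp dst-port=53 layer7-protocol=BlockedSites src-address-list=!allowed_ip_AD action=drop comment="BlockedSites-DNS" disabled=yes
/ip firewall filter add chain=forward protocol=udp dst-port=53 layer7-protocol=BlockedSites src-address-list=!allowed_ip_AD action=drop comment="BlockedSites-DNS" disabled=yes

# 4. Move both rules to the top so an earlier accept rule cannot shadow them.
/ip firewall filter move [find comment="BlockedSites-DNS"] destination=0

# 5. Schedule: enable at 08:00, disable at 16:00, every day. Looking the rules up by
#    comment avoids the "numbers=0 must match the rule #" fragility noted in the post.
/system scheduler add name=BlockedSites-on start-time=08:00:00 interval=1d on-event="/ip firewall filter enable [find comment=\"BlockedSites-DNS\"]"
/system scheduler add name=BlockedSites-off start-time=16:00:00 interval=1d on-event="/ip firewall filter disable [find comment=\"BlockedSites-DNS\"]"

# 6. Check: the "disabled" flag shows the current state, and the packet counters grow
#    while a client inside the working hours looks up one of the blocked names.
/ip firewall filter print stats where comment="BlockedSites-DNS"
```

Two things to keep in mind when testing this. The rules only match UDP, exactly as the post describes, so a resolver that retries over TCP is not caught by them; and because the query is dropped rather than answered, the client waits for its resolver timeout instead of failing immediately, which is what the blocked pages look like from the user's side. The hosts-file bypass the post mentions still applies, since no DNS query is made for a name that is resolved locally.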