RouterOS - block all internet access except specific sites

I am new to RouterOS so please forgive me if this question is a repeat. I have a client who is paranoid about letting his employees access the internet. He previously was using only in-house software, but now is using a cloud-based system. I would like to configure a RouterBoard 750GL running RouterOS 6.33.5 to block all internet access except for the site hosting his software. Since the office is small, after doing some research, I decided firewall filters would be easier to implement and maintain than a proxy server. I have been successful in creating filters using IP addresses in an address list to allow access to the desired site, and another that drops basically everything. However, with the sometimes fluid nature of IP addresses in the corporate world, I would prefer to use names. I have tried creating an accept filter using L7 protocol matching. With the drop filter disabled, this accept filter matches just fine. However, with the drop filter enabled, the request never reaches the accept filter. FYI, the accept filter is number 0, and the drop filter is 7. Obviously something else is going on first as the same scenario using the IP address list works fine. I assumed it was DNS, so I added two accept filters (0 and 1) to pass all port 53 (tcp and udp) traffic, but they never get hit. Can anyone shed some light on this? Thanks!

Why not use destination IPs in your firewall rules?

i.e:

not actual code - mind you
1 - accept - src 0.0.0.0/0 dst (desired site)
2 - drop - src 0.0.0.0/0 dst 0.0.0.0/0


That should suffice, and as new sites come up that they want available you can create a new rule to that destination and simply move it up in queue.

This is practically impossible.
When people say “this site should be accessible”, what they really mean is that the content on that site should render
correctly. However, all but the most trivial sites use many, many different places to gather the information they ultimately
display.
So your little list of addresses or URLs will keep expanding and will quickly become unmanageable.

I would say it is easier to do with a proxy than with an IP filter. But even then it will be a big nightmare to maintain.

This is why I would like to use names instead of IP addresses. However, when trying to filter on name, the request hits the drop filter before the name gets matched and processed by the accept filter. Hence the dilemma! Thanks for the advice!
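
Added example (not part of the thread, and not RouterOS code): a simplified Python model of top-down, first-match filtering that reproduces the behaviour described above. It assumes the L7 rule can only match payload bytes already seen on the connection, and a TCP SYN carries none, so the drop rule takes the SYN before any hostname exists to match. The hostname, address, rule names and function names are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Packet:
    dst: str              # destination IP address
    flags: str            # TCP flags of this client-to-server packet
    payload: bytes = b""  # application data (empty during the handshake)

# A rule is (name, action, match); match sees the connection's payload so far.
def l7_accept(pattern):
    rx = re.compile(pattern)
    return ("l7-name", "accept", lambda seen, pkt: rx.search(seen) is not None)

def addr_list_accept(addresses):
    return ("addr-list", "accept", lambda seen, pkt: pkt.dst in addresses)

DROP_ALL = ("drop-all", "drop", lambda seen, pkt: True)

def run_connection(rules, packets):
    """Evaluate rules top-down per packet (first match wins). Stop at the
    first drop: the handshake never completes, so nothing else is sent."""
    seen, verdicts = b"", []
    for pkt in packets:
        seen += pkt.payload
        name, action = next(((n, a) for n, a, m in rules if m(seen, pkt)),
                            ("default", "accept"))
        verdicts.append((pkt.flags, name, action))
        if action == "drop":
            break
    return verdicts

# Constructed sample connection: hostname and address are placeholders.
SITE_IP = "203.0.113.10"
PACKETS = [
    Packet(SITE_IP, "SYN"),
    Packet(SITE_IP, "ACK"),
    Packet(SITE_IP, "PSH,ACK", b"GET / HTTP/1.1\r\nHost: app.example.com\r\n\r\n"),
]
L7 = l7_accept(rb"app\.example\.com")

if __name__ == "__main__":
    for label, rules in [("L7 accept only", [L7]),
                         ("L7 accept + drop-all", [L7, DROP_ALL]),
                         ("address list + drop-all", [addr_list_accept({SITE_IP}), DROP_ALL])]:
        print(label, run_connection(rules, PACKETS))
```

With the drop rule absent, the name rule is hit only on the third packet; with it present, the connection ends at the SYN, while the address-list rule matches every packet because it needs no payload.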