Slow website loading when filter is applied

Hi everyone!
I want to add some filter rules in firewall to allow access to only certain websites and block all http and https traffic. To do so I added the following rules (example for one site):

/ip firewall filter add chain=forward src-address-list="HWE, SWE, TTE" dst-address-list="duden.de" action=accept comment="allow duden.de"
/ip firewall filter add chain=forward protocol=tcp dst-port="80, 443" src-address-list="HWE, SWE, TTE" action=drop comment="block http, https traffic"

I’m allowing the website by its IP address. After enabling the “block http, https traffic” rule, the website takes about a minute or even more to load. Other http and https traffic is blocked.
I have the same issue with Layer 7 filter. This happens even when a filter rule for one website is applied.

I would really appreciate your help. Thanks in advance!

try adding

protocol=tcp dst-port="80, 443"

to your first rule

The website is probably trying to load fonts, images, JS, CSS, etc from sites you’ve blocked.

Thanks for the replies!

This doesn’t solve the problem.

That is not the cause, because our company's website is not loading fonts, images etc. from other websites and still the website is loading too slowly.

Has anyone managed to block all http and https traffic and allow only certain websites by their IP address? I have searched the forum, but could not find an example that works for me.

Well the site you mentioned (duden.de) has lots of files loaded from external domains (including lots of blocking javascript), so that’s why it is slow. If you set your firewall to reject with tcp-reset, it will reduce the timeouts, but the site will be quite broken without all the 3rd party resources loading.

I get your point. Could you please write the exact firewall rule for tcp-reset, because I’m not able to get it to work.

Can anybody tell me the proper way to block all http/https traffic and allow only certain websites? Is there any way to block a website by its domain? The layer 7 rules simply don’t work or maybe I can’t configure them right. Also, Layer 7 can pump up the CPU usage so I’m kinda trying to avoid it.

try adding tcp established and related rules above the drop rule.

add action=accept chain=forward comment="TCP Established" connection-state=established protocol=tcp
add action=accept chain=forward comment="Allow connections originating from Lan" connection-state=related protocol=tcp

Thanks, but it still takes a decade to load.

It’s about your blocking rule. When you do action=drop, packets silently disappear and client uselessly waits for reply. Use action=reject protocol=tcp reject-with=tcp-reset instead, to make client think that port is closed. You’ll need other rules if you also care about blocking non-tcp traffic.
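The rule set the thread converges on, as an added example that nobody in the thread posted: one combined client list in place of the separate HWE, SWE and TTE lists, the established/related rule first, accept by destination list, and reject with tcp-reset instead of drop. It assumes constructed client subnets and a RouterOS version that resolves domain names in address lists.

```routeros
# Added example, not from the thread. Forward-chain rules that allow
# HTTP/HTTPS only to listed sites and reject everything else with a TCP
# reset, so clients fail fast instead of waiting out SYN retransmissions.

# Clients whose web access is restricted (subnets are constructed examples)
/ip firewall address-list
add list=web-restricted address=192.168.10.0/24 comment="HWE"
add list=web-restricted address=192.168.20.0/24 comment="SWE"
add list=web-restricted address=192.168.30.0/24 comment="TTE"

# Sites those clients may reach. Assumes a RouterOS version that resolves
# the name itself and keeps dynamic entries up to date, so no hand-kept IPs.
add list=web-allowed address=duden.de comment="allow duden.de"
add list=web-allowed address=www.duden.de comment="allow www.duden.de"

/ip firewall filter
# Return traffic of already-accepted sessions must pass before the reject
# rule, otherwise replies of an allowed connection get reset too.
add chain=forward action=accept connection-state=established,related comment="established/related"

# Only the listed destinations are reachable on the web ports
add chain=forward action=accept protocol=tcp dst-port=80,443 src-address-list=web-restricted dst-address-list=web-allowed comment="allow listed sites"

# reject + tcp-reset: the client receives RST and gives up at once, instead
# of retransmitting SYNs for about a minute as it does with action=drop.
# reject-with=tcp-reset is only valid together with protocol=tcp.
add chain=forward action=reject reject-with=tcp-reset protocol=tcp dst-port=80,443 src-address-list=web-restricted comment="block other http/https"

# Non-TCP web traffic needs its own rule (assumption: HTTP/3 over UDP 443
# is in use); an ICMP port-unreachable makes the client fall back quickly.
add chain=forward action=reject reject-with=icmp-port-unreachable protocol=udp dst-port=443 src-address-list=web-restricted comment="block other udp/443"
```

Check the result with /ip firewall filter print stats: the reject rule's packet counter rising while a page stays slow means the slow resources are the third-party ones the earlier reply described, not a rule-order problem.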

Thank you very much. The websites are loading much faster. There are some parts of the website which can’t be loaded, but I guess there’s no other way.