Something aint right here

eric.m · June 14, 2008, 5:17pm

/ip firewall filter add chain=forward \
src-address=192.168.0.0/24 protocol=tcp content=.mp3 \
action=drop

Dont work, where i am wrong ?
I got wan and lan, and using nat whit masquerade.

jwcn · June 15, 2008, 12:49am

Think you need to use proxy for this?

eric.m · June 15, 2008, 4:56pm

OMG

Is there any way to block downloading *.mp3 whitout proxy ?
I dont know hot to setup proxy, i am not good in that.

hilton · June 15, 2008, 5:17pm

Well if you’re using Active Directory, you can enable Group Policies and configure a policy to disallow the saving of a .mp3 to the server, with the net result that users will give up downloading them.

Proxy is best though. Waddle through the wiki, there is an example there.

eric.m · June 16, 2008, 1:36am

Am…. Now I got biger problems…

Start from begin…
I logon to winbox… then: system reset [y]
Logon again whit user admin and password blanko, then I configured my wan and lan whit ip adresses and dns informations about my provider, then from console I ping google and its oke.
Then I do all from this article…

http://wiki.mikrotik.com/wiki/How_to_Block_Websites_%26_Stop_Downloading_Using_Proxy

but from “any” computer i cannot go to internet at all. I also setup in connection tab from browser to use automatic proxy setings and setup ip adres dns and df gateway.

Is that article oke or i must do something more…
Thanks ppl, eric.m

normis · June 16, 2008, 5:54am

did you add default route and also a masquerade rule?
http://wiki.mikrotik.com/wiki/Basic_Installation_of_RouterOS

eric.m · June 17, 2008, 11:37am

Lan
Wan

Lan: /ip address add address=192.168.1.1/24 network=192.168.1.0 interface=lan
Wan: /ip dhcp-client add interface=wan disabled=no

ADDRESS NETWORK BROADCAST INTERFACE

0 D 192.168.0.253/24 192.168.0.0 192.168.0.255 wan
1 192.168.1.1/24 192.168.1.0 192.168.1.255 lan

IP – DNS – Setings.
My provider Setings

NAT

add a rule
chain=srcnat
src.Address=192.168.0.0/24

ACTIONS
action=masquerade

ping http://www.google.com
Oke ping!

Whitout proxy I got connection on internet from computers also

/ip proxy
enabled: yes
src-address: 192.168.1.1
port: 8080
parent-proxy: 192.168.1.1
cache-drive: system
cache-administrator: “webmaster”
max-disk-cache-size: none
max-ram-cache-size: none
cache-only-on-disk: no
maximal-client-connections: 1000
maximal-server-connections: 1000
max-object-size: 512KiB
max-fresh-time: 3d

Then!

/ip firewall nat
chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080

Then!

/ip firewall filter
chain=input in-interface=192.168.0.23 src-address=192.168.1.0 protocol=tcp dst-port=8080 action=drop
/ip proxy access
dst-host=www.vansol27.com action=deny

And finaly!
/ip proxy access
path=*.mp3 action=deny

Nothing happens!
Tried moziila browser- Settings “Auto detect proxy settings on the network!
Nothing happens!

normis · June 17, 2008, 11:46am

why do you have “src-address and parent proxy” in your proxy settings? remove those. also you don’t need "src-address’ in your masquerade rule, but instead use “out interface”

eric.m · June 17, 2008, 12:02pm

Done…

Am… this i dont understand, please explain what i must to do…
I don know very well this proxy mr. normis.

normis · June 17, 2008, 12:07pm

src-address (IP address; default: 0.0.0.0) - the web-proxy will use this address connecting to the parent proxy or web site

parent-proxy (IP address:port; default: 0.0.0.0) - IP address of the upper-level (parent) proxy

You don’t have a parent proxy. Your router itself is the proxy. So you don’t need to change those values.

eric.m · June 17, 2008, 12:12pm

Am, oke i remove that… Thank you mr.normis for update…

But i dont understand this…what do i need to do here ?

Please explain to me me step by step… i realy need help from you…

normis · June 17, 2008, 12:19pm

your masquerade rule is fine and working, but usually you just need to add masquerade rule with these parameters:

chain=src-nat out-interface=wan action=masquerade

eric.m · June 17, 2008, 12:24pm

oke, thank you mr. normis.

Now i setup everthing right.
Now i setup my firefox mozilla to use “auto detect proxy server”. And i can surf on websites…

but the problems is i still can download *.mp3 files.

But i added rule:

/ip proxy access
path=*.mp3 action=deny

Whats wrong now ?
Am, where am i wrong ?

normis · June 17, 2008, 12:34pm

did you set “transparent=yes” in proxy settings?

eric.m · June 17, 2008, 12:43pm

When i added this now… i cannot surf anywhere on the internet web pages… “acces is denaid” contact you system administrator"…

[b]Now, Make it Transparent[/b]

/ip firewall nat
chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080

[b]Make sure that your proxy is NOT a Open Proxy[/b]

/ip firewall filter
chain=input in-interface=wan src-address=0.0.0.0/0 protocol=tcp dst-port=8080 action=drop

normis · June 17, 2008, 12:48pm

WHY did you add that firewall rule ???

you are blocking all proxy requests

eric.m · June 17, 2008, 12:50pm

But i folow this tutorial here: http://wiki.mikrotik.com/wiki/How_to_Block_Websites_%26_Stop_Downloading_Using_Proxy

Oke i deleted that rules… how then to make transparent proxy now ?

normis · June 17, 2008, 1:02pm

looks like your browser was configured to use proxy, and your proxy was not set to transparent. you don’t need any proxy settings in browser when you use transparent mode. the tutorial should work when followed properly

edit: I just noticed that you specified the WAN interface in that firewall rule. Sorry, didn’t see it before. in that case, that rule doesn’t disturb anyone on the inside network

eric.m · June 17, 2008, 1:08pm

am… so confused…
mr. normis… in the end… what do i need more to stop downloading mp3 and what do i need to change in this qhole topic ???

It still dont work.

normis · June 17, 2008, 1:13pm

copy all that you have in “/ip proxy”, “/ip firewall nat”