Hello
We have been using Mikrotik’s web-proxy to prevent employees from visiting some internet sites.
The problem is web-based proxies such as http://www.3stupidfucks.net/
Is there a way to block such sites with a simple rule?
Thanks
I’m not with you, why don’t you just block these sites like you do for all the others?
The problem is that there are so many of them and some have names that don’t appear bad and some that change their domain name regularly.
It is hard to keep track of them all…
It would be so nice if there was a service such as Spamhaus but with web-based proxy domain names…
Ok well then you need a content filter which has a subscribed database which is constantly updated and which will allow you to block sites like proxy avoidance, porn, facebook etc.
I use both NetworkGuardian (commercial - uses AD) and DansGuardian (free-er) and they are both wonderful. A client of mine went down from using 20Gbs to 10Gbs of Internet usage just installing DG.
If you look at SME server, it has contrib for DG. Very good and links in with the Mikrotik.
Hope this helps.
It sounds great, but I didn’t find any explanation how it links with MT?
Can you please clarify?
It links with Mikrotik in the sense that you have to redirect your users to the content filter proxy for all port 80 traffic.
The one thing I haven’t got my head around yet is the ability to do QoS as well as using a content filter (proxy with authentication). Perhaps someone has some input?
But how do I tell Mikrotik to redirect to another IP?
Winbox allows me to redirect only to a specific port. Is Winbox missing something or is it done slightly differently?
I only have this one router in a production environment so I can’t test…
Tried using to-address in the rule and received no errors, but the saved rule has only the to-ports field. The to-address field is missing.
I’m not sure we’re on the same page here. Can you give me an example of what you’re saying?
Make an account on OpenDNS, configure some filters there, then force all users to use your OpenDNS server with a DST-NAT rule.
Look, OpenDNS even supports blocking anonymous proxies:

add action=redirect chain=dstnat comment="" disabled=yes dst-port=80 in-interface=LAN protocol=tcp src-address=10.0.1.1-10.0.3.254 to-ports=8080
I tried adding to-address=10.0.0.2 and when I press ‘enter’ there is no error, but when I type ‘export’ the rule looks like the one above.
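Added example, not written by any poster in this thread: in RouterOS the `redirect` action always rewrites the destination to the router itself and honours only `to-ports`, while `dst-nat` accepts `to-addresses`, which is why the address disappears from the exported rule. The sketch reuses the thread's filter at 10.0.0.2:8080, the `LAN` interface and the client range; it assumes the filter runs as a transparent (intercepting) proxy, and the OpenDNS resolver address 208.67.222.222, the comments and the disabled hairpin rule are filled in for illustration.

```routeros
/ip firewall nat

# Before (from the thread): redirect sends port 80 to the router's own
# proxy on 8080; a to-addresses value is not kept for this action.
# add action=redirect chain=dstnat dst-port=80 in-interface=LAN \
#     protocol=tcp src-address=10.0.1.1-10.0.3.254 to-ports=8080

# After: dst-nat forwards client HTTP to the external content filter.
# The filter (10.0.0.2) is outside src-address, so its own outbound
# requests are not caught and looped back to itself.
add chain=dstnat action=dst-nat protocol=tcp dst-port=80 \
    in-interface=LAN src-address=10.0.1.1-10.0.3.254 \
    to-addresses=10.0.0.2 to-ports=8080 \
    comment="HTTP to content filter"

# Assumption: only needed when clients and filter share one subnet.
# Without it the filter answers clients directly and the NAT'd
# connection breaks. Side effect: filter logs show the router's IP
# instead of the client's. Enable only in that layout.
add chain=srcnat action=masquerade protocol=tcp dst-address=10.0.0.2 \
    dst-port=8080 src-address=10.0.1.1-10.0.3.254 out-interface=LAN \
    disabled=yes comment="hairpin for same-subnet filter"

# OpenDNS variant from the thread: force every client DNS query to the
# filtered resolver, whatever DNS server the client has configured.
add chain=dstnat action=dst-nat protocol=udp dst-port=53 \
    in-interface=LAN src-address=10.0.1.1-10.0.3.254 \
    to-addresses=208.67.222.222 to-ports=53 \
    comment="force DNS to OpenDNS (udp)"
add chain=dstnat action=dst-nat protocol=tcp dst-port=53 \
    in-interface=LAN src-address=10.0.1.1-10.0.3.254 \
    to-addresses=208.67.222.222 to-ports=53 \
    comment="force DNS to OpenDNS (tcp)"
```

These rules only intercept TCP/80 and port 53; a web-based proxy reached over HTTPS is not passed through the content filter, so the DNS-level block is the control that still applies to it.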
Will give it a try.
But the IP range is quite big and the IP addresses are mostly users. We currently have a 16 MBPS link. If OpenDNS can handle this speed, it is one solution to my problem.
Maybe I could set it as a parent proxy to my existing MT proxy.
I replied before I checked it out.
This is a service with an interesting concept. I don’t think I will find anything better…
But how do I tell MT to update the IP address… looks like my newly created script is about to be updated
Thanks