Is there a solution to prevent the āYour Freedomā app from unauthorized access to the internet in my network through a firewall or something like that other than using pppoe server
In general routers are not APP blocking specific, that is the domain of PC software and or usage agreements by users.
If you know the IP address of the server its connecting to, you can drop all traffic to that IP address.
Iām not sure what means āunauthorized access to the internet in my networkā. Does that mean that your users should have access only to the resources of that network itself but should not have any access to the internet at all, and by means of that VPN application, they can overcome the restriction and get to internet? Or that you just want/need to know what sites their visit and the VPN hides this information from you? Or that you have set some bandwidth limitations for different services, and the customers use the VPN to overcome these limitations?
If itās the first case, i.e. where internet access should be completely blocked, thereās something wrong with your firewall rules.
If itās the second case, why do you only have problem with one particular VPN app? There are plenty of them, and people who donāt want to be spied on will simply move to the next one once you block the one they use, so at the end of the day youād end up with the first case if you wanted to block them all.
If itās the third case, you have to change the order of matching of your bandwidth limiting rules, so that the higher bandwidth was assigned for explicitely listed destinations and the lower one to all the rest.
Iāve also got no idea whatās the idea behind using pppoe server, can you elaborate?
I think the OP is blocking certain sites, and users are overcoming those limits by using VPN.
Its impossible to block someone who liks to get on the net 100% without removing internet.
Users will always fin a way around any block you make.
Ultrasuft i a tool to have when some has locked your network.
https://ultrasurf.us/d
Terms of Reference and usage agreement.
- Any use of VPNs to bypass router settings will result in loss of use of services.
@anav, administrative measures sound great if you are a company IT admin, but it still requires an ability to identify the forbidden kind of traffic beyond any doubt so that you could apply the administrative sanctions. And if you can identify it beyond any doubt, you can as well block/throttle it rather than applying the sanctions. So it again boils down to the ability to tell a TLS VPN from a normal HTTPS traffic, as both use remote TCP port 443 and both are encrypted. So either you do the man-in-the middle attack on HTTPS sessions, which you can only do as a company IT admin and only in some countries/states, or you cannot tell one from the other.
As an ISP with uplink bandwidth limitations, you probably donāt want to lose customers. So whilst you have the problem of classification as well, blocking/throttling the trespassing traffic is also a better option than terminating the customer contract. Hence the only way is to throttle everything but a few known exceptions rather than to let everything go and throttle/block only few exceptions, and even that way is only possible under favourable conditions (basically when all the āunlimitedā destinations are within your own network).
If politics comes into play, and the government orders you to block some sites, there is no working solution. DNS filtering can be overcome using DoH, destination address filtering can be overcome using VPN, so either you implement the government requirement only formally and it is sufficient for them, or they insist on a working solution without understanding the technical reality, and then you become a āpassive criminalā as you havenāt done enough to obey the law.
Some government was installing their own root certificates on all citizensā devices in order to be able to decrypt TLS (mostly HTTPS) sessions without the end user getting a warning, so big players stopped trusting root certificates issued by that government.
Raw idea on how identify VPN traffic from point a to point b, if the tunnel use https or other non-standard methods and non-standard ports
some clue:
the traffic is encrypted (ehmā¦)
the traffic do not come from netflix, youtube, amazon video, etc.
connection-tracking session longer, very longer, with big amount of bytes exchanged,
mysteriously no other type of trafficā¦
more download than upload,
pause between traffic / no continuosly download
My network is programmed so that whoever wants to access the Internet must buy a card and log in through this page*.. The problem is that this application bypasses the page and connects to the Internet without logging in.. During each month I lose more than 50 dollars as a result of this hack because the Internet prices in my country are expensive
The picture is for clarification
If so, it is the āfirst caseā in my discussion above - your firewall rules for users who havenāt succesfully completed the login quest are not tight enough. How is that done - using Mikrotikās hotspot functionality or using some other solution?
There are VPNs that connect to DNS ports, VPNs that use ICMP echo/echo response as transport packets, ā¦
@rextended, a great thank you in the name of all the less clever censors who didnāt know until now what to look for 
I would not take āmore download then uploadā as a reliable criterion, and ātraffic does not come from popular entertaining servicesā is also less reliable (no matter how surprising that may be, some people may not use these services at all). The rest of the points is valid unless the VPN generates some extra traffic to make it less obvious.
Luckily for people who need freedom of information, automation of such a traffic analysis is resource-hungry and therefore expensive, so it will hopefully not be implemented in mass volume in near time.
Some programs for bypass hotspot use item already presents on walled garden, like googleā¦
You block google or permit something can be used to bypass the firewall?
Just more proof that understanding the requirrments of the OP is the most important step and until that is done, talking config is a waste of time.
On topic, does Hotspot usage prevent bypassing said page? It sounds like OP is bypassing hotspot ;-PPP for some other turnkey solution.
Okay pink text, what is so special about August 23rd? You turn 60?
No 
, the age on my profile is true, is for the RouterOS 7.0.4 (stable) is present on all new distribuited devices.
So young!!
The problem is that the basic settings of the firewall from Mikrotik are not enough to repel these attacks, so I made some settings by other programmers, but the problem is that they work for a certain period and then fail to repel the attacks, especially when the owners of the application update the application
This is the last script that was uploaded
/ip firewall layer7-protocol
add name=AKfreedom regexp=ā^.+(1yf.de|2yf.de|53r.de|93.ye|YF.de|8u6.de|f.de|fer.net|resolution.de|freedom.net) |your-freedom|your-freedom.de|www.your-freedom.de|www.your-freedom.net)ā
/ip firewall filter
add action=drop chain=input layer7-protocol=AKfreedom comment=Freedom_akrm.alqadsi
add action=drop chain=pre-hs-input layer7-protocol=AKfreedom comment=Freedom_akrm.alqadsi
I apologize for taking up some of your time
But what do you think of this article?
Would if I did it make my router better and safer?
Too much novels.
Put on forum your config:
/export hide-sensitive file=export
Remember to open the file with notepad for see if something sensitive is left.
DO NOT DELETE ANYTHING!!!, just censore true IPs, e-mail, and what hide-sensitive left, with ***
There are only two strategies that succeed in long-term. Either to start understanding how the firewall actually works, or to hire a consultant.
The documentation page you refer to describes a firewall for a home/SOHO router, where the router itself and all the devices on its LAN are allowed to get anywhere and all restrictions are applied only on connections initiated from the internet (WAN) side.
For your use case (providing internet connectivity to paying customers), you need to be able to restrict also connections initiated by the āLANā clients, both to the router itself (you donāt want your customers to change settings of your router) and to the internet. Whereas there is no difference between clients that have authenticated themselves via your login page and those who havenāt when it comes to access to management of the router itself, there is a big difference between these two states when it comes to internet connections: those who have already logged in can get anywhere, including any VPN service, whereas those who havenāt logged in can get nowhere at all (except the login page).
Again - in your scenario, there is no need to block āYour Freedomā selectively. Until a client has authentified himself via your login page, you can block everything except the login page. Once he has authentified himself, there is no need to block anything for him, as your interest is only to be able to charge a particular customer account for the traffic volume, and you donāt care what kind of traffic it is.
Obviously, what currently fails is the part āblock everything except the login pageā.
So as @rextended wrote - post the export of your configuration if you want a working solution. See my automatic signature for a mini-howto.