tefte
just joined
Topic Author
Posts: 6
Joined: Sun Mar 03, 2013 9:15 pm

Adblocking on routeros

Tue Dec 29, 2015 3:38 pm

Hello everyone!

Finally today I tried to get the adblock option working on one of my routers, and so far with no luck. Maybe someone can tell me what is wrong.

I made an adblock.rsc file with...

/ip dns static
add address=127.0.0.1 name=localhost
add address=127.0.0.1 name=domain-*.facebook.*
add address=127.0.0.1 name=*google.com*
add address=127.0.0.1 name=*.youtube.*
add address=127.0.0.1 name=domain-youtube.com


and in the terminal used the commands

[admin@MikroTik] > /ip dns static remove [/ip dns static find]
[admin@MikroTik] > /import adblock.rsc
Script file loaded and executed successfully


However, every one of them still works :?
 
ConnectivityEngineer
Frequent Visitor
Posts: 57
Joined: Sat Dec 19, 2015 10:57 pm
Location: Ohio, USA

Re: Adblocking on routeros

Tue Dec 29, 2015 4:32 pm

While you will need to tweak this to your liking, you might try using the script below, which pulls from the blocklister.gefoo.org lists.


Keep in mind... thousands of entries in the firewall CAN create a slow internet experience if every packet has to go through them.

To that end, you might decide to edit the list to your liking.

# create script to Download fresh list and replace old one
/system script add name="Download_Ads_List" source="/tool fetch url=\"https://blocklister.gefoo.org/ads\" dst-path=ads.rsc; /import file-name=ads.rsc;"

# create schedule to run script weekly
/system scheduler add comment="Download_Ads_List" interval=7d name="DownloadAdsList" on-event=Download_Ads_List start-date=jan/01/1970 start-time=02:42:00

# add firewall rule once
/ip firewall filter add chain=forward in-interface=bridge-local connection-state=new protocol=tcp dst-address-list=ads_list action=reject reject-with=tcp-reset comment="Ad-block list drop"

No promises on version 6; on version 5 the aforementioned script should work, but it might need rewording for v6.x.
Last edited by ConnectivityEngineer on Tue Dec 29, 2015 5:09 pm, edited 1 time in total.
Glenn Kelley | MCTNA, MTCWE, MTCTCE, RHCE, RHCSS
http://Connectivity.Engineer
USA Based 24x7x365 Mikrotik, Juniper, Ubiquiti TAC & WISP / ISP Blind Label Support Call Center
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Adblocking on routeros

Tue Dec 29, 2015 4:48 pm

This is a pretty effective solution - and IP address lists should process pretty fast (compared to a long chain of drop rules).

The only thing to be concerned about is if you trust a website to automatically tell your router who should be blocked. ;)

EDIT: As long as the filter rule for new connections against the IP blacklist is after a rule which accepts established,related then this check will only happen on the first packet of each new outbound connection, which isn't going to really impact performance much unless your computer gets infected with a botnet client and starts trying to rapidly scan large blocks of IP addresses at once.

----

As for your DNS solution, make sure that the users' computers are actually using your Mikrotik's DNS proxy.
You can force it with a dstnat rule:
/ip firewall nat
add chain=dstnat protocol=udp dst-port=53 in-interface=lan action=redirect

Also - if you're running DNS proxy, make sure your filter's input chain will block DNS queries from the outside world, or else the hackers will find you and your box will be used in DNS amp attacks later on.
Last edited by ZeroByte on Tue Dec 29, 2015 5:15 pm, edited 1 time in total.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
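ZeroByte's two checks above (that the address-list reject sits after the established,related accept and only matches connection-state=new, and that the input chain closes UDP/53 on the WAN side) can be verified mechanically against a rule export. The script below is an added example, not code from the thread or from MikroTik: it parses the text of `/ip firewall filter export` and reports both conditions. The WAN interface name `ether1-gateway` and the two sample exports are constructed assumptions; adjust them to your router.

```python
"""Audit a RouterOS firewall export for blocklist rule ordering and WAN DNS exposure.

Added example, not from the forum thread. Assumes the input is the text of
"/ip firewall filter export": one "add key=value ..." line per rule, listed in
evaluation order, and that the WAN interface is called "ether1-gateway".
"""
from __future__ import annotations

import shlex
import sys

# Constructed sample exports (not from a real router).
GOOD_EXPORT = """\
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether1-gateway protocol=udp dst-port=53 action=drop comment="no public DNS proxy"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=new protocol=tcp dst-address-list=ads_list action=reject reject-with=tcp-reset comment="Ad-block list drop"
"""

BAD_EXPORT = """\
/ip firewall filter
add chain=forward connection-state=new protocol=tcp dst-address-list=ads_list action=reject reject-with=tcp-reset
add chain=forward connection-state=established,related action=accept
"""


def parse_export(text: str) -> list[dict[str, str]]:
    """Turn each 'add ...' line into a dict of its key=value properties (order kept)."""
    rules: list[dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("add "):
            continue
        rule: dict[str, str] = {}
        for token in shlex.split(line[4:]):  # shlex handles quoted comments
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def blocklist_checked_only_on_new(rules: list[dict[str, str]], chain: str = "forward",
                                  address_list: str = "ads_list") -> bool:
    """True if the address-list rule comes after an accept for established,related
    in the chain and itself matches only connection-state=new, so the list lookup
    happens once per connection rather than once per packet."""
    chain_rules = [r for r in rules if r.get("chain") == chain]
    accept_idx = next((i for i, r in enumerate(chain_rules)
                       if r.get("action") == "accept"
                       and "established" in r.get("connection-state", "")), None)
    list_idx = next((i for i, r in enumerate(chain_rules)
                     if r.get("dst-address-list") == address_list), None)
    if accept_idx is None or list_idx is None:
        return False
    return accept_idx < list_idx and chain_rules[list_idx].get("connection-state") == "new"


def wan_dns_proxy_closed(rules: list[dict[str, str]], wan_iface: str) -> bool:
    """True if some input-chain rule drops or rejects UDP/53 arriving on the WAN
    interface, which is what keeps the DNS proxy from serving the whole internet."""
    for r in rules:
        if r.get("chain") != "input" or r.get("action") not in ("drop", "reject"):
            continue
        if r.get("in-interface") != wan_iface or r.get("protocol") != "udp":
            continue
        if "53" in r.get("dst-port", "").split(","):
            return True
    return False


if __name__ == "__main__":
    # Usage: python audit_filter.py [export.txt]   (defaults to the constructed sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else GOOD_EXPORT
    rules = parse_export(text)
    print("blocklist checked only on new connections:", blocklist_checked_only_on_new(rules))
    print("WAN-side DNS closed in input chain:        ", wan_dns_proxy_closed(rules, "ether1-gateway"))
```

Run it against `/ip firewall filter export` saved to a file; both lines should print True before you trust the address-list approach on a busy link.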
 
ConnectivityEngineer
Frequent Visitor
Posts: 57
Joined: Sat Dec 19, 2015 10:57 pm
Location: Ohio, USA

Re: Adblocking on routeros

Tue Dec 29, 2015 5:11 pm

Good point, ZeroByte.

Joshaven has a great solution for some RBLs; I run it locally to verify myself, and the above solution works.
It needs to get tweaked for v6, I think, however.
Glenn Kelley | MCTNA, MTCWE, MTCTCE, RHCE, RHCSS
http://Connectivity.Engineer
USA Based 24x7x365 Mikrotik, Juniper, Ubiquiti TAC & WISP / ISP Blind Label Support Call Center
 
Zorro
Long time Member
Posts: 676
Joined: Wed Apr 16, 2014 2:43 pm

Re: Adblocking on routeros

Tue Dec 29, 2015 9:58 pm

Used that in the past and it really works.
But a few pieces of advice:
1. Increase DNS memory (in its options) in case of fat tables.
2. Instead of hand-crafted or manually imported site lists, write scripts that download, parse and then import adblock lists from popular society/community-managed ones. Personally I preferred (for sentimental purposes, perhaps) the P Lowe list http://pgl.yoyo.org/adservers/
3. Don't forget to block outgoing DNS traffic that may BYPASS your DNS filtering. This is usual for the Chrome browser and some OS-level things, i.e. add firewall rules that filter it from forwarding.
4. Consider adding malware domains to the blocklist as well, like this list http://www.malwaredomains.com/ for example.

Bottom line: it may become memory-consuming. For example Lowe + malware-domains: around 22k domains and around 17 MB RAM for DNS. Yeah, lack of L1 and L2 cache and IMC/RAM bandwidth makes your router a bit slower, but you were already prepared to sacrifice a bit of that, weren't you?
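The script-driven approach in point 2, as an added example that is not from the thread and not the code of any of the lists named: a small Python converter that turns a hosts-format blocklist (the layout used by the pgl.yoyo.org and malwaredomains lists, assumed here) into an .rsc file of exact-name `/ip dns static` entries like the ones in the first post. Names that are not valid hostnames, such as the wildcard `*.youtube.*` entries from the opening question, are dropped because an exact-name static entry for them would never match a query; duplicates are collapsed, and every generated entry carries `comment=adblock` so that a re-import replaces only the blocklist entries rather than all of your static records. The sample list is constructed.

```python
"""Convert a hosts-format blocklist into a RouterOS /ip dns static import file.

Added example, not code from the forum thread. Assumes the input follows the
hosts-file layout ("<sink-ip> <hostname> [...]", '#' comments) and that the
result is imported on the router with "/import file-name=ads.rsc".
"""
from __future__ import annotations

import re
import sys

# RFC 1123 hostname label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Names that must never be sinkholed.
_SKIP = {"localhost", "localhost.localdomain", "local", "broadcasthost", "ip6-localhost"}

# Constructed sample input (not a real list): covers comments, duplicate
# entries, a wildcard that cannot be an exact DNS name, and mixed case.
SAMPLE_LIST = """\
# constructed sample in hosts format
127.0.0.1 localhost
127.0.0.1 ads.example.invalid
0.0.0.0   tracker.example.invalid   # trailing comment
127.0.0.1 ads.example.invalid
127.0.0.1 *.youtube.*
127.0.0.1 Malware.Example.Invalid.
"""


def is_hostname(name: str) -> bool:
    """True if name is a syntactically valid, wildcard-free DNS hostname."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def parse_hosts_list(text: str) -> list[str]:
    """Return unique, normalised hostnames from a hosts-format blocklist.

    Invalid names (e.g. '*.youtube.*') are dropped: an exact-name static
    entry for such a string would never match a real query anyway.
    """
    seen: set[str] = set()
    hosts: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:  # first field is the sink address
            name = name.lower().rstrip(".")
            if name in _SKIP or name in seen or not is_hostname(name):
                continue
            seen.add(name)
            hosts.append(name)
    return hosts


def to_rsc(hosts: list[str], sink: str = "127.0.0.1", tag: str = "adblock") -> str:
    """Render a RouterOS script that replaces only the tagged static entries.

    Tagging with a comment means re-importing does not wipe unrelated static
    records the way "/ip dns static remove [find]" in the thread does.
    """
    lines = ["/ip dns static", f"remove [find comment={tag}]"]
    lines += [f"add address={sink} name={h} comment={tag}" for h in hosts]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: python adblock_rsc.py [hosts-list-file] > ads.rsc
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LIST
    sys.stdout.write(to_rsc(parse_hosts_list(src)))
```

Fetch the list with `/tool fetch` as in the earlier post, or on a workstation, run the converter over it, and upload the resulting ads.rsc before importing; the comment tag is what makes the weekly re-import safe to repeat.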
 
tefte
just joined
Topic Author
Posts: 6
Joined: Sun Mar 03, 2013 9:15 pm

Re: Adblocking on routeros

Wed Dec 30, 2015 12:31 am

I tried ConnectivityEngineer's script, had some problems with making the .rsc file, but did it manually. After adding the firewall rule I can see that everything is in its place, but still no luck and nothing is blocked.
 
Zorro
Long time Member
Posts: 676
Joined: Wed Apr 16, 2014 2:43 pm

Re: Adblocking on routeros

Thu Dec 31, 2015 1:31 am

I tried ConnectivityEngineer's script, had some problems with making the .rsc file, but did it manually. After adding the firewall rule I can see that everything is in its place, but still no luck and nothing is blocked.

Probably the firewall rules that prohibit DNS forwarding THRU your router were made incorrectly?
Or there were applications using multicast or p2p DNS replacements/wrappers, which is unlikely, but not an entirely uncommon thing.
 
deejayq
Member Candidate
Posts: 195
Joined: Wed Feb 23, 2011 8:33 am

Re: Adblocking on routeros

Sun Jan 03, 2016 1:22 pm

I would try blocking packets to DNS servers based on an L7 filter like this:
/ip firewall layer7-protocol
add name=ads regexp="facebook|google|youtube"
