kosvision
just joined
Topic Author
Posts: 4
Joined: Mon Oct 02, 2017 3:57 pm

Web Proxy

Mon Oct 02, 2017 4:07 pm

Hi All,

Hope you guys are doing well.

I have a MikroTik RouterBoard and I have 20 users; I want to block all traffic for them except three websites. (P.S. When traffic is denied, such as to google.com, I want to redirect it to my website or any website I want.)
Also, I have 10 users who need to have full access to the internet.

Thank you.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Web Proxy

Mon Oct 02, 2017 5:33 pm

You could use hotspot + walled garden. The full-access users have a logon that lets them use the full Internet. The login screen could simply state that you must log in to use sites other than X, Y, and Z...

One problem could be if there is internal device-to-device communication within the LAN, a hotspot would also try to interfere with that, so keep that in mind when making your decision.

The non-hotspot way to do it would be to have an IP address list with the hostnames of the three websites you want to allow (as well as the hostnames of any resources those sites may depend on), and make a dstnat rule which uses the logic "dst-address=!allowed-websites" and matches tcp ports 80/443, with the action of dst-nat to-address=ip-of-your-web-server-with-the-access-denied-page.
Also make a rule in the filtering forward chain which blocks everything but tcp/80,443 from the computers that should only be accessing those sites.
 
kosvision
just joined
Topic Author
Posts: 4
Joined: Mon Oct 02, 2017 3:57 pm

Re: Web Proxy

Thu Oct 05, 2017 9:35 pm

Thank you for your swift response,

"You could use hotspot + walled garden" CAN I DO IT VIA GUI, BECAUSE I'M A NOOB AT MIKROTIK COMMANDS?
"One problem could be if there is internal device-to-device communication within the LAN" YOU MEAN DOMAIN USER CANNOT SEE DOMAIN SERVER?
"The non-hotspot way to do it" HOW CAN I DO IT WITH NON-HOTSPOT?

Thank you again.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Web Proxy

Thu Oct 05, 2017 11:43 pm

The non-hotspot way is not as tight, because it can only block/allow certain IP addresses...

So if a permitted IP address hosts a site you want as well as a site you do not want, then there's no way (using this method alone) to block the other site(s) also being hosted on the same server.

Anyway, to do this, make an IP address list in the firewall settings - call it allowedhosts (or whatever makes sense).
When adding entries to the list, don't use IP addresses but hostnames, i.e.:
/ip firewall address-list
add list=allowedhosts address=www.goodsite.example.com comment="allowed site 1"
add list=allowedhosts address=www.okaysite.example.org comment="allowed site 2"
etc...

The list will automatically do the DNS lookups and add all discovered IP addresses to the "allowedhosts" list as dynamic entries. These will be regularly updated with the same interval as the DNS entries' TTL values.

So then you have a filter rule set which includes something to the effect of:
/ip firewall filter
add chain=forward out-interface=wan src-address=x.x.x.x/x protocol=tcp dst-port=80,443 dst-address-list=allowedhosts action=accept
add chain=forward out-interface=wan src-address=x.x.x.x/x action=drop
The src-address=x.x.x.x/x would be some network range that matches your restricted hosts.
If all restricted hosts have IP addresses 192.168.10.64-127, then src-address=192.168.10.64/26.

Another option would be to make another IP address list called "restrictedhosts" and add the individual IP addresses of your restricted hosts into this list, and simply use src-address-list=restrictedhosts instead of the src-address=x.x.x.x/x
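The pieces ZeroByte describes across both replies (hostname-based address list, a dstnat redirect for disallowed HTTP, and a forward filter that drops everything else for the restricted group) put together as one complete RouterOS configuration. This is an added worked example, not ZeroByte's or MikroTik's own config; the interface name ether1, the restricted range 192.168.10.64/26, the deny-page server 192.168.10.5 and the three hostnames are hypothetical values chosen for illustration.

```routeros
# Added example (not from the thread). Restricted clients may reach only three
# allowed sites; plain HTTP to anything else lands on a local "access denied" page.
# Hypothetical values: WAN is ether1, restricted clients live in 192.168.10.64/26,
# the deny page is served by 192.168.10.5 on TCP/80.

# 1. Allowed destinations, entered as hostnames. RouterOS resolves each name and
#    keeps the resulting IPs as dynamic entries, refreshed according to the DNS TTL.
/ip firewall address-list
add list=allowedhosts address=www.goodsite.example.com comment="allowed site 1"
add list=allowedhosts address=www.okaysite.example.org comment="allowed site 2"
add list=allowedhosts address=www.thirdsite.example.net comment="allowed site 3"

# 2. Which clients are restricted. A list is easier to maintain than a subnet
#    hard-coded into every rule; single addresses can be added alongside the range.
add list=restrictedhosts address=192.168.10.64/26 comment="20 limited users"

# 3. Redirect: HTTP from restricted hosts to any address NOT in allowedhosts is
#    sent to the local deny page. Only port 80 is redirected on purpose: rewriting
#    HTTPS connections would just produce certificate errors in the browser, so
#    HTTPS to disallowed hosts is dropped by the filter below instead.
/ip firewall nat
add chain=dstnat src-address-list=restrictedhosts dst-address-list=!allowedhosts \
    protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.10.5 to-ports=80 \
    comment="restricted: HTTP to non-allowed -> deny page"

# 4. Forward filter. Order matters: these must sit above any general LAN->WAN
#    accept rule. Redirected HTTP flows now carry dst 192.168.10.5, so they need
#    their own accept; the allowed sites get 80/443; everything else from the
#    restricted group towards the WAN is dropped and logged so blocked attempts
#    are visible in /log. Limiting the drop to out-interface=ether1 leaves routed
#    traffic to other internal subnets (e.g. a domain controller) untouched.
/ip firewall filter
add chain=forward src-address-list=restrictedhosts dst-address=192.168.10.5 \
    protocol=tcp dst-port=80 action=accept comment="restricted: deny page"
add chain=forward src-address-list=restrictedhosts dst-address-list=allowedhosts \
    protocol=tcp dst-port=80,443 action=accept comment="restricted: allowed sites"
add chain=forward src-address-list=restrictedhosts out-interface=ether1 action=drop \
    log=yes log-prefix="restricted-drop" comment="restricted: drop everything else"
```

Two checks worth making after pasting this in. First, DNS: if the clients use the router itself as resolver, their DNS queries hit the input chain rather than forward and are unaffected by the drop rule; if they point at an external resolver, that traffic is dropped too, and the allowed sites stop working, so either make the router their resolver or add an explicit accept for the resolver. Using the router as the clients' resolver also keeps the router's dynamic allowedhosts entries and the clients' answers consistent, which matters for CDN-hosted sites whose answers vary. Second, the deny page: the redirected request still carries the original site's Host header, so the server at 192.168.10.5 should serve the deny page as its default virtual host rather than expecting a specific hostname.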
