ansari
newbie
Topic Author
Posts: 27
Joined: Mon Jan 23, 2017 8:04 am

Block websites http and https without Web Proxy / 100% works.

Thu Feb 15, 2018 2:36 pm

Today I am sharing my little experience with beginners like me; you can understand my post from the title, so no other words, let's start.
This method will not affect any other website; I would like to block Facebook in my example.

1: Add the website in Layer7 Protocol.
/ip firewall layer7-protocol
add name=facebook regexp="^.+(facebook.com).*\$"

2: Add your DNS, ISP and DSL modem IPs and your gateway to a firewall address list as exceptions.
/ip firewall address-list
add address=8.8.8.8 list=not_this_dst
add address=8.8.4.4 list=not_this_dst
add address=10.0.0.1 list=not_this_dst

3: Create a mangle rule to filter Facebook IPs
/ip firewall mangle
add chain=forward action=add-dst-to-address-list protocol=tcp \
    src-address=192.168.88.0/24 dst-address-list=!not_this_dst \
    address-list=facebook address-list-timeout=0s layer7-protocol=facebook

Now you get all Facebook IPs from firewall connections in the firewall address list, like this:
Image


4: Now create another mangle rule to mark Facebook connections to the filtered IP list.
/ip firewall mangle
add chain=forward action=mark-connection new-connection-mark=facebook \
    passthrough=yes dst-address-list=facebook


5: Now block these Facebook connections in the firewall filter
/ip firewall filter
add chain=forward action=drop src-address=192.168.88.0/24 connection-mark=facebook

If you want to allow Facebook for some users or one user, you can add exception IPs to the rule; for this, add those IPs to a firewall address list
/ip firewall address-list
add address=192.168.88.101 list=not_this_src
add address=192.168.88.120 list=not_this_src
add address=192.168.88.155 list=not_this_src

Remove the previous firewall filter rule and add a new one like this
/ip firewall filter
add chain=forward action=drop src-address=192.168.88.0/24 \
    src-address-list=!not_this_src connection-mark=facebook

Or you can edit your previous rule and add the IPs to it.
Are we done? NO.

Someone may bypass your MikroTik firewall using a VPN tool; in this case you can use OpenDNS to block proxy or VPN tools.

Note: This method will not work just for YouTube; you can block YouTube videos from L7
/ip firewall layer7-protocol
add name=videos regexp="videoplayback|video"


Sorry, I made some mistakes in my method; now I have edited it.
Thank You.
Last edited by ansari on Thu Feb 15, 2018 10:10 pm, edited 1 time in total.
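What several replies below (mag2020, irghost, normis) recommend instead of steps 1 to 5 is the tls-host matcher. The following is an added example written for this thread, not configuration from the original post or from MikroTik's documentation; it assumes RouterOS 6.41 or newer, the same 192.168.88.0/24 LAN and not_this_src exception list as above, and that you accept blocking QUIC (UDP/443) for those clients so their browsers fall back to TCP.

```routeros
# Added example, not from the thread or from MikroTik: block Facebook by the
# TLS SNI hostname (tls-host, RouterOS 6.41+) and the HTTP Host header instead
# of a Layer7 regexp over every connection. Assumes the LAN 192.168.88.0/24 and
# the not_this_src exception list from the original post.

/ip firewall address-list
add address=192.168.88.101 list=not_this_src comment="may still use facebook"
add address=192.168.88.120 list=not_this_src comment="may still use facebook"

/ip firewall filter
# The ClientHello (and the HTTP request) travel inside an already established
# TCP connection, so these rules must sit ABOVE the usual
# "accept connection-state=established,related" rule. Check the order with
# /ip firewall filter print and fix it with /ip firewall filter move.
#
# 1. HTTPS: match the SNI hostname. Only the handshake packet is inspected,
#    so the router does not run a regexp over every payload. tls-host accepts
#    GLOB syntax; the apex name needs its own rule because "*.facebook.com"
#    does not match "facebook.com". tcp-reset lets browsers fail at once
#    instead of hanging until a timeout.
add chain=forward action=reject reject-with=tcp-reset protocol=tcp \
    dst-port=443 src-address=192.168.88.0/24 src-address-list=!not_this_src \
    tls-host=*.facebook.com comment="facebook https (subdomains)"
add chain=forward action=reject reject-with=tcp-reset protocol=tcp \
    dst-port=443 src-address=192.168.88.0/24 src-address-list=!not_this_src \
    tls-host=facebook.com comment="facebook https (apex)"
# 2. Plain HTTP: the Host header is clear text. Restricted to port 80 and to
#    the literal header text, so it is far narrower than a Layer7 regexp over
#    every connection. Repeat for other hostnames (m.facebook.com, ...).
add chain=forward action=reject reject-with=tcp-reset protocol=tcp \
    dst-port=80 src-address=192.168.88.0/24 src-address-list=!not_this_src \
    content="Host: www.facebook.com" comment="facebook http"
# 3. QUIC: a browser that once learned a site supports QUIC retries over
#    UDP/443 and never sends a TCP ClientHello (vecernik87's point below).
#    Dropping UDP/443 makes it fall back to TCP, where rule 1 sees the SNI.
#    This affects all QUIC traffic from these clients, not only Facebook.
add chain=forward action=drop protocol=udp dst-port=443 \
    src-address=192.168.88.0/24 src-address-list=!not_this_src \
    comment="no QUIC, force TLS over TCP"
```

Verify with /ip firewall filter print stats that the tls-host rules count packets when a blocked client opens facebook.com; if the counters stay at zero, the rules are below the established,related accept rule.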
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: Block websites http and https without Web Proxy / 100% works.

Thu Feb 15, 2018 3:17 pm

This method will not affect any other website
That is of course very far from the truth... but when you are satisfied, we are all happy!
 
ansari
newbie
Topic Author
Posts: 27
Joined: Mon Jan 23, 2017 8:04 am

Re: Block websites http and https without Web Proxy / 100% works.

Thu Feb 15, 2018 3:30 pm

This method will not affect any other website
That is of course very far from the truth... but when you are satisfied, we are all happy!
I am absolutely satisfied with this method :)

And I would like to tell everybody that if a website uses both TCP and UDP protocols, then you should add another mangle rule like this:
/ip firewall mangle
add chain=forward action=add-dst-to-address-list protocol=udp \
    src-address=192.168.88.0/24 dst-address-list=!not_this_dst \
    address-list=abc address-list-timeout=0s layer7-protocol=abc
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: Block websites http and https without Web Proxy / 100% works.

Thu Feb 15, 2018 4:40 pm

I am absolutely satisfied with this method :)
That is important.
But I would recommend other readers of this topic not to use it.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Block websites http and https without Web Proxy / 100% works.

Thu Feb 15, 2018 5:54 pm

To make sure that the forum and friendly resident guru pe1chl don't look unfriendly when someone else reads this topic, I'll add a few details.

What you're doing is looking for "facebook<any character>com" in every single TCP connection to any port. It will match the hostname in plain unencrypted HTTP requests to Facebook, the SNI hostname in HTTPS requests to Facebook, but also any HTTP page containing this string anywhere, files transferred over FTP if they contain it, etc. So it will block connections to FB, but it will also block a whole lot of other stuff, plus unnecessarily looking into all connections will not make the router happy, because it will use quite a lot of resources. It's like getting rid of rats in the basement by blowing up the house. True, the rats will be gone alright...
 
ansari
newbie
Topic Author
Posts: 27
Joined: Mon Jan 23, 2017 8:04 am

Re: Block websites http and https without Web Proxy / 100% works.

Thu Feb 15, 2018 10:20 pm

To make sure that the forum and friendly resident guru pe1chl don't look unfriendly when someone else reads this topic, I'll add a few details.

What you're doing is looking for "facebook<any character>com" in every single TCP connection to any port. It will match the hostname in plain unencrypted HTTP requests to Facebook, the SNI hostname in HTTPS requests to Facebook, but also any HTTP page containing this string anywhere, files transferred over FTP if they contain it, etc. So it will block connections to FB, but it will also block a whole lot of other stuff, plus unnecessarily looking into all connections will not make the router happy, because it will use quite a lot of resources. It's like getting rid of rats in the basement by blowing up the house. True, the rats will be gone alright...
Well, both of you are Gurus; I don't and can't argue with you. I just share my experiment, which I am successfully implementing in MikroTik ROS 5.26, and believe me it works for me perfectly: with this method I just filter the websites' dst IPs and block them for specific src IPs. You can check this configuration; all IPs are Facebook IPs.
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: Block websites http and https without Web Proxy / 100% works.

Fri Feb 16, 2018 12:16 am

Please read again what Sob wrote: your solution will probably block Facebook just fine, but it has lots of disadvantages.
Also I think it is unfortunate that so many beginning sysadmins are obsessed with blocking sites for their users, that they take this on as a first project before they have even investigated how to properly manage their router (including how to update its software)...
 
karlisi
Member
Posts: 440
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Block websites http and https without Web Proxy / 100% works.

Fri Feb 16, 2018 10:11 am

You can check this configuration, all IPs are Facebook IPs.
Not exactly. Big names such as FB, Google and Microsoft host their data in many data centers worldwide, which also host data for many other organizations. By blocking their addresses, you will block all services from these IPs, e.g. software updates. If this is only for you, be happy. If you are serving data for customers, forget this method.
 
LucZWFM
Member Candidate
Posts: 130
Joined: Tue Dec 26, 2017 10:47 pm
Location: Bergen op Zoom, The Netherlands

Re: Block websites http and https without Web Proxy / 100% works.

Fri Feb 16, 2018 10:22 am

Please read again what Sob wrote: your solution will probably block Facebook just fine, but it has lots of disadvantages.
Also I think it is unfortunate that so many beginning sysadmins are obsessed with blocking sites for their users, that they take this on as a first project before they have even investigated how to properly manage their router (including how to update its software)...

I 100% agree with this...
 
mag2020
Trainer
Posts: 79
Joined: Sat Nov 30, 2013 8:49 am

Re: Block websites http and https without Web Proxy / 100% works.

Fri Feb 16, 2018 10:54 am

I find the new feature introduced in RouterOS v6.41, which matches packets using "tls-host", very useful in dropping packets to HTTPS sites. I suggest you give it a try, as it is very simple and straightforward. It will achieve the same purpose with a few lines of commands.
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Block websites http and https without Web Proxy / 100% works.

Fri Feb 16, 2018 12:01 pm

In this posting you can find more domain names for Facebook, Instagram and WhatsApp that can be filtered.

viewtopic.php?f=13&t=118980&p=586318&hi ... ok#p586318

I use a DNS filter that returns a dummy IP so that the traffic does not go anywhere. If a user uses a VPN, then it can use an external DNS to avoid my filter.

Facebook, Google and others often put dedicated content servers inside the network of your ISP that rely on the DNS of your ISP.
 
irghost
Member
Posts: 302
Joined: Sun Feb 21, 2016 1:49 pm

Re: Block websites http and https without Web Proxy / 100% works.

Fri Feb 16, 2018 12:59 pm

This method just works when clients want to resolve facebook.com form;
if a client uses dnscrypt this method won't work,
but with tls_host everything is fine.
 
normis
MikroTik Support
Posts: 26385
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Block websites http and https without Web Proxy / 100% works.

Fri Feb 16, 2018 2:04 pm

The advice of the original poster is misleading and incomplete, and I do not suggest using this method to block websites. In addition to false positives, you will also kill the CPU of your router.

Why not use the new tls-host matcher in firewall instead?
 
blackzero
newbie
Posts: 25
Joined: Tue Aug 09, 2011 3:40 pm

Re: Block websites http and https without Web Proxy / 100% works.

Fri Aug 10, 2018 4:38 am

The advice of the original poster is misleading and incomplete, and I do not suggest using this method to block websites. In addition to false positives, you will also kill the CPU of your router.

Why not use the new tls-host matcher in firewall instead?
I came from Google search. My local Mikrotik vendor has this article: http://www.mikrotik.co.id/artikel_lihat.php?id=282

But I can't figure out how to make it work as a whitelist. That article explains how to blacklist HTTPS connections to Facebook. I just want to allow some HTTPS to defined websites, e.g. bank institutions and WhatsApp. I don't want a blacklist approach.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Block websites http and https without Web Proxy / 100% works.

Fri Aug 10, 2018 11:00 am

The advice of the original poster is misleading and incomplete, and I do not suggest using this method to block websites. In addition to false positives, you will also kill the CPU of your router.

Why not use the new tls-host matcher in firewall instead?
Not the first person with similar advice... I saw so many that I already put in my bookmarks a specific time from your colleague's presentation: https://youtu.be/XkKj9rj4quQ?t=25m54s
Unfortunately neither the "correct - old" method nor the new tls-host method is bulletproof. What is most annoying is the fact that, for example, YouTube started using the QUIC protocol. Availability of the protocol is cached, so anyone who ever visited YouTube in the past (and who is using a browser supporting QUIC) will not even once hit the tls-host rule, as everything goes through UDP.
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: Block websites http and https without Web Proxy / 100% works.

Fri Aug 10, 2018 11:55 am

You will have to understand that there are different agendas here, and the large and powerful companies are working to make it unrealistic to block their services while the small connectivity providers want to block things they don't see as useful or they feel are overloading their limited connections.
There are many topics about this on the forum, and everywhere you see the "solutions" that fail to achieve their goal (blocking) but in the meantime have undesired effects like blocking of unrelated services and overloading the router.
Unless you have an unlimited amount of time and a good budget, you had better not try to achieve your bandwidth limiting objectives by "blocking youtube". It is a lost race.
And when you need to "block facebook" e.g. because your employees are spending their worktime on their phones instead of on their job, you better use other methods to achieve better productivity. Blocking isn't going to work well and it will need continuous maintenance and attention.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Block websites http and https without Web Proxy / 100% works.

Sat Aug 11, 2018 2:30 pm

And when you need to "block facebook" e.g. because your employees are spending their worktime on their phones instead of on their job, you better use other methods to achieve better productivity
Gosh! So true; this should be written in legislation.
I had a request like that just a month ago, after one of my clients realized that I can do more than just plug in a router.

I understand what you mean. I was just trying to spread the word that blocking YouTube is nowadays almost impossible, and blocking Facebook is... well... it has to be done correctly, and still there is no guarantee it will work.
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: Block websites http and https without Web Proxy / 100% works.

Sat Aug 11, 2018 3:03 pm

blocking facebook is... well.. it has to be done correctly and still, there is no guarantee it will work.
Once you have successfully blocked facebook you will notice that "entirely legitimate for business use" services like "prezi" will suddenly be inaccessible to the users that "use their facebook account to login".
That is of course a very clever move by facebook: offer your authentication mechanism to other services and implement it in such a way that it is not possible to block your main service and at the same time allow that authentication service to function.
