Faneva
just joined
Topic Author
Posts: 1
Joined: Tue Mar 20, 2018 3:28 pm

Block web site with Firewall

Wed Mar 21, 2018 6:41 am

Good morning,
I have a MikroTik RB951Ui-2HnD router and I want to block some web sites like Facebook and YouTube.
I have tried to use Layer 7 protocol and web proxy but it was not working. The users are still accessing the web sites.
Can you help me please?
 
Anumrak
Forum Guru
Posts: 1051
Joined: Fri Jul 28, 2017 2:53 pm

Re: Block web site with Firewall

Wed Mar 21, 2018 9:38 am

Post your firewall config here. You should block them just on layer 3.
 
WirtelPL
newbie
Posts: 34
Joined: Sat Nov 11, 2017 11:22 am
Location: Poland

Re: Block web site with Firewall

Wed Mar 21, 2018 11:06 am

You must turn off "FastTrack".
Better to use the TLS-Host option than an L7 protocol. You must have ROS v6.41.1 minimum for this.
RB951G-2HnD for home production
RBmAP2nD | RB952Ui-5ac2nD-TC for home lab
 
nichky
Long time Member
Posts: 530
Joined: Tue Jun 23, 2015 2:35 pm

Re: Block web site with Firewall

Wed Mar 21, 2018 12:14 pm

Try this one:

/ip firewall layer7-protocol
add name=youtube regexp="^.+(youtube).*\$"

/ip firewall mangle
add action=mark-connection chain=prerouting protocol=udp dst-port=53 connection-mark=no-mark layer7-protocol=youtube new-connection-mark=youtube_conn passthrough=yes

add action=mark-packet chain=prerouting connection-mark=youtube_conn new-packet-mark=youtube_packet

/ip firewall filter
add action=drop chain=forward packet-mark=youtube_packet
add action=drop chain=input packet-mark=youtube_packet
Nikola Suminoski
MikroTik Consultant
MTCRE | MTCWE

!) Safe Mode is your friend;
 
icsterm
newbie
Posts: 29
Joined: Sun Mar 11, 2018 11:11 pm

Re: Block web site with Firewall

Wed Mar 21, 2018 2:45 pm

I would just add all the Facebook and YouTube prefix lists in the routing table with type unreachable, keep FastTrack and call it a day.
But it seems a lot of YouTube servers share the same subnets with google.com, so it's hard to do.

One way around this is to block the YouTube and Facebook domains in the MikroTik DNS server: make static entries resolving to 127.0.0.1. Then drop DNS queries going out of your LAN on port 53 except from the router itself, to avoid users using public DNS servers. That should block most novice users from using YouTube and Facebook.
 
anav
Forum Guru
Posts: 3122
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block web site with Firewall

Wed Mar 21, 2018 8:17 pm

On my current router, which the MikroTik will replace, I found it very difficult to block anything with HTTPS.
Does MikroTik handle blocking HTTPS sites with ease??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
az1984
newbie
Posts: 28
Joined: Thu Sep 14, 2017 3:58 pm
Location: Germany

Re: Block web site with Firewall

Thu Mar 22, 2018 8:49 am

I would agree with WirtelPL:

Try using the TLS-Host option. It was introduced in RouterOS v6.41. It will also handle HTTPS.

Just an excerpt from the MikroTik newsletter, Feb 2018:
Since most of the internet now uses HTTPS, it has become much harder to filter specific web content. For this reason, RouterOS 6.41 introduces a new firewall matcher which allows you to block HTTPS websites (TLS traffic) based on the TLS SNI extension, called "TLS-HOST". The new parameter supports glob-style patterns, which should be enough for whatever you're trying to match.
For example, to block example.com, you would use a rule like this:
/ip firewall filter add chain=forward dst-port=443 protocol=tcp tls-host=*.example.com action=reject
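The tls-host matcher described in the newsletter excerpt works because the hostname travels in clear text inside the SNI extension of the TLS ClientHello, before any encryption starts. The Python below is an added illustration of that mechanism, not RouterOS code and not from anyone in this thread: it builds a constructed ClientHello carrying an SNI, parses the SNI back out the way a firewall matcher has to, and applies a glob pattern with the standard library's fnmatch (assumed here as an approximation of RouterOS's glob semantics, which are not documented on this page). Two practical points it makes visible: a `*.example.com` pattern does not match the bare `example.com` under plain glob rules, and a record that carries no SNI at all is never matched, so such a rule is a filter for well-behaved clients rather than a hard block.

```python
import fnmatch
import struct


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record with an SNI extension.

    Constructed test input only; not a real packet capture.
    """
    sni_name = hostname.encode("ascii")
    # ServerName entry: name_type (0 = host_name), 16-bit length, name bytes
    server_name = b"\x00" + struct.pack("!H", len(sni_name)) + sni_name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    # Extension header: type 0x0000 (server_name), 16-bit data length
    ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    extensions = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + b"\x00" * 32         # random (zeros are fine for a constructed sample)
        + b"\x00"              # session_id length: 0
        + b"\x00\x02\x13\x01"  # cipher_suites: length 2, one suite
        + b"\x01\x00"          # compression_methods: length 1, null
        + extensions
    )
    # Handshake header: type 1 (ClientHello) + 24-bit body length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 0x16 (handshake), legacy version, 16-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the lower-cased SNI host_name from a ClientHello record, or None.

    Every length field is bounds-checked so truncated or non-TLS input
    simply yields None instead of raising.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None                      # not a TLS handshake record
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                      # not a ClientHello
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                         # skip version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                 # skip session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                 # skip compression_methods
    if len(body) < pos + 2:
        return None                      # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end and pos + 4 <= len(body):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0x0000 and len(data) >= 5:
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len and p + 3 <= len(data):
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                name = data[p + 3:p + 3 + name_len]
                if name_type == 0:       # host_name
                    return name.decode("ascii", "replace").lower()
                p += 3 + name_len
    return None


def host_matches(hostname: str, pattern: str) -> bool:
    """Glob match, case-insensitive (assumed approximation of tls-host globbing)."""
    return fnmatch.fnmatchcase(hostname.lower(), pattern.lower())


def classify(record: bytes, patterns) -> str:
    """'reject' if the ClientHello's SNI matches any pattern, else 'accept'.

    A record without a usable SNI is accepted: the matcher has nothing to see.
    """
    sni = extract_sni(record)
    if sni is None:
        return "accept"
    return "reject" if any(host_matches(sni, p) for p in patterns) else "accept"


if __name__ == "__main__":
    rules = ["*.example.com"]
    for host in ("www.example.com", "example.com"):
        print(host, "->", classify(build_client_hello(host), rules))
```

The thread's earlier advice that FastTrack must be off fits this picture: the ClientHello is the first data packet of an already-established TCP connection, so a rule that inspects it has to see packets the router would otherwise fast-path. Using `*example.com` (no leading dot) would catch both the apex name and its subdomains under these glob rules.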
 
anav
Forum Guru
Posts: 3122
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block web site with Firewall

Thu Mar 22, 2018 6:21 pm

Thanks a bunch az1984!
So the OP has many options in terms of
blocking by name and by TLS name,
by IP and TLS IP.

It sounds like if one had access to a list of the various names and a list of IPs used by Facebook and YouTube,
one could put them in a single address list and then apply the TLS rule to the LIST!!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
n0b0dy
just joined
Posts: 3
Joined: Sun Jun 03, 2018 10:49 pm

Re: Block web site with Firewall

Sun Jun 03, 2018 10:52 pm

Try this one:

/ip firewall layer7-protocol
add name=youtube regexp="^.+(youtube).*\$"

/ip firewall mangle
add action=mark-connection chain=prerouting protocol=udp dst-port=53 connection-mark=no-mark layer7-protocol=youtube new-connection-mark=youtube_conn passthrough=yes

add action=mark-packet chain=prerouting connection-mark=youtube_conn new-packet-mark=youtube_packet

/ip firewall filter
add action=drop chain=forward packet-mark=youtube_packet
add action=drop chain=input packet-mark=youtube_packet

I tried this and it blocks all traffic going out of my router... Is there another way to block sites aside from this? Thanks in regards.
 
Gerry123
just joined
Posts: 8
Joined: Wed Nov 14, 2018 9:14 pm

Re: Block web site with Firewall

Mon Sep 16, 2019 5:36 pm

Hello, can you help?
My setup: {hAP ac2 > SXT LTE > ISP}. The SXT does NAT for the hAP ac2.
Your code works. Thank you.

The rule below shows traffic & marks the connection:
add action=mark-connection chain=prerouting comment=youtube connection-mark=\
no-mark dst-port=53 layer7-protocol=youtube new-connection-mark=\
youtube_conn passthrough=yes protocol=udp

However, the one below does nothing & does not work when inserted in your code:
add action=mark-connection chain=prerouting comment=youtube connection-mark=\
no-mark dst-port=53 layer7-protocol=youtube new-connection-mark=\
youtube_conn passthrough=yes protocol=udp src-address-list=tablets

A previous simple firewall rule for limiting internet access by time with the same "src-address-list=tablets" works fine.
I have tried placing the code in both the hAP ac2 & the SXT, & in both the mangle & filter rules, but no success.
