Community discussions

MikroTik App
 
onlysuraj
Member Candidate
Member Candidate
Topic Author
Posts: 134
Joined: Sun Jul 10, 2011 10:00 am
Location: india

i want to block the facebook in my internal network

Wed Aug 31, 2011 8:51 am

hi friends
some customer compained me that they want to block the facebook and orkut like social site
from our end.
these customer are connected to the access point (2.4)and all are using static internal ip
that are provided by us .
now i am not able to do that bcos if configure the firewall on radio(access point 2.4)then all client that are connected to that ap are not able to use facebook and other social sites .

kindy tell me what should to by giving me an example?????????????

i am also submittng the diagram of my network
with regard
from suraj
You do not have the required permissions to view the files attached to this post.
 
EHCorp
just joined
Posts: 5
Joined: Tue Aug 30, 2011 12:15 pm

Re: i want to block the facebook in my internal network

Wed Aug 31, 2011 9:40 am

If customers are assigned static IPs then it is so easy for you to add dropping rules through MT firewall, first of all your schema is a bit unclear but what I understood is that you need to block facebook for some clients knowing that these clients are assigned Static IPs, therefore collect the IPs you want to block and them to MT Firewall under Address List + add a filter Rule dropping facebook for instance to these specific clients, hope I was clear :) and if any further help needed please post back.
 
User avatar
laithmikrotik
Member
Member
Posts: 435
Joined: Wed Apr 13, 2011 3:18 pm

Re: i want to block the facebook in my internal network

Wed Aug 31, 2011 2:51 pm

If customers are assigned static IPs then it is so easy for you to add dropping rules through MT firewall, first of all your schema is a bit unclear but what I understood is that you need to block facebook for some clients knowing that these clients are assigned Static IPs, therefore collect the IPs you want to block and them to MT Firewall under Address List + add a filter Rule dropping facebook for instance to these specific clients, hope I was clear :) and if any further help needed please post back.
hellow
do you mean that some ip addresses should determined then block the facebook just for the determined ips
I LIKE MIKROTIK
 
onlysuraj
Member Candidate
Member Candidate
Topic Author
Posts: 134
Joined: Sun Jul 10, 2011 10:00 am
Location: india

Re: i want to block the facebook in my internal network

Wed Aug 31, 2011 3:23 pm

If customers are assigned static IPs then it is so easy for you to add dropping rules through MT firewall, first of all your schema is a bit unclear but what I understood is that you need to block facebook for some clients knowing that these clients are assigned Static IPs, therefore collect the IPs you want to block and them to MT Firewall under Address List + add a filter Rule dropping facebook for instance to these specific clients, hope I was clear :) and if any further help needed please post back.
 
onlysuraj
Member Candidate
Member Candidate
Topic Author
Posts: 134
Joined: Sun Jul 10, 2011 10:00 am
Location: india

Re: i want to block the facebook in my internal network

Wed Aug 31, 2011 3:30 pm

If customers are assigned static IPs then it is so easy for you to add dropping rules through MT firewall, first of all your schema is a bit unclear but what I understood is that you need to block facebook for some clients knowing that these clients are assigned Static IPs, therefore collect the IPs you want to block and them to MT Firewall under Address List + add a filter Rule dropping facebook for instance to these specific clients, hope I was clear :) and if any further help needed please post back.
thanks for your fast reply
but bad luck for me i tried too much but not succeed after all.

tell me any example that states how to restrict using from facebook for this ip 10.210.2.14/24

no nat
no hotspot
no pppoe server

simple rb 433 (access point )bridged accessspoint 2.4

and wds bridge for point to point ??????????
 
User avatar
cbrown
Trainer
Trainer
Posts: 1840
Joined: Thu Oct 14, 2010 8:57 pm
Contact:

Re: i want to block the facebook in my internal network

Wed Aug 31, 2011 8:33 pm

Try something like this.
/ip firewall filter add action=drop chain=forward content=facebook disabled=no src-address=10.210.2.14
C.Brown

cbrown[at]ravenrocknetworks.com
MTCNA - MTCRE - MTCWE - MTCTCE
MTCSE - TRAINER-0179
 
onlysuraj
Member Candidate
Member Candidate
Topic Author
Posts: 134
Joined: Sun Jul 10, 2011 10:00 am
Location: india

Re: i want to block the facebook in my internal network

Thu Sep 01, 2011 8:37 am

Try something like this.
/ip firewall filter add action=drop chain=forward content=facebook disabled=no src-address=10.210.2.14
thanks for fast reply
but it is not working any more
kindly post some specific codes
 
User avatar
cbrown
Trainer
Trainer
Posts: 1840
Joined: Thu Oct 14, 2010 8:57 pm
Contact:

i want to block the facebook in my internal network

Thu Sep 01, 2011 3:37 pm

Check the order of your rules. Put the rule I gave you at the top and see if that works. You could have another rule accepting the traffic before it is suppose to get dropped.
C.Brown

cbrown[at]ravenrocknetworks.com
MTCNA - MTCRE - MTCWE - MTCTCE
MTCSE - TRAINER-0179
 
CCDKP
Member Candidate
Member Candidate
Posts: 170
Joined: Fri Jan 28, 2011 11:24 pm
Location: Midwest, United States

Re: i want to block the facebook in my internal network

Thu Sep 01, 2011 4:36 pm

Due to the nature of SSL, using Content=facebook isn't always going to capture facebook traffic and has a fairly high false-positive rate (in theory you could be dropping packets for any webpage that uses facebook connect, or the "like this on facebook" button).

The only reliable method for blocking facebook with a mikrotik is to block at the DNS level.
Enable DNS server on the mikrotik, add invalid entries for facebook.com, the capture blacklisted users' DNS requests. This only works if aren't already providing a DNS server behind the mikrotik, and the mikrotik isn't providing DNS caching already.
/ip dns 
set servers=<public DNS server1>,<public DNS server2> allow-remote-requests=yes

/ip dns static
add address=127.0.0.1 disabled=no name=facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=www.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=glib1.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=glib2facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=mail.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=dns.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=ns0.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=ns1.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=ns2.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=ns3.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=ns4.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=ns5.facebook.com ttl=5m

/ip firewall nat
add action=redirect chain=dstnat comment="Capture DNS" disabled=no dst-port=53 protocol=udp src-address-list=DNSBlacklist to-ports=53
add action=redirect chain=dstnat comment="Capture DNS" disabled=no dst-port=53 protocol=tcp src-address-list=DNSBlacklist to-ports=53

/ip firewall address-list
add address=<Client Static IP to be blocked> list=DNSBlacklist comment="Added to DNS block list on request of <Customer name>"
--CC_DKP
CC_DKP: MTCNA, MTCRE, MTCWE, MTCTCE, part-time packet wrangler
 
onlysuraj
Member Candidate
Member Candidate
Topic Author
Posts: 134
Joined: Sun Jul 10, 2011 10:00 am
Location: india

Re: i want to block the facebook in my internal network

Fri Sep 02, 2011 10:47 am

Check the order of your rules. Put the rule I gave you at the top and see if that works. You could have another rule accepting the traffic before it is suppose to get dropped.

how fool i am :(
thanks man it's wirking
now the 10.210.2.14 can not access the facebook.early moring customer told me that they were not able to acces the facebook any more.
thanks

now i am finding more solutions.
hope you will help me :D
 
User avatar
MCT
Member Candidate
Member Candidate
Posts: 157
Joined: Wed Mar 03, 2010 5:53 pm

Re: i want to block the facebook in my internal network

Fri Sep 02, 2011 6:19 pm

Ever consider a different approach such as blocking any outgoing DNS request that contains facebook?
 
mhosts
newbie
Posts: 36
Joined: Tue Nov 03, 2009 4:43 pm

Re: i want to block the facebook in my internal network

Fri Sep 02, 2011 11:10 pm

Why don't you just drop all traffic to their network?

http://bgp.he.net/AS32934#_prefixes

Create an address list with all of those prefixes and drop the traffic in a firewall rule.
 
User avatar
cbrown
Trainer
Trainer
Posts: 1840
Joined: Thu Oct 14, 2010 8:57 pm
Contact:

i want to block the facebook in my internal network

Sun Sep 04, 2011 2:44 am

Ever consider a different approach such as blocking any outgoing DNS request that contains facebook?
Yep and you could also setup web-proxy. There are many different ways to achieve this.
C.Brown

cbrown[at]ravenrocknetworks.com
MTCNA - MTCRE - MTCWE - MTCTCE
MTCSE - TRAINER-0179
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8395
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: i want to block the facebook in my internal network

Sun Sep 04, 2011 4:43 pm

you could also setup web-proxy
you can transparently inspect DNS requests. you can NOT transparently inspect https traffic - it's encrypted

p.s. https://kproxy.com :(
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
albotik
just joined
Posts: 7
Joined: Fri Sep 23, 2011 9:51 am

Re: i want to block the facebook in my internal network

Fri Sep 23, 2011 10:03 am

Hi all,
After i blocked traffic for facebook, a need to know how to redirect the request for facebook to another webpage, like myhomepage.com?
Can anybody help me in this issue?
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8395
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: i want to block the facebook in my internal network

Fri Sep 23, 2011 10:50 am

so, how did you do blocking?
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
albotik
just joined
Posts: 7
Joined: Fri Sep 23, 2011 9:51 am

Re: i want to block the facebook in my internal network

Sat Sep 24, 2011 2:48 pm

I've blocked facebook in this way:
[nnnn@xxxxx] /ip firewall layer7-protocol> pr det
0 name="facebook" regexp="facebook"
[nnnn@xxxxx] /ip firewall filter> pr
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; drop facebook
chain=forward action=drop src-address=0.0.0.0/0 layer7-p

i used layer7 protocol as with simple filter content it will affect many other websites who has facebook content
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8395
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: i want to block the facebook in my internal network

Sat Sep 24, 2011 4:27 pm

you can redirect only when using some proxy. L7 matches already established connection, you cannot redirect in the middle of connection
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
albotik
just joined
Posts: 7
Joined: Fri Sep 23, 2011 9:51 am

Re: i want to block the facebook in my internal network

Sat Sep 24, 2011 8:33 pm

OK, I will try do it with proxy even i don't have experience of using proxy, any help here is welcomed :)
by the way many thnx Chupaka.
 
User avatar
dexlaine
just joined
Posts: 16
Joined: Mon Sep 27, 2010 3:45 pm

Re: i want to block the facebook in my internal network

Thu Dec 01, 2011 6:08 am

Hello,

I tried to block facebook and youtube and its working fine..

Is there a way... to unblock certain IP only lets say computer of my boss... hehe.. cause now he is included in the block

suggestion is highly appreciated

Thanks

Dex
 
User avatar
dexlaine
just joined
Posts: 16
Joined: Mon Sep 27, 2010 3:45 pm

Re: i want to block the facebook in my internal network

Thu Dec 01, 2011 6:12 am

This is the way I do my FACEBOOK and YOUTUBE block

/ip firewall filter
add action=drop chain=forward comment="Drop facebook" content=facebook.com disabled=no out-interface=LAN11
add action=drop chain=forward comment="Drop facebook" content=www.facebook.com disabled=no out-interface=LAN11
add action=drop chain=forward comment="Drop facebook" content=apps.facebook.com disabled=no out-interface=LAN11
add action=drop chain=forward comment="Drop facebook" content=facebook disabled=no out-interface=LAN11
add action=drop chain=forward comment="Drop facebook" content=facebook.* disabled=no out-interface=LAN11
add action=drop chain=forward comment="Drop youtube" content=youtube.com disabled=no out-interface=LAN11
add action=drop chain=forward comment="Drop youtube" content=www.youtube.com disabled=no out-interface=LAN11
add action=drop chain=forward comment="Drop youtube" content=apps.youtube.com disabled=no out-interface=LAN11
add action=drop chain=forward comment="Drop youtube" content=youtube disabled=no out-interface=LAN11
add action=drop chain=forward comment="Drop youtube" content=youtube.* disabled=no out-interface=LAN11
/
 
studyete
just joined
Posts: 20
Joined: Wed Jun 20, 2012 2:37 pm

Re: i want to block the facebook in my internal network

Fri Nov 16, 2012 9:37 am

Halo all,

I found many post regarding facebook block here in this forum. So i don't want to open a new blog. So i'm sharing the problem with blocking here hoping somebody will share the solution.

I'm blocking facebook from firewall filter rule. I've created adress list of my local network like this. 192.168.1.0/24 and named list as facebook. Then from ip-->firewall-->filter-->forward chain-->content facebook.com-->dst-addlist-->facebook-->action reject.

tis way i can block facebook and I've created another rule above it which allowed a single ip to access facebook. The problem occur when https comes. The above rule can't stop https facebook.

I've tried blocking facebook with facebook ip but my sys admin told me facebook might change their ip and they do all the time, so it is not efficient way to block facebook though i succeed blocking facebook booth http and https.

so can any one share a solution so i can block a site without above rule both for https and http?
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8395
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: i want to block the facebook in my internal network

Fri Nov 16, 2012 1:04 pm

Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
studyete
just joined
Posts: 20
Joined: Wed Jun 20, 2012 2:37 pm

Re: i want to block the facebook in my internal network

Sat Nov 17, 2012 8:34 am

can you explain what can i do with the link?

http://bgp.he.net/AS32934#_prefixes
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8395
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: i want to block the facebook in my internal network

Mon Nov 19, 2012 9:43 am

block all Faceboox prefixes - they should not change frequently :)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
grizly
just joined
Posts: 20
Joined: Thu Nov 29, 2012 2:15 am
Location: Melbourne/Australia

Re: i want to block the facebook in my internal network

Wed Dec 12, 2012 6:07 am

can you explain what can i do with the link?
My implementation:
/ip firewall address-list
add address=31.13.24.0/21 comment=\
    "Facebook IP Subnets from: http://bgp.he.net/AS32934#_prefixes" disabled=\
    no list=Facebook
add address=31.13.64.0/24 disabled=no list=Facebook
add address=31.13.64.0/19 disabled=no list=Facebook
add address=31.13.65.0/24 disabled=no list=Facebook
add address=31.13.66.0/24 disabled=no list=Facebook
add address=31.13.69.0/24 disabled=no list=Facebook
add address=31.13.70.0/24 disabled=no list=Facebook
add address=31.13.71.0/24 disabled=no list=Facebook
add address=31.13.72.0/24 disabled=no list=Facebook
add address=31.13.73.0/24 disabled=no list=Facebook
add address=31.13.74.0/24 disabled=no list=Facebook
add address=31.13.77.0/24 disabled=no list=Facebook
add address=31.13.75.0/24 disabled=no list=Facebook
add address=31.13.76.0/24 disabled=no list=Facebook
add address=31.13.78.0/24 disabled=no list=Facebook
add address=31.13.79.0/24 disabled=no list=Facebook
add address=31.13.80.0/24 disabled=no list=Facebook
add address=31.13.81.0/24 disabled=no list=Facebook
add address=31.13.82.0/24 disabled=no list=Facebook
add address=31.13.96.0/19 disabled=no list=Facebook
add address=66.220.144.0/21 disabled=no list=Facebook
add address=69.63.176.0/21 disabled=no list=Facebook
add address=69.63.176.0/24 disabled=no list=Facebook
add address=69.63.184.0/21 disabled=no list=Facebook
add address=69.171.224.0/20 disabled=no list=Facebook
add address=69.171.239.0/24 disabled=no list=Facebook
add address=69.171.240.0/20 disabled=no list=Facebook
add address=69.171.255.0/24 disabled=no list=Facebook
add address=74.119.76.0/22 disabled=no list=Facebook
add address=103.4.96.0/22 disabled=no list=Facebook
add address=103.4.96.0/22 disabled=no list=Facebook
add address=173.252.64.0/19 disabled=no list=Facebook
add address=173.252.70.0/24 disabled=no list=Facebook
add address=173.252.96.0/19 disabled=no list=Facebook
add address=204.15.20.0/22 disabled=no list=Facebook
/ip firewall filter
add chain=forward action=log dst-address-list=Facebook log-prefix="Faceboke Traffic" disabled=no
add chain=forward action=drop dst-address-list=Facebook disabled=no
add chain=forward action=drop src-address-list=Facebook disabled=no
It works.. wish there was an easier way to import them, but building a list with find&replace wasn't that hard.
FYI: boke means puke in Doric.. ;-)
 
User avatar
Xanadu
just joined
Posts: 9
Joined: Thu Jan 03, 2013 4:47 am

Re: i want to block the facebook in my internal network

Thu Jan 03, 2013 6:23 am

Hi Guys, I'm pretty new using Mikrotik.
But thanks to the manual and some forums I've learned a bit, I'm now tangled with the issue of blocking facebook.

I have block facebook by web proxy , but as you know well I can prevent users from entering https://ww.facebook.com.
So as you explain here I decided to apply this rule:
 > ip firewall filter add action = drop chain = forward comment = "Block Facebook" dst-address = 66
.220.144.0/20
> Ip firewall filter add action = drop chain = forward comment = "Block Facebook" dst-address = 69
.63.176.0/20
> Ip firewall filter add action = drop chain = forward comment = "Block Facebook" dst-address = 20
4.15.20.0/22
> ip firewall filter add action = drop chain = forward comment = "Block Facebook" dst-address = 69.171.224.0/19 
This prevents all users from accessing network https://ww.facebook.com, now the problem is that some users need to access that page, for this I used:
 > add action = accept chain = forward src-address = 192.168.1.62 dst-address = 66.220.1.0/20
> add action = accept chain = forward src-address = 192.168.1.62 dst-address = 69
.63.176.0/20
> add action = accept chain = forward src-address = 192.168.1.62 dst-address = 20
4.15.20.0/22
> add action = accept chain = forward src-address = 192.168.1.62 dst-address = 69.171.224.0/19 
This is only a test, I know that to include all users with permission to access https://ww.facebook.com.I have to make an
addres-list to avoid entering the ip address of each user.
Anyway still fails! Privileged users can not access https://ww.facebook.com

I hope someone help me with the problem and thank you very much! :D
 
User avatar
cbrown
Trainer
Trainer
Posts: 1840
Joined: Thu Oct 14, 2010 8:57 pm
Contact:

i want to block the facebook in my internal network

Thu Jan 03, 2013 1:40 pm

Make sure your accept rules are before your drop rules.
C.Brown

cbrown[at]ravenrocknetworks.com
MTCNA - MTCRE - MTCWE - MTCTCE
MTCSE - TRAINER-0179
 
User avatar
Xanadu
just joined
Posts: 9
Joined: Thu Jan 03, 2013 4:47 am

Re: i want to block the facebook in my internal network

Thu Jan 03, 2013 3:34 pm

Make sure your accept rules are before your drop rules.
Thanks, works perfectly :D
 
User avatar
Xanadu
just joined
Posts: 9
Joined: Thu Jan 03, 2013 4:47 am

Re: i want to block the facebook in my internal network

Thu Jan 03, 2013 5:24 pm

I tried to do exactly the same with https://twitter.com/, but didn't work :?

And never is going to work 'cause their ip addresses are subject to sudden change without notice, so I tried block by content and is not working neither.

Anyone have a suggestions? Please :shock:
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8395
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: i want to block the facebook in my internal network

Sun Jan 06, 2013 12:36 am

to do exactly what? we're not telepathists ;)

http://bgp.he.net/AS13414#_prefixes

by the way, you'd better use Address Lists for such things - it's managed much easier
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
User avatar
Xanadu
just joined
Posts: 9
Joined: Thu Jan 03, 2013 4:47 am

Re: i want to block the facebook in my internal network

Mon Jan 07, 2013 4:52 pm

If you see my previous posts in this topic, I talk about blocking Facebook by IP range and right now it's working perfectly. Then I tried to do the same with twitter, I even used same link that you posted for the IP range but isn't working. Also I tried to block twitter by content and isn't working either. :?
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8395
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: i want to block the facebook in my internal network

Mon Jan 07, 2013 5:07 pm

I tried to block twitter by content and isn't working either. :?
it won't work: as far as I can see, twitter uses encrypted connections. but blocking by IP ranges sould work, recheck your config
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
User avatar
Xanadu
just joined
Posts: 9
Joined: Thu Jan 03, 2013 4:47 am

Re: i want to block the facebook in my internal network

Tue Jan 08, 2013 8:51 pm

I actually ended up deleting my twitter rule and did it again. Right now is working perfectly.
But now I can't access facebook my web browser says server not found, until yesterday my Facebook rule was working perfectly,
allowing access to privilege users and denying regular users. I think is something about DNS :?
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8395
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: i want to block the facebook in my internal network

Wed Jan 09, 2013 1:24 am

use traceroute from the PC to know for sure
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
User avatar
cbrown
Trainer
Trainer
Posts: 1840
Joined: Thu Oct 14, 2010 8:57 pm
Contact:

i want to block the facebook in my internal network

Wed Jan 09, 2013 3:52 am

And also double check the order of your rules again, just incase ;)
C.Brown

cbrown[at]ravenrocknetworks.com
MTCNA - MTCRE - MTCWE - MTCTCE
MTCSE - TRAINER-0179
 
User avatar
Xanadu
just joined
Posts: 9
Joined: Thu Jan 03, 2013 4:47 am

Re: i want to block the facebook in my internal network

Wed Jan 09, 2013 10:55 pm

Actually I can tracert without problem and my rules are in order :s I don't know what is going on :?
 
User avatar
cbrown
Trainer
Trainer
Posts: 1840
Joined: Thu Oct 14, 2010 8:57 pm
Contact:

i want to block the facebook in my internal network

Wed Jan 09, 2013 11:29 pm

Post /export compact so we can take a look.
C.Brown

cbrown[at]ravenrocknetworks.com
MTCNA - MTCRE - MTCWE - MTCTCE
MTCSE - TRAINER-0179
 
binyo66
just joined
Posts: 1
Joined: Fri Feb 15, 2013 12:01 pm

Re: i want to block the facebook in my internal network

Fri Feb 15, 2013 1:07 pm

Try something like this.
/ip firewall filter add action=drop chain=forward content=facebook disabled=no src-address=10.210.2.14
Its kind of working to me. But how can I extend to multiple-ip (such as group in profile) so that the specific profile can not access facebook? (I did try, to set inside the hotspot user profile, address list like block_facebook), and then assign it in the ip firewall filter, advanced, source list), and it didn't work :(
 
letabawireless
Frequent Visitor
Frequent Visitor
Posts: 63
Joined: Thu Jul 26, 2012 5:11 pm

Re: i want to block the facebook in my internal network

Thu May 23, 2013 10:51 am

Hi there

I have found a way:

chain=prerouting action=add-dst-to-address-list src-address=192.168.x.0/24 dst-address-list=!LAN address-list=FACEBOOK
address-list-timeout=0s content=facebook

Then you do :

chain=forward action=drop dst-address-list=FACEBOOK

You will see I said in dst addr list !LAN. Here I specify my internal range, otherwise if you have local DNS server, access will be blocked to it as well.

What I also did, is write a script to clear the address list everyday, so if there was any incorrect entry, it will be cleared.

Hope this helps.
 
User avatar
cbrown
Trainer
Trainer
Posts: 1840
Joined: Thu Oct 14, 2010 8:57 pm
Contact:

Re: i want to block the facebook in my internal network

Fri May 24, 2013 2:34 pm

How is that any different than just simply dropping anything with content=facebook? You are still going to get many false positives.
C.Brown

cbrown[at]ravenrocknetworks.com
MTCNA - MTCRE - MTCWE - MTCTCE
MTCSE - TRAINER-0179
 
cusco
newbie
Posts: 34
Joined: Tue Jun 29, 2010 2:34 pm

Re: i want to block the facebook in my internal network

Fri Jun 07, 2013 10:50 pm

I created address list using the same method

on linux:
whois -h whois.radb.net -- '-i origin AS32934'|grep ^route:|while read a b; do echo "/ip firewall address-list add address=$b list=facebook"; done
 
theaubolgs
just joined
Posts: 2
Joined: Mon Jul 01, 2013 9:53 pm

Re: i want to block the facebook in my internal network

Mon Jul 01, 2013 9:58 pm

for all
really i tried too much hard to block facebook by all ways u offered me and doesnt work
what do u think me to do
 
theaubolgs
just joined
Posts: 2
Joined: Mon Jul 01, 2013 9:53 pm

Re: i want to block the facebook in my internal network

Mon Jul 01, 2013 10:09 pm

please help me \
i tried all these previous ways no working with me what to do now?

Who is online

Users browsing this forum: No registered users and 43 guests