studyete
just joined
Topic Author
Posts: 20
Joined: Wed Jun 20, 2012 2:37 pm

Facebook https block help

Fri Sep 07, 2012 5:08 pm

Hello

I've made a web proxy on my MikroTik and allowed Facebook for a specific IP, i.e. 192.168.1.50, so all IPs except this one can't access Facebook. But if somebody writes https, then they can access Facebook. I've read some posts here which say https does not go through the web proxy, and some solutions have been given, but as my requirement is different (one IP can access Facebook) I could not use those solutions. Can anyone give me a solution so that I can allow Facebook for a specific IP and block https Facebook for all the rest?
 
tws101
Member Candidate
Posts: 283
Joined: Thu Sep 08, 2011 11:25 pm

Re: Facebook https block help

Fri Sep 07, 2012 5:51 pm

http://forum.mikrotik.com/viewtopic.php?f=2&t=44809

Use that except allow the one address that has access.
 
studyete
just joined
Topic Author
Posts: 20
Joined: Wed Jun 20, 2012 2:37 pm

Re: Facebook https block help

Fri Sep 07, 2012 6:11 pm

The link you have provided has several options to block Facebook. I'm very new to MikroTik; would you be kind enough to show me the command line and which procedure I should follow?
 
cbrown
Trainer
Posts: 1839
Joined: Thu Oct 14, 2010 8:57 pm

Facebook https block help

Fri Sep 07, 2012 9:31 pm

/ip firewall filter
add action=accept chain=forward src-address=192.168.1.50 dst-address=66.220.144.0/20
add action=accept chain=forward src-address=192.168.1.50 dst-address=69.171.224.0/19
add action=drop chain=forward comment="Block Facebook" \
dst-address=66.220.144.0/20
add action=drop chain=forward comment="Block Facebook" \
dst-address=69.171.224.0/19
 
studyete
just joined
Topic Author
Posts: 20
Joined: Wed Jun 20, 2012 2:37 pm

Re: Facebook https block help

Sat Sep 08, 2012 10:33 am

Worked properly, thank you cbrown.
 
cbrown
Trainer
Posts: 1839
Joined: Thu Oct 14, 2010 8:57 pm

Facebook https block help

Sat Sep 08, 2012 2:29 pm

No problem.
 
saintofinternet
Forum Veteran
Posts: 768
Joined: Thu Oct 15, 2009 3:52 am

Re: Facebook https block help

Tue Aug 27, 2013 9:02 am

/ip firewall filter
add action=accept chain=forward src-address=192.168.1.50 dst-address=66.220.144.0/20
add action=accept chain=forward src-address=192.168.1.50 dst-address=69.171.224.0/19
add action=drop chain=forward comment="Block Facebook" \
dst-address=66.220.144.0/20
add action=drop chain=forward comment="Block Facebook" \
dst-address=69.171.224.0/19
:( does not seem to work for me though....

help me!!! :)
 
Neilson
Member Candidate
Posts: 174
Joined: Tue Nov 06, 2012 10:42 pm
Location: Auckland, New Zealand

Re: Facebook https block help

Tue Aug 27, 2013 11:19 am

Have you tried doing a

dig facebook.com

or

nslookup facebook.com

You need to block the IP Addresses that facebook.com resolves to in your location. It may not be the two ranges you have blocked there.

For example I see

Serenity:Mikrotik alexander$ dig @8.8.8.8 facebook.com

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 facebook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22045
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;facebook.com. IN A

;; ANSWER SECTION:
facebook.com. 69 IN A 173.252.110.27

;; Query time: 49 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Aug 27 20:09:22 2013
;; MSG SIZE rcvd: 46

when I do a dig, and therefore my Facebook surfing wouldn't be blocked,

which, when I do a whois, comes from the following IP block given to Facebook: 173.252.64.0/18

You would need to try to find all of them. I think he.net would be a good place to be looking for these addresses.

This page here lists the IPv4 addresses, and you can click the link for IPv6 ones as well.

http://bgp.he.net/AS32934#_prefixes

So I would suggest that to block Facebook right now you would need to block this entire list. My advice would be to create an address list called "facebook" or something similar and create a rule that allows from the permitted IP address to that address list, then one that blocks all traffic to that address list. This keeps your rule list simpler and I think will also make the rules more efficient.

One more thing to look at is the chain you are using. From what I can see you are using some kind of NAT, as you are using RFC1918 space for internal addresses, so you may have to put the rules in another chain to catch the traffic (sorry, I can't check this out right now and my brain is not working 100% - toothache).

I may look at writing a guide to blocking things like this for future use making use of address lists. I may even look at creating a BGP feed of popular block entities so people can screen these things automatically from BGP.

Regards
Alexander
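
The address-list approach suggested in the reply above, as an added example that is not part of the original thread: it checks whether a resolved address falls inside the prefixes already blocked, then prints RouterOS commands for one address list, one accept rule and one drop rule. The prefixes, client address and list name come from the posts; the function names are made up for this sketch.

```python
import ipaddress

# Prefixes quoted in the thread: the two ranges in the posted filter rules,
# plus the whois block the later reply found for the resolved address.
RULE_PREFIXES = ["66.220.144.0/20", "69.171.224.0/19"]
WHOIS_PREFIX = "173.252.64.0/18"
ALLOWED_SRC = "192.168.1.50"   # the one client permitted in the thread
LIST_NAME = "facebook"         # list name suggested in the reply


def uncovered(addresses, prefixes):
    """Return the addresses that fall outside every prefix in the list."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [a for a in addresses
            if not any(ipaddress.ip_address(a) in n for n in nets)]


def routeros_rules(prefixes, allowed_src=ALLOWED_SRC, list_name=LIST_NAME):
    """Build address-list entries plus one accept and one drop rule."""
    # collapse_addresses merges overlapping or adjacent prefixes and sorts them
    nets = ipaddress.collapse_addresses(
        ipaddress.ip_network(p) for p in prefixes)
    lines = ["/ip firewall address-list"]
    lines += [f"add list={list_name} address={n}" for n in nets]
    lines += [
        "/ip firewall filter",
        # Accept must sit above the drop: rules are matched top to bottom.
        f"add chain=forward action=accept src-address={allowed_src} "
        f"dst-address-list={list_name}",
        f'add chain=forward action=drop dst-address-list={list_name} '
        f'comment="Block Facebook"',
    ]
    return lines


if __name__ == "__main__":
    resolved = ["173.252.110.27"]  # A record from the dig output above
    print("not covered by posted rules:", uncovered(resolved, RULE_PREFIXES))
    print("\n".join(routeros_rules(RULE_PREFIXES + [WHOIS_PREFIX])))
```

Feeding it the full prefix list for the AS, rather than the three prefixes named in the thread, produces the complete address list the reply recommends.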
 
raz
Member Candidate
Posts: 102
Joined: Wed Dec 19, 2012 3:26 pm
Location: Austria

Re: Facebook https block help

Tue Aug 27, 2013 4:48 pm

Better you check this out: http://bgp.he.net/AS32934#_prefixes
