Hi guys,

In our company we want to block facebook page. So i decided to use layer 7 protocol. Iv put ^(.*)(facebook)(.*)$ as a regexp value and in firewall set this parameters.

/ip firewall layer7-protocol
add name="Deny worktime" regexp="^(.*)(facebook)(.*)\$"
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=\
10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s \
udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=forward disabled=no layer7-protocol="Deny worktime" \
src-address=192.168.5.1-192.168.5.49
add action=drop chain=forward disabled=yes layer7-protocol="Deny worktime" \
src-address=192.168.5.0/24 time=8h-12h,mon,tue,wed,thu,fri
add action=drop chain=forward disabled=yes layer7-protocol="Deny worktime" \
src-address=192.168.5.0/24 time=13h-17h,mon,tue,wed,thu,fri
add action=drop chain=forward disabled=no dst-port=443 layer7-protocol=\
"Deny worktime" protocol=tcp src-address=0.0.0.0/0 src-port=""
add action=drop chain=forward disabled=no dst-port=80 layer7-protocol=\
"Deny worktime" protocol=tcp src-address=0.0.0.0/0 src-port=""


Rule work perfectly BUT it block more page than facebook. And some page are available in chome and not in IE or firefox. Others are available in IE bud not in chrome... and so on... Facebook is blocked in all browsers

Any ideas??

Using layer7 to block facebook causes a lot of problems. It is better to block facebook via IP addresses like this.

/ip firewall filter
add action=drop chain=forward comment="Block Facebook" dst-address=\
74.119.76.0/22
add action=drop chain=forward comment="Block Facebook" dst-address=\
173.252.64.0/18
add action=drop chain=forward comment="Block Facebook" dst-address=\
204.15.20.0/22
add action=drop chain=forward comment="Block Facebook" dst-address=\
66.220.144.0/20
add action=drop chain=forward comment="Block Facebook" dst-address=\
69.171.224.0/19

All right ill try your way btw where u got thoose IPs?

Oh thank you. Do u thing that will work what i did? I ping fb page and make that ip static record do dns. Then i make rules out of it. I did same for youtube and badoo.

And one more question. I need to block exe and msi files. Is it "save" solve it throu content?

Cheers

Odesláno z mého GT-I9300 pomocí Tapatalk 2

Using layer7 to block facebook causes a lot of problems. It is better to block facebook via IP addresses like this.

/ip firewall filter
add action=drop chain=forward comment="Block Facebook" dst-address=\
74.119.76.0/22
add action=drop chain=forward comment="Block Facebook" dst-address=\
173.252.64.0/18
add action=drop chain=forward comment="Block Facebook" dst-address=\
204.15.20.0/22
add action=drop chain=forward comment="Block Facebook" dst-address=\
66.220.144.0/20
add action=drop chain=forward comment="Block Facebook" dst-address=\
69.171.224.0/19

Hi cbrown. I tested with your rules and it works. but now I want to block Youtube using the dst-address. but which ip should I use? I cannot get it working.

Also you can update those rules by using whois in a linux/unix/mac box running the following commands:

echo "/ip firewall filter" ; whois -h whois.radb.net -- '-i origin AS32934' | grep '^route:' | sort -n | uniq | awk '{print "add action=drop chain=forward comment=Facebook dst-address="$2}'

echo "/ipv6 firewall filter" ; whois -h whois.radb.net -- '-i origin AS32934' | grep '^route6:' | sort -n | uniq | awk '{print "add action=drop chain=forward comment=Facebook dst-address="$2}'

You can modify awk command to fit your needs.

xMikes04, your regex layer7-protocol is ok but it should be used in dns requests
reject dns packets to any server with dst-port 53 and which hit the layer7-protocol
also fbcdn.net should be blocked

i want to allow the following:

gmail.com (only for emails)
yahoo.com (only for emails)
100.30.20.10
gregsowell.com
ports: 995, 465, 25, 110, and
ports: 8080, 8000 for only internal IP 192.168.1.101

i also have a L2TP+IPSEC VPN running on the same router right now....

everything else from inside the network should be blocked....

ETHER1 --> WAN with Fixed IP
ETHER2 to ETHER5 --> LAN Bridged Ports (IP RANGE: 192.168.1.150 - 192.168.1.250)
MASQUERADE --> ENABLED

i am getting pretty confused with all this above conditions.... all help in this is highly appreciated... please....help me!!!

Shifting from Pure Mikrotik Wireless to Firewall's from Mikrotik as an additional service....hence facing hurdles...

i want to allow the following:

gmail.com (only for emails)
yahoo.com (only for emails)
100.30.20.10
gregsowell.com
ports: 995, 465, 25, 110, and
ports: 8080, 8000 for only internal IP 192.168.1.101

sound like a company scenario, in such cases i recommend to allow http traffic only via a proxy server. it much easier to make a URL based to filter such stuff. For example: To block/allow only parts of the google services you need to intercept the encrypted https connection anyway. Some proxies can do that but you clients need to install and trust the the proxies certificate, otherwise the browsers will complain and show a warning and that's absolutely correct because technical you're doing a man in the middle "attack".

I want to allow the following:

gmail.com (only for emails)
yahoo.com (only for emails)
or another website with https port 443

1 ;;; WebProxy All https are block and I want to expect two:
One for login in gmail account and the secont for login in another https://aaaaa.xxxx......

Is this posible because I make some test on web proxy access but nothing

Using layer7 to block facebook causes a lot of problems. It is better to block facebook via IP addresses like this.

/ip firewall filter
add action=drop chain=forward comment="Block Facebook" dst-address=\
74.119.76.0/22
add action=drop chain=forward comment="Block Facebook" dst-address=\
173.252.64.0/18
add action=drop chain=forward comment="Block Facebook" dst-address=\
204.15.20.0/22
add action=drop chain=forward comment="Block Facebook" dst-address=\
66.220.144.0/20
add action=drop chain=forward comment="Block Facebook" dst-address=\
69.171.224.0/19

I added these and its blocked, but i want to make an exception for some ip's on the network, where can i put the addresses that i want to be able to access fb ?

Put another rule for any ip you want to access facebook above those with :
add action=accept chain=forward src-address=<allowed ip>

But this rule will allow them everything so if you have some other restrictions you need to arrange the order.

Dear all,

I have been trying to block Facebook from our MikroTik router, but till now, I just can not manage. I have tried basically everything from blocking individual IP's to changing the DNS to point to openDNS (which was configured to block social networks) to using the layer7 method. Nothing. I am a bit lost to be honest, and I am quite new with MikroTik.

We currently have have two WLAN networks configured, one is corporate and the other one is a guest network. The guest network is fire-walled, so that no one can access the corporate LAN.

Hi
I need to block viber any one have idea

well you can use squid to block fb but you have to use a modified version of squid to do it and you will need a box which can run it but once your setup and running it is smooth sailing, the dns blacklist and layer7 is unreliable so I use the ssl bumping to block fb at my work place I have set up two http/https redirect rules on the routerboard which is controlled via sheduling and set up filtering on the squid box based on acl which controls access. but ssl bumping is illegal even for Facebook in most cases, so consult with your legal folks at your company.

plz, I need these type of setup for our network. We want to block facebook for some staff from 9am(9:00 till 15hrs) but allow it for some systems, using their mac addresses to except them from the facebook blocking.

I need the steps and possible way of doing it.

Thanks

i use opendns

i use opendns

Every think you can drop, block
With open dns?

i use opendns

Every think you can drop, block
With open dns?

using opendns is an indirect way to block access to some sites avoiding to resolve dns to this sites

i use opendns

Every think you can drop, block
With open dns?

using opendns is an indirect way to block access to some sites avoiding to resolve dns to this sites

Write your method buz i am and all one benefit from method

You can setup in your mikrotik (if it is the DNS server and you redirect the other dns queries to itself) a static DNS entry for www.facebook.com to 10.0.0.1 (nonexistent IP) and "ready".
Is not pretty... but.... it could work

Write your method buz i am and all one benefit from method

1. Create a free personal account on https://www.opendns.com/

2. Login to opendns dashboard and set your ip, and filtering settings if you have dynamic wan ip you need to install client on some pc.

3. Activate dns cache on mikrotik, be sure of block inbound dns queries from internet to avoid amplification dns attack

4. Set dns on mikrotik to open dns servers 208.67.222.222-208.67.220.220

5. Set your dhcp setting to use mikrotik ip as dns for clients

6. Test your config, take in mind some changes on opendns take up to 10 minutes to be effective sometimes require clean dns cache on mikrotik and client.

7. If you have some clever users changing client machine dns you have to block in the firewall.

Write your method buz i am and all one benefit from method

1. Create a free personal account on https://www.opendns.com/

2. Login to opendns dashboard and set your ip, and filtering settings if you have dynamic wan ip you need to install client on some pc.

3. Activate dns cache on mikrotik, be sure of block inbound dns queries from internet to avoid amplification dns attack

4. Set dns on mikrotik to open dns servers 208.67.222.222-208.67.220.220

5. Set your dhcp setting to use mikrotik ip as dns for clients

6. Test your config, take in mind some changes on opendns take up to 10 minutes to be effective sometimes require clean dns cache on mikrotik and client.

7. If you have some clever users changing client machine dns you have to block in the firewall.

Thank you
208.67.222.222-208.67.220.220 , this ip take you a example or ip for open dns?

https://www.google.com/search?q=how+to+ ... 8&oe=utf-8

Thank you
I will test soon

Hi!
But is it possible to make regexp to work only for specific file, for example www.mysite.com/something.php ???
So the main site is working, but something.php - not.

Using layer7 to block facebook causes a lot of problems. It is better to block facebook via IP addresses like this.

/ip firewall filter
add action=drop chain=forward comment="Block Facebook" dst-address=\
74.119.76.0/22
add action=drop chain=forward comment="Block Facebook" dst-address=\
173.252.64.0/18
add action=drop chain=forward comment="Block Facebook" dst-address=\
204.15.20.0/22
add action=drop chain=forward comment="Block Facebook" dst-address=\
66.220.144.0/20
add action=drop chain=forward comment="Block Facebook" dst-address=\
69.171.224.0/19

Please explain why it's a bad idea to use Layer7 to block Facebook and other websites?

Blocking Facebook by direct IP is ISP depended because for each different ISP facebook can supply dedicated servers. When you use the use the DNS from your provider then you reach the facebook servers in the network of the ISP.

If you use the DNS from Google or OpenDNS the you go Facebook central. Even Google can filter your DNS request if the put their DNS server in your country and then direct to facebook servers in your country.

The only good way to block sites is doing with an own DNS, filtering xxx.xxx.facebook.com by only .facebook.com filter string.

Link to blocking by DNSMasq: viewtopic.php?f=13&t=118980&hilit=Facebook#p586318

Facebook, WhatsApp and Instagram.

Firewall address list supports domain names and dynamically adds IP entry to same address list.

Provided you use the Mikrotik as the DNS server it will always server up the same IP address/s of the specified domains and subsequently drop the traffic


Add address as follows
etc

then add a new firewall rule to drop the traffic and make sure it's in the right position in your firewall rules
Or you could