tasn
just joined
Topic Author
Posts: 15
Joined: Tue May 24, 2016 9:54 am
Location: Ioannina, Greece

Block many websites

Tue Jan 16, 2018 2:08 pm

Hello community,

I am in search of a solution to my problem and I would like to ask some questions first.
I would like to block access from my LAN to a list of websites (around 1000) which I have in an Excel file.

I know there are some ways to block websites, like Layer 7 or Web proxy etc.
So my main question is if I can use a MikroTik device, how efficient it will be, and which way you think would be better.

The other question is if I can somehow easily import the list I have in an Excel file into the MikroTik device, or do I need to make a script?

I don't want the solution, I just want directions.

Thank you
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Block many websites

Tue Jan 16, 2018 2:16 pm

L7 will kill your router, and is very inefficient. You can also block by IP address; that would be much easier and faster, if most of those websites have a known list of fairly static IP addresses.
 
tasn
just joined
Topic Author
Posts: 15
Joined: Tue May 24, 2016 9:54 am
Location: Ioannina, Greece

Re: Block many websites

Tue Jan 16, 2018 2:29 pm

Thanks Normis,

By IP you mean to block the IP addresses of websites in Firewall->Filter Rules, right?

I'll try that
 
ivicask
Member
Posts: 422
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Block many websites

Tue Jan 16, 2018 2:49 pm

> Thanks Normis,
>
> By IP you mean to block the IP addresses of websites in Firewall->Filter Rules, right?
>
> I'll try that

/ip firewall address-list
add address=facebook.com list=blocked_web
add address=youtube.com list=blocked_web
add address=whatever.com list=blocked_web
etc. continue the list from your Excel table

Add this to block them all.
/ip firewall filter
add action=reject chain=forward comment="Block Web Sites" \
    dst-address-list=blocked_web reject-with=icmp-network-unreachable

Simple as that
 
pe1chl
Forum Guru
Posts: 10196
Joined: Mon Jun 08, 2015 12:09 pm

Re: Block many websites

Tue Jan 16, 2018 2:51 pm

That is indeed very simple, but unfortunately it will not work correctly!
One IP address can handle multiple websites, so when you block this way you will block other sites as well.
 
ivicask
Member
Posts: 422
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Block many websites

Tue Jan 16, 2018 2:58 pm

> That is indeed very simple, but unfortunately it will not work correctly!
> One IP address can handle multiple websites, so when you block this way you will block other sites as well.

Well then, in that case you can do a DNS block

/ip dns static
add address=127.0.0.1 regexp=facebook.com
etc.

And in order to enforce the MikroTik as DNS, so users can't use any other, I use

/ip firewall filter
add action=drop chain=forward comment="BLOCK OTHER DNS SERVERS" disabled=yes \
    dst-address=!192.168.1.244 port=53 protocol=tcp
add action=drop chain=forward disabled=yes dst-address=!192.168.1.244 port=53 \
    protocol=udp

Where 244 is the IP of my MikroTik serving as DNS server.
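The original question was how to get roughly a thousand domains out of a spreadsheet and into the router without typing them one by one. The example below is added here and is not code from the thread or from MikroTik: it reads a CSV export of the sheet (the sample rows are constructed), validates every cell as a hostname so that a stray `;` or quote can never be pasted into a RouterOS command, de-duplicates, and renders both the address-list entries from the earlier post and the `/ip dns static` sinkhole entries from this one. The regexp it emits writes dots as `[.]` and the end anchor as `\$` on the assumption that RouterOS applies POSIX extended-regexp semantics and treats a bare `$` inside a quoted string as a variable marker; `blocked_web`, `comment=imported` and the 127.0.0.1 sink are choices, not RouterOS requirements.

```python
import csv
import io
import re

# Constructed sample standing in for the spreadsheet (exported from Excel as CSV).
# It deliberately contains the kinds of rows a real export has: mixed case,
# pasted URLs, duplicates, an empty note column and a malformed cell.
SAMPLE_CSV = """site,note
Facebook.com,social
http://www.youtube.com/,video
whatever.com,misc
whatever.com,duplicate row
bad;host.com,malformed cell
example.org,
"""

# RFC 1123 hostname syntax. Anything that does not match is refused, so a stray
# ';' or quote in a spreadsheet cell can never end up inside a RouterOS command
# line where the CLI would parse it as part of the script.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def normalize(cell: str):
    """Reduce a spreadsheet cell to a bare lowercase hostname, or None if it is not one."""
    host = cell.strip().lower()
    host = re.sub(r"^https?://", "", host)      # a pasted URL: drop the scheme...
    host = host.split("/", 1)[0].rstrip(".")     # ...and any path or trailing dot
    if host.startswith("www."):                  # the subdomain-covering regexp catches www. anyway
        host = host[4:]
    return host if HOSTNAME_RE.match(host) else None


def load_domains(csv_text: str, column: int = 0):
    """Return (accepted hostnames in first-seen order, rejected raw cells); the header row is skipped."""
    seen, accepted, rejected = set(), [], []
    for row in list(csv.reader(io.StringIO(csv_text)))[1:]:
        if not row:
            continue
        host = normalize(row[column])
        if host is None:
            rejected.append(row[column])
        elif host not in seen:
            seen.add(host)
            accepted.append(host)
    return accepted, rejected


def dns_regexp(host: str) -> str:
    """Pattern for /ip dns static matching the domain and every subdomain.

    Assumption: RouterOS uses POSIX ERE and treats '$' in a quoted string as a
    variable marker, so the dot is written as [.] (no backslash needed) and the
    end anchor is escaped as \\$.
    """
    return "^(.*[.])?" + host.replace(".", "[.]") + "\\$"


def to_routeros(domains, list_name="blocked_web", sink="127.0.0.1") -> str:
    """Render the import as a RouterOS script: address-list entries plus DNS static sinkholes."""
    lines = ["/ip firewall address-list"]
    lines += [f"add address={d} list={list_name} comment=imported" for d in domains]
    lines.append("/ip dns static")
    lines += [f'add address={sink} regexp="{dns_regexp(d)}" comment=imported' for d in domains]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ok, bad = load_domains(SAMPLE_CSV)
    print(to_routeros(ok))
    for cell in bad:
        print(f"# skipped, not a hostname: {cell!r}")
```

Run it against the real export (`load_domains(open("sites.csv").read())`), review the skipped cells, and paste the printed script into the terminal or `/import` it from a file. Keep the rejected list: a cell the validator refuses is usually a typo in the sheet, but it is also exactly where an injected command would hide.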
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Block many websites

Tue Jan 16, 2018 3:00 pm

New and exciting way to block things introduced in latest 6.41, block by SSL certificate name with TLS-HOST:
/ip firewall filter add action=drop chain=forward protocol=tcp tls-host=*facebook.com
 
ivicask
Member
Posts: 422
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Block many websites

Tue Jan 16, 2018 3:07 pm

> New and exciting way to block things introduced in latest 6.41, block by SSL certificate name with TLS-HOST:
> /ip firewall filter add action=drop chain=forward protocol=tcp tls-host=*facebook.com

What about sites that don't use SSL? Or does the site's SSL certificate need to have the same name as the site? How reliable is that?
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Block many websites

Tue Jan 16, 2018 3:10 pm

Sites without SSL you can block in other ways already. And also, there aren't many sites without SSL.
Can you name an example of a popular site that has SSL certificate issued for a different domain? I don't think that is even possible.
 
sri2007
Member Candidate
Posts: 205
Joined: Wed May 20, 2015 10:14 pm
Location: Lake Grove, NY

Re: Block many websites

Tue Jan 16, 2018 5:04 pm

Hi!!! I believe that it can work by configuring your MikroTik and your network to work with OpenDNS. On that site you can block anything, and you really need to do extra things in the MikroTik, for example denying any proxy communication, denying any VPN port, denying UltraSurf, and doing a dst-nat to force any DNS request sent to a different server and redirect it to the OpenDNS server.
 
tasn
just joined
Topic Author
Posts: 15
Joined: Tue May 24, 2016 9:54 am
Location: Ioannina, Greece

Re: Block many websites

Tue Jan 16, 2018 7:06 pm

I have in mind OpenDNS but I would like first to try a more "MikroTik" solution.
The list does not contain very common websites like Facebook, Google etc., so most of them have only 1 IP.
I will try that and see if it suits me.

Btw
> New and exciting way to block things introduced in latest 6.41, block by SSL certificate name with TLS-HOST:
> /ip firewall filter add action=drop chain=forward protocol=tcp tls-host=*facebook.com

I tested it and it does not match any traffic. I tried some variations of the command provided but couldn't find something working.

Anyway thank you all for your ideas - knowledge
 
AlainCasault
Trainer
Posts: 632
Joined: Fri Apr 30, 2010 3:25 pm
Location: Prévost, QC, Canada

Re: Block many websites

Thu Jan 18, 2018 2:51 pm

MikroTik made a MUM presentation that might help you with that. Look for the title "my holy war against masquerade". It helped me a lot!!

Sent from Tapatalk

 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Block many websites

Sun Jan 21, 2018 9:09 pm

> That is indeed very simple, but unfortunately it will not work correctly!
> One IP address can handle multiple websites, so when you block this way you will block other sites as well.

What do you mean by that? Can you give me an example of an IP address that handles more than one website?
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Block many websites

Mon Jan 22, 2018 11:58 am

Read this: https://httpd.apache.org/docs/2.4/vhosts/examples.html
It should explain to you a bit what a virtual host for WWW is.
IMHO all hosting companies share one IP for many sites. There are not enough IPv4 addresses to host each possible WWW site with its own address.
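The objection raised above, that an IP-based block hits every site hosted on the same address, can be checked before the address-list is deployed rather than discovered afterwards. The example below is added here and is not code from the thread: it resolves the domains you intend to block and the domains that must stay reachable, reports every address the two groups share, and emits address-list entries only for the blocked domains that have no collision. The resolver is a fixed table of constructed documentation addresses (`203.0.113.0/24`, `198.51.100.0/24`) so the script runs offline; in practice the `resolve` callable would wrap `socket.getaddrinfo` and be run from inside the LAN, since that is the view the router will see.

```python
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Set

# Constructed answers standing in for a live resolver (socket.getaddrinfo in practice).
# Names and addresses are documentation values, not real sites.
SAMPLE_DNS: Dict[str, Set[str]] = {
    "blockme.example":   {"203.0.113.10"},
    "alsoblock.example": {"203.0.113.20", "203.0.113.21"},
    "payroll.example":   {"203.0.113.10"},   # shared host: same address as blockme.example
    "bank.example":      {"198.51.100.5"},
}

Resolver = Callable[[str], Set[str]]


def table_resolver(table: Dict[str, Set[str]]) -> Resolver:
    """Resolver backed by a fixed table; unknown names resolve to nothing."""
    return lambda host: set(table.get(host, ()))


def shared_ip_report(block: Iterable[str], keep: Iterable[str], resolve: Resolver):
    """For every blocked domain, list the addresses it shares with domains that must stay reachable.

    Result shape: {blocked_domain: {ip: [kept domains on that ip]}}; empty when blocking by IP is safe.
    """
    owners: Dict[str, Set[str]] = defaultdict(set)
    for host in keep:
        for ip in resolve(host):
            owners[ip].add(host)
    collisions: Dict[str, Dict[str, List[str]]] = {}
    for host in block:
        for ip in resolve(host):
            if ip in owners:                      # membership test: no defaultdict auto-insert
                collisions.setdefault(host, {})[ip] = sorted(owners[ip])
    return collisions


def safe_address_list(block, keep, resolve, list_name="blocked_web"):
    """Emit address-list entries only for domains whose addresses are not shared.

    Returns (RouterOS script, collisions) so the caller can review what was left out.
    """
    collisions = shared_ip_report(block, keep, resolve)
    lines = ["/ip firewall address-list"]
    for host in block:
        if host in collisions:
            lines.append(f"# NOT added, shared address: {host} -> {collisions[host]}")
        else:
            lines.append(f"add address={host} list={list_name} comment=imported")
    return "\n".join(lines) + "\n", collisions


if __name__ == "__main__":
    resolve = table_resolver(SAMPLE_DNS)
    script, left_out = safe_address_list(
        ["blockme.example", "alsoblock.example"], ["payroll.example", "bank.example"], resolve)
    print(script)
    print("collisions:", left_out)
```

The `keep` list does not have to be exhaustive: the point is to name the services whose loss would be noticed (payroll, banking, the SaaS the office runs on) and confirm none of them lives on an address about to be blocked. Domains that collide are the ones to handle with the DNS static or tls-host approaches discussed in the thread instead.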
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Block many websites

Tue Jan 23, 2018 11:27 am

> Read this: https://httpd.apache.org/docs/2.4/vhosts/examples.html
> It should explain to you a bit what a virtual host for WWW is.
> IMHO all hosting companies share one IP for many sites. There are not enough IPv4 addresses to host each possible WWW site with its own address.

Thanks BartoszP
 
AlainCasault
Trainer
Posts: 632
Joined: Fri Apr 30, 2010 3:25 pm
Location: Prévost, QC, Canada

Re: Block many websites

Thu Jan 25, 2018 2:09 am


> Btw
> > New and exciting way to block things introduced in latest 6.41, block by SSL certificate name with TLS-HOST:
> > /ip firewall filter add action=drop chain=forward protocol=tcp tls-host=*facebook.com
> I tested it and it does not match any traffic. I tried some variations of the command provided but couldn't find something working.
>
> Anyway thank you all for your ideas - knowledge

Ditto here!!
/ip firewall filter
add action=log chain=forward log-prefix="====================" protocol=tcp tls-host=*.facebook.com
Not matching anything. Normis, am I doing something wrong??
 
pe1chl
Forum Guru
Posts: 10196
Joined: Mon Jun 08, 2015 12:09 pm

Re: Block many websites

Thu Jan 25, 2018 11:22 am

I think you need to apply those matchers in the mangle chain, to set a mark on the connection, and then use a filter in the forward chain to block packets for those marked connections.
This is because such matches operate on "peeking into a session" and by the time they identified the traffic, it has already passed through.
You cannot drop the actual TLS exchange, but you can drop the further traffic when you have marked the connection.
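Two questions run through the tls-host part of this thread: what the matcher actually looks at, and why the pattern spelling matters. The example below is added here and is not code from the thread or from RouterOS. It builds a minimal TLS ClientHello (constructed bytes) carrying the `server_name` extension, which is the SNI field that the `tls-host` matcher inspects, then parses it back out and applies a wildcard pattern. It shows concretely that a plaintext HTTP request has no SNI to match (the earlier question about sites without SSL), that the SNI arrives in the very first data packet of the connection, which is why marking the connection and dropping what follows works, and that `*facebook.com` and `*.facebook.com` are different patterns: the bare apex `facebook.com` satisfies the first but not the second. Modelling the pattern with shell-style wildcards (`fnmatch`) is an assumption about how RouterOS interprets `tls-host`, not something the thread or MikroTik documentation confirms here.

```python
import fnmatch
import struct


def build_client_hello(sni: str) -> bytes:
    """Constructed TLS 1.2-style ClientHello whose only extension is server_name (type 0)."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name, length, name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list    # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                  # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                  # one cipher suite
            + b"\x01\x00"                                         # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


# Constructed plaintext request for contrast: no TLS record, hence nothing for tls-host to see.
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"


def extract_sni(packet: bytes):
    """Return the server_name from a TLS ClientHello, or None when the payload is not one."""
    if len(packet) < 5 or packet[0] != 0x16:
        return None                                   # not a TLS handshake record
    rec_len = struct.unpack("!H", packet[3:5])[0]
    hs = packet[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                   # not a ClientHello
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                      # skip version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # session id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # compression methods
    if len(body) < pos + 2:
        return None                                   # no extensions at all
    end = min(pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0], len(body))
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != 0:
            continue
        p = 2                                         # skip server_name_list length
        while p + 3 <= len(data):
            ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            if ntype == 0:                            # host_name entry
                return data[p:p + nlen].decode("ascii", "replace")
            p += nlen
    return None


def tls_host_matches(packet: bytes, pattern: str) -> bool:
    """Assumption: tls-host patterns are shell-style wildcards; modelled here with fnmatch."""
    host = extract_sni(packet)
    return host is not None and fnmatch.fnmatchcase(host.lower(), pattern.lower())


if __name__ == "__main__":
    for sni in ("www.facebook.com", "facebook.com"):
        hello = build_client_hello(sni)
        print(sni, "*facebook.com ->", tls_host_matches(hello, "*facebook.com"),
              "| *.facebook.com ->", tls_host_matches(hello, "*.facebook.com"))
    print("plain HTTP SNI:", extract_sni(PLAIN_HTTP))
```

Feeding the parser a real capture of a LAN client's first packet to TCP port 443 is the quickest way to confirm what name the router would be matching on, and whether the pattern in the rule covers both the apex and its subdomains.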
 
reinerotto
Long time Member
Posts: 520
Joined: Thu Dec 04, 2008 2:35 am

Re: Block many websites

Thu Jan 25, 2018 3:40 pm

ivicask gave the simplest and most complete solution to the problem. Also works for https-sites, of course.
 
TAD
just joined
Posts: 13
Joined: Tue Mar 13, 2012 12:17 pm

Re: Block many websites

Thu Aug 16, 2018 2:26 pm

> New and exciting way to block things introduced in latest 6.41, block by SSL certificate name with TLS-HOST:
> /ip firewall filter add action=drop chain=forward protocol=tcp tls-host=*facebook.com

Hi Normis, I have tested this but Facebook still opens
 
chebedewel
just joined
Posts: 9
Joined: Tue Feb 02, 2016 6:41 am
Location: Noumea

Re: Block many websites

Fri Sep 07, 2018 8:58 am

Hi, try with this :
/ip firewall filter add action=reject chain=forward comment="Reject FB" protocol=tcp reject-with=icmp-network-unreachable tls-host=*.facebook.com
Same for v6 :
/ipv6 firewall filter add action=reject chain=forward comment="Reject FB" protocol=tcp reject-with=icmp-no-route tls-host=*.facebook.com
 
yalex
just joined
Posts: 11
Joined: Sat Jul 04, 2015 3:30 pm

Re: Block many websites

Sun Oct 07, 2018 4:46 pm

Hi
I have a problem on my network with CoinMainer.ha malware. This one made me crazy :( It has many subdomains and does not use SSL. How can I block all traffic in/out from coinhive.com and subdomains like ws006.coinhive.com, ws084.coinhive.com, wsxyz.coinhive.com...? There are many servers with many IPs for this malware and I have many clients/servers infected with it.
