mukeshchaubey
newbie
Topic Author
Posts: 31
Joined: Wed May 31, 2017 8:13 pm

Policy to block website in Mikrotik increase CPU

Thu Sep 05, 2019 8:48 am

Hi
Can you let us know what is the best way to block websites? We are running an ISP; traffic is 2Gbps + 1G peering, with approx. 2000 customers (public hotspot) + 2000 home customers. We are using a MikroTik CCR 1072 and a third-party RADIUS server for AAA. We have a list of approx. 100+ IPs or website names which we want to block, but when we enable it, CPU utilization increases and the internet browsing experience is slow. I have gone through some MUM videos online on YouTube, but that doesn't help us.

Please share with me one simple step or example of how to make the policy.
Waiting for quick support. Thanks
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Policy to block website in Mikrotik increase CPU

Thu Sep 05, 2019 9:41 pm

what is the /tool profile indicating?
could you share details on how the blocking works?
 
mukeshchaubey
newbie
Topic Author
Posts: 31
Joined: Wed May 31, 2017 8:13 pm

Re: Policy to block website in Mikrotik increase CPU

Fri Sep 06, 2019 7:22 am

> what is the /tool profile indicating?
> could you share details on how the blocking works?
Find below the policy with which we are blocking:

/ip firewall filter
add action=drop chain=forward dst-address-list=DoT-block


/ip firewall address-list

add address=xmovies8.com list=DoT-block
add address=xmovies8.ru list=DoT-block
add address=xmovies8.tv list=DoT-block
add address=downloadhub.lol list=DoT-block
add address=downloadhub.ws list=DoT-block
add address=downloadhub.ind.in list=DoT-block
add address=downloadhub.wiki list=DoT-block
add address=downloadhub.biz list=DoT-block
add address=downloadhub.net.in list=DoT-block
.........................so on..........
approx. 100 such policies


Let me know: is it the right way to block the websites or not?
 
DummyPLUG
Frequent Visitor
Posts: 79
Joined: Wed Jan 03, 2018 10:17 am

Re: Policy to block website in Mikrotik increase CPU

Fri Sep 06, 2019 8:20 am

> what is the /tool profile indicating?
> could you share details on how the blocking works?
> Find below the policy with which we are blocking:
>
> /ip firewall filter
> add action=drop chain=forward dst-address-list=DoT-block
>
> /ip firewall address-list
> add address=xmovies8.com list=DoT-block
> add address=xmovies8.ru list=DoT-block
> add address=xmovies8.tv list=DoT-block
> add address=downloadhub.lol list=DoT-block
> add address=downloadhub.ws list=DoT-block
> add address=downloadhub.ind.in list=DoT-block
> add address=downloadhub.wiki list=DoT-block
> add address=downloadhub.biz list=DoT-block
> add address=downloadhub.net.in list=DoT-block
> .........................so on..........
> approx. 100 such policies
>
> Let me know: is it the right way to block the websites or not?
I found this method is not reliable when the TTL is just a few seconds; RouterOS doesn't update the IP fast enough for these domains and will sometimes not block them.
 
mukeshchaubey
newbie
Topic Author
Posts: 31
Joined: Wed May 31, 2017 8:13 pm

Re: Policy to block website in Mikrotik increase CPU

Fri Sep 06, 2019 10:47 am

> what is the /tool profile indicating?
> could you share details on how the blocking works?
> Find below the policy with which we are blocking:
>
> /ip firewall filter
> add action=drop chain=forward dst-address-list=DoT-block
>
> /ip firewall address-list
> add address=xmovies8.com list=DoT-block
> add address=xmovies8.ru list=DoT-block
> add address=xmovies8.tv list=DoT-block
> add address=downloadhub.lol list=DoT-block
> add address=downloadhub.ws list=DoT-block
> add address=downloadhub.ind.in list=DoT-block
> add address=downloadhub.wiki list=DoT-block
> add address=downloadhub.biz list=DoT-block
> add address=downloadhub.net.in list=DoT-block
> .........................so on..........
> approx. 100 such policies
>
> Let me know: is it the right way to block the websites or not?
> I found this method is not reliable when the TTL is just a few seconds; RouterOS doesn't update the IP fast enough for these domains and will sometimes not block them.
Please suggest to me best practices to block. I have a list of IP address details; please help me with how to block. Share with me one sample. I am new in the MikroTik field.
Thanks
 
mukeshchaubey
newbie
Topic Author
Posts: 31
Joined: Wed May 31, 2017 8:13 pm

Re: Policy to block website in Mikrotik increase CPU

Mon Sep 09, 2019 1:51 pm

Hi

Please support me. How can I block the website so that my MikroTik CCR 1072 CPU utilization remains normal? Waiting for response.
 
R1CH
Forum Guru
Posts: 1101
Joined: Sun Oct 01, 2006 11:44 pm

Re: Policy to block website in Mikrotik increase CPU

Mon Sep 09, 2019 2:16 pm

Redirect DNS to local DNS and then filter at DNS server.

Note that blocking 100% is impossible.
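One way to set up what R1CH describes on RouterOS, as an added example that is not from this thread or from MikroTik's own documentation: customer DNS queries are forced through the router's resolver, and the names to be blocked get a static sinkhole answer. The interface list names LAN and WAN, the sinkhole address 127.0.0.1 and the comments are assumptions; the domain names are the ones the thread uses.

```routeros
# Added example (not the thread's own config). Assumes customer-facing
# interfaces are in an interface list named "LAN" and upstream ones in "WAN".

# 1. Let the router answer DNS queries from clients.
/ip dns
set allow-remote-requests=yes

# 2. Static answers for the names to block: the client receives a sinkhole
#    address instead of the real one, so no connection is ever forwarded.
#    Matching is on the exact name; the "regexp" parameter can be used instead
#    of "name" when subdomains must be covered as well.
/ip dns static
add name=xmovies8.com address=127.0.0.1 comment=DoT-block
add name=xmovies8.ru address=127.0.0.1 comment=DoT-block
add name=downloadhub.lol address=127.0.0.1 comment=DoT-block

# 3. Redirect every client DNS query (UDP and TCP port 53) to the router,
#    so a client configured with an external resolver still gets the
#    filtered answer.
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 action=redirect to-ports=53 comment="DNS redirect"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 action=redirect to-ports=53 comment="DNS redirect"

# 4. allow-remote-requests=yes also answers queries arriving from the
#    internet; drop those on the input chain so the router is not an
#    open resolver.
/ip firewall filter
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop comment="no open resolver"
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop comment="no open resolver"
```

The per-packet cost of this approach is a dstnat lookup on port-53 traffic only; web traffic itself is never matched against the list. As pe1chl points out later in the thread, clients that resolve names over DNS over HTTPS bypass the router's resolver entirely, so this covers plain-DNS clients only.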
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Policy to block website in Mikrotik increase CPU

Mon Sep 09, 2019 4:29 pm

> Redirect DNS to local DNS and then filter at DNS server.
DNS over HTTPS, which is now being introduced (enabled by default) in web browsers, will end that possibility...
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Policy to block website in Mikrotik increase CPU

Mon Sep 09, 2019 4:34 pm

> Find below the policy with which we are blocking:
>
> /ip firewall filter
> add action=drop chain=forward dst-address-list=DoT-block
Please show the entire forward chain. Are you using connection tracking? Is the rule placed after the "accept established/related" rule?
Note that such rules are expensive without connection tracking, because they have to be evaluated for each and every packet.
 
mukeshchaubey
newbie
Topic Author
Posts: 31
Joined: Wed May 31, 2017 8:13 pm

Re: Policy to block website in Mikrotik increase CPU

Tue Sep 10, 2019 5:20 am

Hi All
Below is the configuration I have done. Let me know if more needs to be done, or how to do it. Thanks


/ip firewall filter
add action=drop chain=forward dst-address-list=DoT-block


/ip firewall address-list

add address=xmovies8.com list=DoT-block
add address=xmovies8.ru list=DoT-block
add address=xmovies8.tv list=DoT-block
------------------100 such sites
 
mukeshchaubey
newbie
Topic Author
Posts: 31
Joined: Wed May 31, 2017 8:13 pm

Re: Policy to block website in Mikrotik increase CPU

Tue Sep 10, 2019 11:51 am

Hi All

Share with me any link where I can find the best way to block websites; it should not increase the CPU and should also work fine.
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Policy to block website in Mikrotik increase CPU

Tue Sep 10, 2019 2:45 pm

I'm afraid there is no such link!
When you "need to block websites" the best advice is to close down your network.
That will create the best overall happiness amongst users and administrators.
 
mukeshchaubey
newbie
Topic Author
Posts: 31
Joined: Wed May 31, 2017 8:13 pm

Re: Policy to block website in Mikrotik increase CPU

Tue Sep 10, 2019 6:02 pm

> I'm afraid there is no such link!
> When you "need to block websites" the best advice is to close down your network.
> That will create the best overall happiness amongst users and administrators.
Thanks for the wonderful advice.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Policy to block website in Mikrotik increase CPU

Tue Sep 10, 2019 6:41 pm

What's the rest of your firewall rules?
 
mukeshchaubey
newbie
Topic Author
Posts: 31
Joined: Wed May 31, 2017 8:13 pm

Re: Policy to block website in Mikrotik increase CPU

Thu Sep 12, 2019 1:51 pm

> What's the rest of your firewall rules?
I am sharing a sample of my router configuration. Please check it and support me with any mistake there. Currently I have done the following configuration, which is now enabled in the live network. Some websites still get opened (I have checked that the website IPs are not getting changed).
2nd question: will it work fine, and is the configuration correct?

/ip firewall address-list

add address=abcd.com list=DoT-block
add address=xyz.ru list=DoT-block

/ip firewall filter
add action=drop chain=forward dst-address-list=DoT-block log=yes

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=DoT-block new-routing-mark=block-website passthrough=yes


Thanks
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Policy to block website in Mikrotik increase CPU

Thu Sep 12, 2019 3:17 pm

Your mistake is sharing only a few rules, because the rest matters too. But the mangle rule does show the problem: you're checking the list for every single packet. So of course it's going to be slow. You need to check the list only for new connections, mark them and don't check the list again, something like:
/ip firewall mangle
add chain=prerouting connection-state=new dst-address-list=DoT-block action=mark-connection new-connection-mark=block-website passthrough=yes
add chain=prerouting connection-mark=block-website action=mark-routing new-routing-mark=block-website
Or if you're using firewall filter (it doesn't make sense to have both), you need to check the list only once, which is best done when you start your firewall with:
/ip firewall filter
add chain=forward connection-state=established,related,untracked action=accept
add chain=forward connection-state=invalid action=drop
and then you add other rules after these, so only new connections will get to them.
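Sob's ordering applied to the filter chain from the thread, as an added example that is not the thread's own configuration: connection-tracking shortcuts come first, so the large address list is consulted once per connection rather than once per packet. The log prefix, the comments and the "place further rules here" position are assumptions; the list name and domain names are the thread's.

```routeros
# Added example (not the thread's own config). The address-list entries are
# FQDNs: RouterOS resolves them and keeps the resulting IPs in the list,
# re-resolving when the DNS TTL expires (which is the weakness DummyPLUG
# describes for very short TTLs).
/ip firewall address-list
add address=xmovies8.com list=DoT-block
add address=xmovies8.ru list=DoT-block
add address=xmovies8.tv list=DoT-block

/ip firewall filter
# 1. Packets of an already-accepted connection pass here; no later rule
#    (and no address-list lookup) is evaluated for them.
add chain=forward connection-state=established,related,untracked action=accept comment="fast path"
# 2. Packets that connection tracking cannot attribute to any connection.
add chain=forward connection-state=invalid action=drop comment="drop invalid"
# 3. Only the first packet of each new connection reaches this rule, so the
#    list lookup happens once per connection. Logging gives you a record of
#    what was blocked without touching the CPU on every packet.
add chain=forward connection-state=new dst-address-list=DoT-block action=drop log=yes log-prefix="DoT-block" comment="block listed sites"
# 4. Any remaining forward rules (customer policy, etc.) belong after this
#    point and likewise only ever see new connections.
```

To confirm the effect, compare /tool profile before and after the change (sebastia's first question in the thread), and look at /ip firewall filter print stats: the "fast path" rule should carry almost all of the packet count, while the counter on "block listed sites" grows only at the rate of new connections. Keep either this filter approach or Sob's mangle variant, not both, since each one already ensures a single lookup per connection.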
 
mukeshchaubey
newbie
Topic Author
Posts: 31
Joined: Wed May 31, 2017 8:13 pm

Re: Policy to block website in Mikrotik increase CPU

Thu Sep 12, 2019 7:24 pm

> Your mistake is sharing only a few rules, because the rest matters too. But the mangle rule does show the problem: you're checking the list for every single packet. So of course it's going to be slow. You need to check the list only for new connections, mark them and don't check the list again, something like:
> /ip firewall mangle
> add chain=prerouting connection-state=new dst-address-list=DoT-block action=mark-connection new-connection-mark=block-website passthrough=yes
> add chain=prerouting connection-mark=block-website action=mark-routing new-routing-mark=block-website
> Or if you're using firewall filter (it doesn't make sense to have both), you need to check the list only once, which is best done when you start your firewall with:
> /ip firewall filter
> add chain=forward connection-state=established,related,untracked action=accept
> add chain=forward connection-state=invalid action=drop
> and then you add other rules after these, so only new connections will get to them.
Thanks. Extremely sorry for my mistake; I have noted it for future posts.
