
Policy to block website in Mikrotik increase CPU

Posted: Thu Sep 05, 2019 8:48 am
by mukeshchaubey
Hi
Can you let us know what is the best way to block websites? We are running an ISP; traffic is 2Gbps + 1G peering, with approx 2000 customers (public hotspot) + 2000 home customers. We are using a Mikrotik CCR 1072 and a third-party RADIUS server for AAA. We have a list of approx 100+ IPs or website names which we want to block, but when we enable it, CPU utilization increases and browsing becomes slow. I have gone through some MUM videos online on YouTube, but that doesn't help us.

Please share with me one simple step or example of how to make the policy.
Waiting for quick support. Thanks

Re: Policy to block website in Mikrotik increase CPU

Posted: Thu Sep 05, 2019 9:41 pm
by sebastia
what is the /tool profile indicating?
could you share details on how the blocking works?

Re: Policy to block website in Mikrotik increase CPU

Posted: Fri Sep 06, 2019 7:22 am
by mukeshchaubey
what is the /tool profile indicating?
could you share details on how the blocking works?
Find below the policy with which we are blocking:

/ip firewall filter
add action=drop chain=forward dst-address-list=DoT-block


/ip firewall address-list

add address=xmovies8.com list=DoT-block
add address=xmovies8.ru list=DoT-block
add address=xmovies8.tv list=DoT-block
add address=downloadhub.lol list=DoT-block
add address=downloadhub.ws list=DoT-block
add address=downloadhub.ind.in list=DoT-block
add address=downloadhub.wiki list=DoT-block
add address=downloadhub.biz list=DoT-block
add address=downloadhub.net.in list=DoT-block
... and so on
approx 100 such policies


Let me know: is this the right way to block the websites or not?

Re: Policy to block website in Mikrotik increase CPU

Posted: Fri Sep 06, 2019 8:20 am
by DummyPLUG
what is the /tool profile indicating?
could you share details on how the blocking works?
Find below the policy with which we are blocking:

/ip firewall filter
add action=drop chain=forward dst-address-list=DoT-block


/ip firewall address-list

add address=xmovies8.com list=DoT-block
add address=xmovies8.ru list=DoT-block
add address=xmovies8.tv list=DoT-block
add address=downloadhub.lol list=DoT-block
add address=downloadhub.ws list=DoT-block
add address=downloadhub.ind.in list=DoT-block
add address=downloadhub.wiki list=DoT-block
add address=downloadhub.biz list=DoT-block
add address=downloadhub.net.in list=DoT-block
... and so on
approx 100 such policies


Let me know: is this the right way to block the websites or not?
I found this method is not reliable when the TTL is just a few seconds; RouterOS didn't update the IPs fast enough for these domains and will sometimes not block them.

Re: Policy to block website in Mikrotik increase CPU

Posted: Fri Sep 06, 2019 10:47 am
by mukeshchaubey
what is the /tool profile indicating?
could you share details on how the blocking works?
Find below the policy with which we are blocking:

/ip firewall filter
add action=drop chain=forward dst-address-list=DoT-block


/ip firewall address-list

add address=xmovies8.com list=DoT-block
add address=xmovies8.ru list=DoT-block
add address=xmovies8.tv list=DoT-block
add address=downloadhub.lol list=DoT-block
add address=downloadhub.ws list=DoT-block
add address=downloadhub.ind.in list=DoT-block
add address=downloadhub.wiki list=DoT-block
add address=downloadhub.biz list=DoT-block
add address=downloadhub.net.in list=DoT-block
... and so on
approx 100 such policies


Let me know: is this the right way to block the websites or not?
I found this method is not reliable when the TTL is just a few seconds; RouterOS didn't update the IPs fast enough for these domains and will sometimes not block them.
Please suggest to me the best practices to block. I have a list of IP address details; please help me with how to block them and share one sample with me. I am new to the Mikrotik field.
Thanks

Re: Policy to block website in Mikrotik increase CPU

Posted: Mon Sep 09, 2019 1:51 pm
by mukeshchaubey
Hi

Please support me. How can I block the websites so that my Mikrotik CCR 1072 CPU utilization remains normal? Waiting for response.

Re: Policy to block website in Mikrotik increase CPU

Posted: Mon Sep 09, 2019 2:16 pm
by R1CH
Redirect DNS to local DNS and then filter at DNS server.

Note that blocking 100% is impossible.

Re: Policy to block website in Mikrotik increase CPU

Posted: Mon Sep 09, 2019 4:29 pm
by pe1chl
Redirect DNS to local DNS and then filter at DNS server.
DNS over HTTPS, which is now being introduced (enabled by default) in web browsers, will end that possibility...
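R1CH's DNS-side approach written out as an added RouterOS example; it is not a configuration posted by anyone in the thread. It assumes the customer-facing interfaces are members of an interface list named LAN, reuses domain names from the thread's list, and the sinkhole address is a constructed placeholder.

```routeros
# Added example: answer customer DNS on the router and sinkhole the listed names.
# Assumption: customer-facing interfaces are members of an interface list "LAN".
/ip dns
set allow-remote-requests=yes

# Static answers are consulted before any recursive lookup, so the listed names
# resolve to a constructed sinkhole address instead of the real site. Short
# upstream TTLs no longer matter here: the router never asks upstream for them.
/ip dns static
add name=xmovies8.com address=127.0.0.1 comment="DoT-block sinkhole"
add name=xmovies8.ru address=127.0.0.1 comment="DoT-block sinkhole"
# One regexp entry covers the whole family of TLD variants from the list.
add regexp=".*downloadhub.*" address=127.0.0.1 comment="DoT-block sinkhole"

# Force plain-DNS clients that point at a public resolver back to the router.
# dstnat is evaluated only on the first packet of a new flow; the rest follows
# connection tracking, so this adds no per-packet list lookup.
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 action=redirect to-ports=53 comment="catch outbound plain DNS"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 action=redirect to-ports=53 comment="catch outbound plain DNS"

# Checks: confirm a listed name now answers with the sinkhole address.
# As pe1chl notes, a browser using DNS over HTTPS bypasses this entirely,
# which is the limit of the method.
/ip dns static print
/ip dns cache print where name=xmovies8.com
```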

Re: Policy to block website in Mikrotik increase CPU

Posted: Mon Sep 09, 2019 4:34 pm
by pe1chl
find the policy how we are blocking

/ip firewall filter
add action=drop chain=forward dst-address-list=DoT-block
Please show the entire forward chain. Are you using connection tracking? Is the rule placed after the "accept established/related" rule?
Note that such rules are expensive without connection tracking, because they have to be evaluated for each and every packet.

Re: Policy to block website in Mikrotik increase CPU

Posted: Tue Sep 10, 2019 5:20 am
by mukeshchaubey
Hi All
Below is the configuration I have done. Let me know if more needs to be done or how to do it. Thanks


/ip firewall filter
add action=drop chain=forward dst-address-list=DoT-block


/ip firewall address-list

add address=xmovies8.com list=DoT-block
add address=xmovies8.ru list=DoT-block
add address=xmovies8.tv list=DoT-block
... 100 such sites

Re: Policy to block website in Mikrotik increase CPU

Posted: Tue Sep 10, 2019 11:51 am
by mukeshchaubey
Hi All

Share with me any link where I can find the best way to block websites; it should not increase the CPU and should also work fine.

Re: Policy to block website in Mikrotik increase CPU

Posted: Tue Sep 10, 2019 2:45 pm
by pe1chl
I'm afraid there is no such link!
When you "need to block websites" the best advice is to close down your network.
That will create the best overall happiness amongst users and administrators.

Re: Policy to block website in Mikrotik increase CPU

Posted: Tue Sep 10, 2019 6:02 pm
by mukeshchaubey
I'm afraid there is no such link!
When you "need to block websites" the best advice is to close down your network.
That will create the best overall happiness amongst users and administrators.
Thanks for the wonderful advice.

Re: Policy to block website in Mikrotik increase CPU

Posted: Tue Sep 10, 2019 6:41 pm
by Sob
What's the rest of your firewall rules?

Re: Policy to block website in Mikrotik increase CPU

Posted: Thu Sep 12, 2019 1:51 pm
by mukeshchaubey
What's the rest of your firewall rules?
I am sharing a sample of my router configuration; please check it and support me with any mistake there. I have now enabled this configuration in the live network, and some websites still get opened (I have checked that those websites' IPs are not getting changed).
2nd question: will it work fine, and is the configuration correct?

/ip firewall address-list

add address=abcd.com list=DoT-block
add address=xyz.ru list=DoT-block

/ip firewall filter
add action=drop chain=forward dst-address-list=DoT-block log=yes

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=DoT-block new-routing-mark=block-website passthrough=yes


Thanks

Re: Policy to block website in Mikrotik increase CPU

Posted: Thu Sep 12, 2019 3:17 pm
by Sob
Your mistake is sharing only a few rules, because the rest matters too. But the mangle rule does show the problem: you're checking the list for every single packet, so of course it's going to be slow. You need to check the list only for new connections, mark them and not check the list again, something like:
/ip firewall mangle
add chain=prerouting connection-state=new dst-address-list=DoT-block action=mark-connection new-connection-mark=block-website passthrough=yes
add chain=prerouting connection-mark=block-website action=mark-routing new-routing-mark=block-website
Or if you're using firewall filter (it doesn't make sense to have both), you need to check the list only once, which is best done when you start your firewall with:
/ip firewall filter
add chain=forward connection-state=established,related,untracked action=accept
add chain=forward connection-state=invalid action=drop
and then you add other rules after these, so only new connections will get to them.
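Sob's ordering written out as a complete minimal forward chain, added here as an example (not Sob's own post). It keeps the thread's list name DoT-block; the comments and the three checks at the end are assumptions about how to confirm the list is only consulted once per connection.

```routeros
# Added example: filter-only variant of the ordering Sob describes.
/ip firewall filter
# 1. Everything conntrack already knows about leaves the chain here, so the
#    bulk of the traffic never reaches the address-list rule below.
add chain=forward connection-state=established,related,untracked action=accept comment="1 tracked traffic"
add chain=forward connection-state=invalid action=drop comment="2 invalid"
# 2. Only the first packet of each new connection gets this far; this is the
#    one and only point where the DoT-block list is consulted.
add chain=forward connection-state=new dst-address-list=DoT-block action=drop log=yes log-prefix="DoT-block:" comment="3 blocked sites"
# ... the rest of the forward chain follows here, also seeing only new connections ...

# Check 1: rule 1 should carry almost all packets; rule 3's counter should grow
# roughly with the number of new connections, not with throughput.
/ip firewall filter print stats

# Check 2: domain entries in the list are resolved by the router and show up as
# dynamic (D) address entries. If a site still opens (DummyPLUG's short-TTL
# case), compare what is listed here with what the customer's resolver returned.
/ip firewall address-list print where list=DoT-block

# Check 3: per-process CPU breakdown; "firewall" should no longer dominate.
/tool profile
```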

Re: Policy to block website in Mikrotik increase CPU

Posted: Thu Sep 12, 2019 7:24 pm
by mukeshchaubey
Your mistake is sharing only a few rules, because the rest matters too. But the mangle rule does show the problem: you're checking the list for every single packet, so of course it's going to be slow. You need to check the list only for new connections, mark them and not check the list again, something like:
/ip firewall mangle
add chain=prerouting connection-state=new dst-address-list=DoT-block action=mark-connection new-connection-mark=block-website passthrough=yes
add chain=prerouting connection-mark=block-website action=mark-routing new-routing-mark=block-website
Or if you're using firewall filter (it doesn't make sense to have both), you need to check the list only once, which is best done when you start your firewall with:
/ip firewall filter
add chain=forward connection-state=established,related,untracked action=accept
add chain=forward connection-state=invalid action=drop
and then you add other rules after these, so only new connections will get to them.
Thanks. Extremely sorry for my mistake; I have noted it for future posts.