mike456
just joined
Topic Author
Posts: 3
Joined: Wed Nov 13, 2019 9:58 am

Blocking FB, youtube on specific MAC or IP

Wed Nov 13, 2019 10:10 am

I looked around, but I only found a way to block FB and youtube for all connected devices and then allow certain devices one by one at Layer 7 on the Router OS.
I want to do the opposite: block FB and youtube on only 4 devices. How can this be possible to do?
 
sindy
Forum Guru
Posts: 4218
Joined: Mon Dec 04, 2017 9:19 pm

Re: Blocking FB, youtube on specific MAC or IP

Wed Nov 13, 2019 12:19 pm

If you've found a reliable way to block youtube alone without blocking the rest of google services, please share the link or your configuration, you'll make many people here happy. Also if you can block facebook without blocking login to other services using the facebook account, the same people will be happy too.

To your question, the same way you can place accept rules matching on IP addresses of privileged devices before the blocking rules, to except the traffic of the privileged devices from being handled by the blocking rules, you can also add a src-address-list to the blocking rules so that these rules would only apply on devices whose addresses are placed on that address list.

Firewall rules cannot be directly linked to MAC addresses without spending extra CPU so I would recommend to use static dhcp leases. However, to prevent users from escaping your rules by manually assigning IP addresses, you may need to set arp=reply-only on the interface and let the DHCP server add arp records for the addresses it leases out. The only reliable measure to prevent users from escaping your rules by changing their MAC addresses is to use 802.1x authentication, which requires (to date) an external RADIUS server. A poor man's alternative to this is to force use of PPPoE on LAN. But either of those authentication methods must be used for all users, not just those you want to restrict.

If the above is too theoretical for you, be aware that so was your question - so if you want a more detailed suggestion, post your export.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
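
Added example, not part of sindy's post: one way to lay out the configuration described above (static leases, an address list on the blocking rule, DHCP-managed ARP with arp=reply-only). The bridge name "bridge", DHCP server name "defconf", the 192.168.88.0/24 addresses, the MAC addresses, the list name "restricted" and the layer7-protocol name "block-sites" are all assumptions to be replaced with your own values.

```routeros
# Added example. Every name, address and MAC below is a constructed placeholder.
# Assumes a LAN bridge "bridge", a DHCP server "defconf", and an already
# existing layer7-protocol entry "block-sites" used by your blocking rule.

# 1. Pin each of the 4 restricted devices to a fixed address (static lease).
/ip dhcp-server lease
add server=defconf mac-address=02:00:00:00:00:01 address=192.168.88.201 comment="restricted-1"
add server=defconf mac-address=02:00:00:00:00:02 address=192.168.88.202 comment="restricted-2"
add server=defconf mac-address=02:00:00:00:00:03 address=192.168.88.203 comment="restricted-3"
add server=defconf mac-address=02:00:00:00:00:04 address=192.168.88.204 comment="restricted-4"

# 2. Put exactly those addresses on the list the blocking rule will match.
/ip firewall address-list
add list=restricted address=192.168.88.201
add list=restricted address=192.168.88.202
add list=restricted address=192.168.88.203
add list=restricted address=192.168.88.204

# 3. Scope the blocking rule to the list: devices not on "restricted"
#    never hit this rule, so no per-device accept rules are needed.
/ip firewall filter
add chain=forward action=drop src-address-list=restricted \
    layer7-protocol=block-sites comment="block sites for restricted devices only"

# 4. Let the DHCP server create ARP entries for the addresses it leases out...
/ip dhcp-server
set [find name=defconf] add-arp=yes

# 5. ...then make the LAN interface use only those known entries, so a manually
#    assigned IP address (one without a lease) gets no connectivity through
#    the router. Apply step 4 first.
/interface bridge
set [find name=bridge] arp=reply-only

# Hosts that legitimately use a static IP and never ask DHCP (printers,
# servers) need their own static ARP entry once reply-only is active:
/ip arp
add interface=bridge address=192.168.88.10 mac-address=02:00:00:00:00:10 comment="static host"
```

As the post says, this stops manual IP changes but not MAC address changes; a device that presents a different MAC simply receives a different lease that is not on the list.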
 
mike456
just joined
Topic Author
Posts: 3
Joined: Wed Nov 13, 2019 9:58 am

Re: Blocking FB, youtube on specific MAC or IP

Tue Dec 10, 2019 5:30 am

I'll come back to you about it
 
vanhalf
just joined
Posts: 4
Joined: Mon Mar 07, 2016 1:24 pm

Re: Blocking FB, youtube on specific MAC or IP

Tue Dec 10, 2019 10:36 am

Blocking facebook for all IPs in the L7 IP list, including all FB services. Can be applied to other websites.
/ip firewall layer7-protocol
add comment="== social networks ==" name=block-socials regexp="^.+(www.facebook.com|facebook.com|login\
    .facebook.com|www.login.facebook.com|fbcdn.net|www.fbcdn.net|fbcdn.com|www.fbcdn.com|static.ak.fbc\
    dn.net|static.ak.connect.facebook.com|connect.facebook.net|www.connect.facebook.net|apps.facebook.\
    com).*\$";
/ip firewall filter
add action=drop chain=forward comment="==BLOCK L7 WEBSITES=="  layer7-protocol=\
    block-socials src-address-list=L7;
 
ahmedit
just joined
Posts: 4
Joined: Thu May 14, 2015 11:57 am

Re: Blocking FB, youtube on specific MAC or IP

Sun Jan 12, 2020 7:14 pm

Hello vanhalf,
this script is not working: it closes all traffic, not facebook only!
