nithinkumar2000
Member Candidate
Topic Author
Posts: 103
Joined: Wed Sep 11, 2019 7:42 am
Location: Coimbatore

How to Block URL's in Router OS?

Wed Nov 18, 2020 3:51 pm

Hi,
Can anyone please suggest the best method to block URLs in RouterOS?

We are an ISP in India and we have been instructed by the Govt to block certain apps and URLs, like some mentioned below:

1. https://play.google.com/store/apps/deta ... superclean
2. https://play.google.com/store/apps/deta ... ewe.app200
3. https://play.google.com/store/apps/deta ... ty.warpath
etc....

Any help to block the above urls in ROS?
MTCNA | MTCRE | MTCINE | MTCTCE

Mikrotik Consultant - Specialized in ISP OPERATIONS | ROUTING | QOS | FIREWALL | MPLS | SCRIPTING | IPv6
 
sindy
Forum Guru
Posts: 6325
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to Block URL's in Router OS?

Wed Nov 18, 2020 4:13 pm

There is no way to block particular https urls on a router which doesn't support DPI (deep packet inspection) with https decryption (man-in-the-middle attacking of all https connections). In the https communication, you'll see only play.google.com in plaintext, the rest of the url is encrypted.

Some anti-virus solutions and enterprise security appliances do man-in-the-middle attacks on https, pretending to be the user towards the server, and forging server certificates towards the user, signed by their own certificate authority which is set as trusted at the user devices. This is the only way to block selectively a https session to a particular url. Doing this at nation-wide level would void https security.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
nithinkumar2000
Member Candidate
Topic Author
Posts: 103
Joined: Wed Sep 11, 2019 7:42 am
Location: Coimbatore

Re: How to Block URL's in Router OS?

Wed Nov 18, 2020 4:19 pm

> There is no way to block particular https urls on a router which doesn't support DPI (deep packet inspection) with https decryption (man-in-the-middle attacking of all https connections). In the https communication, you'll see only play.google.com in plaintext, the rest of the url is encrypted.
>
> Some anti-virus solutions and enterprise security appliances do man-in-the-middle attacks on https, pretending to be the user towards the server, and forging server certificates towards the user, signed by their own certificate authority which is set as trusted at the user devices. This is the only way to block selectively a https session to a particular url. Doing this at nation-wide level would void https security.

But is there any way to block URLs in ROS? If yes, then how?
 
sindy
Forum Guru
Posts: 6325
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to Block URL's in Router OS?

Wed Nov 18, 2020 4:28 pm

One more time. There is no way in RouterOS, or in any other router/firewall that doesn't do DPI, for https urls. For plain http, it is possible, but nobody uses plain http these days, definitely not google.

To block certain mobile apps for Indian users, your government has to talk to Google directly, not to ISPs. Blocking at ISP level would cost them a lot of money for the appliances, and would have international consequences too. One of the middle-Asian governments apparently attempted to spawn a certificate authority to be included into trusted root CAs of operating systems and browsers and use it for the https man-in-the-middle attack I've described above, but it resulted in this CA not being removed from these trusted certificate stores by OS and browser vendors.
 
nithinkumar2000
Member Candidate
Topic Author
Posts: 103
Joined: Wed Sep 11, 2019 7:42 am
Location: Coimbatore

Re: How to Block URL's in Router OS?

Wed Nov 18, 2020 4:36 pm

Can anyone here explain to me what the use of the TLS Host option in IP/Firewall/Filter is?
And when is TLS Host used, and how does it work?
 
Larsa
Member Candidate
Posts: 215
Joined: Sat Aug 29, 2015 7:40 pm

Re: How to Block URL's in Router OS?

Wed Nov 18, 2020 4:52 pm

 
sindy
Forum Guru
Posts: 6325
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to Block URL's in Router OS?

Wed Nov 18, 2020 4:57 pm

> And when is TLS Host used, and how does it work?

That's what I wrote above. It matches on the only part of the url you can see in plaintext for https connections - the fqdn. So you can use it to block https connections to the whole play.google.com. I don't think that's what you want.
 
nithinkumar2000
Member Candidate
Topic Author
Posts: 103
Joined: Wed Sep 11, 2019 7:42 am
Location: Coimbatore

Re: How to Block URL's in Router OS?

Wed Nov 18, 2020 5:09 pm

>> And when is TLS Host used, and how does it work?

> That's what I wrote above. It matches on the only part of the url you can see in plaintext for https connections - the fqdn. So you can use it to block https connections to the whole play.google.com. I don't think that's what you want.

OK, thank you so much... Will installing a dedicated firewall or pfSense solve this requirement???
 
jvanhambelgium
Member
Posts: 370
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: How to Block URL's in Router OS?

Wed Nov 18, 2020 5:29 pm

>>> And when is TLS Host used, and how does it work?

>> That's what I wrote above. It matches on the only part of the url you can see in plaintext for https connections - the fqdn. So you can use it to block https connections to the whole play.google.com. I don't think that's what you want.

> OK, thank you so much... Will installing a dedicated firewall or pfSense solve this requirement???

Pfsense probably has the same issue.
I think you really need "the big guns" to do truly what you want in-depth & in-detail.
We have designed, built & operate such environments (1000-40000 users) built on Palo Alto hardware, which recognizes A LOT of applications and can act upon them (AppID). Of course not everything is in there, some don't work, and this is something under constant evolution.

https://www.paloaltonetworks.com/apps/p ... tech-brief

AppID database : https://applipedia.paloaltonetworks.com/
 
sindy
Forum Guru
Posts: 6325
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to Block URL's in Router OS?

Wed Nov 18, 2020 5:34 pm

> Will installing a dedicated firewall or pfSense solve this requirement???

Read again what I wrote above. It would have to be a firewall which is capable of doing DPI, and the end devices would have to accept the root CA used by that firewall to forge server certificates as a trusted one. So Google would have to update all the Android devices with that CA certificate. And if Google would agree on such a move, it would be much easier for them to ban the applications at their level rather than doing it this way.

If you are a small ISP, you can't do that. The government would have to agree with Google and with the ISPs which provide international connectivity to India. Asking this from small local ISPs is nonsense.
 
aesmith
Member Candidate
Posts: 139
Joined: Wed Mar 27, 2019 6:43 pm

Re: How to Block URL's in Router OS?

Thu Nov 19, 2020 10:34 am

Could you block the DNS entries that those apps depend on? So people could download and install the apps, but they wouldn't work.
 
nithinkumar2000
Member Candidate
Topic Author
Posts: 103
Joined: Wed Sep 11, 2019 7:42 am
Location: Coimbatore

Re: How to Block URL's in Router OS?

Fri Nov 20, 2020 3:40 pm

Thank you so much for the quick and active response.
 
whatever
Member Candidate
Posts: 170
Joined: Thu Jun 21, 2018 9:29 pm

Re: How to Block URL's in Router OS?

Fri Nov 20, 2020 6:38 pm

> Could you block the DNS entries that those apps depend on? So people could download and install the apps, but they wouldn't work.

DoH is a thing and even the hostname in SNI will become unreadable once TLS 1.3 is in broader use.
Stop trying to block certain URLs on network level, it is impossible without full control over all end user devices without risking huge collateral damage.