tomislav91
Member Candidate, Topic Author
Posts: 178
Joined: Fri May 26, 2017 12:47 pm

block internet access but allow some sites - NOT WORKING

Mon Feb 22, 2021 11:27 pm

I have two rules:
/ip firewall filter
add action=accept chain=forward dst-address-list=\
    AllowedSites dst-port=80,443 protocol=tcp \
    src-address=192.168.50.181
add action=drop chain=forward dst-address=0.0.0.0/0 \
    src-address=192.168.50.181
and in the AllowedSites list is a list of IPs for Outlook from their website https://docs.microsoft.com/en-us/micros ... -worldwide
but when I try to reach Outlook it shows me a DNS PROBE ERROR.
LAN and VPN subnets are working (they are also added to AllowedSites).

How do I solve it? I want only Outlook to be reachable.
 
anav
Forum Guru
Posts: 6190
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: block internet access but allow some sites - NOT WORKING

Tue Feb 23, 2021 5:24 am

What are you trying to accomplish?
Without talking about the config, in terms of users: what do you want to allow or not allow?
 
erkexzcx
Member Candidate
Posts: 177
Joined: Mon Oct 07, 2019 11:42 pm

Re: block internet access but allow some sites - NOT WORKING

Tue Feb 23, 2021 10:36 am

Site blocking is never going to work. At some point the user will start using a VPN provider and there is no way to block it (e.g. NordVPN can use 443 over TCP as well as obfuscated traffic).
 
tomislav91
Member Candidate, Topic Author
Posts: 178
Joined: Fri May 26, 2017 12:47 pm

Re: block internet access but allow some sites - NOT WORKING

Tue Feb 23, 2021 11:04 am

erkexzcx wrote:
    Site blocking is never going to work. At some point the user will start using a VPN provider and there is no way to block it (e.g. NordVPN can use 443 over TCP as well as obfuscated traffic).
We are speaking about users inside a company; for sure they will not use VPNs.
I just wanted to use Outlook web, nothing else.
 
sindy
Forum Guru
Posts: 6899
Joined: Mon Dec 04, 2017 9:19 pm

Re: block internet access but allow some sites - NOT WORKING

Tue Feb 23, 2021 1:46 pm

Microsoft gear (and Android as well) checks internet availability by sending DNS queries and checking the response. So if these DNS queries do not get answered, it concludes the internet is not accessible and doesn't even try to connect to the actual servers.
 
pe1chl
Forum Guru
Posts: 7236
Joined: Mon Jun 08, 2015 12:09 pm

Re: block internet access but allow some sites - NOT WORKING

Tue Feb 23, 2021 8:42 pm

Also, those networks published by Microsoft are not complete and up to date all the time.
I tried to fill an address list with "Microsoft addresses" to use in an outbound firewall, but it is a continuous task where the drop rule is logging and you need to examine the dropped traffic weekly, do whois lookups of suspect addresses, and add them to the address list when they are Microsoft's.
They should provide some well-defined downloadable file that is automatically updated, instead of an online document with formatting.
 
ingdaka
Member
Posts: 396
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania

Re: block internet access but allow some sites - NOT WORKING

Wed Feb 24, 2021 12:18 am

How will you find what IP outlook.com has if you drop traffic to the DNS server?
 
pe1chl
Forum Guru
Posts: 7236
Joined: Mon Jun 08, 2015 12:09 pm

Re: block internet access but allow some sites - NOT WORKING

Wed Feb 24, 2021 11:18 am

ingdaka wrote:
    How will you find what IP outlook.com has if you drop traffic to the DNS server?
Well, there are two things: the client can get a DNS server (actually a resolver) where it can look up outlook.com; this can be the MikroTik router itself when it is configured to forward those DNS requests to next-level resolvers (e.g. at the ISP, or 1.1.1.1 or 8.8.8.8 for example). No need to allow any Microsoft addresses for that.
However, some software thinks it is "smart" by sending some packets to specific external addresses (in this case some DNS server maintained by Microsoft) irrespective of the settings on the system itself (done via DHCP or static).
This is sometimes part of a scheme to detect if there is a "wifi logon portal" (e.g. a "hotspot") in the way that needs to be shown to the user to enter their credentials before the connection to the internet server can be made.
Such mechanisms often allow extra firewall rules so they work correctly; in this case maybe allow DNS forward, which would normally be unnecessary and maybe even unwanted.
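Putting together what sindy and pe1chl describe (the client needs a working resolver, the router can be that resolver, and the drop rule should log so the address list can be maintained), here is one way to lay out the rules. This is an added example, not configuration posted in the thread or provided by MikroTik. It assumes the router is the LAN's DNS server (handed out via DHCP), that an interface list named WAN exists as in the RouterOS default configuration, and it uses the host 192.168.50.181, the list name AllowedSites and the resolvers 1.1.1.1 / 8.8.8.8 from the thread; the hostname outlook.office.com, the LAN and VPN subnets, the comment strings and the log prefix are constructed placeholders.

```routeros
# Added example (not from the thread). Assumes: the router is the LAN's
# DNS resolver, an interface list "WAN" exists, and the restricted host
# is 192.168.50.181 as in the original post.

# 1. Let the router answer DNS for LAN clients and forward queries to the
#    upstream resolvers pe1chl mentions. DHCP must hand out the router's
#    own address as DNS server for clients to use it.
/ip dns set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

# 2. Destinations the restricted host may reach. A hostname entry is
#    resolved by the router itself and kept as dynamic entries that follow
#    the DNS answers, which only covers addresses the router resolved, so
#    the client must use the router as its resolver (see step 1).
#    outlook.office.com and the subnets below are constructed placeholders.
/ip firewall address-list
add list=AllowedSites address=outlook.office.com comment="Outlook web (resolved by router)"
add list=AllowedSites address=192.168.50.0/24 comment="LAN (placeholder)"
add list=AllowedSites address=10.10.10.0/24 comment="VPN (placeholder)"

/ip firewall filter
# 3. input chain: the restricted host may query the router for DNS, but the
#    WAN side may not (allow-remote-requests=yes would otherwise expose an
#    open resolver). Place these above any existing input drop rule.
add chain=input src-address=192.168.50.181 protocol=udp dst-port=53 action=accept comment="DNS from restricted host"
add chain=input src-address=192.168.50.181 protocol=tcp dst-port=53 action=accept comment="DNS (TCP) from restricted host"
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop comment="no DNS from WAN"
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop comment="no DNS from WAN"

# 4. forward chain: web to the allowed list; everything else is logged and
#    then dropped. The log rule (action=log passes the packet on to the
#    next rule) gives the weekly review pe1chl describes something to read:
#    filter /log on the prefix, whois the destinations, extend the list.
add chain=forward src-address=192.168.50.181 dst-address-list=AllowedSites protocol=tcp dst-port=80,443 action=accept comment="restricted host -> allowed sites"
add chain=forward src-address=192.168.50.181 action=log log-prefix="drop-181:" comment="record what the host still tries"
add chain=forward src-address=192.168.50.181 action=drop comment="restricted host: drop the rest"

# 5. If the log shows the client still sending DNS to a hard-coded external
#    resolver (pe1chl's "smart" software case), a forward accept for udp/tcp
#    port 53 to that specific resolver, placed above the log rule, is the
#    narrow exception; the log output tells you which address it is.
```

The original two rules had no path for DNS at all: the forward drop caught every query the client sent to an external resolver, and nothing in the input chain let it ask the router instead, which is the DNS PROBE ERROR the opening post describes. Step 1 plus the input accepts fix that without opening any Microsoft address range for DNS, and the separate drop for WAN-sourced port 53 keeps the router from becoming an open resolver once allow-remote-requests is on. A single Outlook hostname is unlikely to be enough in practice (the web client pulls from several Microsoft hostnames); the log rule in step 4 is what surfaces the rest.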
