bakerbakura
just joined
Topic Author
Posts: 4
Joined: Thu Apr 22, 2021 2:27 pm

Block domains using wildcard

Thu Apr 22, 2021 2:38 pm

Hi!

I recently got a Mikrotik router with RouterOS v6.45.9 installed, and would like to block some websites based on their domain. For 99% of the cases I can do this via my computer's hosts file, but unfortunately that doesn't work for some websites. For instance, itch.io (where one can download games) has a separate subdomain for each game creator, like creator1.itch.io, superspecialawesomme.itch.io, and so on. I've found this old post on the Mikrotik wiki https://wiki.mikrotik.com/wiki/How_to_B ... sing_Proxy which gives a way to do this, but that post is almost 10 years old so I'm hesitant to try it on my router in case it doesn't work and I break something.

Can someone please confirm whether the above post's method will work, and if not recommend another way to block domains with wildcards?
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26291
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Block domains using wildcard

Thu Apr 22, 2021 3:13 pm

Using proxy will not block anything anymore.
Please use the tls-host matcher to block webpages.

Example with wildcards:

Step 1: disable fasttrack
Step 2: add rules
/ip firewall filter
add action=jump chain=forward comment=BLOCKLIST jump-target=blocklist
add action=reject chain=blocklist comment="block youtube" disabled=yes protocol=tcp reject-with=icmp-network-unreachable tls-host=*youtube*
 
bakerbakura
just joined
Topic Author
Posts: 4
Joined: Thu Apr 22, 2021 2:27 pm

Re: Block domains using wildcard

Wed May 05, 2021 1:51 pm

Thanks for the pointers! I've entered the commands exactly as you gave them, both for YouTube and for itch.io, and unfortunately both of them are not being blocked at all. I've attached a screenshot of the firewall page; please let me know if there's any information you need.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Block domains using wildcard

Wed May 05, 2021 3:06 pm

First, upgrade to 6.47.9.

Second, the rules in the example are (X) disabled (the right choice for examples);
they must be enabled to work, but probably you also have not disabled fasttrack.
 
bakerbakura
just joined
Topic Author
Posts: 4
Joined: Thu Apr 22, 2021 2:27 pm

Re: Block domains using wildcard

Wed May 05, 2021 6:57 pm

Hi rextended

Thanks for your help! I have now enabled those two rules which were disabled before. Also, fasttrack has been disabled. However, I am having trouble updating RouterOS to 6.47.9, as when I try to click 'Download&Install' in the relevant menu I get the error 'Couldn't perform action - not permitted (9)'. My guess is that this is some restriction from my ISP. Do I have to update to the latest version in order for this filtering to work correctly?

Anyway, the filtering is not working yet as I can still access YouTube and itch.io.
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: Block domains using wildcard

Fri May 07, 2021 12:17 pm

bakerbakura wrote:
    Hi rextended

    Thanks for your help! I have now enabled those two rules which were disabled before. Also, fasttrack has been disabled. However, I am having trouble updating RouterOS to 6.47.9, as when I try to click 'Download&Install' in the relevant menu I get the error 'Couldn't perform action - not permitted (9)'. My guess is that this is some restriction from my ISP. Do I have to update to the latest version in order for this filtering to work correctly?

    Anyway, the filtering is not working yet as I can still access YouTube and itch.io.

Hello,
These are my rules; maybe they help you. If it didn't work, try to move the rule up.
;;; Drop Layer7 Web Filter Rule
      chain=forward action=reject reject-with=icmp-admin-prohibited layer7-protocol=blockwebsite protocol=tcp 
      in-interface-list=LAN out-interface-list=WAN dst-port=80,443 log=no log-prefix=""
      ---------------------
      ^.+(anten.ir|filimo.com|youtube.com).*$
 
User avatar
jvanhambelgium
Forum Veteran
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Block domains using wildcard

Fri May 07, 2021 12:32 pm

own3r1138 wrote:
    ;;; Drop Layer7 Web Filter Rule
          chain=forward action=reject reject-with=icmp-admin-prohibited layer7-protocol=blockwebsite protocol=tcp 
          in-interface-list=LAN out-interface-list=WAN dst-port=80,443 log=no log-prefix=""
          ---------------------
          ^.+(anten.ir|filimo.com|youtube.com).*$

You might want to update this rule. If you are not dropping the QUIC protocol (Quick UDP Internet Connections, UDP/443) in another rule, then you had better not match only "protocol=tcp": remove it, or add udp too.
YouTube is using both TCP and UDP these days.
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: Block domains using wildcard

Mon May 10, 2021 10:04 am

@jvanhambelgium

Thank you for your suggestion, I did remove the TCP from the rule <3
 
pe1chl
Forum Guru
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: Block domains using wildcard  [SOLVED]

Mon May 10, 2021 12:35 pm

In the example that Normis gave, the new rule for BLOCKLIST in the forward firewall has to be moved to the top of the forward rules.
When it is below the "accept established/related" rule it will not work.
I advise you to keep the forward rules together, so move the two forward rules that are between input rules down below the BLOCKLIST (jump) rule.
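Putting the thread together, here is the full ruleset it converges on: normis's tls-host rules with fasttrack disabled, jvanhambelgium's point about QUIC on UDP/443, and pe1chl's point that the jump must sit above "accept established,related". This is an added example written for RouterOS v6 (6.47.x); it is not code from the thread or from MikroTik's own documentation. It assumes the default "defconf" firewall (a fasttrack rule and an "accept established,related" rule in chain=forward); the chain name blocklist, the comments and the domain patterns are illustrative.

```routeros
# Added example (not from the thread or MikroTik's docs), RouterOS v6 (6.47.x).
# Assumes the default "defconf" firewall: a fasttrack-connection rule and an
# "accept established,related" rule in chain=forward. The chain name
# "blocklist", the comments and the domain patterns are illustrative.

/ip firewall filter

# Step 1: fasttrack off. With fasttrack on, packets of an established
# connection skip the filter, so the TLS ClientHello never reaches tls-host.
disable [find action=fasttrack-connection]

# Step 2: the blocklist chain. tls-host matches the plaintext SNI in the
# TLS ClientHello, i.e. the first data packet of each new TCP connection.
# Globs: "*youtube*" matches any host containing youtube; "*itch.io"
# matches itch.io and every subdomain (creator1.itch.io, ...).
add chain=blocklist action=reject reject-with=icmp-network-unreachable \
    protocol=tcp tls-host=*youtube* comment="blocklist: youtube (TLS SNI)"
add chain=blocklist action=reject reject-with=icmp-network-unreachable \
    protocol=tcp tls-host=*itch.io comment="blocklist: itch.io and subdomains (TLS SNI)"
# QUIC (UDP/443) would bypass the TCP-only matcher above; drop it outright
# so the browser falls back to TCP, where the SNI rules apply.
add chain=blocklist action=drop protocol=udp dst-port=443 \
    comment="blocklist: drop QUIC so clients fall back to TCP"
add chain=blocklist action=return comment="blocklist: not listed, back to forward"

# Step 3: the jump into blocklist, moved to the top of the filter list so it
# runs before "accept established,related"; otherwise every packet after the
# TCP handshake (the ClientHello included) is accepted before the SNI rule
# ever sees it.
add chain=forward action=jump jump-target=blocklist comment=BLOCKLIST
move [find comment=BLOCKLIST] destination=0

# Check: the packet counters of the reject rules must increase when a client
# opens https://www.youtube.com/ ; a counter stuck at zero means the jump
# still sits below the established/related accept, or fasttrack is still on.
print stats where chain=blocklist
```

Two limits worth knowing before relying on this: tls-host only sees a plaintext SNI, so it does nothing for plaintext HTTP on port 80 (own3r1138's layer7 rule covers that case) or for TLS clients that send no SNI; and a reject on the ClientHello arrives after the TCP handshake has completed, so the client sees a failed TLS connection rather than a refused one.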
 
bakerbakura
just joined
Topic Author
Posts: 4
Joined: Thu Apr 22, 2021 2:27 pm

Re: Block domains using wildcard

Mon May 10, 2021 5:04 pm

Thanks @pe1chl! It seems to be working now.
