cmartin027
just joined
Topic Author
Posts: 6
Joined: Mon Sep 13, 2021 7:23 pm

Block internet traffic except some URLs

Wed Sep 15, 2021 10:00 am

Hello,

I am opening a new thread rather than reopening an old one. I need to block all internet traffic except some URLs. I configured the firewall rules indicated in this thread:

viewtopic.php?t=161562

which MikroTik Support sent me, and it doesn't work. I can block all traffic on one computer, but the exceptions don't work. Do you see any issue in my firewall configuration?
/ip firewall address-list
add address=www.islonline.es list=WebsPermitidas
/ip firewall filter
add action=drop chain=forward comment="Bloqueo salida internet equipos Delsys" dst-address-list=!WebsPermitidas dst-port=443 log=yes log-prefix=Bloqueo protocol=tcp \
    src-address=10.45.9.105
If you think there are other options for this, please tell me. Thank you.

Best regards
Last edited by cmartin027 on Wed Sep 15, 2021 5:08 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block internet traffic except some URLs

Wed Sep 15, 2021 10:25 am

Configure your internal network as a hotspot and use the walled garden.
 
cmartin027
just joined
Topic Author
Posts: 6
Joined: Mon Sep 13, 2021 7:23 pm

Re: Block internet traffic except some URLs

Wed Sep 15, 2021 2:06 pm

...
Last edited by cmartin027 on Wed Sep 15, 2021 2:07 pm, edited 1 time in total.
 
cmartin027
just joined
Topic Author
Posts: 6
Joined: Mon Sep 13, 2021 7:23 pm

Re: Block internet traffic except some URLs

Wed Sep 15, 2021 2:07 pm

Configure your internal network as a hotspot and use the walled garden.
Thank you, but I don't like this option. I don't need to activate a Hotspot service; I only need to block internet access for some computers on the current network and add some exceptions. These computers are connected to a different switch (not MikroTik) in the network, so I can't activate Hotspot only on their Ethernet connections.

Regards
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Block internet traffic except some URLs

Wed Sep 15, 2021 3:46 pm

/ip firewall address-list
add address=www.islonline.es list=WebsPermitidas
/ip firewall filter
add action=drop chain=forward comment="Bloqueo salida internet" log=yes log-prefix=Bloqueo protocol=tcp src-address=10.45.9.105 dst-address-list=!WebsPermitidas
You will need to use the router for DNS or add an accept rule for public DNS above the drop rule.
/ip firewall filter
add action=accept chain=forward dst-address=8.8.8.8,8.8.4.4 comment="Google DNS"
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block internet traffic except some URLs

Wed Sep 15, 2021 3:54 pm

@2frogs, that is useless,

as in the OP:
... action=drop chain=forward ... protocol=tcp ... src-port=443

this does NOT BLOCK DNS

instead the OP treats outgoing traffic as if it were incoming:
/ip firewall filter
... drop ... forward ... src-address-list=!WebsPermitidas src-port=443
it must be dst: destination address-list and destination port!!!
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Block internet traffic except some URLs

Wed Sep 15, 2021 4:21 pm

How is it useless? I provided an alternate firewall rule that blocks all forwarded traffic from a single IP that is not in the address list. This would include any forwarded DNS requests.

So folks just live to be arrogant and rude I suppose...
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block internet traffic except some URLs

Wed Sep 15, 2021 4:26 pm

Besides the petty squabbling, I don't see how the firewall rule would block
https: (external) IP on blocked list or IP not on allowed list

Can firewall rules see inside https URLs ??
 
cmartin027
just joined
Topic Author
Posts: 6
Joined: Mon Sep 13, 2021 7:23 pm

Re: Block internet traffic except some URLs

Wed Sep 15, 2021 4:54 pm

@2frogs, that is useless,

as in the OP:
... action=drop chain=forward ... protocol=tcp ... src-port=443

this does NOT BLOCK DNS

instead the OP treats outgoing traffic as if it were incoming:
/ip firewall filter
... drop ... forward ... src-address-list=!WebsPermitidas src-port=443
it must be dst: destination address-list and destination port!!!
Excuse me, I tried some options and didn't copy the correct rule (in the thread sent by MikroTik Support, viewtopic.php?t=161562, the accepted answer uses "src-port" and "src-address-list"... why? We don't know).

The rules that I have now are:
/ip firewall address-list
add address=www.islonline.com list=WebsPermitidas
/ip firewall filter
add action=drop chain=forward comment="Bloqueo salida internet equipos Delsys" dst-address-list=!WebsPermitidas dst-port=443 log=yes log-prefix=Bloqueo protocol=tcp \
    src-address=10.45.9.105
They don't work: they block all the traffic, but I can't browse to the exceptions in the address list.
 
cmartin027
just joined
Topic Author
Posts: 6
Joined: Mon Sep 13, 2021 7:23 pm

Re: Block internet traffic except some URLs

Wed Sep 15, 2021 4:59 pm

/ip firewall address-list
add address=www.islonline.es list=WebsPermitidas
/ip firewall filter
add action=drop chain=forward comment="Bloqueo salida internet" log=yes log-prefix=Bloqueo protocol=tcp src-address=10.45.9.105 dst-address-list=!WebsPermitidas
You will need to use the router for DNS or add an accept rule for public DNS above the drop rule.
/ip firewall filter
add action=accept chain=forward dst-address=8.8.8.8,8.8.4.4 comment="Google DNS"
Thank you, but it doesn't work. I only blocked port 443 for browsing; if I ping any URL it resolves correctly.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block internet traffic except some URLs

Wed Sep 15, 2021 5:27 pm

In the thread sent by MikroTik Support, viewtopic.php?t=161562, the accepted answer uses "src-port" and "src-address-list"... why? We don't know)
Sent by MikroTik Support???
I do not see anyone inside that topic from MikroTik support,

and also that rule is useless for blocking outgoing connections,
because if any computer on your network tries to contact (for example) www.google.com,
the computer establishes an outgoing connection with destination www.google.com,
not the opposite:
it is not www.google.com that initiates the connection to your internal devices (only then would it be the source).
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block internet traffic except some URLs

Wed Sep 15, 2021 5:39 pm

How is it useless? I provided an alternate firewall rule that blocks all forwarded traffic from a single IP that is not in the address list. This would include any forwarded DNS requests.
So folks just live to be arrogant and rude I suppose...
Apparently, you first...

@2frogs, you are arrogant and you do not know how DNS works either

these rules:
1) do not block DNS, which is mostly UDP; I rarely see TCP DNS requests.
2) the rule blocks only TCP; all other types of traffic, like QUIC (Quick UDP Internet Connections), are allowed, and,
for example, using Chrome still permits reaching all sites that use QUIC.
/ip firewall address-list
add address=www.islonline.es list=WebsPermitidas
/ip firewall filter
add action=accept chain=forward dst-address=8.8.8.8,8.8.4.4 comment="Google DNS"
[...]
add action=drop chain=forward [...] protocol=tcp src-address=10.45.9.105 dst-address-list=!WebsPermitidas

before calling the king of the arrogant arrogant, first look at what you wrote...
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block internet traffic except some URLs

Wed Sep 15, 2021 5:52 pm

Besides the petty squabbling, I don't see how the firewall rule would block
https: (external) IP on blocked list or IP not on allowed list

Can firewall rules see inside https URLs ??
@anav, if done correctly, it can block all traffic to the destination IP; it can block everything: https, ping, ftp, everything.

The OP wants a method to block all except (for example) www.islonline.es.
Adding the FQDN (@cmartin, not the "URL", which is another thing) to the address-list causes RouterOS to add the resolved IP to the address-list.
Blocking all outgoing traffic (by destination) except the traffic directed to its own LAN, the RouterBOARD, DNS and the allowed address-list can do what the OP asks.
 
cmartin027
just joined
Topic Author
Posts: 6
Joined: Mon Sep 13, 2021 7:23 pm

Re: Block internet traffic except some URLs

Wed Sep 15, 2021 6:03 pm

Send by the Mikrotik Support???
I do not see anyone inside that topic from mikrotik support,
If you read my first message, I said that MikroTik Support sent me this thread, not that they have responded in this thread...

And as I have been able to verify, it does not work. That is why I have opened this thread.

Regards
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block internet traffic except some URLs

Wed Sep 15, 2021 6:22 pm

Please don't make the language an obstacle to understanding; I'm not English.
I understood both times what you wrote,
but that doesn't change what I wrote:
1) No post within the topic was created by a support user.
2) It is useless because it considers the remote site as the source of a new connection, instead of considering the PC as the source of the connection.
3) It wrote about a URL, but on the address-list you cannot set a URL, only an IP or a DN; this is absurd: "add address=your-webpage list="Permited URL""

Usually when a new connection is made from the PC to a remote server (ignoring NAT and other frills):
chain: forward
protocol: tcp
src-address: 10.45.9.105
src-port: (random)
dst-address: resolved www.islonline.es
dst-port: 80 or 443

this is how the connection can be identified
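Putting together what the posts above ask for (2frogs' drop rule without a port match, rextended's list of what must stay reachable: the own LAN, the RouterBOARD, DNS and the allowed address-list, and the connection tuple in the last post), the following is a complete ruleset written as an added example. It is not from the thread, from MikroTik, or from any of the posters. Assumptions: the LAN is 10.45.9.0/24, the restricted PCs go in an address-list called Restringidos, the allowed FQDNs go in WebsPermitidas, the router is the LAN's DNS server, and the upstream resolvers are 8.8.8.8/8.8.4.4; the list names, comments and the router's input chain already accepting DNS from the LAN (as the default firewall does) are assumptions too.

```routeros
# Added example, not part of the original thread. List names and addresses are assumptions.

/ip firewall address-list
add address=10.45.9.105 list=Restringidos comment="PC Delsys"
add address=10.45.9.0/24 list=LAN
# An FQDN entry is resolved by the router's own DNS; RouterOS adds a dynamic
# entry with the resolved IP(s) and refreshes it when the TTL expires.
add address=www.islonline.es list=WebsPermitidas

# The PCs must resolve through the router. Otherwise the router's address-list
# may hold different IPs than the ones the PC got (CDNs answer per resolver),
# and the "allowed" site is dropped even though the name is on the list.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

# Force DNS to the router even if a PC hardcodes another resolver.
/ip firewall nat
add chain=dstnat src-address-list=Restringidos protocol=udp dst-port=53 action=redirect to-ports=53 comment="DNS via router"
add chain=dstnat src-address-list=Restringidos protocol=tcp dst-port=53 action=redirect to-ports=53 comment="DNS via router"

# Forward chain, in this order. The drop has no protocol= or dst-port= match,
# so UDP (QUIC on 443), ICMP and everything else from the PC is covered too.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="keep existing flows"
add chain=forward src-address-list=Restringidos dst-address-list=LAN action=accept comment="LAN to LAN"
add chain=forward src-address-list=Restringidos dst-address-list=WebsPermitidas action=accept comment="allowed sites"
add chain=forward src-address-list=Restringidos action=drop log=yes log-prefix=Bloqueo comment="Bloqueo salida internet equipos Delsys"

# Connections opened before the rules existed are still "established"; clear them.
/ip firewall connection remove [find src-address~"^10.45.9.105:"]

# Verification
# A dynamic entry with the resolved IP must appear here; none means the router could not resolve the name.
/ip firewall address-list print where list=WebsPermitidas
# The drop counters grow when the PC opens a site that is not on the list.
/ip firewall filter print stats where comment~"Bloqueo"
# One log line per dropped packet, showing proto, src:port and dst:port.
/log print where message~"Bloqueo"
```

If the router already has a default firewall, insert these rules before any generic accept in the forward chain (place-before= on add), and keep the fasttrack/established rule first as shown. An FQDN entry only covers the IPs the router resolves for that exact name, so a site that also loads from other hostnames (the OP used both www.islonline.es and www.islonline.com) needs each name added. Because the drop has no protocol match, ping from the restricted PC to the outside is blocked as well, which is the "everything" rextended describes; DNS-over-HTTPS to a resolver that is not on the list is blocked for the same reason.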
