Page 1 of 1

How to block specific port for range of IP Addresses?

Posted: Fri Aug 20, 2010 5:36 pm
by joseta
Hi Everyone,

I would like to block specific port for range of IP Addresses...

That means, the ip address 192.168.0.200 to 192.168.0.220 don't want internet access. How I can block port 80.

And also specific web addresses example: www.youtube.com, www.facebook.com and so forth.

Advanced Thanks
Joseph Thekkiniath

Re: How to block specific port for range of IP Addresses?

Posted: Mon Aug 23, 2010 5:54 pm
by fewi
/ip firewall address-list
add list=no_HTTP address=192.168.0.200
add list=no_HTTP address=192.168.0.201
/ip firewall filter
add chain=forward src-address-list=no_HTTP protocol=tcp dst-port=80 action=drop
Blocking web sites via URL: http://wiki.mikrotik.com/wiki/How_to_Bl ... sing_Proxy

Re: How to block specific port for range of IP Addresses?

Posted: Mon Aug 23, 2010 6:49 pm
by joseta
hi Fewi,

:D Thanks! Its working!!!

No other way to create range of address list? Instead of doing one by one.

For blocking www.youtube.com; www.facebook.com
Where I can put the ip range (ex: 192.168.0.180 to 192.168.0.199) no entertainment.

Advance Thanks
Joseph Thekkiniath

Re: How to block specific port for range of IP Addresses?

Posted: Mon Aug 23, 2010 6:56 pm
by fewi
:for IP from=200 to=220 do={ /ip firewall address-list add list="no_HTTP" address="192.168.0.$IP" }
To limit who gets blocked by URL in the proxy, you need to adjust the line that actually redirects traffic to the proxy:
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080
That redirects all traffic to tcp/80 (HTTP) to the proxy. To only apply that to 192.168.0.180 - 192.168.0.199, first make another address list, then add a qualifier to the proxy redirects that only fires for traffic sourced from that list:
:for IP from=200 to=220 do={ /ip firewall address-list add list="filtered_by_proxy" address="192.168.0.$IP" }
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 src-address-list=filtered_by_proxy action=redirect to-ports=8080
and of course remove the original proxy redirect line first.

Re: How to block specific port for range of IP Addresses?

Posted: Mon Aug 23, 2010 7:08 pm
by Chupaka
:for IP from=200 to=220 do={ /ip firewall address-list add list="no_HTTP" address="192.168.0.$IP" }
for every complex problem... you know =)
/ip firewall address-list add list=no_HTTP address=192.168.0.200-192.168.0.220

Re: How to block specific port for range of IP Addresses?

Posted: Mon Aug 23, 2010 7:23 pm
by fewi
Duh.

Re: How to block specific port for range of IP Addresses?

Posted: Mon Aug 23, 2010 11:43 pm
by joseta
Hi Everyone,

I haven't tried range of ips. Before I have confirm other options also.

Here how I can put the time schedule? At night it must be allowed...

Thanks
Joseph Thekkiniath

Re: How to block specific port for range of IP Addresses?

Posted: Mon Aug 23, 2010 11:45 pm
by fewi
Refer to the filter manual for the available parameters.

Re: How to block specific port for range of IP Addresses?

Posted: Tue Aug 24, 2010 8:29 pm
by joseta
Hi Everyone,

I didn't come up with blocking www.youtube.com and www.facebook.com
for the range of ips (192.168.0.180 - 192.168.0.200)

And also, how I can create group of clients...

Thanks
Jose Thekkiniath

Re: How to block specific port for range of IP Addresses?

Posted: Tue Aug 24, 2010 8:54 pm
by fewi
http://wiki.mikrotik.com/wiki/How_to_Bl ... sing_Proxy
That links shows to to block websites.
You create groups of clients via address lists as described in this thread.
What specifically is your question? The link and examples in this thread have all the configuration you need.

Re: How to block specific port for range of IP Addresses?

Posted: Tue Aug 24, 2010 10:56 pm
by joseta
Hi

/ip proxy
set src-address: 0.0.0.0 ----??? what ip ???
set parent-proxy: 0.0.0.0:0 ---- ??? what ip ???

My network 192.168.0.0/24

No access website ip addresses would be 192.16.0.180 - 192.168.0.200

Thanks
Jose Thekkiniath

Re: How to block specific port for range of IP Addresses?

Posted: Tue Aug 24, 2010 11:04 pm
by fewi
Look at the manual:
http://wiki.mikrotik.com/wiki/Manual:IP/Proxy#General
parent-proxy (Ip4 | ip6; Default: 0.0.0.0) IP address and port of another HTTP proxy to redirect all requests to. If set to 0.0.0.0 parent proxy is not used.
src-address (Ip4 | Ip6; Default: 0.0.0.0) Proxy will use specified address when connecting to parent proxy or web site. If set to 0.0.0.0 then appropriate IP address will be taken from routing table.
You don't have a parent proxy, so leave that at 0.0.0.0 to disable the feature. If you want traffic to be sourced from a particular IP address on your router (so you can easily recognize it further upstream, for example) you set it here, if you don't care or don't need the feature you leave it at 0.0.0.0.

Re: How to block specific port for range of IP Addresses?

Posted: Tue Aug 24, 2010 11:38 pm
by joseta
Hi

Is there any way to know the visiting websites of client machine
by Webproxy.

Thanks
Jose Thekkiniath

Re: How to block specific port for range of IP Addresses?

Posted: Tue Aug 24, 2010 11:41 pm
by fewi

Re: How to block specific port for range of IP Addresses?

Posted: Wed Aug 25, 2010 7:05 pm
by Andr3s
You can prove with OPEN DNS, is very easy and dont have to load de CPU of your Mikrotik with rules

Re: How to block specific port for range of IP Addresses?

Posted: Wed Aug 25, 2010 8:07 pm
by joseta
Hi

I have tried and its working. But I want to block only specific range of ips

/ip firewall filter
chain=input action=drop protocol=tcp src-address-list=No Entertainment Webpage in-interface=ether4-Office LAN dst-port=8080

/ip firewall filter
No Entertainment Webpage=192.168.0.161-192.168.0.180

Note: ether4-Office LAN = My DHCP LAN 192.168.0.0/24

Other commands As you said. Now I could not access the site for all the ips.

Thanks
Jose Thekkiniath

Re: How to block specific port for range of IP Addresses?

Posted: Wed Oct 26, 2011 1:26 pm
by fabbygoh
Jose Thekkiniath

Have you found the solution to blocking websites on the specific range of IP address? I have been working on this, but seem not working at all....

Your help is really appreciated.

Re: How to block specific port for range of IP Addresses?

Posted: Thu Oct 27, 2011 6:09 am
by tjc
/ip firewall filter
chain=input action=drop protocol=tcp src-address-list=No Entertainment Webpage in-interface=ether4-Office LAN dst-port=8080

/ip firewall filter
No Entertainment Webpage=192.168.0.161-192.168.0.180
1) You should not put spaces in the names.
2) That's the wrong syntax for defining an address list
3) You're mixing address lists and ranges which is a bit funky.
4) Do you really want this on the input chain? Unless the router itself is hosting the wbepage (or maybe acting as a proxy?) you probably want it on the forwarding chain.

Try something more like:
/ip firewall address-list
add address=192.168.0.161-192.168.0.180 list=NoEntertainmentWebpage \
  comment="Note that there are no spaces in the list name, these are users who are denied certain web pages."
/ip firewall filter
add chain=forward action=drop protocol=tcp dst-port=8080 src-address-list=NoEntertainmentWebpage in-interface=ether4-Office-LAN \
  comment="Again no spaces in the names for the address list or the port.  Port names can use '-' but address list names don't seem to allow it."
Once you've added that firewall rule you will also need to move it to the correct place in the chain.

Re: How to block specific port for range of IP Addresses?

Posted: Thu Oct 27, 2011 6:50 am
by fabbygoh
thanks for your reply. My condition is like this.

I want to block this range of IP address 192.168.1.100 to 192.168.1.200 from being able to access the following contents:

www.facebook.com
porn*.com
tube*.com
sex*.com

Note that all other IP besides the range, can still access the above mentioned contents.

Thanks

Re: How to block specific port for range of IP Addresses?

Posted: Thu Oct 27, 2011 10:41 am
by sadeghrafie
http://wiki.mikrotik.com/wiki/How_to_Bl ... sing_Proxy
That links shows to to block websites.
You create groups of clients via address lists as described in this thread.
What specifically is your question? The link and examples in this thread have all the configuration you need.
MK webproxy will bypass with some programs like Ultrasurf :lol:

Re: How to block specific port for range of IP Addresses?

Posted: Thu Oct 27, 2011 10:44 am
by sadeghrafie
thanks for your reply. My condition is like this.

I want to block this range of IP address 192.168.1.100 to 192.168.1.200 from being able to access the following contents:

http://www.facebook.com
porn*.com
tube*.com
sex*.com
You should live in my country IRAN or you can connect to my router via PPTP and have it as Your DG, because all of these you mentioned are Filtered :lol:
We have a strong filtering. A certain website is available right now but it may be Filtered 10 second later :D

Re: How to block specific port for range of IP Addresses?

Posted: Thu Nov 17, 2011 1:21 pm
by dunga
Hello,
I still ask how do someone create address-list without adding them one by one, Just as in having a host file in windows which is used to block some sites in each system.

Can someone create such a file and direct mikrotik to read from the file incase of both blocked or unblocked.

Thanks

Re: How to block specific port for range of IP Addresses?

Posted: Thu Nov 17, 2011 1:26 pm
by normis
you can connect to my router via PPTP and have it as Your DG, because all of these you mentioned are Filtered :lol:
+1 for taking a positive attitude at this :D this joke made my day

Re: How to block specific port for range of IP Addresses?

Posted: Thu Nov 17, 2011 2:00 pm
by sadeghrafie
you can connect to my router via PPTP and have it as Your DG, because all of these you mentioned are Filtered :lol:
+1 for taking a positive attitude at this :D this joke made my day
you're welcome. I always say "try to use sense of humor in the forum" :D

Re: How to block specific port for range of IP Addresses?

Posted: Tue Nov 22, 2011 2:23 pm
by dunga
hello,
I still want to find out how to block a specific port for a particular ip address using mikrotik.

What I want to do is to block this ip from browsing the internet but can only chat. The Ip address is 192.168.0.201 only.

I have set put it in the address list and enabled a filter rule o it like this
ip firewall filter>
add chain=forward protocol=tcp dst-port=80 src-address-list=no_HTTP \
action=drop comment="Block Reception From Browsing" disabled=no
add chain=forward protocol=tcp dst-port=3128 src-address-list=no_HTTP \
action=drop comment="Block Reception Http port 3128" disabled=no

I am using web proxy and i redirect all traffic from port 80 to 3128 since my web proxy uses port 3128.

Upon using this yet, that system still browse the internet. Is there anything I am doing wrong?

Thanks

Re: How to block specific port for range of IP Addresses?

Posted: Mon Feb 02, 2015 11:14 pm
by silvan
hey guys.... im using mikrotik too, any body knows how to block "youtube app" of mobile phones !> :?

Re: How to block specific port for range of IP Addresses?

Posted: Fri Dec 28, 2018 11:02 am
by umny
Dear All
i want to deny teamviewer on mikrotik router but it can't
please kindly help thank you

Re: How to block specific port for range of IP Addresses?

Posted: Sat Dec 29, 2018 9:18 pm
by Chupaka
i want to deny teamviewer on mikrotik router but it can't
What did you do for that? Did you block port 5938, for example?