 
Myron
Member Candidate
Topic Author
Posts: 253
Joined: Sat Sep 05, 2009 3:17 am
Location: Boracay, Philippines

how to block https://www.facebook.com

Wed Feb 09, 2011 11:09 am

hello guys

Blocking https://www.facebook.com in web-proxy doesn't work; only port 80 (http://www.facebook.com) can be blocked. I tried to block Facebook with dst-address=(facebook host ip) port=443 or dst-host=https://www.facebook.com, but that doesn't work either. Is there any trick to block this? You guys, try blocking http://www.facebook.com in web-proxy, then try to use https://www.facebook.com

thanks
 
kirshteins
MikroTik Support
Posts: 592
Joined: Tue Dec 02, 2008 10:55 am

Re: how to block https://www.facebook.com

Wed Feb 09, 2011 12:34 pm

Try blocking 443/TCP to the
  • 66.220.144.0-66.220.159.255
  • 69.63.176.0-69.63.191.255
  • 204.15.20.0-204.15.23.255
IP addresses
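
Added example (not part of the thread): the three ranges quoted above collapsed to CIDR blocks and emitted as a RouterOS address list plus one forward-chain drop rule for TCP 443. The list names `fb-https` and `backoffice-pcs` are hypothetical, and the ranges are only the ones given in the post.

```python
import ipaddress

# Ranges exactly as quoted in the post above.
POSTED_RANGES = [
    "66.220.144.0-66.220.159.255",
    "69.63.176.0-69.63.191.255",
    "204.15.20.0-204.15.23.255",
]


def range_to_cidrs(text):
    """Turn 'first-last' into the minimal list of covering CIDR blocks."""
    first, _, last = text.partition("-")
    lo = ipaddress.IPv4Address(first.strip())
    hi = ipaddress.IPv4Address(last.strip())
    if lo > hi:
        raise ValueError(f"range is reversed: {text}")
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def routeros_rules(ranges, dst_list="fb-https", src_list=None):
    """Build RouterOS commands: one address-list entry per CIDR, one drop rule.

    src_list (hypothetical list name) limits the rule to selected LAN hosts,
    which matches the 'specific computers only' requirement in the thread.
    """
    lines = ["/ip firewall address-list"]
    for text in ranges:
        for cidr in range_to_cidrs(text):
            lines.append(f"add list={dst_list} address={cidr}")
    rule = f"add chain=forward protocol=tcp dst-port=443 dst-address-list={dst_list}"
    if src_list:
        rule += f" src-address-list={src_list}"
    rule += " action=drop"
    lines += ["/ip firewall filter", rule]
    return lines


if __name__ == "__main__":
    print("\n".join(routeros_rules(POSTED_RANGES, src_list="backoffice-pcs")))
```

The hosts to be restricted still have to be added to the source address list separately, and the destination list only stays effective while the provider keeps using those ranges.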
 
Discus
newbie
Posts: 36
Joined: Fri Nov 13, 2009 1:55 pm
Location: South Africa

Re: how to block https://www.facebook.com

Wed Feb 09, 2011 12:39 pm

One *very* crude method of blocking Facebook is to drop all packets containing facebook: in chain forward, put facebook into the content field under Advanced in Winbox IP > Firewall filter rules. Use action reject with icmp host prohibited.
 
normis
MikroTik Support
Posts: 26378
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: how to block https://www.facebook.com

Wed Feb 09, 2011 12:41 pm

other websites will stop working, and a lot of them, as facebook is mentioned often
 
bburley
Frequent Visitor
Posts: 80
Joined: Thu Nov 18, 2010 7:22 am
Location: Alberta, Canada

Re: how to block https://www.facebook.com

Thu Feb 10, 2011 3:24 am

I think I have seen this before while using openDNS.

"www.facebook.com" did not work but "facebook.com" did work.

Perhaps it is the same for your setup.
 
Myron
Member Candidate
Topic Author
Posts: 253
Joined: Sat Sep 05, 2009 3:17 am
Location: Boracay, Philippines

Re: how to block https://www.facebook.com

Thu Feb 10, 2011 3:40 am

> I think I have seen this before while using openDNS.
>
> "www.facebook.com" did not work but "facebook.com" did work.
>
> Perhaps it is the same for your setup.

No burley, I don't want to use OpenDNS filtering. My web-proxy works fine; it can block facebook.com or www.facebook.com. The only problem is HTTPS. I work in IT at a hotel, and a few people here in the back office browse Facebook during office hours, which company policy does not allow. I want to block specific computers only. The problem is that if they use https://www.facebook.com, the web-proxy doesn't block it.

thanks
Last edited by Myron on Thu Feb 10, 2011 3:46 am, edited 1 time in total.
 
bburley
Frequent Visitor
Posts: 80
Joined: Thu Nov 18, 2010 7:22 am
Location: Alberta, Canada

Re: how to block https://www.facebook.com

Thu Feb 10, 2011 3:45 am

I wasn't suggesting to use openDNS, just wondering if "https://facebook.com" makes any difference.
 
Myron
Member Candidate
Topic Author
Posts: 253
Joined: Sat Sep 05, 2009 3:17 am
Location: Boracay, Philippines

Re: how to block https://www.facebook.com

Thu Feb 10, 2011 3:49 am

> I wasn't suggesting to use openDNS, just wondering if "https://facebook.com" makes any difference.

Ahhh okay burley, do you have any idea or trick to do this? I'm totally out of ideas :(

thanks
 
bburley
Frequent Visitor
Posts: 80
Joined: Thu Nov 18, 2010 7:22 am
Location: Alberta, Canada

Re: how to block https://www.facebook.com

Thu Feb 10, 2011 3:54 am

I haven't tried to do exactly what you are doing, but based on my previous experience perhaps you could substitute dst-host=https://facebook.com (leave out the www).

I admit my suggestion is only a guess.
 
Myron
Member Candidate
Topic Author
Posts: 253
Joined: Sat Sep 05, 2009 3:17 am
Location: Boracay, Philippines

Re: how to block https://www.facebook.com

Thu Feb 10, 2011 4:03 am

> I haven't tried to do exactly what you are doing, but based on my previous experience perhaps you could substitute dst-host=https://facebook.com (leave out the www).
>
> I admit my suggestion is only a guess.

OK, I'll try.
 
Myron
Member Candidate
Topic Author
Posts: 253
Joined: Sat Sep 05, 2009 3:17 am
Location: Boracay, Philippines

Re: how to block https://www.facebook.com

Thu Feb 10, 2011 4:06 am

> I haven't tried to do exactly what you are doing, but based on my previous experience perhaps you could substitute dst-host=https://facebook.com (leave out the www).
>
> I admit my suggestion is only a guess.

OK, I'll try.
It doesn't work :)
 
roadracer96
Forum Veteran
Posts: 733
Joined: Tue Aug 25, 2009 12:01 am

Re: how to block https://www.facebook.com

Thu Feb 10, 2011 5:03 am

If you really must do this, there is really only one good way.

Drop all outbound traffic and require people to use the proxy (configured in the browser).

Then the proxy can block HTTPS traffic.

Dropping traffic containing facebook won't do it, because you can't match content in an https connection.
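
Added example (not part of the thread): a browser configured to use a proxy sends the destination host in a cleartext `CONNECT host:port` line before TLS starts, which is what lets an explicit proxy deny HTTPS by host name. The sketch below applies a domain-suffix policy to such lines and compares it with a plain substring match; the blocklist and the sample request lines are constructed.

```python
BLOCKED_DOMAINS = {"facebook.com", "fbcdn.com"}  # constructed blocklist


def parse_connect(request_line):
    """Return (host, port) from 'CONNECT host:port HTTP/1.x', else None."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT":
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    # Normalise case and a trailing dot so "WWW.Facebook.com." still matches.
    return host.strip("[]").lower().rstrip("."), int(port)


def is_blocked(host, blocked=BLOCKED_DOMAINS):
    """True if host is a blocked domain or any subdomain of one."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def decide(request_line, blocked=BLOCKED_DOMAINS):
    """Return 'deny', 'allow' or 'not-connect' for one proxy request line."""
    target = parse_connect(request_line)
    if target is None:
        return "not-connect"
    return "deny" if is_blocked(target[0], blocked) else "allow"


# Constructed request lines, as an explicit proxy would receive them.
SAMPLES = [
    "CONNECT www.facebook.com:443 HTTP/1.1",
    "CONNECT facebook.com:443 HTTP/1.1",
    "CONNECT static.ak.fbcdn.com:443 HTTP/1.1",
    "CONNECT notfacebook.com:443 HTTP/1.1",
    "CONNECT facebook.com.example.org:443 HTTP/1.1",
    "GET http://example.org/ HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        naive = "deny" if "facebook" in line.lower() else "allow"
        print(f"{decide(line):11s} substring={naive:5s} {line}")
```

The suffix match covers both the bare domain and `www.` without listing each name, and it lets through the two look-alike hosts that a substring match on "facebook" would drop.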
 
rodolfo
Long time Member
Posts: 553
Joined: Sat Jul 05, 2008 11:50 am

Re: how to block https://www.facebook.com

Sat Feb 12, 2011 3:37 pm

in my case, users could use only my routerboard as dns (I blocked forward of port 53 from lan), then I inserted static dns entries like www.facebook.com > 127.0.0.1
 
Myron
Member Candidate
Topic Author
Posts: 253
Joined: Sat Sep 05, 2009 3:17 am
Location: Boracay, Philippines

Re: how to block https://www.facebook.com

Sun Feb 13, 2011 5:49 am

> in my case, users could use only my routerboard as dns (I blocked forward of port 53 from lan), then I inserted static dns entries like http://www.facebook.com > 127.0.0.1

Hello rodolfo, can you please give some example :)

thanks
 
rodolfo
Long time Member
Posts: 553
Joined: Sat Jul 05, 2008 11:50 am

Re: how to block https://www.facebook.com

Sun Feb 13, 2011 8:35 am

1. Suppose your LAN is connected to ether2. In firewall filter, add a rule in the forward chain to drop UDP connections to port 53:
/ip firewall filter
add action=drop chain=forward disabled=no \
    dst-port=53 in-interface=ether2 protocol=udp

2. Now configure the DNS server of your router like this:
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=512 servers=208.67.222.222,208.67.220.220
/ip dns static
add address=127.0.0.1 disabled=no name=www.facebook.com ttl=1d
add address=127.0.0.1 disabled=no name=facebook.com ttl=1d
add address=127.0.0.1 disabled=no name=www.youtube.com ttl=1d
# here you could add the sites you want

For servers I indicated OpenDNS. This is sufficient.
If you have a static public ip address, you can also create a free account in openDNS to block some site categories (i.e. "social networks")

If you have your own DNS server in the LAN (i.e. the domain controller of a Microsoft domain), you must set your router as the DNS forwarder and disable root hints.

This approach is valid in 99% of cases; it is not valid if a user:
- manually writes a DNS resolution in their hosts file
- configures an external SSL proxy
 
Edified
newbie
Posts: 37
Joined: Thu Sep 16, 2010 9:02 am

Re: how to block https://www.facebook.com

Mon Feb 14, 2011 6:50 am

I think MikroTik needs to come up with a novel solution for blocking access to particular domains. RegEx on L7 feels like such a hack, and manually maintaining IP lists is impossible these days, not to mention issues with vhosts.

It seems like we have the DNS requests, we have a transparent DNS proxy and we have good layer 7 control. That should be enough to solve the issue and put a very intuitive interface on it:

[Block/Allow] access to [*facebook.com/ and *.fbcdn.com] over [http and https] between [8am and 5pm] [MTWThF].

...And just have that work.

Of course there's always proxies to get around it, but I don't think anyone expects to win that war, just to help users who aren't very good at self-enforcing company policies.
 
Myron
Member Candidate
Topic Author
Posts: 253
Joined: Sat Sep 05, 2009 3:17 am
Location: Boracay, Philippines

Re: how to block https://www.facebook.com

Mon Feb 14, 2011 7:20 am

I totally agree with Edified. The problem is that web-proxy cannot block Facebook via HTTPS :( My co-staff here, around 100 employees, have individual computers. I don't want staff using Facebook during office hours.

thanks
 
kirshteins
MikroTik Support
Posts: 592
Joined: Tue Dec 02, 2008 10:55 am

Re: how to block https://www.facebook.com

Mon Feb 14, 2011 7:56 am

> Try blocking 443/TCP to the
>   • 66.220.144.0-66.220.159.255
>   • 69.63.176.0-69.63.191.255
>   • 204.15.20.0-204.15.23.255
> IP addresses

Have you tested?
 
roadracer96
Forum Veteran
Posts: 733
Joined: Tue Aug 25, 2009 12:01 am

Re: how to block https://www.facebook.com

Mon Feb 14, 2011 1:27 pm

> im totally agree with edified, the problem is web-proxy cannot block blocking facebook via https :( my co staff here at around 100 employees they have individual computers i don't want staff using facebook during office hours.
>
> thanks

Yes it can. FORCE their computers to use the proxy directly, instead of with a redirect.

Web proxy can't TRANSPARENTLY filter https.
 
ksk549
just joined
Posts: 1
Joined: Mon Feb 14, 2011 4:16 pm

Re: how to block https://www.facebook.com

Mon Feb 14, 2011 4:18 pm

Man simply find some proxy sites..
you can find some at newest proxy sites

it is much easier to unblock.

hope this helps enjoy :D
 
rodolfo
Long time Member
Posts: 553
Joined: Sat Jul 05, 2008 11:50 am

Re: how to block https://www.facebook.com

Mon Feb 14, 2011 10:59 pm

you could also use L7 to add ip addresses of all connections containing http*.facebook.*, then block access to this ip addresses
 
petercam
just joined
Posts: 1
Joined: Tue Apr 12, 2011 10:26 am

Re: how to block https://www.facebook.com

Wed Apr 20, 2011 11:53 am

> hello guys
>
> blocking of https://www.facebook.com in web-proxy doesn't work only port 80 (http://www.facebook.com) can block, i try to block facebook dst-address=(facebook host ip) port=443 or dst-host=https://www.facebook.com doesn't work either. is there any trick to block this? you guys try to block http://www.facebook.com in web-proxy then try to use https://www.facebook.com
>
> thanks

You need to follow the 2 steps below:

1) Create the layer7 protocol

/ip firewall layer7-protocol
add name=facebook regexp=facebook

2) Create a firewall filter rule to drop the packets

/ip firewall filter
add action=drop chain=forward comment="drop facebook" disabled=no layer7-protocol=facebook src-address=172.16.0.0/16

Hope this will help :)
 
otgooneo
Trainer
Posts: 581
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Re: how to block https://www.facebook.com

Fri Sep 02, 2011 10:21 am

Does the L7 filter work on SSL (TCP 443)? Has anyone tried that before?
 
normis
MikroTik Support
Posts: 26378
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: how to block https://www.facebook.com

Fri Sep 02, 2011 10:23 am
