
 
safiullahtariq
Frequent Visitor
Topic Author
Posts: 81
Joined: Sun Apr 06, 2014 9:21 pm
Location: Lahore Pakistan

Internet Limit

Thu Apr 02, 2015 7:49 pm

Hello All,

I would like to get some help from you.

I have a router RB-750. There has been a request from my office.

I want to limit all internet access for all PCs except gmail.com. But a few executives' MAC addresses are to be excluded from this limitation so that they can surf YouTube and show us that they are Bosses :)

Any help regarding this is highly appreciated.

Regards,

Safiullah
 
jarda
Forum Guru
Posts: 7604
Joined: Mon Oct 22, 2012 4:46 pm

Thu Apr 02, 2015 10:34 pm

Couldn't your bosses show their highness and pay some mikrotik training for you?
 
jarda
Forum Guru
Posts: 7604
Joined: Mon Oct 22, 2012 4:46 pm

Thu Apr 02, 2015 10:36 pm

Anyway. I would go by address lists based on ip and set firewall rules for that. You can link mac to ip by dhcp static assignment.
 
safiullahtariq
Frequent Visitor
Topic Author
Posts: 81
Joined: Sun Apr 06, 2014 9:21 pm
Location: Lahore Pakistan

Re: Internet Limit

Sat Apr 04, 2015 12:21 pm

Thanks for your help.
I am not able to understand MikroTik terminology; that's why I'm quite confused.

How about this to stop internet:

/ip firewall filter

add chain=forward src-address-list=xxx-xxx action=drop

To allow

add chain=forward src-mac-address=xxx-xxx action=accept

I am using Winbox. I know this isn't the actual code; I'm just asking whether this approach would be good?
 
jarda
Forum Guru
Posts: 7604
Joined: Mon Oct 22, 2012 4:46 pm

Sat Apr 04, 2015 1:01 pm

First accept rule with exclusions and then general drop for the rest.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Internet Limit

Sat Apr 04, 2015 7:18 pm

For this project -
Enable http proxy
In the proxy rules-
Create a rule allow gmail.com
Create the second rule = drop everything
In firewall nat rules make a rule in dstnat that matches in-interface=lan dst-port=80 protocol=tcp action=jump jump-target=http_proxy_check
Add the rest of these rules with chain=http_proxy_check:
source mac address = mac of boss computer 1 , action = return
source mac address = mac of boss computer 2 , action = return
...
etc
...
last rule:
(no conditions) action = redirect to-ports=8080

This will force all computers except the boss macs to use the http proxy.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
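The transparent-proxy design described in the post above, written out as a complete RouterOS configuration. This is an added example, not configuration from the original post or from MikroTik: the interface names (ether1 = WAN, ether2 = LAN), the MAC addresses and the proxy port are assumptions, and the final input-chain rule is included so that the proxy on 8080 is not reachable from the WAN side once it is enabled.

```routeros
# Added example (not from the thread). Assumed layout: ether1 = WAN, ether2 = LAN.
# Boss MACs below are placeholders; replace with the real ones.

# 1. Turn on the built-in HTTP proxy (assumed port 8080).
/ip proxy
set enabled=yes port=8080

# 2. Proxy access rules: first match wins. Allow gmail.com, deny everything else.
/ip proxy access
add dst-host=*gmail* action=allow comment="allow gmail"
add action=deny comment="deny all other HTTP"

# 3. dstnat: send LAN port-80 traffic through a check chain.
#    Boss MACs 'return' out of the chain untouched; everyone else is
#    redirected into the proxy by the unconditional last rule.
/ip firewall nat
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=80 \
    action=jump jump-target=http_proxy_check
add chain=http_proxy_check src-mac-address=AA:BB:CC:DD:EE:01 action=return comment="boss-1"
add chain=http_proxy_check src-mac-address=AA:BB:CC:DD:EE:02 action=return comment="boss-2"
add chain=http_proxy_check action=redirect to-ports=8080 comment="everyone else -> proxy"

# 4. Do not expose the proxy to the Internet (an open proxy is abused quickly).
/ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=8080 action=drop \
    comment="no proxy access from WAN"
```

Note what this does and does not cover: only TCP port 80 is redirected, so the proxy rules decide HTTP browsing and nothing else. Any other traffic (HTTPS, TeamViewer, WhatsApp and so on) is still forwarded normally unless a separate rule in the forward chain drops it, which is exactly the gap the thread runs into next.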
 
safiullahtariq
Frequent Visitor
Topic Author
Posts: 81
Joined: Sun Apr 06, 2014 9:21 pm
Location: Lahore Pakistan

Re: Internet Limit

Sat May 02, 2015 10:04 pm

I can't get this right.

This is what I did. Please help me... I have created an address list and bound the MAC addresses of normal users. So separating the normal users from managers won't be a problem.

The issue is, I can block TCP traffic but other services/internet, e.g. WhatsApp, are not blocked. I want to block everything except gmail and a few other websites. Do you suggest that I go with layer7 protocol blocking?
This is what I have done...

/ip proxy access
add dst-host=*gmail* action=allow
add dst-port=80 action=deny

/ip proxy
enabled: yes
src-address: ::
port: 8080
anonymous: no
parent-proxy: ::
parent-proxy-port: 0
cache-administrator: Administrator
max-cache-size: unlimited
max-cache-object-size: 2048KiB
cache-on-disk: no
max-client-connections: 600
max-server-connections: 600
max-fresh-time: 3d
serialize-connections: no
always-from-cache: no
cache-hit-dscp: 4
cache-path: web-proxy


/ip firewall nat
chain=dstnat action=dst-nat to-addresses=192.168.88.1 to-ports=8080 protocol=tcp dst-port=80 log=no log-prefix=

/ip firewall filter
chain=input action=drop protocol=tcp in-interface=WAN dst-port=8080 log=no log-prefix=""

---------------------------------------------------------------------------------------

I can block web browsing but other services like TeamViewer/WhatsApp etc. are not blocked.

Can anyone please suggest something?

Very Best Regards

Safiullah
 
safiullahtariq
Frequent Visitor
Topic Author
Posts: 81
Joined: Sun Apr 06, 2014 9:21 pm
Location: Lahore Pakistan

Re: Internet Limit

Fri May 08, 2015 1:41 pm

Please help, anyone....
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Internet Limit

Fri May 08, 2015 3:21 pm

Just add a firewall rule to the forward chain which allows all traffic from the boss computer MAC addresses (you may as well put this rule before the "redirect to proxy" rule) and then the last rule has no match criteria (matches all traffic) and action = drop.

Done.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
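The forward-chain approach from the reply above, combined with jarda's earlier suggestion of binding MAC to IP with static DHCP leases and matching on an address list. This is an added example, not configuration posted in the thread or shipped by MikroTik; the DHCP server name (dhcp1), the LAN interface (ether2), the MAC addresses and the IP addresses are all assumptions.

```routeros
# Added example (not from the thread). Assumptions: DHCP server 'dhcp1' on ether2,
# LAN 192.168.88.0/24, placeholder boss MACs and addresses.

# 1. Pin each boss MAC to a fixed IP so an address list can stand in for a MAC list.
/ip dhcp-server lease
add mac-address=AA:BB:CC:DD:EE:01 address=192.168.88.10 comment="boss-1"
add mac-address=AA:BB:CC:DD:EE:02 address=192.168.88.11 comment="boss-2"

# 2. Make the binding enforceable: the router only answers ARP for addresses it
#    leased, so a normal PC cannot simply configure a boss IP by hand.
/ip dhcp-server set dhcp1 add-arp=yes
/interface ethernet set ether2 arp=reply-only

# 3. The exception list. Adding a person later means one line here, no rule changes.
/ip firewall address-list
add list=unrestricted address=192.168.88.10 comment="boss-1"
add list=unrestricted address=192.168.88.11 comment="boss-2"

# 4. Forward chain: accept the exceptions first, then drop everything else.
#    This is protocol-agnostic, so TeamViewer, WhatsApp, HTTPS, etc. are all caught.
/ip firewall filter
add chain=forward src-address-list=unrestricted action=accept comment="exceptions first"
add chain=forward action=drop comment="no forwarded traffic for anyone else"
```

Two points worth checking after applying this. First, rule order inside the forward chain is everything: the accept must sit above the drop, as jarda said, or the bosses are blocked too. Second, the drop only affects traffic the router forwards; HTTP that has been redirected into the router's own proxy leaves as the router's own traffic (output chain, not forward), and DNS queries sent to the router hit the input chain, so gmail via the proxy keeps working while direct connections from the restricted PCs do not. If the bosses should be matched by MAC directly instead of by address list, `src-mac-address=AA:BB:CC:DD:EE:01` in the accept rule is the equivalent matcher; the static lease plus `arp=reply-only` pair is what keeps either variant from being bypassed by simply changing an IP.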
 
safiullahtariq
Frequent Visitor
Topic Author
Posts: 81
Joined: Sun Apr 06, 2014 9:21 pm
Location: Lahore Pakistan

Re: Internet Limit

Fri May 22, 2015 12:42 am

Thank you for your guidelines Brother

I was able to block internet and all other services like TeamViewer etc.

This is what I did

/ip firewall filter
chain=input action=drop protocol=tcp in-interface=ether11 dst-port=8080 log=no log-prefix=""

/ip firewall nat

chain=srcnat action=masquerade log=no log-prefix=""

;;; Admin PC
chain=dstnat action=accept src-mac-address=xxxxxx log=no log-prefix=""

;;; Admin Mobile
chain=dstnat action=accept src-mac-address=xxxxxx log=no log-prefix=""

chain=dstnat action=jump jump-target=http_proxy_check protocol=tcp in-interface=ether11 dst-port=80 log=no log-prefix=""

chain=http_proxy_check action=return src-mac-address=xxxxxxxx log=no log-prefix=""

chain=dstnat action=redirect to-ports=8080 protocol=tcp dst-port=80 log=no log-prefix=""

chain=dstnat action=redirect to-ports=8080 protocol=tcp log=no log-prefix=""

chain=dstnat action=redirect to-ports=8080 protocol=udp log=no log-prefix=""


Let's hope that this helps someone else too.

Regards,

Safi
 
jeffzack
just joined
Posts: 5
Joined: Wed Jul 29, 2015 9:36 am

Re: Internet Limit

Thu Jul 30, 2015 7:43 am

Hi, I need to do the same thing as you. Can you post your full config? Thanks.
 
Henrymark1990
just joined
Posts: 3
Joined: Tue Jul 28, 2015 1:15 pm
Location: Dhaka, Bangladesh

Re: Internet Limit

Thu Jul 30, 2015 2:14 pm

Thanks for your guidance. This might help to solve the issue.
