Community discussions

MikroTik App
 
Asadullah2
just joined
Topic Author
Posts: 6
Joined: Sun May 22, 2022 1:52 pm

hotspot config to allow whatsapp and drop other traffic

Thu Jul 28, 2022 12:58 pm

Hi every one,
i just created this address list and want to allow only whatsapp traffic and drop all other traffic, it works in the PC with whatsapp messenger but doesn't work with Whatsapp messenger in the mobile phone. what is wrong with it please help me or show me another way how to allow only whatsapp traffic in hotspot. thanks in advance
2.PNG
1.PNG
please let me know what's wrong with it.
You do not have the required permissions to view the files attached to this post.
 
User avatar
rumahnetmks
newbie
Posts: 26
Joined: Mon Dec 21, 2020 10:00 am

Re: hotspot config to allow whatsapp and drop other traffic

Fri Aug 05, 2022 4:00 pm

First :
For address IP Whatsapp list u can get at https://developers.facebook.com/docs/wh ... uirements/ scroll down to "WhatsApp server IP addresses and ranges (.zip file)"
Add it to address list like ur example, "Whatsapp+list"
Now u mention it that u using this for hotspot, so "Whatsapp Package" address list must be entered at that hotspot user-profile...
Then try paste this through Winbox terminal and test
/ip firewall filter
add action=accept chain=forward comment="WA Accept" dst-address-list=Whatsapp+list src-address-list="Whatsapp Package"
add action=drop chain=forward comment="Else Drop" dst-address-list=!Whatsapp+list src-address-list="Whatsapp Package"

CMIIW, sorry for my noobness.
 
Asadullah2
just joined
Topic Author
Posts: 6
Joined: Sun May 22, 2022 1:52 pm

Re: hotspot config to allow whatsapp and drop other traffic

Sun Aug 28, 2022 10:00 am

Thank you for your reply. it was helpful for me
 
User avatar
danielcs
just joined
Posts: 7
Joined: Tue Aug 30, 2022 2:19 am
Location: Argentina

Re: hotspot config to allow whatsapp and drop other traffic

Tue Aug 30, 2022 2:32 am

In case you require it, we have a github repository that automatically updates the lists of ip addresses and whatsapp domains: https://github.com/HybridNetworks/whatsapp-cidr

Example:
/tool fetch url="https://raw.githubusercontent.com/HybridNetworks/whatsapp-cidr/main/WhatsApp/whatsapp_cidr_ipv4.rsc" mode=https
/ip firewall address-list remove [find where list="WHATSAPP-CIDR"]
/import file-name=whatsapp_cidr_ipv4.rsc
/file remove whatsapp_cidr_ipv4.rsc

Although the update is every 24 hours, an update can be configured between 5 days. Since the servers change every few months.
 
juhov
just joined
Posts: 4
Joined: Sun Sep 25, 2022 1:19 pm

Re: hotspot config to allow whatsapp and drop other traffic

Sun Sep 25, 2022 1:34 pm

Thanks for the previous replies. This has been really helpful already.

I'm setting up Mikrotik CCR2004-16G-2S+, version 7.3.1. In addition it has a CAPsMAN configuration for two APs (CAP ac and mANTBox 15s). The idea would be to have total access to Internet using all other interfaces in LAN except the two ports that have Wifi access points. These APs and then again Wifi should have access only to whatsapp.

I used the provided code to download the address list WHATSAPP-CIDR to the router, so far so good.

Added the following lines to firewall filter on top of my default configuration
/ip firewall filter
add action=accept chain=forward comment="WA Accept" dst-address-list=WHATSAPP-CIDR
add action=drop chain=forward comment="Else Drop" dst-address-list=!WHATSAPP-CIDR

And true enough, everything else drops except whatsapp from wireless devices.

Questions

1) It seems that the connection to whatsapp is quite patchy and slow (e.g. images are not uploading or downloading) after adding the above rules? Anyone else experiencing the same with these rules? Might this have something to do with rest of my firewall configuration (listed bellow)?

2) What might be the best way to restrict the limitations just for the wifi interfaces using CAPsMAN?

ether1 =WAN
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; accept established,related
      chain=input action=accept connection-state=established,related 

 2    chain=input action=drop connection-state=invalid 

 3    ;;; allow ICMP
      chain=input action=accept protocol=icmp in-interface=ether1 

 4    ;;; allow Winbox
      chain=input action=accept protocol=tcp in-interface=ether1 port=8291 

 5    ;;; allow SSH
      chain=input action=accept protocol=tcp in-interface=ether1 port=22 

 6    ;;; block everything else
      chain=input action=drop in-interface=ether1 

 7    ;;; fast-track for established,related
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related 
 8    ;;; accept established,related
      chain=forward action=accept connection-state=established,related 

 9    chain=forward action=drop connection-state=invalid 

10    ;;; drop access to clients behind NAT from WAN
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 

11    ;;; WA Accept
      chain=forward action=accept dst-address-list=WHATSAPP-CIDR log=no log-prefix="" 

12    ;;; Else drop 
      chain=forward action=drop dst-address-list=!WHATSAPP-CIDR log=no log-prefix="" 
Thanks in advance, Juho
 
User avatar
rumahnetmks
newbie
Posts: 26
Joined: Mon Dec 21, 2020 10:00 am

Re: hotspot config to allow whatsapp and drop other traffic

Sun Sep 25, 2022 5:23 pm

/ip firewall filter
add action=accept chain=forward comment="WA Accept" dst-address-list=WHATSAPP-CIDR
add action=drop chain=forward comment="Else Drop" dst-address-list=!WHATSAPP-CIDR
This make all connection LAN and WIFI have same rule, even if they are in separate network.
My comment there for Thread Starter case with hotspot. So if ur target only for WIFI user, u can make address list for WIFI Network user first.
Example WIFI Network is 172.16.00.0/24 (I assume ur LAN have different network) so
/ip firewall address-list add address=172.16.0.0/24 list=WIFIUSER
Remember to change that segment IP with ur actual wifi network IP, which u want only access whatsapp.

Then change that quoted firewall with
/ip firewall filter
add action=accept chain=forward comment="WA Accept" dst-address-list=WHATSAPP-CIDR src-address-list=WIFIUSER
add action=drop chain=forward comment="Else Drop" dst-address-list=!WHATSAPP-CIDR src-address-list=WIFIUSER

Then additional I assume ur network using Private IP in RFC 1918, so then I think u need to catch content from whatsapp.net and whatsapp.com
Try this :
* Make address list that contain private IP (RFC1918), named like example LOCAL-IP
/ip firewall address-list
add address=0.0.0.0/8 list=LOCAL-IP
add address=10.0.0.0/8 list=LOCAL-IP
add address=100.64.0.0/10 list=LOCAL-IP
add address=127.0.0.0/8 list=LOCAL-IP
add address=169.254.0.0/16 list=LOCAL-IP
add address=172.16.0.0/12 list=LOCAL-IP
add address=192.0.0.0/24 list=LOCAL-IP
add address=192.0.2.0/24 list=LOCAL-IP
add address=192.168.0.0/16 list=LOCAL-IP
add address=198.18.0.0/15 list=LOCAL-IP
add address=198.51.100.0/24 list=LOCAL-IP
add address=203.0.113.0/24 list=LOCAL-IP
add address=224.0.0.0/4 list=LOCAL-IP
add address=240.0.0.0/4 list=LOCAL-IP

* Then catch the additional IP, add to WHATSAPP-CIDR
/ip firewall raw
add action=add-dst-to-address-list address-list=WHATSAPP-CIDR address-list-timeout=none-dynamic chain=prerouting comment="Catch Whatsapp IP" content=.whatsapp.net dst-address-list=!LOCAL-IP src-address-list=LOCAL-IP
add action=add-dst-to-address-list address-list=WHATSAPP-CIDR address-list-timeout=none-dynamic chain=prerouting comment="Catch Whatsapp IP" content=.whatsapp.com dst-address-list=!LOCAL-IP src-address-list=LOCAL-IP

CMIIW, sorry for my noobness.
 
juhov
just joined
Posts: 4
Joined: Sun Sep 25, 2022 1:19 pm

Re: hotspot config to allow whatsapp and drop other traffic

Sun Sep 25, 2022 9:37 pm

Thanks for the help, much appreciated!

I did a setup of two VLANs for the wifi (two SSIDs as well) other having addresses 192.168.10.0/24 and the other 192.168.20.0/24. The former is the restricted network and the latter a network with full access to the Internet. I used the src-address=192.168.10.0/24 setting in filter rules.

However, I seem to have the issue with images (both upload and download) in Whatsapp when using that restricted network. They are not going through. It seems if someone sends an image, there's a preview in chat, but downloading the image ain't possible.

Any ideas if I'm missing some needed firewall filter rules or other settings? Also, I'd be interested if someone has set up similar system allowing only whatsapp and having the full functionality.

Thanks, Juho
 
User avatar
rumahnetmks
newbie
Posts: 26
Joined: Mon Dec 21, 2020 10:00 am

Re: hotspot config to allow whatsapp and drop other traffic

Fri Sep 30, 2022 10:37 am

Im using this similar 'wa-only thing' in my network but I'm using hotspot sistem.
Home user and Hotspot user at diferent ethernet port, different VLAN, different network segment
User hotspot that I test have 'wa-only' profile will only can access WA and as far as I test the video originally from WA perfectly no problems.
Are u sure the video u mean here orignally from WA not from other like Youtube etc?
I test record video from WA using phone camera and GSM internet and send it to a phone with hotspot 'WA-only" profile. It plays the video without any error.
 
juhov
just joined
Posts: 4
Joined: Sun Sep 25, 2022 1:19 pm

Re: hotspot config to allow whatsapp and drop other traffic

Fri Sep 30, 2022 1:51 pm

Thanks for the reply, again.

I reckon that the issue might be with my firewall filters, since the issue with whatsapp images or videos not working happens with or without the separate VLAN for the wifi.

Could you provide your firewall filter rules / settings that I could check what could be the differences?

Thanks,
Juho
 
User avatar
rumahnetmks
newbie
Posts: 26
Joined: Mon Dec 21, 2020 10:00 am

Re: hotspot config to allow whatsapp and drop other traffic

Sat Oct 01, 2022 3:57 pm

Sry can't.
Why dont u post ur config here and maybe other pro here see ur config then.
 
juhov
just joined
Posts: 4
Joined: Sun Sep 25, 2022 1:19 pm

Re: hotspot config to allow whatsapp and drop other traffic

Sun Oct 02, 2022 10:21 pm

Sry can't.
Why dont u post ur config here and maybe other pro here see ur config then.
Please see firewall configs bellow, addresses 192.168.10.0/24 are for the VLAN used by wifi.

Filter rules
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; accept established,related
      chain=input action=accept connection-state=established,related 

 2    chain=input action=drop connection-state=invalid 

 3    ;;; allow ICMP
      chain=input action=accept protocol=icmp in-interface=ether1 

 4    ;;; allow Winbox
      chain=input action=accept protocol=tcp in-interface=ether1 port=8291 

 5    ;;; allow SSH
      chain=input action=accept protocol=tcp in-interface=ether1 port=22 

 6    ;;; block everything else
      chain=input action=drop in-interface=ether1 

 7    ;;; fast-track for established,related
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related 

 8    ;;; accept established,related
      chain=forward action=accept connection-state=established,related 

 9    chain=forward action=drop connection-state=invalid 

10    ;;; drop access to clients behind NAT from WAN
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 

11    ;;; WA Accept
      chain=forward action=accept src-address=192.168.10.0/24 dst-address-list=WHATSAPP-CIDR log=no log-prefix="" 

12    ;;; Else drop Wifi
      chain=forward action=drop src-address=192.168.10.0/24 dst-address-list=!WHATSAPP-CIDR log=no log-prefix="" 
Raw
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough 

 1    ;;; Catch Whatsapp IP
      chain=prerouting action=add-dst-to-address-list content=.whatsapp.net log=no log-prefix="" src-address-list=LOCAL-IP dst-address-list=!LOCAL-IP address-list=WHATSAPP-CIDR 
      address-list-timeout=none-dynamic 

 2    ;;; Catch Whatsapp IP
      chain=prerouting action=add-dst-to-address-list content=.whatsapp.com src-address-list=LOCAL-IP dst-address-list=!LOCAL-IP address-list=WHATSAPP-CIDR 
      address-list-timeout=none-dynamic 

 3    ;;; Catch Whatsapp IP
      chain=prerouting action=add-dst-to-address-list content=.whatsapp.com src-address-list=LOCAL-IP dst-address-list=!LOCAL-IP address-list=WHATSAPP-CIDR 
      address-list-timeout=none-dynamic 

 4    ;;; Catch Whatsapp IP
      chain=prerouting action=add-dst-to-address-list content=.cdn.whatsapp.net src-address-list=LOCAL-IP dst-address-list=!LOCAL-IP address-list=WHATSAPP-CIDR 
      address-list-timeout=none-dynamic 

 5    ;;; Catch Whatsapp IP
      chain=prerouting action=add-dst-to-address-list content=g.whatsapp.net src-address-list=LOCAL-IP dst-address-list=!LOCAL-IP address-list=WHATSAPP-CIDR 
      address-list-timeout=none-dynamic 

 6    ;;; Catch Whatsapp IP
      chain=prerouting action=add-dst-to-address-list content=graph.facebook.com src-address-list=LOCAL-IP dst-address-list=!LOCAL-IP address-list=WHATSAPP-CIDR 
      address-list-timeout=none-dynamic 

 7    ;;; Catch Whatsapp IP
      chain=prerouting action=add-dst-to-address-list content=graph.whatsapp.com src-address-list=LOCAL-IP dst-address-list=!LOCAL-IP address-list=WHATSAPP-CIDR 
      address-list-timeout=none-dynamic 

 8    ;;; Catch Whatsapp IP
      chain=prerouting action=add-dst-to-address-list content=media-.*.cdn.whatsapp.net src-address-list=LOCAL-IP dst-address-list=!LOCAL-IP address-list=WHATSAPP-CIDR 
      address-list-timeout=none-dynamic 

 9    ;;; Catch Whatsapp IP
      chain=prerouting action=add-dst-to-address-list content=media..*.fna.whatsapp.net src-address-list=LOCAL-IP dst-address-list=!LOCAL-IP address-list=WHATSAPP-CIDR 
      address-list-timeout=none-dynamic 

10    ;;; Catch Whatsapp IP
      chain=prerouting action=add-dst-to-address-list content=mmg.whatsapp.net src-address-list=LOCAL-IP dst-address-list=!LOCAL-IP address-list=WHATSAPP-CIDR 
      address-list-timeout=none-dynamic 

11    ;;; Catch Whatsapp IP
      chain=prerouting action=add-dst-to-address-list content=pps.whatsapp.net src-address-list=LOCAL-IP dst-address-list=!LOCAL-IP address-list=WHATSAPP-CIDR 
      address-list-timeout=none-dynamic 

12    ;;; Catch Whatsapp IP
      chain=prerouting action=add-dst-to-address-list content=static.whatsapp.net src-address-list=LOCAL-IP dst-address-list=!LOCAL-IP address-list=WHATSAPP-CIDR 
      address-list-timeout=none-dynamic 

13    ;;; Catch Whatsapp IP
      chain=prerouting action=add-dst-to-address-list content=v.whatsapp.net src-address-list=LOCAL-IP dst-address-list=!LOCAL-IP address-list=WHATSAPP-CIDR 
      address-list-timeout=none-dynamic 

Any thoughts why the whatsapp messages are going through, but not images or videos.

Thanks,
Juho

Who is online

Users browsing this forum: No registered users and 2 guests