madmoses
just joined
Topic Author
Posts: 18
Joined: Mon Sep 26, 2016 6:19 pm

Whitelisting websites

Sat Aug 24, 2019 2:13 pm

Hi,

I want to block all traffic except for some services.

For example, my users are allowed to use Netflix, Amazon Prime Video, Spotify and so on.

Is this something I can do with RouterOS?
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Whitelisting websites

Sat Aug 24, 2019 2:49 pm

Hi
All connections start with DNS resolution. Filter/control these and you'll be able to control what connections are made (for the most part).
 
madmoses
just joined
Topic Author
Posts: 18
Joined: Mon Sep 26, 2016 6:19 pm

Re: Whitelisting websites

Sat Aug 24, 2019 2:53 pm

How would you do this?

I found something like that in the docs. But running the script every 30 seconds sounds a bit hacky, because the first attempt to connect to a service will fail (because it is not listed in the cache and could not be processed):
https://wiki.mikrotik.com/wiki/Manual:S ... c_websites

Thank you
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Whitelisting websites

Sat Aug 24, 2019 3:24 pm

The problem you will hit is that "a website" is not a single entity.
You can allow access to an IP address (or a number of them) quite easily, there are more modern methods than that script,
but that will not bring you much. You may know the domain name of the site itself, but internally it will load items from all
kinds of other "sites" to show pictures, advertisements, video material, to get scripts, layout information, etc.

You first need to compile a complete list of all domain names used when operating the sites you want to whitelist, and put
them in your exception list. You can do that using address lists with DNS name instead of the script:
/ip firewall address-list
add address=www.netflix.com list=allowed
add address=codex.netflix.com list=allowed
add address=assets.netflix.com list=allowed
etc etc etc until you have everything.
However, when you have that all complete, next week the sitebuilder may add another one and the site is going to fail in
some mysterious way until you have hunted that down and added the correct name.

Long story short: it cannot be done in practice.
 
madmoses
just joined
Topic Author
Posts: 18
Joined: Mon Sep 26, 2016 6:19 pm

Re: Whitelisting websites

Sat Aug 24, 2019 3:55 pm

Hmm. okay I understand the problem.

Is there a DNS provider which blocks illegal websites? Like torrent pages etc.?
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Whitelisting websites

Sat Aug 24, 2019 4:47 pm

OpenDNS
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Whitelisting websites

Sat Aug 24, 2019 9:04 pm

Pi-hole can do whitelisting and in the next release the domains will be in a database which gives more control over what is filtered. It will then be also able to use wildcard whitelisting and regex based whitelisting.

Pi-hole sits between the clients and the DNS server they use.
 
madmoses
just joined
Topic Author
Posts: 18
Joined: Mon Sep 26, 2016 6:19 pm

Re: Whitelisting websites

Mon Aug 26, 2019 12:06 pm

pe1chl wrote:
/ip firewall address-list
add address=www.netflix.com list=allowed
add address=codex.netflix.com list=allowed
add address=assets.netflix.com list=allowed
There are only a few websites which I want to allow.

Is it possible to allow only traffic which is in the list "allowed" and send everything else through my VPN tunnel?

Can I do it that way, or is there a better way of doing this? https://wiki.mikrotik.com/wiki/Policy_Base_Routing
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Whitelisting websites

Mon Aug 26, 2019 1:15 pm

It is possible to do that, but remember: there is no practical way for you to isolate "traffic for a website" by domain or IP address.
 
madmoses
just joined
Topic Author
Posts: 18
Joined: Mon Sep 26, 2016 6:19 pm

Re: Whitelisting websites

Mon Aug 26, 2019 1:23 pm

pe1chl wrote:
It is possible to do that, but remember: there is no practical way for you to isolate "traffic for a website" by domain or IP address.
This is the reason why I want to send all the traffic which I don't have on my whitelist through the safe VPN.

I don't want to send everything, because I only have ~200 Mbit available with the VPN.

I will try this solution combined with a DNS server which does not list illegal websites like torrent sites.

Worst case is => the traffic goes through a VPN tunnel to a provider which does not log etc.
Best case => User can not open illegal websites, because they are not listed / blocked in the DNS service.

I think this is the maximum I can do. What do you think?
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Whitelisting websites

Mon Aug 26, 2019 2:12 pm

This means you still need to do investigation because it is unlikely that e.g. the bulk of the traffic (the video streams) from netflix will come from www.netflix.com.
But I would suggest to just try it and monitor the situation carefully.
 
madmoses
just joined
Topic Author
Posts: 18
Joined: Mon Sep 26, 2016 6:19 pm

Re: Whitelisting websites

Mon Aug 26, 2019 2:51 pm

Okay thank you.

I used this tutorial to setup a L2TP connection: https://www.rapidvpn.com/setup-vpn-l2tp-mikrotik-router

Where/how can I add the exceptions for the IPs listed in the "allowed" list so that they do not use the VPN?
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Whitelisting websites

Mon Aug 26, 2019 7:21 pm

I have a simple system of two+1 address lists.

- not VPN
- VPN
- fixed VPN

Fixed VPN is for destinations that don't like traffic arriving from different source addresses. This applies if you are using more than one VPN connection at the same time.

In mangle you can use marking to separate traffic.
 
madmoses
just joined
Topic Author
Posts: 18
Joined: Mon Sep 26, 2016 6:19 pm

Re: Whitelisting websites

Tue Aug 27, 2019 11:21 am

/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=L2TP passthrough=yes \
    src-address=192.168.88.10-192.168.88.254 dst-address-list=!allowed
My mangle rule looks like that at the moment.

If the IP is NOT in the allowed list, then the traffic goes through the VPN.

Problem: if I deactivate the VPN (simulating a disconnect), all my traffic goes normally to the internet.

What I want: only traffic to the allowed list is accepted.

How can I do this?
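Putting the pieces of this thread together (pe1chl's FQDN address list, the L2TP routing mark above, and the fail-closed behaviour madmoses asks for), the following is an added example of a complete RouterOS v6 configuration. It is not configuration from the thread or from the RapidVPN tutorial. The interface names (bridge, ether1, l2tp-out1), the LAN range, the list and mark names and the use of OpenDNS's public resolvers (208.67.222.222 and 208.67.220.220) are assumptions; the netflix hostnames are only the ones the thread mentions.

```routeros
# Added example, not from the thread. Assumptions: RouterOS v6, LAN 192.168.88.0/24 on
# interface "bridge", WAN on "ether1", L2TP client interface "l2tp-out1", routing mark "L2TP".

# 1. Whitelist by FQDN. The router resolves each name itself, keeps the entries dynamic and
#    re-resolves them when the DNS TTL expires. A real list needs every host the service
#    loads from (CDN, API, image and script hosts), not just the front page.
/ip firewall address-list
add list=lan address=192.168.88.0/24
add list=allowed address=www.netflix.com
add list=allowed address=codex.netflix.com
add list=allowed address=assets.netflix.com

# 2. Force LAN clients through the router's resolver (a filtering upstream such as OpenDNS),
#    so clients get the same answers the router put into "allowed". Only plain port-53 DNS is
#    caught here; DNS over HTTPS/TLS and hardcoded resolvers bypass this redirect.
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip firewall nat
add chain=dstnat in-interface=bridge protocol=udp dst-port=53 action=redirect to-ports=53
add chain=dstnat in-interface=bridge protocol=tcp dst-port=53 action=redirect to-ports=53

# 3. Policy routing: LAN traffic to anything NOT whitelisted is marked for the tunnel.
#    The connection is marked once (state new) and the routing mark is copied from it,
#    so every packet of a flow takes the same path.
/ip firewall mangle
add chain=prerouting src-address-list=lan dst-address-list=!allowed connection-state=new \
    action=mark-connection new-connection-mark=via-vpn passthrough=yes
add chain=prerouting src-address-list=lan connection-mark=via-vpn \
    action=mark-routing new-routing-mark=L2TP passthrough=no

# 4. Routing table for the mark: default via the tunnel, plus a blackhole with a worse
#    distance. When l2tp-out1 goes down its route becomes inactive, the blackhole takes over,
#    and marked traffic is dropped instead of falling back to the main table and the WAN.
/ip route
add dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-mark=L2TP distance=1
add dst-address=0.0.0.0/0 type=blackhole routing-mark=L2TP distance=10

# 5. Stateful filter as the enforcement point, independent of routing state: whitelisted
#    destinations may go out anywhere, everything else may leave only through the tunnel.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward src-address-list=lan dst-address-list=allowed action=accept
add chain=forward src-address-list=lan out-interface=l2tp-out1 action=accept
add chain=forward src-address-list=lan action=drop log=yes log-prefix="not-allowed"

# 6. Source NAT for both exits.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=l2tp-out1 action=masquerade
```

Step 5 is what answers the disconnect test: with the tunnel down, non-whitelisted flows no longer match the out-interface rule and hit the drop, whatever the routing table does; step 4 closes the same hole one layer earlier. On RouterOS v7 the routing mark must first exist as a table (`/routing table add name=L2TP fib`). As pe1chl points out, the actual video streams are unlikely to come from www.netflix.com, so expect the "not-allowed" log to show the CDN hosts that still need to be added.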
 
camxeoto24h
just joined
Posts: 2
Joined: Mon Feb 17, 2020 10:37 am
Location: HCMC

Re: Whitelisting websites

Mon Feb 17, 2020 10:47 am

madmoses wrote:
Okay thank you.

I used this tutorial to setup a L2TP connection: https://www.rapidvpn.com/setup-vpn-l2tp-mikrotik-router

Where/how can I add the exceptions for the IPs listed in the "allowed" list so that they do not use the VPN?
Do you have success with this?
 
farolf
just joined
Posts: 1
Joined: Thu Sep 10, 2020 9:39 am

Re: Whitelisting websites

Thu Sep 10, 2020 9:57 am

Hi, sorry for replying to old thread. But I'd like to add a solution that might benefit others.

So to whitelist some sites we need to capture the IPs for those sites into an address list first, then block access to any other IPs not in that list.
  • add a rule on mangle with:
    • action = add dst to address list
    • address list = allowed
    • timeout = none static
  • access all the white listed sites, apps, games etc
  • disable the rule
  • add a rule to only allow destinations in the "allowed" address list
  • done!
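The learning procedure above, written out as RouterOS v6 rules. This is an added example, not farolf's configuration; the LAN range, the rule comment and the choice of the forward chain are assumptions.

```routeros
# Added example, not from the thread. Assumptions: RouterOS v6, LAN 192.168.88.0/24.

# Learning phase: record the destination of every NEW outbound connection from the LAN as a
# static entry in "allowed". connection-state=new limits this to one entry per flow; without
# it the rule is evaluated on every packet.
/ip firewall mangle
add chain=forward src-address=192.168.88.0/24 connection-state=new \
    action=add-dst-to-address-list address-list=allowed address-list-timeout=none-static \
    comment="learn-allowed"

# ... now use every whitelisted site, app and game from a LAN client, then stop learning:
/ip firewall mangle disable [find comment="learn-allowed"]

# Review the result before trusting it: the capture also recorded update servers, telemetry,
# ad hosts and anything else the client contacted during the run.
/ip firewall address-list print where list=allowed

# Enforcement: only learned destinations may be forwarded.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward src-address=192.168.88.0/24 dst-address-list=allowed action=accept
add chain=forward src-address=192.168.88.0/24 action=drop log=yes log-prefix="not-allowed"
```

The learned entries are fixed IP addresses, so this only holds for sites that keep their addresses; for CDN-hosted services the list goes stale as addresses rotate, and the FQDN entries pe1chl showed earlier (re-resolved by the router on TTL expiry) are the better fit, with the capture run repeated whenever the "not-allowed" log shows new hosts.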
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Whitelisting websites

Mon Sep 14, 2020 7:39 pm

That solution assumes that there is only a single, fixed, address for each website.
That may be true for a personal site or the site of a small company (especially when it has already existed for a long time), but for more commonly requested sites like Facebook, YouTube, etc., this is not at all the case. Such websites have many IP addresses that are rotated all the time to distribute the load, cover outages, etc.
