YordanY1
newbie
Topic Author
Posts: 35
Joined: Tue Sep 07, 2021 2:54 am
Location: Bulgaria

Blocking Blogspot.com ?

Tue Oct 19, 2021 1:57 pm

Hello.
I would like to block the users in my networks from accessing their private blogs on blogspot.com, since it turns out they are spending most of their time there, and this angers the boss quite a bit.
Anyway, I've tried the solution of adding blogspot.com to the address list and then dropping the traffic from it, but still - the subdomains are working.

How can I block it entirely?
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Blocking Blogspot.com ?

Tue Oct 19, 2021 2:24 pm

Look at DNS filters like Pi-hole.
 
ivicask
Member
Posts: 422
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Blocking Blogspot.com ?

Tue Oct 19, 2021 2:47 pm

> Hello.
> I would like to block the users in my networks from accessing their private blogs on blogspot.com, since it turns out they are spending most of their time there, and this angers the boss quite a bit.
> Anyway, I've tried the solution of adding blogspot.com to the address list and then dropping the traffic from it, but still - the subdomains are working.
>
> How can I block it entirely?

Just add blogspot.com to the address list so it's resolved to an IP, then block that in the FW. It should work regardless of DNS, unless they fire up a VPN...
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Blocking Blogspot.com ?

Tue Oct 19, 2021 3:52 pm

> > Hello.
> > I would like to block the users in my networks from accessing their private blogs on blogspot.com, since it turns out they are spending most of their time there, and this angers the boss quite a bit.
> > Anyway, I've tried the solution of adding blogspot.com to the address list and then dropping the traffic from it, but still - the subdomains are working.
> >
> > How can I block it entirely?
>
> Just add blogspot.com to the address list so it's resolved to an IP, then block that in the FW. It should work regardless of DNS, unless they fire up a VPN...

IP addresses can change. It is a nice way to keep chasing your tail ...
Something like PI Hole or alternative capable of blocking DNS names seems to be the most practical solution.

VPN will not prevent this either. Then that also needs to be blocked ?
 
YordanY1
newbie
Topic Author
Posts: 35
Joined: Tue Sep 07, 2021 2:54 am
Location: Bulgaria

Re: Blocking Blogspot.com ?

Tue Oct 19, 2021 9:07 pm

Emh.. blogspot is resolved, but it has subdomains, which are the private blogs, on a network with 65.000 possible IPs.
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: Blocking Blogspot.com ?

Tue Oct 19, 2021 9:26 pm

Like @holvoetn suggested a DNS-Server like Pihole is the most practical solution.

But if you want to use the MikroTik device itself...
Try blocking the traffic via Layer7 (https://www.youtube.com/watch?v=mcJbY8dvDJc)

It's not perfect... and performance will suffer..
But it may solve your problem!

Basic example:
/ip firewall filter
add action=add-dst-to-address-list address-list=blogspot address-list-timeout=none-dynamic chain=forward comment="Identify blogspot Servers (blogspot)" protocol=tcp tls-host=*blogspot*
add action=add-dst-to-address-list address-list=blogspot address-list-timeout=none-dynamic chain=forward comment="Identify blogspot Servers (blogger)" protocol=tcp tls-host=*blogger*
add action=drop chain=forward comment="Drop: All Traffic to blogspot-Servers" dst-address-list=blogspot
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Blocking Blogspot.com ?

Tue Oct 19, 2021 9:45 pm

I read layer 7 filtering can be indeed quite performance hungry.

Wild question ...
Would PiHole running in a docker container on ROS 7.1rc4 be less of a performance hit ?
I have it as a docker container on a Synology NAS. It has not too much processor impact, from what I can see.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Blocking Blogspot.com ?

Tue Oct 19, 2021 9:53 pm

> I have it as a docker container on a Synology NAS. It has not too much processor impact, from what I can see.

Well, keep it running on your NAS ?
This is how I run it over here, Pihole on my 918+ NAS and running fine for years now.
DNS-traffic on the Mikrotik is intercepted and delivered to the Pihole in case some client has some hardcoded IP's (eg. notoriously Google) and wants to resolve directly...
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Blocking Blogspot.com ?

Tue Oct 19, 2021 10:14 pm

> > I have it as a docker container on a Synology NAS. It has not too much processor impact, from what I can see.
>
> Well, keep it running on your NAS ?
> This is how I run it over here, Pihole on my 918+ NAS and running fine for years now.
> DNS-traffic on the Mikrotik is intercepted and delivered to the Pihole in case some client has some hardcoded IP's (eg. notoriously Google) and wants to resolve directly...

The remark was not for me but as an alternative to use a separate device to prevent using Layer-7 filtering.
 
YordanY1
newbie
Topic Author
Posts: 35
Joined: Tue Sep 07, 2021 2:54 am
Location: Bulgaria

Re: Blocking Blogspot.com ?

Tue Oct 19, 2021 10:37 pm

Thank you very much, guys, for trying to help! :)
I appreciate all of the answers.

I am going to try this Layer 7, but what do you mean that it may be performance hungry?
Will my router start to slow down or.. what shall I expect?

(btw - I tried the filter rules but they don't seem to work - no counters are triggered, nor is blogspot blocked)
Last edited by YordanY1 on Tue Oct 19, 2021 10:48 pm, edited 1 time in total.
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: Blocking Blogspot.com ?

Tue Oct 19, 2021 10:42 pm

It means you will have to be smart with your Firewall-Rules!


If possible, post your Firewall config and I'll make a suggestion
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: Blocking Blogspot.com ?

Tue Oct 19, 2021 10:55 pm

@holvoetn,

RB5009UG+S+IN with a Pihole-Container is a very nice Solution!!
Especially for SMEs who don't have servers and have low requirements,
like for example restaurants, hairdressers, bakeries, shrink offices, kindergartens, etc.

A bit off topic,
but as soon as I get my 5009, I want to try and run a small 3CX-Server.
It would be an amazing solution to replace AVM Fritz.Box or other All-in-One Routers
 
YordanY1
newbie
Topic Author
Posts: 35
Joined: Tue Sep 07, 2021 2:54 am
Location: Bulgaria

Re: Blocking Blogspot.com ?

Wed Oct 20, 2021 9:50 am

> It means you will have to be smart with your Firewall-Rules!
>
> If possible, post your Firewall config and I'll make a suggestion

/ip firewall> filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 
 2    chain=input action=drop connection-state=invalid log=no log-prefix="" 
 3    chain=input action=accept protocol=icmp log=no log-prefix="" 
 4    chain=input action=accept protocol=tcp in-interface-list=WAN dst-port=1723 log=yes log-prefix="PPTP>" 
 5    chain=input action=accept protocol=gre in-interface-list=WAN log=no log-prefix="" 
 6    chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 
 7    chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec 
 8    chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec 
 9    chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix="" 
10    chain=forward action=accept connection-state=established,related,untracked log=no log-prefix="" 
11    chain=forward action=drop connection-state=invalid log=no log-prefix="" 
12    chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix="" 
13    ;;; BLOCK FACEBOOK
      chain=forward action=drop dst-address-list=block-facebook log=no log-prefix="" 
14    ;;; BLOCK BLOGSPOT
      chain=forward action=reject reject-with=icmp-admin-prohibited dst-address-list=BLOCK-Blogspot log=no log-prefix="" 
15    ;;; BLOCK INSTAGRAM
      chain=forward action=drop dst-address-list=BLOCK-Instagram log=no log-prefix="" 
16    ;;; BLOCK Tik-Tok
      chain=forward action=drop dst-address-list=BLOCK-TikTok log=no log-prefix="" 
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: Blocking Blogspot.com ?

Wed Oct 20, 2021 7:12 pm

Good Evening,

Your Firewall is very simple and only has 3 filtering categories.
Internet -> Router (Input)
Internet -> LAN (Forward)
LAN -> Internet (Forward)


----------------------------------------------------------------------
Step 1: L7-Filtering (identifying Servers)
The best way usually to implement the L7-Filtering is in LAN -> Internet
In your Case it should be rule #13 and #14. (Before "BLOCK FACEBOOK")

/ip firewall filter
add action=add-dst-to-address-list address-list=blogspot address-list-timeout=none-dynamic chain=forward comment="\"Identify blogspot Servers (blogspot)\"" connection-state=new out-interface-list=WAN protocol=tcp tls-host=*blogspot*
add action=add-dst-to-address-list address-list=blogspot address-list-timeout=none-dynamic chain=forward comment="\"Identify blogspot Servers (blogger)\"" connection-state=new out-interface-list=WAN protocol=tcp tls-host=*blogger*
----------------------------------------------------------------------
Step 2: Blocking Traffic from blogspot
You can Filter, aka Drop the blogspot Connection between "LAN -> Internet" or "Internet -> LAN" (or theoretically both)
Most people Block via the "Internet -> LAN" filtering.
If performance is an issue, you may want to look at blocking the upload instead ("LAN -> Internet")

Example: Block LAN -> WAN
/ip firewall filter
add action=drop chain=forward comment="Drop: Blogspot (LAN --> WAN) " connection-state=related,new dst-address-list=blogspot out-interface-list=WAN
Example: Block WAN -> LAN
/ip firewall filter
add action=drop chain=forward comment="Drop: Blogspot (WAN --> LAN) " connection-state=related,new in-interface-list=WAN src-address-list=blogspot
----------------------------------------------------------------------
Step 3: Integrate Block-List
If and only if performance is an issue,
it may help to have only 1 address-list for Facebook, Blogspot, Instagram, TikTok and co.,
and to use only 1 firewall rule to block unwanted services instead of 5+
 
YordanY1
newbie
Topic Author
Posts: 35
Joined: Tue Sep 07, 2021 2:54 am
Location: Bulgaria

Re: Blocking Blogspot.com ?

Wed Oct 20, 2021 11:15 pm

Thank You for spending time trying to help me! :)

Well.. I did this but still - the counters never trigger. Here is a screenshot:
Image

Here, for instance, is this blog, which is not affected in any way by the changes:
https://olympiacos-blog.blogspot.com
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: Blocking Blogspot.com ?  [SOLVED]

Thu Oct 21, 2021 12:49 am

Thank you for the Link, it helped a lot !

Problem #1: L7-Filter rules
I tried to be smart and only have the L7-Filter check "New" Connection... This was a mistake!
/ip firewall filter
add action=add-dst-to-address-list address-list=blogspot address-list-timeout=none-dynamic chain=forward comment="Identify blogspot Servers (blogspot)" out-interface-list=WAN protocol=tcp tls-host=*blogspot*

add action=add-dst-to-address-list address-list=blogspot address-list-timeout=none-dynamic chain=forward comment="Identify blogspot Servers (blogger)" out-interface-list=WAN protocol=tcp tls-host=*blogger*

Problem #2: Firewall Block rules
I never had to block in both directions before, but here it is necessary.

If it helps, a view of the Firewall I used:
 
YordanY1
newbie
Topic Author
Posts: 35
Joined: Tue Sep 07, 2021 2:54 am
Location: Bulgaria

Re: Blocking Blogspot.com ?

Thu Oct 21, 2021 1:28 am

O lords. I think it worked!
I am stupid. I just needed to move the identifiers a bit higher.

THANK YOU ConnyMercier !!! <3
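
Added example (not from the thread): the two changes reported above, removing connection-state=new from the tls-host rules and moving them higher in the forward chain, both follow from connection tracking. The TLS ClientHello that carries the SNI is sent after the TCP handshake, so it is an "established" packet. This Python sketch models first-match rule evaluation; the packets, the 203.0.113.10 address and the simplified rule dictionaries are constructed, and the drop rule is the unconditional one from the first example posted.

```python
from fnmatch import fnmatchcase

# Constructed packets for one HTTPS connection: the SYN is "new" and has no SNI;
# the ClientHello follows the TCP handshake, so conntrack marks it "established".
SYN = {"state": "new", "sni": None, "dst": "203.0.113.10"}
HELLO = {"state": "established", "sni": "olympiacos-blog.blogspot.com", "dst": "203.0.113.10"}

# Simplified stand-ins for the rules discussed in the thread (hypothetical names).
ACCEPT_EST = {"action": "accept", "state": {"established", "related"}}
IDENT_NEW = {"action": "add-dst", "state": {"new"}, "tls_host": "*blogspot*"}
IDENT_ANY = {"action": "add-dst", "tls_host": "*blogspot*"}
DROP_LIST = {"action": "drop", "dst_list": True}


def matches(rule, pkt, blocked):
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    if "tls_host" in rule and not (pkt["sni"] and fnmatchcase(pkt["sni"], rule["tls_host"])):
        return False
    if rule.get("dst_list") and pkt["dst"] not in blocked:
        return False
    return True


def run_chain(chain, pkt, blocked):
    """First terminating match wins; add-dst records the address and continues."""
    for rule in chain:
        if matches(rule, pkt, blocked):
            if rule["action"] == "add-dst":
                blocked.add(pkt["dst"])
                continue
            return rule["action"]
    return "accept"  # the posted forward chain has no final drop rule


def simulate(chain):
    """One connection (SYN, then ClientHello), then a second SYN to the same server."""
    blocked = set()
    verdicts = [run_chain(chain, p, blocked) for p in (SYN, HELLO, SYN)]
    return verdicts, sorted(blocked)


ORIGINAL = [ACCEPT_EST, IDENT_NEW, DROP_LIST]      # identify rule below accept-established
MOVED_UP_NEW = [IDENT_NEW, DROP_LIST, ACCEPT_EST]  # moved up, still connection-state=new
MOVED_UP_ANY = [IDENT_ANY, DROP_LIST, ACCEPT_EST]  # moved up, no connection-state

if __name__ == "__main__":
    for name, chain in [("original", ORIGINAL), ("new-only", MOVED_UP_NEW), ("fixed", MOVED_UP_ANY)]:
        print(name, simulate(chain))
```

Only the third ordering ever populates the address list: the ClientHello that reveals the hostname is dropped, and so is every later connection attempt to that address.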
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: Blocking Blogspot.com ?

Thu Oct 21, 2021 3:21 am

No Problem!!

Maybe POST a Feedback in a couple of days!
I would like to know if you see any performance degradation with the new L7-Rules
