M1keBT
just joined
Topic Author
Posts: 10
Joined: Mon May 09, 2022 11:20 am

Blocked/Allowed Websites by Firewall Filter Rules

Wed Jun 08, 2022 12:49 pm

Hello,
I configured my RouterBoard (v7.x) as a web proxy server and made a filter rule in the firewall to drop all requests from all websites, as follows:
/ip firewall filter add chain=forward dst-port=80,443 protocol=tcp action=drop

Then I wanted to allow specific websites as "allowed websites", as follows:
  • Chose forward from the Chain dropdown menu
  • Chose tcp from the Protocol dropdown menu
  • Dst. Port 80,443
  • Put a group name (such as Allowed Websites) in Dst. Address List
  • Chose accept from the Action dropdown menu.
Then, in the Address Lists tab:
  • Chose the created group name (Allowed Websites) from the Name dropdown menu
  • Put the website's URL (such as www.fast.com) that I want to add to this group in the Address input field
I put the allow rule above the block rule, so allow is no. 1 and block is no. 2.
The problem is that every website is still blocked despite being allowed, and the packet counter of the block rule keeps counting, not that of the allowed-websites rule.
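As an added example (not the original poster's configuration, and not taken from MikroTik documentation), here is the same allow-list setup written out as RouterOS CLI commands, followed by the checks that show whether the rules are in the right order and what the address list actually contains. The list name "AllowedWebsites", the comments and the www.example.com / www.example.org hostnames are placeholders; substitute your own.

```routeros
# Added example, not the original poster's configuration.
# "AllowedWebsites" and the hostnames below are placeholders.

# 1. Address list. RouterOS accepts a DNS name as the address; the router
#    itself resolves it and keeps dynamic entries (flag D) holding the
#    resolved IPs, refreshed according to the record's TTL.
/ip firewall address-list
add list=AllowedWebsites address=www.example.com comment="placeholder host"
add list=AllowedWebsites address=www.example.org comment="placeholder host"

# 2. Filter rules, in evaluation order: the first rule that matches in a
#    chain wins, so the accept rule must be listed before the drop rule.
/ip firewall filter
add chain=forward protocol=tcp dst-port=80,443 \
    dst-address-list=AllowedWebsites action=accept \
    comment="allow web traffic to listed hosts"
add chain=forward protocol=tcp dst-port=80,443 action=drop \
    comment="drop all other web traffic"

# 3. Checks.
# Which IPs did the router resolve for the list? (D entries are dynamic)
/ip firewall address-list print where list=AllowedWebsites
# Is the accept rule above the drop rule, and which one is counting?
/ip firewall filter print stats where chain=forward
# If the accept rule ended up below the drop rule, move it above it:
#   /ip firewall filter move [find comment="allow web traffic to listed hosts"] \
#       [find comment="drop all other web traffic"]
```

Two things worth checking when the drop counter keeps climbing even with the order right. First, rules in chain=forward only see traffic that transits the router; if the clients are configured to send requests to the router's own web proxy, that traffic is destined to the router and is processed in chain=input, not forward. Second, a DNS-name entry is resolved by the router, not by the client: if the client's resolver returns a different address than the router's (typical for CDN-hosted sites), the client's connection does not match the address list and falls through to the drop rule, which is exactly what the counters would show.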
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Blocked/Allowed Websites by Firewall Filter Rules

Wed Jun 08, 2022 4:17 pm

All you do is useless; nowadays (nearly) all sites use HTTPS, and an HTTP (not HTTPS) web proxy can't do anything.
 
Kindis
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: Blocked/Allowed Websites by Firewall Filter Rules

Thu Jun 09, 2022 12:01 am

> All you do is useless; nowadays (nearly) all sites use HTTPS, and an HTTP (not HTTPS) web proxy can't do anything.

True for MT perhaps, but not universal. If you break TLS, inspection can be done. We do this with Squid, which works great.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Blocked/Allowed Websites by Firewall Filter Rules

Thu Jun 09, 2022 12:03 am

Let's wait for TLS 1.3 and then let's see...
 
M1keBT
just joined
Topic Author
Posts: 10
Joined: Mon May 09, 2022 11:20 am

Re: Blocked/Allowed Websites by Firewall Filter Rules

Thu Jun 09, 2022 1:41 am

That's why I blocked port 443, as you can see in my original post.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Blocked/Allowed Websites by Firewall Filter Rules

Thu Jun 09, 2022 1:47 am

Ignoring the order of the rules (e.g. allow must be put before deny):
if the site is served by a CDN, where the IP can vary with each individual DNS request,
you end up in the situation where some websites work even if they are not allowed, and others don't work even if they are allowed...
For example, if you allow WhatsApp, you probably also allow Facebook, and vice versa, because the IPs are mostly shared between CDNs...
Also, allowing Gmail probably allows anything about Google and YouTube.
 
M1keBT
just joined
Topic Author
Posts: 10
Joined: Mon May 09, 2022 11:20 am

Re: Blocked/Allowed Websites by Firewall Filter Rules

Thu Jun 09, 2022 1:52 am

Yes, I already put the allow rule first, then the deny rule below it.
What is the ideal way to use MK as an HTTPS proxy? I have been asked to use it instead of a software-based one.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Blocked/Allowed Websites by Firewall Filter Rules  [SOLVED]

Thu Jun 09, 2022 1:55 am

As long as you don't "hack" the devices with your certificate, you can't make an HTTPS proxy,
and in any case you can't do it with MikroTik, at least until you can install something in the future containers in v7...
You need another device with, for example, the software suggested by @Kindis.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Blocked/Allowed Websites by Firewall Filter Rules

Thu Jun 09, 2022 1:59 am

Ah, another consideration...
Using a VPN, any smartphone, tablet or computer can easily bypass any port 80 or 443 block...
