Can any friend tell me how we can block a website by IP address? Some clients we don't allow to access youtube or facebook.
How to deny/allow a website by IP address in the RB750 router?
You could block by IP, but many sites like youtube have a slew of IPs.
Use the "Content" option in the firewall to filter based on a keyword: "Facebook.com" or "Youtube.com".
You could simply drop the traffic, but the TCP Reset option will immediately dump the client to an error screen, and not just leave the browser retrying the connection over and over.

/ip firewall filter
add chain=forward action=reject reject-with=tcp-reset protocol=tcp content="Host: www.facebook.com"
Hi, as per your comment we can block all in the network. As I need, I want to block by IP address. Some users I don't allow to access the website.

I'm confused. Did you solve the problem?
It sounds like piseth168 wants to filter by originating user as well as destination.
So the answer is half the solution needed, and just needs a src-address or src-address-list which covers the machines that you're interested in limiting.
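An added example (not from the thread) of what this reply suggests: the first answer's content-match rule restricted to listed clients with an address list. The list name and the client addresses are assumptions.

```routeros
# Added example, not from the thread. Addresses are constructed placeholders.
/ip firewall address-list
add list=restricted-clients address=192.168.88.10 comment="constructed example"
add list=restricted-clients address=192.168.88.11 comment="constructed example"

# The "Host:" header is only readable in plain HTTP (port 80). An HTTPS request
# to the same site is encrypted and passes these rules untouched.
/ip firewall filter
add chain=forward src-address-list=restricted-clients protocol=tcp dst-port=80 \
    content="Host: www.facebook.com" action=reject reject-with=tcp-reset \
    comment="reset HTTP to facebook for restricted clients"
add chain=forward src-address-list=restricted-clients protocol=tcp dst-port=80 \
    content="Host: www.youtube.com" action=reject reject-with=tcp-reset \
    comment="reset HTTP to youtube for restricted clients"

# "Host: www.facebook.com" does not match "Host: facebook.com" or "Host: m.facebook.com".
# A bare keyword such as content="facebook.com" catches those too, but also matches
# any request whose headers merely mention the name (Referer, embedded links).

# The Host header travels inside an already established TCP connection, so these
# rules must sit above any connection-state=established,related accept rule or
# fasttrack rule in the forward chain; otherwise that rule accepts the packet
# first and the content match is never evaluated. Check the order with:
/ip firewall filter print
```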
# enable the built-in web proxy and deny the site in its access list
/ip proxy set enabled=yes
/ip proxy access add dst-host=facebook.com action=deny
/ip proxy access add dst-host=*.facebook.com action=deny
# transparently redirect HTTP from the listed clients to the proxy (default port 8080)
/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 src-address-list=webclients action=redirect to-ports=8080 comment=Transparent_web_proxy
# the clients to restrict
/ip firewall address-list add list=webclients address=first_client_ip_address
/ip firewall address-list add list=webclients address=2nd_client_ip_address
/ip firewall address-list add list=webclients address=3rd_client_ip_address
This solution just gives you a false sense of security. It's too easy to circumvent by going to https://facebook.com (because https is encrypted so you can't read the host headers and it won't get caught).
There's always some way around any solution... The most surefire way, then, would be to only allow HTTP traffic through a proxy that you control.
The best way to do this with MikroTik is to block based on content to port 53 UDP (DNS); this way it can't even look it up. You should also transparently reroute all DNS traffic to the MikroTik, so users can't use their own DNS settings and get around it.
Of course, they could edit their hosts file and still get to facebook. This is one bad limitation of MikroTik that cisco can easily do. MikroTik can't firewall based on URL, but cisco can. That would be great if it could!!!!
Otherwise, it's impossible to block websites because of the https issue.
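An added example (not from the thread) of the DNS approach this post describes: redirect the restricted clients' DNS to the router and drop lookups for the name, with the wire-format caveat that makes the content match different from the HTTP case. The list name, client address and WAN interface name are assumptions.

```routeros
# Added example, not from the thread. Addresses and interface are constructed.
/ip firewall address-list
add list=restricted-clients address=192.168.88.10 comment="constructed example"

# Make the router answer DNS for the LAN, and redirect any resolver the
# restricted clients try to use (UDP and TCP 53) back to the router itself,
# so changing the DNS server setting on the PC does not bypass the filter.
/ip dns set allow-remote-requests=yes
/ip firewall nat
add chain=dstnat src-address-list=restricted-clients protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="force restricted clients to router DNS"
add chain=dstnat src-address-list=restricted-clients protocol=tcp dst-port=53 \
    action=redirect to-ports=53

# Drop the redirected queries that ask for the name. After the redirect they
# arrive in the input chain, not forward. DNS encodes each label with a length
# byte ("\x08facebook\x03com"), so the substring "facebook.com" never appears
# in the query; match on the label "facebook" instead. This also matches any
# other name containing that label, which is the over-blocking a later reply
# in this thread describes.
/ip firewall filter
add chain=input src-address-list=restricted-clients protocol=udp dst-port=53 \
    content="facebook" action=drop comment="drop DNS lookups for facebook"
add chain=input src-address-list=restricted-clients protocol=tcp dst-port=53 \
    content="facebook" action=drop

# Keep the router's resolver closed to the WAN side (assumes WAN is ether1).
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop

# As the post notes, a hosts-file entry on the client still bypasses this,
# and HTTPS to an IP the client already knows is not affected.
```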
Try with Layer 7 protocol:
^.+(facebook.com).*$
It works for both http/https.

That is a HORRIBLE thing to do. You will end up blocking LOTS of other websites! (I just tried it, and several websites that have a facebook button on them would not load, or would halfway load.) Any website that has facebook code built in ("like us on facebook", etc.). Those pages will load until they get to the facebook code, then they will hang while waiting for facebook to build the "like" link.
Actually this way worked for me.... HTTPS traffic delivers an unreachable error while my squid handles the HTTP part with a nice connection failed message.
Guys, any news on the topic? Maybe there's already a Feature Request for the firewall-based URL content filtering?