i want to block the facebook in my internal network

onlysuraj · Wed Aug 31, 2011 8:51 am

hi friends
some customer compained me that they want to block the facebook and orkut like social site
from our end.
these customer are connected to the access point (2.4)and all are using static internal ip
that are provided by us .
now i am not able to do that bcos if configure the firewall on radio(access point 2.4)then all client that are connected to that ap are not able to use facebook and other social sites .

kindy tell me what should to by giving me an example?????????????

i am also submittng the diagram of my network
with regard
from suraj

EHCorp · Wed Aug 31, 2011 9:40 am

If customers are assigned static IPs then it is so easy for you to add dropping rules through MT firewall, first of all your schema is a bit unclear but what I understood is that you need to block facebook for some clients knowing that these clients are assigned Static IPs, therefore collect the IPs you want to block and them to MT Firewall under Address List + add a filter Rule dropping facebook for instance to these specific clients, hope I was clear

and if any further help needed please post back.

laithmikrotik · Wed Aug 31, 2011 2:51 pm

If customers are assigned static IPs then it is so easy for you to add dropping rules through MT firewall, first of all your schema is a bit unclear but what I understood is that you need to block facebook for some clients knowing that these clients are assigned Static IPs, therefore collect the IPs you want to block and them to MT Firewall under Address List + add a filter Rule dropping facebook for instance to these specific clients, hope I was clear and if any further help needed please post back.

hellow
do you mean that some ip addresses should determined then block the facebook just for the determined ips

onlysuraj · Wed Aug 31, 2011 3:23 pm

If customers are assigned static IPs then it is so easy for you to add dropping rules through MT firewall, first of all your schema is a bit unclear but what I understood is that you need to block facebook for some clients knowing that these clients are assigned Static IPs, therefore collect the IPs you want to block and them to MT Firewall under Address List + add a filter Rule dropping facebook for instance to these specific clients, hope I was clear and if any further help needed please post back.

onlysuraj · Wed Aug 31, 2011 3:30 pm

If customers are assigned static IPs then it is so easy for you to add dropping rules through MT firewall, first of all your schema is a bit unclear but what I understood is that you need to block facebook for some clients knowing that these clients are assigned Static IPs, therefore collect the IPs you want to block and them to MT Firewall under Address List + add a filter Rule dropping facebook for instance to these specific clients, hope I was clear and if any further help needed please post back.

thanks for your fast reply
but bad luck for me i tried too much but not succeed after all.

tell me any example that states how to restrict using from facebook for this ip 10.210.2.14/24

no nat
no hotspot
no pppoe server

simple rb 433 (access point )bridged accessspoint 2.4

and wds bridge for point to point ??????????

cbrown · Wed Aug 31, 2011 8:33 pm

Try something like this.

/ip firewall filter add action=drop chain=forward content=facebook disabled=no src-address=10.210.2.14

onlysuraj · Thu Sep 01, 2011 8:37 am

Try something like this.

/ip firewall filter add action=drop chain=forward content=facebook disabled=no src-address=10.210.2.14

thanks for fast reply
but it is not working any more
kindly post some specific codes

cbrown · Thu Sep 01, 2011 3:37 pm

Check the order of your rules. Put the rule I gave you at the top and see if that works. You could have another rule accepting the traffic before it is suppose to get dropped.

CCDKP · Thu Sep 01, 2011 4:36 pm

Due to the nature of SSL, using Content=facebook isn't always going to capture facebook traffic and has a fairly high false-positive rate (in theory you could be dropping packets for any webpage that uses facebook connect, or the "like this on facebook" button).

The only reliable method for blocking facebook with a mikrotik is to block at the DNS level.
Enable DNS server on the mikrotik, add invalid entries for facebook.com, the capture blacklisted users' DNS requests. This only works if aren't already providing a DNS server behind the mikrotik, and the mikrotik isn't providing DNS caching already.

/ip dns 
set servers=<public DNS server1>,<public DNS server2> allow-remote-requests=yes

/ip dns static
add address=127.0.0.1 disabled=no name=facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=www.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=glib1.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=glib2facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=mail.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=dns.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=ns0.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=ns1.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=ns2.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=ns3.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=ns4.facebook.com ttl=5m
add address=127.0.0.1 disabled=no name=ns5.facebook.com ttl=5m

/ip firewall nat
add action=redirect chain=dstnat comment="Capture DNS" disabled=no dst-port=53 protocol=udp src-address-list=DNSBlacklist to-ports=53
add action=redirect chain=dstnat comment="Capture DNS" disabled=no dst-port=53 protocol=tcp src-address-list=DNSBlacklist to-ports=53

/ip firewall address-list
add address=<Client Static IP to be blocked> list=DNSBlacklist comment="Added to DNS block list on request of <Customer name>"

--CC_DKP

onlysuraj · Fri Sep 02, 2011 10:47 am

Check the order of your rules. Put the rule I gave you at the top and see if that works. You could have another rule accepting the traffic before it is suppose to get dropped.

how fool i am

thanks man it's wirking
now the 10.210.2.14 can not access the facebook.early moring customer told me that they were not able to acces the facebook any more.
thanks

now i am finding more solutions.
hope you will help me

MCT · Fri Sep 02, 2011 6:19 pm

Ever consider a different approach such as blocking any outgoing DNS request that contains facebook?

mhosts · Fri Sep 02, 2011 11:10 pm

Why don't you just drop all traffic to their network?

http://bgp.he.net/AS32934#_prefixes

Create an address list with all of those prefixes and drop the traffic in a firewall rule.

cbrown · Sun Sep 04, 2011 2:44 am

Ever consider a different approach such as blocking any outgoing DNS request that contains facebook?

Yep and you could also setup web-proxy. There are many different ways to achieve this.

Chupaka · Sun Sep 04, 2011 4:43 pm

you could also setup web-proxy

you can transparently inspect DNS requests. you can NOT transparently inspect https traffic - it's encrypted

p.s. https://kproxy.com

albotik · Fri Sep 23, 2011 10:03 am

Hi all,
After i blocked traffic for facebook, a need to know how to redirect the request for facebook to another webpage, like myhomepage.com?
Can anybody help me in this issue?

Chupaka · Fri Sep 23, 2011 10:50 am

so, how did you do blocking?

albotik · Sat Sep 24, 2011 2:48 pm

I've blocked facebook in this way:
[nnnn@xxxxx] /ip firewall layer7-protocol> pr det
0 name="facebook" regexp="facebook"
[nnnn@xxxxx] /ip firewall filter> pr
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; drop facebook
chain=forward action=drop src-address=0.0.0.0/0 layer7-p

i used layer7 protocol as with simple filter content it will affect many other websites who has facebook content

Chupaka · Sat Sep 24, 2011 4:27 pm

you can redirect only when using some proxy. L7 matches already established connection, you cannot redirect in the middle of connection

albotik · Sat Sep 24, 2011 8:33 pm

OK, I will try do it with proxy even i don't have experience of using proxy, any help here is welcomed

by the way many thnx Chupaka.

dexlaine · Thu Dec 01, 2011 6:08 am

Hello,

I tried to block facebook and youtube and its working fine..

Is there a way... to unblock certain IP only lets say computer of my boss... hehe.. cause now he is included in the block

suggestion is highly appreciated

Thanks

Dex

dexlaine · Thu Dec 01, 2011 6:12 am

This is the way I do my FACEBOOK and YOUTUBE block

/ip firewall filter
add action=drop chain=forward comment="Drop facebook" content=facebook.com disabled=no out-interface=LAN11
add action=drop chain=forward comment="Drop facebook" content=www.facebook.com disabled=no out-interface=LAN11
add action=drop chain=forward comment="Drop facebook" content=apps.facebook.com disabled=no out-interface=LAN11
add action=drop chain=forward comment="Drop facebook" content=facebook disabled=no out-interface=LAN11
add action=drop chain=forward comment="Drop facebook" content=facebook.* disabled=no out-interface=LAN11
add action=drop chain=forward comment="Drop youtube" content=youtube.com disabled=no out-interface=LAN11
add action=drop chain=forward comment="Drop youtube" content=www.youtube.com disabled=no out-interface=LAN11
add action=drop chain=forward comment="Drop youtube" content=apps.youtube.com disabled=no out-interface=LAN11
add action=drop chain=forward comment="Drop youtube" content=youtube disabled=no out-interface=LAN11
add action=drop chain=forward comment="Drop youtube" content=youtube.* disabled=no out-interface=LAN11
/

studyete · Fri Nov 16, 2012 9:37 am

Halo all,

I found many post regarding facebook block here in this forum. So i don't want to open a new blog. So i'm sharing the problem with blocking here hoping somebody will share the solution.

I'm blocking facebook from firewall filter rule. I've created adress list of my local network like this. 192.168.1.0/24 and named list as facebook. Then from ip-->firewall-->filter-->forward chain-->content facebook.com-->dst-addlist-->facebook-->action reject.

tis way i can block facebook and I've created another rule above it which allowed a single ip to access facebook. The problem occur when https comes. The above rule can't stop https facebook.

I've tried blocking facebook with facebook ip but my sys admin told me facebook might change their ip and they do all the time, so it is not efficient way to block facebook though i succeed blocking facebook booth http and https.

so can any one share a solution so i can block a site without above rule both for https and http?

Chupaka · Fri Nov 16, 2012 1:04 pm

http://bgp.he.net/AS32934#_prefixes

studyete · Sat Nov 17, 2012 8:34 am

can you explain what can i do with the link?

http://bgp.he.net/AS32934#_prefixes

Chupaka · Mon Nov 19, 2012 9:43 am

block all Faceboox prefixes - they should not change frequently

grizly · Wed Dec 12, 2012 6:07 am

can you explain what can i do with the link?

My implementation:

/ip firewall address-list
add address=31.13.24.0/21 comment=\
    "Facebook IP Subnets from: http://bgp.he.net/AS32934#_prefixes" disabled=\
    no list=Facebook
add address=31.13.64.0/24 disabled=no list=Facebook
add address=31.13.64.0/19 disabled=no list=Facebook
add address=31.13.65.0/24 disabled=no list=Facebook
add address=31.13.66.0/24 disabled=no list=Facebook
add address=31.13.69.0/24 disabled=no list=Facebook
add address=31.13.70.0/24 disabled=no list=Facebook
add address=31.13.71.0/24 disabled=no list=Facebook
add address=31.13.72.0/24 disabled=no list=Facebook
add address=31.13.73.0/24 disabled=no list=Facebook
add address=31.13.74.0/24 disabled=no list=Facebook
add address=31.13.77.0/24 disabled=no list=Facebook
add address=31.13.75.0/24 disabled=no list=Facebook
add address=31.13.76.0/24 disabled=no list=Facebook
add address=31.13.78.0/24 disabled=no list=Facebook
add address=31.13.79.0/24 disabled=no list=Facebook
add address=31.13.80.0/24 disabled=no list=Facebook
add address=31.13.81.0/24 disabled=no list=Facebook
add address=31.13.82.0/24 disabled=no list=Facebook
add address=31.13.96.0/19 disabled=no list=Facebook
add address=66.220.144.0/21 disabled=no list=Facebook
add address=69.63.176.0/21 disabled=no list=Facebook
add address=69.63.176.0/24 disabled=no list=Facebook
add address=69.63.184.0/21 disabled=no list=Facebook
add address=69.171.224.0/20 disabled=no list=Facebook
add address=69.171.239.0/24 disabled=no list=Facebook
add address=69.171.240.0/20 disabled=no list=Facebook
add address=69.171.255.0/24 disabled=no list=Facebook
add address=74.119.76.0/22 disabled=no list=Facebook
add address=103.4.96.0/22 disabled=no list=Facebook
add address=103.4.96.0/22 disabled=no list=Facebook
add address=173.252.64.0/19 disabled=no list=Facebook
add address=173.252.70.0/24 disabled=no list=Facebook
add address=173.252.96.0/19 disabled=no list=Facebook
add address=204.15.20.0/22 disabled=no list=Facebook
/ip firewall filter
add chain=forward action=log dst-address-list=Facebook log-prefix="Faceboke Traffic" disabled=no
add chain=forward action=drop dst-address-list=Facebook disabled=no
add chain=forward action=drop src-address-list=Facebook disabled=no

It works.. wish there was an easier way to import them, but building a list with find&replace wasn't that hard.
FYI: boke means puke in Doric..

Xanadu · Thu Jan 03, 2013 6:23 am

Hi Guys, I'm pretty new using Mikrotik.
But thanks to the manual and some forums I've learned a bit, I'm now tangled with the issue of blocking facebook.

I have block facebook by web proxy , but as you know well I can prevent users from entering https://ww.facebook.com.
So as you explain here I decided to apply this rule:

 > ip firewall filter add action = drop chain = forward comment = "Block Facebook" dst-address = 66
.220.144.0/20
> Ip firewall filter add action = drop chain = forward comment = "Block Facebook" dst-address = 69
.63.176.0/20
> Ip firewall filter add action = drop chain = forward comment = "Block Facebook" dst-address = 20
4.15.20.0/22
> ip firewall filter add action = drop chain = forward comment = "Block Facebook" dst-address = 69.171.224.0/19

This prevents all users from accessing network https://ww.facebook.com, now the problem is that some users need to access that page, for this I used:

 > add action = accept chain = forward src-address = 192.168.1.62 dst-address = 66.220.1.0/20
> add action = accept chain = forward src-address = 192.168.1.62 dst-address = 69
.63.176.0/20
> add action = accept chain = forward src-address = 192.168.1.62 dst-address = 20
4.15.20.0/22
> add action = accept chain = forward src-address = 192.168.1.62 dst-address = 69.171.224.0/19

This is only a test, I know that to include all users with permission to access https://ww.facebook.com.I have to make an
addres-list to avoid entering the ip address of each user.
Anyway still fails! Privileged users can not access https://ww.facebook.com

I hope someone help me with the problem and thank you very much!

cbrown · Thu Jan 03, 2013 1:40 pm

Make sure your accept rules are before your drop rules.

Xanadu · Thu Jan 03, 2013 3:34 pm

Make sure your accept rules are before your drop rules.

Thanks, works perfectly

Xanadu · Thu Jan 03, 2013 5:24 pm

I tried to do exactly the same with https://twitter.com/, but didn't work

And never is going to work 'cause their ip addresses are subject to sudden change without notice, so I tried block by content and is not working neither.

Anyone have a suggestions? Please

Chupaka · Sun Jan 06, 2013 12:36 am

to do exactly what? we're not telepathists

http://bgp.he.net/AS13414#_prefixes

by the way, you'd better use Address Lists for such things - it's managed much easier

Xanadu · Mon Jan 07, 2013 4:52 pm

If you see my previous posts in this topic, I talk about blocking Facebook by IP range and right now it's working perfectly. Then I tried to do the same with twitter, I even used same link that you posted for the IP range but isn't working. Also I tried to block twitter by content and isn't working either.

Chupaka · Mon Jan 07, 2013 5:07 pm

I tried to block twitter by content and isn't working either.

it won't work: as far as I can see, twitter uses encrypted connections. but blocking by IP ranges sould work, recheck your config

Xanadu · Tue Jan 08, 2013 8:51 pm

I actually ended up deleting my twitter rule and did it again. Right now is working perfectly.
But now I can't access facebook my web browser says server not found, until yesterday my Facebook rule was working perfectly,
allowing access to privilege users and denying regular users. I think is something about DNS

Chupaka · Wed Jan 09, 2013 1:24 am

use traceroute from the PC to know for sure

cbrown · Wed Jan 09, 2013 3:52 am

And also double check the order of your rules again, just incase

Xanadu · Wed Jan 09, 2013 10:55 pm

Actually I can tracert without problem and my rules are in order :s I don't know what is going on

cbrown · Wed Jan 09, 2013 11:29 pm

Post /export compact so we can take a look.

binyo66 · Fri Feb 15, 2013 1:07 pm

Try something like this.

/ip firewall filter add action=drop chain=forward content=facebook disabled=no src-address=10.210.2.14

Its kind of working to me. But how can I extend to multiple-ip (such as group in profile) so that the specific profile can not access facebook? (I did try, to set inside the hotspot user profile, address list like block_facebook), and then assign it in the ip firewall filter, advanced, source list), and it didn't work

letabawireless · Thu May 23, 2013 10:51 am

Hi there

I have found a way:

chain=prerouting action=add-dst-to-address-list src-address=192.168.x.0/24 dst-address-list=!LAN address-list=FACEBOOK
address-list-timeout=0s content=facebook

Then you do :

chain=forward action=drop dst-address-list=FACEBOOK

You will see I said in dst addr list !LAN. Here I specify my internal range, otherwise if you have local DNS server, access will be blocked to it as well.

What I also did, is write a script to clear the address list everyday, so if there was any incorrect entry, it will be cleared.

Hope this helps.

cbrown · Fri May 24, 2013 2:34 pm

How is that any different than just simply dropping anything with content=facebook? You are still going to get many false positives.

cusco · Fri Jun 07, 2013 10:50 pm

I created address list using the same method

on linux:
whois -h whois.radb.net -- '-i origin AS32934'|grep ^route:|while read a b; do echo "/ip firewall address-list add address=$b list=facebook"; done

theaubolgs · Mon Jul 01, 2013 9:58 pm

for all
really i tried too much hard to block facebook by all ways u offered me and doesnt work
what do u think me to do

theaubolgs · Mon Jul 01, 2013 10:09 pm

please help me \
i tried all these previous ways no working with me what to do now?