Ganuza
just joined
Topic Author
Posts: 15
Joined: Sun Jun 10, 2018 9:01 am

Trying to block sites. Mild success.

Sun Jun 10, 2018 9:28 am

ONE SOLUTION ON THE LAST COMMENT

Hi, I've been reading about different ways to block sites and implementing them (just one of them worked for me).
I use two sites for the tests:

speedtest.net --> http
facebook.com -->https

This morning I had success using this:
ip firewall layer7-protocol add name=Speedtest regexp="^.+(speedtest).*\$" comment=TO-BLOCK-SPEEDTEST

ip firewall filter add chain=forward src-address=192.168.88.0/24 layer7-protocol=Speedtest action=drop comment=BLOCK-SPEEDTEST
The setup was:
Internet (ADSL) ---> Modem/Router Linksys X1000 ---> MikroTik RB952Ui-5AC2nd (6.41.x)
And it worked! I couldn't open speedtest nor facebook! (I didn't use TLS-Host.)

After that, I changed the config on the routers. The X1000 wasn't in bridge mode, so I put it in bridge mode, put my PPPoE user and password on the MikroTik and updated RouterOS from 6.41.x to 6.42.3.
Now I can't block even speedtest, and it's HTTP.
I tried using this ^.+(speedtest).*$ and this ^.+(speedtest.net).*$.


I'm out of ideas. I'm just starting with MikroTik, so there is probably something that I have to touch to finally activate the blocking. I mean, it was working this morning (and the code was copied from the terminal to WhatsApp Web).


On the terminal, I have to use this "\" here regexp="^.+(speedtest).*\$" for the code to be applied, right? Because I was manually putting ^.+(speedtest).*$ (or .net, can't remember, but it was the one that worked) on the layer7 protocol because it ended up blank.
Last edited by Ganuza on Thu Jun 21, 2018 10:49 pm, edited 1 time in total.
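As an added example (not the poster's configuration), here is how the layer7 approach from the post above is written on the RouterOS terminal so that the regex survives the CLI's quoting, is applied only to plain-HTTP traffic, and is evaluated before any accept rule in the forward chain. The LAN prefix 192.168.88.0/24 and the names Speedtest/BLOCK-SPEEDTEST come from the post; the assumption that the forward chain has an earlier "accept established" rule is mine.

```routeros
# Added example, not the poster's own configuration.
# Inside double quotes the RouterOS CLI treats "$" as a variable prefix and
# "\" as an escape, so the regex end anchor is written \$ and a literal
# dot is written \\. (the stored regex is ^.+(speedtest\.net).*$).
/ip firewall layer7-protocol
add name=Speedtest regexp="^.+(speedtest\\.net).*\$" comment=TO-BLOCK-SPEEDTEST

# Layer7 inspects only the first packets (about 2 KB / 10 packets) of a
# connection and only where both directions cross the router, so keep the
# rule narrow (plain HTTP on tcp/80 from the LAN) and put it before any
# "accept established" rule in the forward chain; place-before=0 inserts
# it at the first position.
/ip firewall filter
add chain=forward src-address=192.168.88.0/24 protocol=tcp dst-port=80 layer7-protocol=Speedtest action=drop place-before=0 comment=BLOCK-SPEEDTEST

# Verify the rule is actually hit: the packet/byte counters must grow while
# a LAN host opens the site. Counters that stay at 0 mean an earlier rule
# accepted the flow, or the traffic is HTTPS and never matches tcp/80.
/ip firewall filter print stats where comment=BLOCK-SPEEDTEST
```

An HTTPS site cannot be caught this way: the hostname travels inside the TLS ClientHello, which the tls-host matcher on tcp/443 is designed for, not a layer7 regex on tcp/80.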
 
evince
Member
Posts: 355
Joined: Thu Jul 05, 2012 12:11 pm
Location: Harzé - Belgique

Re: Trying to block sites. Mild success.

Mon Jun 11, 2018 12:14 am

Hello, don't use layer 7, use this instead:

/ip firewall filter
add chain=forward dst-port=443 protocol=tcp tls-host=*.facebook.com action=reject
add chain=forward dst-port=443 protocol=tcp tls-host=*.speedtest.net action=reject comment="tls-host reads the TLS SNI, so it only matches HTTPS on 443"
 
quintinza
just joined
Posts: 8
Joined: Sat Jun 17, 2017 2:31 pm

Re: Trying to block sites. Mild success.

Mon Jun 11, 2018 9:29 am

May I suggest an alternative that has worked for me?

Problem with most online services these days is that they make use of a large amount of IP addresses and CDN nodes that turn the strategy of firewall blocking them into a quagmire of multiple lists of IPs that may change in the future.

Additionally on smaller mikrotik devices I have found that heavy firewall rules etc really put a strain on them and eventually they cannot keep up.

For instance; take a look at the difficulty of firewall blocking facebook.com. Facebook has a massive list of IP addresses.

What I do is DNS based blocking, and that involves a few methods, some on-router, and some offloading the DNS workload to another service.

We use umbrella at our clients with great success, but there is OpenDNS which is a free service for home or private users. If you use OpenDNS or Umbrella you can add your own custom block lists to your login and then block services without needing to keep track of their IPs and network changes.

In broad terms what I do:
  • Sign up for OpenDNS
  • Set up the OpenDNS dynamic IP script (if you have a dynamic IP) on your mikrotik via system/scheduler
  • Set the Mikrotik Default DNS server to the OpenDNS DNS servers on ip/dns
  • On your DHCP networks set the DNS servers to your Mikrotik
  • Two firewall rules to forward all TCP and UDP port 53 requests to your mikrotik DNS <= (This part I do because Android and iOS devices use their own DNS regardless of what you specify in your DHCP settings, Android keeps using 8.8.8.8 and 8.8.4.4, but if you force the port 53 requests to your mikrotik via Firewall you can make sure rules apply to them as well.)

Those are the broad strokes, but for us they have resulted in easier management, and less load on our Mikrotik devices, especially where we inherit clients who may still have an old RB 750UP (I just swapped out one of my newer ones for one that is on my desk here) or other smaller MT routers that won't be able to keep up with having to manage tons of work done with a firewall.

Hope this helps, if you need I can provide some more detailed info on the how later on.
 
Ganuza
just joined
Topic Author
Posts: 15
Joined: Sun Jun 10, 2018 9:01 am

Re: Trying to block sites. Mild success.

Mon Jun 11, 2018 1:55 pm

Hello, don't use layer 7, use this instead:

/ip firewall filter
add chain=forward dst-port=443 protocol=tcp tls-host=*.facebook.com action=reject
add chain=forward dst-port=443 protocol=tcp tls-host=*.speedtest.net action=reject comment="tls-host reads the TLS SNI, so it only matches HTTPS on 443"
Hello. One question. Do I have to do something for the filter to take effect? Because I copied it and I can still enter to both sites.
Thanks for the reply!
 
Ganuza
just joined
Topic Author
Posts: 15
Joined: Sun Jun 10, 2018 9:01 am

Re: Trying to block sites. Mild success.

Mon Jun 11, 2018 1:56 pm

May I suggest an alternative that has worked for me?

...

In broad terms what I do:
  • Sign up for OpenDNS
  • Set up the OpenDNS dynamic IP script (if you have a dynamic IP) on your mikrotik via system/scheduler
  • Set the Mikrotik Default DNS server to the OpenDNS DNS servers on ip/dns
  • On your DHCP networks set the DNS servers to your Mikrotik
  • Two firewall rules to forward all TCP and UDP port 53 requests to your mikrotik DNS <= (This part I do because Android and iOS devices use their own DNS regardless of what you specify in your DHCP settings, Android keeps using 8.8.8.8 and 8.8.4.4, but if you force the port 53 requests to your mikrotik via Firewall you can make sure rules apply to them as well.)

Those are the broad strokes, but for us they have resulted in easier management, and less load on our Mikrotik devices, especially where we inherit clients who may still have an old RB 750UP (I just swapped out one of my newer ones for one that is on my desk here) or other smaller MT routers that won't be able to keep up with having to manage tons of work done with a firewall.

Hope this helps, if you need I can provide some more detailed info on the how later on.
Hi quin. I am gonna try it and see if I can make it work. Thanks for the guide!
 
quintinza
just joined
Posts: 8
Joined: Sat Jun 17, 2017 2:31 pm

Re: Trying to block sites. Mild success.

Mon Jun 11, 2018 2:46 pm

Absolute pleasure.

To help you along, I used the script from here for OpenDNS:

https://support.opendns.com/hc/en-us/ar ... ate-Script

and below are some firewall rules I used:

/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=10.1.1.1 to-ports=53 protocol=udp src-address=10.1.1.0/24 dst-port=53
add chain=dstnat action=dst-nat to-addresses=10.1.1.1 to-ports=53 protocol=tcp src-address=10.1.1.0/24 dst-port=53

(I have various VLANS, one of which bypasses OpenDNS for testing, and thus I had to specify the vlans in the dstnat rule.)

/ip firewall filter
add chain=input action=accept protocol=tcp in-interface-list=!breakout dst-port=53
add chain=input action=accept protocol=udp in-interface-list=!breakout dst-port=53

("Breakout" is an interface list on my firewall that I put my WAN connections in on this particular router, so it was cleaner for me to have an interface list as opposed to adding a rule excluding each interface. Additionally, you may or may not need this rule; I found it works for me better than just setting the DNS to "accept" and gives me peace of mind when I have a PPP connection that would expose port 53 to the world, so an explicit rule is what I chose to use.)

NOTES: Your network name in opendns must not have a space in it, the script will not update if there is a space in the name. It may take a while for the network to show as "active" and when creating the network make sure to select it as "dynamic".
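The complete on-router side of the DNS-based approach described in the two posts above, as an added example rather than the poster's exact configuration. It assumes the same layout as the rules above (LAN 10.1.1.0/24, router at 10.1.1.1, WAN interfaces in an interface list named "breakout") and uses the public OpenDNS resolver addresses; the static sinkhole entries and the tcp/853 rule are my additions, added because a client that switches to DNS over TLS or DNS over HTTPS would otherwise walk straight past a port-53 redirect.

```routeros
# Added example, not the poster's own configuration.
# Upstream filtering resolver; allow-remote-requests lets LAN hosts use the
# router as their DNS server (and would expose it on the WAN without the
# input rules further down).
/ip dns
set servers=208.67.222.222,208.67.220.220 allow-remote-requests=yes

# Names answered locally, on top of whatever the upstream filter blocks.
# A static entry wins over the upstream answer; the regexp form also
# catches subdomains (double backslash = literal dot in CLI quoting).
/ip dns static
add name=facebook.com address=127.0.0.1 comment=BLOCK
add regexp=".*\\.facebook\\.com" address=127.0.0.1 comment=BLOCK
/ip dns cache flush

# Clients that ignore the DHCP-supplied resolver (hard-coded 8.8.8.8 and
# the like) get their port-53 traffic handed to the router's own resolver.
# dst-address=!10.1.1.1 leaves queries already aimed at the router alone.
/ip firewall nat
add chain=dstnat src-address=10.1.1.0/24 dst-address=!10.1.1.1 protocol=udp dst-port=53 action=redirect to-ports=53 comment=FORCE-LAN-DNS
add chain=dstnat src-address=10.1.1.0/24 dst-address=!10.1.1.1 protocol=tcp dst-port=53 action=redirect to-ports=53 comment=FORCE-LAN-DNS

# Accept DNS only from non-WAN interfaces and drop it on the WAN, so the
# router never becomes an open resolver.
/ip firewall filter
add chain=input in-interface-list=!breakout protocol=udp dst-port=53 action=accept comment=LAN-DNS
add chain=input in-interface-list=!breakout protocol=tcp dst-port=53 action=accept comment=LAN-DNS
add chain=input in-interface-list=breakout protocol=udp dst-port=53 action=drop comment=NO-WAN-DNS
add chain=input in-interface-list=breakout protocol=tcp dst-port=53 action=drop comment=NO-WAN-DNS

# DNS over TLS (tcp/853) bypasses everything above, so refuse it from the
# LAN. DNS over HTTPS rides on tcp/443 and cannot be singled out by port;
# it has to be disabled on the clients (or their browsers) themselves.
add chain=forward src-address=10.1.1.0/24 protocol=tcp dst-port=853 action=reject reject-with=tcp-reset comment=NO-DOT

# Quick check from the router: a blocked name must resolve to the sinkhole.
/resolve facebook.com
```

Both the redirect rules and the static entries only bite for clients whose DNS actually passes through the router, which is exactly why the port-53 redirect is there; a host with its own encrypted resolver is outside this model.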
 
Pea
Member Candidate
Posts: 234
Joined: Fri Jul 17, 2015 11:07 pm
Location: Czech

Re: Trying to block sites. Mild success.

Mon Jun 11, 2018 10:26 pm

Hello, don't use layer 7, use this instead:

/ip firewall filter
add chain=forward dst-port=443 protocol=tcp tls-host=*.facebook.com action=reject
add chain=forward dst-port=443 protocol=tcp tls-host=*.speedtest.net action=reject comment="tls-host reads the TLS SNI, so it only matches HTTPS on 443"
Hello. One question. Do I have to do something for the filter to take effect? Because I copied it and I can still enter to both sites.
Thanks for the reply!
At which position in the firewall do you have these rules?
You should post your firewall rules here, because the traffic is probably accepted by a rule above and therefore never reaches those rules.
Move these tls-host rules higher in the forward chain...
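An added example (not from either poster) that puts the tls-host rules suggested earlier and the ordering point made just above into one working forward chain. It assumes the LAN prefix from the first post (192.168.88.0/24) and that the chain already contains a "fasttrack/accept established,related" rule, which is the default RouterOS configuration; the comment strings are mine.

```routeros
# Added example, not from the thread.
# tls-host reads the server name (SNI) out of the TLS ClientHello, so it
# can only match the HTTPS connection on tcp/443 and never sees plain
# HTTP. The glob "*facebook.com" (no dot) covers facebook.com as well as
# every subdomain. reject-with=tcp-reset makes the browser fail at once
# instead of waiting for a timeout.
/ip firewall filter
add chain=forward src-address=192.168.88.0/24 protocol=tcp dst-port=443 tls-host=*facebook.com action=reject reject-with=tcp-reset place-before=0 comment=BLOCK-FACEBOOK-TLS

# A plain-HTTP site carries the name in the HTTP Host header instead; the
# content matcher sees that text in the request packet.
add chain=forward src-address=192.168.88.0/24 protocol=tcp dst-port=80 content="Host: www.speedtest.net" action=reject reject-with=tcp-reset place-before=0 comment=BLOCK-SPEEDTEST-HTTP

# Ordering is what decides whether any of this fires: both rules are
# inserted at position 0 so they sit above "accept established,related"
# and the fasttrack rule, which would otherwise accept the flow first.
/ip firewall filter print where chain=forward
/ip firewall filter print stats where comment~"^BLOCK-"
```

Two caveats a practitioner should keep in mind: the SNI matcher cannot see a hostname whose ClientHello is split across packets, and a client that reaches the site through a VPN or an IP address literal sends no matching name at all, so these rules are a convenience filter, not a security boundary.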
 
reinerotto
Long time Member
Posts: 524
Joined: Thu Dec 04, 2008 2:35 am

Re: Trying to block sites. Mild success.

Tue Jun 12, 2018 3:54 pm

OpenDNS which is a free service for home or private users.
FYI: For commercial use, OpenDNS asks for subscription payments. So, for a public WISP, I did a simple clone of OpenDNS, to save the $$.
In case of interest, lemme know.
 
Ganuza
just joined
Topic Author
Posts: 15
Joined: Sun Jun 10, 2018 9:01 am

Re: Trying to block sites. Mild success.

Thu Jun 21, 2018 10:33 pm

Hi, sorry for the long time with no response. I forgot about the thread.

I found something that worked on another thread:

/ip firewall layer7-protocol
add name=facebook regexp="^.+(facebook).*\$" comment="matches the name inside a DNS query"

/ip firewall mangle
add action=mark-connection chain=prerouting protocol=udp dst-port=53 connection-mark=no-mark layer7-protocol=facebook new-connection-mark=facebook_conn passthrough=yes comment="mark the DNS exchange that asks for facebook"
add action=mark-packet chain=prerouting connection-mark=facebook_conn new-packet-mark=facebook_packet comment="mark every packet of that exchange"

/ip firewall filter
add action=drop chain=forward packet-mark=facebook_packet comment="DNS going to an external resolver"
add action=drop chain=input packet-mark=facebook_packet comment="DNS going to the router itself"
I don't understand quite well why this works, but it does. And you can just change "facebook" to almost any site and it works (it doesn't work with telegram and web.whatsapp, but I didn't try a lot either).