
Firewall Filter Restriction

Posted: Thu Jan 26, 2017 12:08 pm
by ansari
Hi, I block Facebook on the firewall with the layer7 protocol "^.+(facebook.com).*$"; but the firewall blocks "facebook.com" on my personal domain page too, and I even can't send mail to abc.user@facebook.com from my webmail. Please help...

Re: Firewall Filter Restriction

Posted: Thu Jan 26, 2017 2:57 pm
by normis
Yes, this is why L7 rules are not meant for webpage blocking.

Re: Firewall Filter Restriction

Posted: Fri Jan 27, 2017 7:46 am
by ansari
Yes, this is why L7 rules are not meant for webpage blocking.
So... how can I block HTTPS?

Re: Firewall Filter Restriction

Posted: Fri Jan 27, 2017 12:03 pm
by janus20
Hi,

Would you be kind enough to elaborate on what you want to achieve?

kind regards,

Re: Firewall Filter Restriction

Posted: Fri Jan 27, 2017 3:05 pm
by normis
He wants to block HTTPS Facebook. I suggest blocking by DNS name.

Re: Firewall Filter Restriction

Posted: Sun Jan 29, 2017 12:42 am
by lbachero
Create a DNS name like:
/ip dns static add name=www.facebook.com address=127.0.0.1
Or to an IP with web server and block page.
It's a solution instead of layer 7, like normis said.

Sent from my XT1225 using Tapatalk

Re: Firewall Filter Restriction

Posted: Sun Jan 29, 2017 5:11 am
by nishadul
Create a DNS name like:
/ip dns static add name=www.facebook.com address=127.0.0.1
Or to an IP with web server and block page.
It's a solution instead of layer 7, like normis said.

OK, I created the DNS name, but how do I block facebook.com? Do I need a firewall rule? If so, how do I make the firewall rules? Please give details............

Re: Firewall Filter Restriction

Posted: Sun Jan 29, 2017 5:37 am
by rextended
The only way to block facebook.com is to block on BGP the prefixes of AS32934...

Re: Firewall Filter Restriction

Posted: Sun Jan 29, 2017 5:38 am
by rextended
The only way to block facebook.com is to block on BGP the prefixes of AS32934...
No you can't: a proxy like 2.3.4.5 in Brazil can be used for access!

Re: Firewall Filter Restriction

Posted: Sun Jan 29, 2017 5:40 am
by rextended
The only way to block facebook.com is to block on BGP the prefixes of AS32934...
No you can't: a proxy like 2.3.4.5 in Brazil can be used for access!
No, you cannot use a proxy for HTTPS pages! Facebook is nearly all HTTPS.

Re: Firewall Filter Restriction

Posted: Sun Jan 29, 2017 5:40 am
by rextended
Ok, I'm not mad, this is how this type of thread usually goes..... :lol: :lol: :lol:

Re: Firewall Filter Restriction

Posted: Sun Jan 29, 2017 5:43 am
by rextended
If you need to block Facebook "for dummies", block both facebook.com and http://www.facebook.com and the other variants.....

But the user can still change the DNS on the machine,
and some programs change the DNS arbitrarily.........
You must force, with NAT, the routerboard to be the DNS server,
but then you quickly come under a DNS DDoS or similar; you need to protect the routerboard DNS from the "WAN" or your connection goes out of service after 5 mins....

Re: Firewall Filter Restriction

Posted: Sun Jan 29, 2017 3:24 pm
by lbachero
Create a DNS name like:
/ip dns static add name=www.facebook.com address=127.0.0.1
Or to an IP with web server and block page.
It's a solution instead of layer 7, like normis said.

OK, I created the DNS name, but how do I block facebook.com? Do I need a firewall rule? If so, how do I make the firewall rules? Please give details............
/ip firewall nat add chain=dstnat protocol=udp dst-port=53 in-interface=$YOUR_LAN action=redirect to-ports=53
It will redirect all connections, but you can create a list for the users whose access won't be blocked. Like this:
/ip firewall nat add chain=dstnat protocol=udp dst-port=53 in-interface=$YOUR_LAN action=redirect to-ports=53 src-address-list=!no-block
And always remember:
Protect your routerboard from attacks in UDP/53 port on WAN!

Re: Firewall Filter Restriction

Posted: Sun Jan 29, 2017 5:43 pm
by rextended
To protect:
/interface list
add name=internet comment="List of WAN"

/interface list member
add interface=ether1 list=internet comment="WAN 1"
add interface=ether2 list=internet comment="WAN 2"

# Drop new DNS connections arriving on the WAN so the router is not an open resolver
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface-list=internet protocol=tcp connection-state=new comment="TCP DNS Protection"
add action=drop chain=input dst-port=53 in-interface-list=internet protocol=udp connection-state=new comment="UDP DNS Protection"

# internal_public_IP: address list you fill with the public IPs that are routed inside your LAN
add action=drop chain=forward dst-address-list=internal_public_IP dst-port=53 protocol=tcp in-interface-list=internet connection-state=new comment="Other Public IP protection used inside LAN"
add action=drop chain=forward dst-address-list=internal_public_IP dst-port=53 protocol=udp in-interface-list=internet connection-state=new

# Send every DNS query that is not already aimed at the router (and not from an exempt host) to the router
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=!192.168.88.1 src-address-list=!do_not_redirect_DNS dst-address-list=!do_not_block_this_DNS dst-port=53 protocol=tcp to-addresses=192.168.88.1 to-ports=53 comment="DNS Redirect"
add action=dst-nat chain=dstnat dst-address=!192.168.88.1 src-address-list=!do_not_redirect_DNS dst-address-list=!do_not_block_this_DNS dst-port=53 protocol=udp to-addresses=192.168.88.1 to-ports=53

/ip firewall address-list
add address=192.175.48.1 comment=prisoner.iana.org list=do_not_block_this_DNS
add address=192.175.48.6 comment=blackhole-1.iana.org list=do_not_block_this_DNS
add address=192.175.48.42 comment=blackhole-2.iana.org list=do_not_block_this_DNS

add address=192.168.88.1 comment=Router list=do_not_redirect_DNS
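As an added, consolidated example that is not from this thread: the DNS-based approach lbachero and rextended describe above (static entries, forced LAN DNS, WAN-side protection), written out with valid RouterOS syntax. It assumes ether1 is the WAN, ether3 the LAN, 192.168.88.1 the router's LAN address and a constructed block-page web server at 192.168.88.10; the interface and address-list names are my own.

```routeros
# Added example, not from the thread. Assumptions: ether1 = WAN, ether3 = LAN,
# router LAN address 192.168.88.1, constructed block-page web server 192.168.88.10.

# Interface lists keep the rules readable (list names are assumed).
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=ether3 list=LAN

# The router answers LAN queries itself and returns the block-page address for
# facebook.com and, via the regexp entry, for every subdomain of it.
/ip dns
set allow-remote-requests=yes
/ip dns static
add name=facebook.com address=192.168.88.10 comment="block facebook"
add regexp=".*\\.facebook\\.com" address=192.168.88.10 comment="block facebook subdomains"

# Hosts allowed to keep using their own DNS servers (constructed list).
/ip firewall address-list
add address=192.168.88.1 list=dns_no_redirect comment="router itself"

# Force every other LAN client's DNS (UDP and TCP) to the router, so changing
# the DNS server on the client does not bypass the static entries.
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 src-address-list=!dns_no_redirect action=redirect to-ports=53 comment="LAN DNS to router"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 src-address-list=!dns_no_redirect action=redirect to-ports=53

# allow-remote-requests=yes would also answer the WAN and make the router an
# open resolver: drop WAN-side DNS. These two rules must sit above any rule
# that accepts input from the WAN.
/ip firewall filter
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop comment="no DNS from WAN"
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop

# Check: both entries should be listed with address 192.168.88.10.
/ip dns static print
```

From a LAN client, a lookup that explicitly names an outside resolver (for example `nslookup www.facebook.com 8.8.8.8`) should still return 192.168.88.10, which confirms the redirect is in effect; plain-HTTP requests then reach the block page, while HTTPS requests fail with a certificate error, as sopro observes below.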

Re: Firewall Filter Restriction

Posted: Thu Apr 06, 2017 4:02 am
by sopro
Create a DNS name like:
/ip dns static add name=www.facebook.com address=127.0.0.1
Or to an IP with web server and block page.
It's a solution instead of layer 7, like normis said.

Hi, I did this, redirecting Facebook requests to my web server 192.168.0.3 (IIS).
With IE all is fine: when you write http://www.facebook.com it requests http://www.facebook.com and shows my warning web page hosted on my web server,
but in Chrome it redirects to https://www.facebook.com and there it shows an error (page cannot be displayed).
Same with http://www.youtube.com and https://www.youtube.com, for instance.

How can I make RouterOS always redirect to HTTP and not HTTPS, so that every time a client asks for facebook.com from any browser it shows my warning web page?

Re: Firewall Filter Restriction

Posted: Fri Apr 07, 2017 8:13 pm
by ik3umt
Using regexp instead?
/ip dns static add regexp=".*facebook\\.com" address=127.0.0.1