How to block all websites except special website

Posted: Sun Jul 23, 2017 11:49 am
by NorouziFar
Hi,

I have an RB750 router with update 6.39.2.
I have 1 LAN and 3 WAN links:
LAN = 192.168.10.0/24
WAN1 = 192.168.1.2, DNS = 192.168.1.1
WAN2 = 192.168.2.2, DNS = 192.168.2.1
WAN3 = 192.168.3.2, DNS = 192.168.3.1

Now I want to block all websites except:
188.209.176.6
188.209.176.7
188.209.176.6:462
188.209.176.9:7302
farzin.com
google.com
mikrotik.com

I have rules in mangle to divide clients into 3 groups, for example:
ip firewall mangle -> chain: prerouting --> src.address: 192.168.10.125 -> action: mark routing --> new routing mark: Group A

Route --> Gateway: 192.168.1.1 --> routing mark: Group A
How can I do it?
I have read a lot of topics but I was unsuccessful.

Re: How to block all websites except special website

Posted: Mon Jul 24, 2017 11:29 am
by steinbergs
You could use Web Proxy if it's not HTTPS.

Re: How to block all websites except special website

Posted: Tue Jul 25, 2017 3:49 pm
by aarango
If you block all except google they can't search anything because you are dropping all searches.
You could use Web Proxy if it's not HTTPS.
BTW, why can't you block it if it uses HTTPS?

Re: How to block all websites except special website

Posted: Wed Jul 26, 2017 7:55 am
by steinbergs
If you block all except google they can't search anything because you are dropping all searches.
You could use Web Proxy if it's not HTTPS.
BTW, why can't you block it if it uses HTTPS?
I meant: you can't use HTTPS on a transparent proxy.

Re: How to block all websites except special website

Posted: Wed Jul 26, 2017 10:07 am
by aarango
If you block all except google they can't search anything because you are dropping all searches.
You could use Web Proxy if it's not HTTPS.
BTW, why can't you block it if it uses HTTPS?
I meant: you can't use HTTPS on a transparent proxy.
Okay! :) Now yes. I have a question about that, maybe you can answer me correctly. If I want to use a transparent proxy (Squid for example), I will see all traffic on my net, right? No matter whether they use port 80 or 443 (HTTPS), or will I see only traffic using port 80 without SSL?
Thanks.

Re: How to block all websites except special website

Posted: Wed Jul 26, 2017 10:10 am
by normis
No. Your transparent proxy setup involves a NAT rule where you redirect only TCP Port 80 to the proxy. You will not redirect port 443, because SSL can't be proxied like that.

Re: How to block all websites except special website

Posted: Wed Jul 26, 2017 10:31 am
by aarango
No. Your transparent proxy setup involves a NAT rule where you redirect only TCP Port 80 to the proxy. You will not redirect port 443, because SSL can't be proxied like that.
Thanks normis, in what way could I audit SSL traffic? Not content, of course.

Re: How to block all websites except special website

Posted: Wed Jul 26, 2017 12:19 pm
by steinbergs
Thanks normis, in what way could I audit SSL traffic? Not content, of course.
I use GPO to force proxy settings on my users. This way I can use proxy for port 80, 443...

Re: How to block all websites except special website

Posted: Sat Jul 29, 2017 10:47 am
by NorouziFar
Please answer my question??? :shock: :shock: :shock:

Re: How to block all websites except special website

Posted: Sat Jul 29, 2017 12:28 pm
by Comutelperu
It is easier without Web Proxy, because you can use other services on any port (443, etc.).
Step 1: Make an address list with the correct sites; remember that it is now possible (ver. 6.34 and over) to add a domain name directly to the address list. (Aproved)
Step 2: Make an address list with your local network addresses. (Local-lan)
Step 3: Make a filter rule (in first position) to accept the traffic for all local-lan to local-lan. Any port, any protocol.
Step 4: Make a filter rule (in second position) to drop all traffic to anything other than the Aproved address list, i.e. ! Aproved. Remember the ! Aproved. (Any port, any protocol)
At this moment I'm writing from my cell phone and it is not possible to send you the script, but maybe later it will be possible.
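
Steps 1 to 4 above written out as RouterOS commands, as an added example that is not part of the original post and is not the script the poster mentions. It uses the LAN subnet and allowed destinations from the first post and the list names from the steps; the forward chain, the source match on the drop rule and the comments are assumptions made here.

```routeros
# Added example, not from the thread. Addresses come from the first post.

# Step 1: allowed destinations. An address-list entry is an address or a
# domain name only; it cannot carry a port, so 188.209.176.6:462 and
# 188.209.176.9:7302 are listed by address (any port, as in step 4).
/ip firewall address-list
add list=Aproved address=188.209.176.6
add list=Aproved address=188.209.176.7
add list=Aproved address=188.209.176.9
add list=Aproved address=farzin.com
add list=Aproved address=google.com
add list=Aproved address=mikrotik.com

# Step 2: the local network.
add list=Local-lan address=192.168.10.0/24

# Step 3: accept local-lan to local-lan, any port, any protocol.
# "add" appends to the end of the chain; if other forward rules already
# exist, move these two above them so they are evaluated first.
/ip firewall filter
add chain=forward action=accept src-address-list=Local-lan \
    dst-address-list=Local-lan comment="LAN to LAN"

# Step 4: drop everything from the LAN that is not going to an Aproved
# address. The src-address-list match is an assumption added here: without
# it, replies from Aproved hosts (whose destination is a LAN client, not an
# Aproved address) would also match the drop rule.
add chain=forward action=drop src-address-list=Local-lan \
    dst-address-list=!Aproved comment="LAN to anything not Aproved"
```

Domain entries are resolved by the router itself, so a client is only let through when the address it was given for the name is one the router currently has in the list. Clients that query a DNS server outside the LAN are forwarded traffic and will be dropped by the second rule unless that server is also in Aproved.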

Re: How to block all websites except special website

Posted: Fri May 25, 2018 1:43 pm
by xaman
Yeah! It is a really good solution that you have provided.
Thank you for sharing.

Xaman