Block many websites

Posted: Tue Jan 16, 2018 2:08 pm
by tasn
Hello community,

I am in search of a solution to my problem and I would like to ask some questions first.
I would like to block access from my LAN to a list of websites (around 1000) which I have in an Excel file.

I know there are some ways to block websites, like Layer 7 or Web proxy etc.
So my main question is if I can use a MikroTik device, how efficient it will be, and which way you think would be better.

The other question is if I can somehow easily import the list I have in an Excel file into the MikroTik device. Or do I need to make a script?

I don't want the solution, I just want directions.

Thank you

Re: Block many websites

Posted: Tue Jan 16, 2018 2:16 pm
by normis
L7 will kill your router, and is very inefficient. You can also block by IP address, which would be much easier and faster, if most of those websites have a known list of fairly static IP addresses.

Re: Block many websites

Posted: Tue Jan 16, 2018 2:29 pm
by tasn
Thanks Normis,

By IP you mean to block the IP addresses of websites in Firewall->Filter Rules, right?

I'll try that

Re: Block many websites

Posted: Tue Jan 16, 2018 2:49 pm
by ivicask
> Thanks Normis,
>
> By IP you mean to block the IP addresses of websites in Firewall->Filter Rules, right?
>
> I'll try that

/ip firewall address-list
add address=facebook.com list=blocked_web
add address=youtube.com list=blocked_web
add address=whatever.com list=blocked_web
etc. Continue the list from your Excel table.

Add this to block them all.
/ip firewall filter
add action=reject chain=forward comment="Block Web Sites" \
dst-address-list=blocked_web reject-with=icmp-network-unreachable

Simple as that.

Re: Block many websites

Posted: Tue Jan 16, 2018 2:51 pm
by pe1chl
That is indeed very simple, but unfortunately it will not work correctly!
One IP address can handle multiple websites, so when you block this way you will block other sites as well.

Re: Block many websites

Posted: Tue Jan 16, 2018 2:58 pm
by ivicask
> That is indeed very simple, but unfortunately it will not work correctly!
> One IP address can handle multiple websites, so when you block this way you will block other sites as well.

Well then, in that case you can do a DNS block.

/ip dns static
add address=127.0.0.1 regexp=facebook.com
etc

And in order to enforce MikroTik as DNS so users can't use any other, I use

add action=drop chain=forward comment="BLOCK OTHER DNS SERVERS" disabled=yes \
dst-address=!192.168.1.244 port=53 protocol=tcp
add action=drop chain=forward disabled=yes dst-address=!192.168.1.244 port=53 \
protocol=udp

Where .244 is the IP of my MikroTik serving as DNS server.
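tasn asked how to get a list of around 1000 sites out of an Excel file and into the router, and ivicask showed the two RouterOS forms it can feed (address-list entries and DNS static regexp entries). The Python script below is added here and is not from any poster in the thread: it reads the list as CSV, normalizes the messy cells a spreadsheet usually contains, and emits both command sets, with the DNS regexp anchored so that a bare "example.com" pattern does not also match "notexample.com". It assumes the export has the hostnames in the first column under a header "site", that RouterOS static-DNS `regexp` is POSIX-style, and that `\\` and `\$` are the escapes for a literal backslash and `$` inside a RouterOS quoted string; the sample rows are constructed.

```python
import csv
import re

# Constructed sample of the kind of list exported from Excel as CSV (not from the thread);
# the messy forms (scheme, path, "www.", mixed case, blank row, junk) are deliberate.
SAMPLE_CSV = """site
https://www.example.com/login
Example.com
bad-site.example.org/
ws006.miner.example

not a domain!
"""

HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$")


def normalize(cell):
    """Reduce one spreadsheet cell to a bare lowercase hostname, or None if unusable."""
    host = re.sub(r"^[a-z]+://", "", cell.strip().lower())  # drop scheme
    host = host.split("/")[0].split(":")[0]                  # drop path and port
    if host.startswith("www."):
        host = host[4:]
    return host if HOSTNAME_RE.match(host) else None


def load_hosts(csv_text):
    """First column only; skip the header and blank rows; deduplicate, keep input order."""
    seen = {}
    for row in csv.reader(csv_text.splitlines()):
        if not row or row[0].strip().lower() == "site":
            continue
        host = normalize(row[0])
        if host:
            seen.setdefault(host, None)
    return list(seen)


def address_list_rsc(hosts, list_name="blocked_web"):
    """Address-list entries as in ivicask's post; RouterOS resolves the names itself."""
    lines = ["/ip firewall address-list"]
    lines += [f'add address={h} list={list_name} comment="imported"' for h in hosts]
    return "\n".join(lines) + "\n"


def dns_static_rsc(hosts):
    """DNS static entries with an anchored regexp, so 'sub.example.com' matches
    but 'notexample.com' does not (a bare 'example.com' regexp would match both)."""
    lines = ["/ip dns static"]
    for h in hosts:
        escaped = h.replace(".", "\\\\.")  # RouterOS quoted strings need \\ for a literal backslash
        lines.append(f'add address=127.0.0.1 regexp="(^|\\\\.){escaped}\\$"')  # and \$ for a literal $
    return "\n".join(lines) + "\n"
```

Write the two outputs to a `.rsc` file and import it on the router; the DNS variant only helps while clients are forced to use the router as resolver, which is what the two port-53 drop rules above are for.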

Re: Block many websites

Posted: Tue Jan 16, 2018 3:00 pm
by normis
New and exciting way to block things, introduced in the latest 6.41: block by SSL certificate name with TLS-HOST:
/ip firewall filter add action=drop chain=forward protocol=tcp tls-host=*facebook.com

Re: Block many websites

Posted: Tue Jan 16, 2018 3:07 pm
by ivicask
> New and exciting way to block things, introduced in the latest 6.41: block by SSL certificate name with TLS-HOST:
> /ip firewall filter add action=drop chain=forward protocol=tcp tls-host=*facebook.com

What about sites that don't use SSL? Or does the site's SSL certificate need to be named the same as the site? How reliable is that?

Re: Block many websites

Posted: Tue Jan 16, 2018 3:10 pm
by normis
Sites without SSL you can block in other ways already. And also, there aren't many sites without SSL.
Can you name an example of a popular site that has SSL certificate issued for a different domain? I don't think that is even possible.

Re: Block many websites

Posted: Tue Jan 16, 2018 5:04 pm
by sri2007
Hi!!! I believe that it can work by configuring your MikroTik and your network to work with OpenDNS; on that site you can block anything, and you really need to do extra things in the MikroTik, for example denying any proxy communication, denying any VPN port, denying UltraSurf, and doing a dst-nat to force any DNS request sent to a different server and redirect it to the OpenDNS server.

Re: Block many websites

Posted: Tue Jan 16, 2018 7:06 pm
by tasn
I have OpenDNS in mind, but I would like first to try a more "MikroTik" solution.
The list does not contain very common websites like Facebook, Google etc., so most of them have only 1 IP.
I will try that and see if it suits me.

Btw
> New and exciting way to block things, introduced in the latest 6.41: block by SSL certificate name with TLS-HOST:
> /ip firewall filter add action=drop chain=forward protocol=tcp tls-host=*facebook.com

I tested it and it does not match any traffic. I tried some variations of the command provided but couldn't find anything that works.

Anyway, thank you all for your ideas and knowledge.

Re: Block many websites

Posted: Thu Jan 18, 2018 2:51 pm
by AlainCasault
MikroTik made a MUM presentation that might help you with that. Look for the title "my holy war against masquerade". It helped me a lot!!


Re: Block many websites

Posted: Sun Jan 21, 2018 9:09 pm
by Zacharias
> That is indeed very simple, but unfortunately it will not work correctly!
> One IP address can handle multiple websites, so when you block this way you will block other sites as well.

What do you mean by that? Can you give me an example of an IP address that handles more than one website?

Re: Block many websites

Posted: Mon Jan 22, 2018 11:58 am
by BartoszP
Read this: https://httpd.apache.org/docs/2.4/vhosts/examples.html
It should explain to you a bit what a virtual host for WWW is.
IMHO all hosting companies share one IP for many sites. There are not enough IPv4 addresses to host each possible WWW site with its own address.

Re: Block many websites

Posted: Tue Jan 23, 2018 11:27 am
by Zacharias
> Read this: https://httpd.apache.org/docs/2.4/vhosts/examples.html
> It should explain to you a bit what a virtual host for WWW is.
> IMHO all hosting companies share one IP for many sites. There are not enough IPv4 addresses to host each possible WWW site with its own address.

Thanks BartoszP

Re: Block many websites

Posted: Thu Jan 25, 2018 2:09 am
by AlainCasault
> Btw
> New and exciting way to block things, introduced in the latest 6.41: block by SSL certificate name with TLS-HOST:
> /ip firewall filter add action=drop chain=forward protocol=tcp tls-host=*facebook.com
>
> I tested it and it does not match any traffic. I tried some variations of the command provided but couldn't find anything that works.
>
> Anyway, thank you all for your ideas and knowledge.

Ditto here!!
/ip firewall filter
add action=log chain=forward log-prefix="====================" protocol=tcp tls-host=*.facebook.com
Not matching anything. Normis, am I doing something wrong??

Re: Block many websites

Posted: Thu Jan 25, 2018 11:22 am
by pe1chl
I think you need to apply those matchers in the mangle chain, to set a mark on the connection, and then use a filter in the forward chain to block packets for those marked connections.
This is because such matches operate on "peeking into a session", and by the time they have identified the traffic, it has already passed through.
You cannot drop the actual TLS exchange, but you can drop the further traffic once you have marked the connection.

Re: Block many websites

Posted: Thu Jan 25, 2018 3:40 pm
by reinerotto
ivicask gave the simplest and most complete solution to the problem. It also works for https sites, of course.

Re: Block many websites

Posted: Thu Aug 16, 2018 2:26 pm
by TAD
> New and exciting way to block things, introduced in the latest 6.41: block by SSL certificate name with TLS-HOST:
> /ip firewall filter add action=drop chain=forward protocol=tcp tls-host=*facebook.com

Hi Normis, I have tested this but Facebook still opens.

Re: Block many websites

Posted: Fri Sep 07, 2018 8:58 am
by chebedewel
Hi, try this:
/ip firewall filter add action=reject chain=forward comment="Reject FB" protocol=tcp reject-with=icmp-network-unreachable tls-host=*.facebook.com
Same for v6:
/ipv6 firewall filter add action=reject chain=forward comment="Reject FB" protocol=tcp reject-with=icmp-no-route tls-host=*.facebook.com

Re: Block many websites

Posted: Sun Oct 07, 2018 4:46 pm
by yalex
Hi,
I have a problem on my network with CoinMainer.ha malware. This one made me crazy :( It has many subdomains and does not use SSL. How can I block all traffic in/out from coinhive.com and subdomains like ws006.coinhive.com, ws084.coinhive.com, wsxyz.coinhive.com...? There are many servers with many IPs for this malware, and I have many clients/servers infected with it.