tomislav91
Member
Topic Author
Posts: 313
Joined: Fri May 26, 2017 12:47 pm

block teamviewer on routers

Tue Nov 19, 2019 2:26 pm

Is there some address list or rules to forbid users from connecting via TeamViewer?
I found some, but somehow it goes through.
 
George192
just joined
Posts: 2
Joined: Tue May 08, 2018 3:06 pm
Location: georgia/tbilisi

Re: block teamviewer on routers

Tue Nov 19, 2019 3:43 pm

Script to drop traffic for an address list:
/ip firewall filter
add action=drop chain=forward comment="Drop all traffic from address on TeamviewerServers" src-address-list=TeamviewerServers
add action=drop chain=forward comment="Drop all traffic from address on TeamviewerServers" dst-address-list=TeamviewerServers
add action=drop chain=input comment="Drop all traffic from address on TeamviewerServers" src-address-list=TeamviewerServers
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: block teamviewer on routers

Tue Nov 19, 2019 4:21 pm

Are you sure those address lists are correct?
 
anav
Forum Guru
Posts: 23391
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: block teamviewer on routers

Tue Nov 19, 2019 5:09 pm

Is this a comedy thread LOL.
First of all, that is not a script, just a few lines of firewall filter.
Second, what are the contents of TeamviewerServers? All you have identified is the name of the list LOL.

Since TV uses ports 80 and 443 it may be a bridge too far.
The only quote I found thus far: "I managed to block teamviewer by adding regexp in L7protocol, but for all IP address."
Not sure if that still applies or how CPU intensive it may be???

The most pertinent question is: WHY DO YOU WANT TO BLOCK IT??
The best answer is: if it is against company policy then you don't want to block it - you want to log it, present it to HR and discipline the culprit.
(or against home policy......... same same).
 
sindy
Forum Guru
Posts: 11509
Joined: Mon Dec 04, 2017 9:19 pm

Re: block teamviewer on routers

Tue Nov 19, 2019 8:01 pm

"Not sure if that still applies or how CPU intensive it may be???"
Not terribly, as these L7 rules would likely be used on DNS queries (which requires redirecting any DNS request from the client to your own DNS, which the client can beat using some counter-measure like secure DNS, so you end where you began), and DNS queries are not there all the time and the relatively simple regexp matches on the very first (and only) packet.

"If it is against company policy then you don't want to block it - you want to log it, present it to HR and discipline the culprit."
Well, the key is to identify that traffic; what you use that identification for is less important. Sure, to log it, it is best not to restrict it, because then you can just log outgoing connections to TCP and/or UDP port 5938 and 99.9% of them are teamviewer ones. Once you block the port 5938, the application will revert to 443 or 80, which you can only block for particular IP addresses if you can't block web access completely.
 
Davis
Member Candidate
Posts: 128
Joined: Mon Aug 01, 2011 12:27 pm
Location: Latvia, Riga

Re: block teamviewer on routers

Tue Nov 19, 2019 10:14 pm

One option would be blocking by DNS (assuming MikroTik is used as the DNS server). This is not a very good way and can be relatively easily bypassed (but any VPN/Tor will bypass anything, and there are many other remote access/screen-sharing tools).

/ip dns static
add address=10.1.2.3 comment="Block TeamViewer" regexp=".*\\.teamviewer\\.com\$" ttl=1h
add address=10.1.2.3 comment="Block TeamViewer" name=teamviewer.com ttl=1h

/ip route
# This is the unreachable IP address that is used for blocking
# Feel free to use any private IP address that is NOT part of your network: https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses
add distance=1 dst-address=10.1.2.3/32 type=unreachable

/ip firewall filter
# These rules MUST BE BEFORE ALLOW RULES - they prevent simple change in Windows settings to use different DNS servers (any internal DNS/Active Directory servers, or anything else that does independent DNS resolution must be excluded from these rules!)
add chain=forward protocol=udp dst-port=53 action=drop
add chain=forward protocol=tcp dst-port=53 action=drop
P.S.
If you are using Active Directory I suggest looking at Software Restriction Policies.
If you are using Active Directory, most likely the domain controller (not MikroTik) is used as the DNS server.
If you are trying to block IT people, they will find a way to bypass almost any technical restriction (administrative measures will be more effective then).

P.P.S. I like @sindy's idea (identifying connections to port 5938 and taking administrative measures).

P.P.P.S. Instead of the unreachable route, a firewall entry like this could be used to provide logging as well:

/ip firewall filter
add chain=forward dst-address=10.1.2.3 protocol=tcp action=reject reject-with=tcp-reset log=yes log-prefix="TeamViewer"
add chain=forward dst-address=10.1.2.3 action=reject log=yes log-prefix="TeamViewer"
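Added example, not code from any post in this thread: a small Python parser for the lines a RouterOS firewall rule with `log=yes log-prefix="TeamViewer"` writes to the log, whether from Davis's reject rules above or from a plain log rule on port 5938 as sindy suggests. It groups attempts per internal host and separates native-port (5938) hits from 80/443 fallbacks; the exact log line layout and the sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape RouterOS writes for a firewall rule with
# log=yes: "<prefix> <chain>: in:IF out:IF, src-mac ..., proto P, src:port->dst:port, len N".
# The layout is an assumption; the last line is unrelated noise that must be ignored.
SAMPLE_LOG = """\
TeamViewer forward: in:bridge out:ether1, src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.88.10:51234->10.1.2.3:5938, len 52
TeamViewer forward: in:bridge out:ether1, src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.88.10:51240->10.1.2.3:443, len 52
TeamViewer forward: in:bridge out:ether1, src-mac 00:11:22:33:44:55, proto UDP, 192.168.88.10:51241->10.1.2.3:5938, len 60
TeamViewer forward: in:bridge out:ether1, src-mac 66:77:88:99:aa:bb, proto TCP (SYN), 192.168.88.25:40001->10.1.2.3:80, len 52
system,info,account user admin logged in from 192.168.88.1 via winbox
"""

LOG_RE = re.compile(
    r"^(?P<prefix>\S+) (?P<chain>\w+): .*?proto (?P<proto>TCP|UDP)"
    r"(?: \([^)]*\))?, (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# 5938 is the port the thread identifies as the native one; 80/443 are the fallbacks.
TV_PORTS = {5938: "native", 443: "fallback", 80: "fallback"}


def parse_line(line, prefix="TeamViewer"):
    """Return the fields of one firewall log line carrying `prefix`, or None otherwise."""
    m = LOG_RE.match(line)
    if not m or m.group("prefix") != prefix:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def summarize(log_text, prefix="TeamViewer"):
    """Count logged attempts per internal source, split into native/fallback/other ports."""
    per_src = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line, prefix)
        if rec is None:
            continue
        per_src[rec["src"]][TV_PORTS.get(rec["dport"], "other")] += 1
    return {src: dict(counts) for src, counts in per_src.items()}


if __name__ == "__main__":
    for src, counts in summarize(SAMPLE_LOG).items():
        print(src, counts)  # one line per internal host, suitable for handing to HR
```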