What is the simplest way if you just want to block a certain website address?
This rule works perfectly for me:
add action=reject chain=blocklist comment="block youtube" protocol=tcp reject-with=icmp-network-unreachable tls-host=*youtube*
please don't use l7 rules for blocking webpages
> Allows matching HTTPS traffic based on TLS SNI hostname. Accepts GLOB syntax for wildcard matching. Note that the matcher will not be able to match hostname if the TLS handshake frame is fragmented into multiple TCP segments (packets).
A tls-host matcher is a powerful tool to block HTTPS-based websites, but, for example, YouTube is using QUIC (a UDP-based protocol) instead of normal HTTP/2 (a TCP-based protocol). TLS-host does not work with QUIC as it depends on a TCP connection.
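To make the manual's caveat concrete, here is an added example (mine, not code from this thread or from MikroTik; RouterOS's tls-host implementation is not public, so the parser below is an approximation of what any per-packet SNI matcher has to do). It builds a constructed TLS ClientHello carrying an SNI extension, extracts the host name from a single TCP payload, applies the `*youtube*` glob with `fnmatch`, and then shows that once the same ClientHello is split across TCP segments, no single segment yields a match. QUIC is deliberately not covered: the matcher only ever sees TCP. The function names and the MSS value used for the split are assumptions.

```python
import fnmatch
import struct

# Assumptions: the ClientHello layout follows RFC 5246/8446; all helper names
# below are mine, not RouterOS or MikroTik APIs; the bytes are constructed, not captured.


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS ClientHello record whose only extension is
    server_name (SNI, extension type 0x0000). Constructed test data."""
    name = server_name.encode("ascii")
    # ServerName: name_type host_name (0), 2-byte length, the name itself
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"            # legacy_version = TLS 1.2
        + b"\x11" * 32         # random (fixed filler bytes)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"          # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLSPlaintext record


def extract_sni(segment: bytes):
    """Return the SNI host_name if `segment` (one TCP payload) holds a complete
    ClientHello, else None. This is the per-packet view a firewall matcher has:
    there is no TCP stream reassembly, so a hello that continues in the next
    segment cannot be matched."""
    if len(segment) < 5 or segment[0] != 0x16:          # not a handshake record
        return None
    record_len = struct.unpack("!H", segment[3:5])[0]
    record = segment[5:5 + record_len]
    if len(record) < record_len or len(record) < 4 or record[0] != 0x01:
        return None                                     # truncated, or not a ClientHello
    hs_len = int.from_bytes(record[1:4], "big")
    body = record[4:4 + hs_len]
    if len(body) < hs_len:
        return None
    pos = 2 + 32                                        # skip version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                # compression_methods
    if pos + 2 > len(body):
        return None
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:                               # walk the extensions
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0x0000:
            continue
        lp = 2                                          # skip ServerNameList length
        while lp + 3 <= len(data):
            name_type = data[lp]
            name_len = struct.unpack("!H", data[lp + 1:lp + 3])[0]
            lp += 3
            if name_type == 0:                          # host_name
                return data[lp:lp + name_len].decode("ascii", "replace")
            lp += name_len
    return None


def tls_host_matches(segment: bytes, pattern: str) -> bool:
    """Emulate `tls-host=<glob>` applied to a single TCP segment."""
    host = extract_sni(segment)
    return host is not None and fnmatch.fnmatchcase(host.lower(), pattern.lower())


def segment_payload(payload: bytes, mss: int):
    """Split a TCP payload into segments of at most `mss` bytes (hypothetical MSS)."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def demo(pattern: str = "*youtube*", mss: int = 40) -> dict:
    """The whole hello matches; the same hello split across segments never does."""
    hello = build_client_hello("www.youtube.com")
    return {
        "reassembled": tls_host_matches(hello, pattern),
        "per_segment": [tls_host_matches(s, pattern) for s in segment_payload(hello, mss)],
    }


if __name__ == "__main__":
    print(demo())  # {'reassembled': True, 'per_segment': [False, False]}
```

The MSS of 40 exaggerates the split so the effect is visible on a 76-byte hello; in practice a ClientHello crosses a segment boundary when it is large (many cipher suites, several key shares) or the path MTU is small, and the `*youtube*` rule then silently lets that connection through, which is why a rule counter that stays at zero while the site still loads is worth checking before declaring the rule "working".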
> you'd configure web browser to use SOCKS proxy provided by admin.
That's all I needed: not transparent to users, not viable at home, just businesses.
> > you'd configure web browser to use SOCKS proxy provided by admin.
> That's all I needed: not transparent to users, not viable at home, just businesses.
@SoB is right – more pointing out Normis' false hope that it's just one config line. Useful feature, incomplete as a comprehensive web blocking tool.
> I don't know if someone will reinvent this, and if it has any chance to become popular. I wouldn't bet on it, but who knows...
I wouldn't recommend SOCKS either. Or even trying to solve this "problem" on a Mikrotik – focus on managing the bandwidth. If you need to restrict users in a fine-grained manner, look beyond the Mikrotik. But if you're looking for a novel Mikrotik approach that does something to block websites (how much, YMMV), MT offers LOTS to do and try, but it will never be a "definitive solution".
> add action=reject chain=blocklist comment="block youtube" protocol=tcp reject-with=icmp-network-unreachable tls-host=*youtube*
How can you say it works perfectly, when MikroTik's own manual says it can fail?
> It is better to yield and stop wanting to block sites.
Corporate Policy - Use of company internet for non-business needs constitutes grounds for a warning, second offence is firing.
> > It is better to yield and stop wanting to block sites.
> House Policy - Why block youtube, the educational aspects are amazing... Other uses of youtube are up to parental education.
Replace youtube by pornhub and having kids.
> replace youtube by pornhub and having kids
That's the point: what do you achieve with blocking pornhub? There is redtube, xvideos, xhamster and many, many more.
> When you have done all that, they can just set up a VPN or Proxy.
Thought the same thing, thanks for the clarification / confirmation.
> When you have done all that, they can just set up a VPN or Proxy.
Why not just turn off the secure filter on Google or Bing search? Then just search for any porn you like and select pictures.
> This rule works perfectly for me:
> add action=reject chain=blocklist comment="block youtube" protocol=tcp reject-with=icmp-network-unreachable tls-host=*youtube*
> please don't use l7 rules for blocking webpages
Are you sure this rule also works with YouTube app users?
> Please read this post until you understand what it says:
> viewtopic.php?t=166748#p819025
> (PS. I hurl flatulence in the direction of Normis for creating fake news in this thread)
Thanks, I will check this out.
> How unfortunate that this is not working anymore.
The mission of the internet app developers over the past years has been to prevent network administrators from fiddling with their applications.
Put everything in https, make DNS encrypted, add additional measures to https to make filtering even more difficult (encrypted SNI), make it more difficult to do state tracking by using UDP (QUIC), move everything to "content delivery" services that you cannot block because you would block more than one app or site, introduce services like "login using twitter" or "login using facebook" that make it impossible to block those services because you would block their login facility as well, etc etc.
So now your position has been reduced to a facilitator of network traffic. Influencing what your users are doing is made impossible for you.
Anyway, there is no reason to block Youtube. If you want a datacap, make that. Do not try blocking sites because they cause too much traffic for you, their role will be replaced by other sites that do the same.
When you want to show some config, use export. No need to show everything, but do not show in a screenshot what you can show in 1-3 export lines.
> The mission of the internet app developers over the past years has been to prevent network administrators from fiddling with their applications.
> Put everything in https, make DNS encrypted, add additional measures to https to make filtering even more difficult (encrypted SNI), make it more difficult to do state tracking by using UDP (QUIC), move everything to "content delivery" services that you cannot block because you would block more than one app or site, introduce services like "login using twitter" or "login using facebook" that make it impossible to block those services because you would block their login facility as well, etc etc.
Excellent explanation.
> I am trying to prevent my children going on these sites like youtube. I guess for this time, I will have to close the full connection and only let through specific sites.
That isn't possible (anymore) either! See, there is no way you can let through "a site". You may think that to make www.somesite.domain work, the only thing you need to do is to look up its address and allow access to that address.
> Are you sure that unconditionally blocking port 443/UDP is a good step?
Don't pay attention; they are those of the "TLS 1.2-" solution as long as it goes, and I don't give a damn about blocking the other services on the same IP too...
/ip firewall raw
add action=drop chain=prerouting dst-port=443 protocol=udp
/ip firewall filter
add action=add-dst-to-address-list address-list=googlevideo address-list-timeout=none-dynamic chain=forward content=googlevideo.com dst-port=443 protocol=udp
> This rule works perfectly for me:
> add action=reject chain=blocklist comment="block youtube" protocol=tcp reject-with=icmp-network-unreachable tls-host=*youtube*
> please don't use l7 rules for blocking webpages
Can anyone tell me if the above Normis way to block youtube works? And what exactly is the "chain=blocklist"? I would like to give it a try but don't know what chain he chose.