"Your Freedom" app😡
Posted: Mon Aug 16, 2021 12:40 pm
by Sahafi2001
Is there a solution to prevent the "Your Freedom" app from unauthorized access to the internet in my network, through a firewall or something like that, other than using a PPPoE server?
Re: "Your Freedom" app😡
Posted: Mon Aug 16, 2021 12:53 pm
by anav
In general, routers are not app-blocking specific; that is the domain of PC software and/or usage agreements with users.
Re: "Your Freedom" app😡
Posted: Mon Aug 16, 2021 2:06 pm
by P00HB33R
If you know the IP address of the server it's connecting to, you can drop all traffic to that IP address.
Re: "Your Freedom" app😡
Posted: Tue Aug 17, 2021 11:39 am
by sindy
I'm not sure what "unauthorized access to the internet in my network" means. Does that mean that your users should have access only to the resources of that network itself but should not have any access to the internet at all, and by means of that VPN application they can overcome the restriction and get to the internet? Or that you just want/need to know what sites they visit and the VPN hides this information from you? Or that you have set some bandwidth limitations for different services, and the customers use the VPN to overcome these limitations?
If it's the first case, i.e. where internet access should be completely blocked, there's something wrong with your firewall rules.
If it's the second case, why do you only have a problem with one particular VPN app? There are plenty of them, and people who don't want to be spied on will simply move to the next one once you block the one they use, so at the end of the day you'd end up with the first case if you wanted to block them all.
If it's the third case, you have to change the order of matching of your bandwidth-limiting rules, so that the higher bandwidth is assigned to explicitly listed destinations and the lower one to all the rest.
I've also got no idea what the idea behind using a pppoe server is; can you elaborate?
Re: "Your Freedom" app😡
Posted: Wed Aug 18, 2021 9:49 am
by normis
I think the OP is blocking certain sites, and users are overcoming those limits by using VPN.
Re: "Your Freedom" app 😎
Posted: Wed Aug 18, 2021 3:54 pm
by Jotne
https://www.your-freedom.net/
It's impossible to block someone who likes to get on the net 100% without removing the internet.
Users will always find a way around any block you make.
Ultrasurf is a tool to have when someone has locked your network.
https://ultrasurf.us/d
Re: "Your Freedom" app😡
Posted: Wed Aug 18, 2021 4:08 pm
by anav
Terms of Reference and usage agreement.
1. Any use of VPNs to bypass router settings will result in loss of use of services.
Re: "Your Freedom" app😡
Posted: Wed Aug 18, 2021 5:05 pm
by sindy
@anav, administrative measures sound great if you are a company IT admin, but it still requires an ability to identify the forbidden kind of traffic beyond any doubt so that you could apply the administrative sanctions. And if you can identify it beyond any doubt, you can as well block/throttle it rather than applying the sanctions. So it again boils down to the ability to tell a TLS VPN from normal HTTPS traffic, as both use remote TCP port 443 and both are encrypted. So either you do the man-in-the-middle attack on HTTPS sessions, which you can only do as a company IT admin and only in some countries/states, or you cannot tell one from the other.
As an ISP with uplink bandwidth limitations, you probably don't want to lose customers. So whilst you have the problem of classification as well, blocking/throttling the trespassing traffic is also a better option than terminating the customer contract. Hence the only way is to throttle everything but a few known exceptions rather than to let everything go and throttle/block only few exceptions, and even that way is only possible under favourable conditions (basically when all the "unlimited" destinations are within your own network).
If politics comes into play, and the government orders you to block some sites, there is no working solution. DNS filtering can be overcome using DoH, destination address filtering can be overcome using VPN, so either you implement the government requirement only formally and it is sufficient for them, or they insist on a working solution without understanding the technical reality, and then you become a "passive criminal" as you haven't done enough to obey the law.
Some government was installing their own root certificates on all citizens' devices in order to be able to decrypt TLS (mostly HTTPS) sessions without the end user getting a warning, so big players stopped trusting root certificates issued by that government.
Re: "Your Freedom" app😡
Posted: Wed Aug 18, 2021 6:23 pm
by rextended
Raw idea on how to identify VPN traffic from point A to point B, if the tunnel uses HTTPS or other non-standard methods and non-standard ports.
Some clues:
the traffic is encrypted (ehm...)
the traffic does not come from Netflix, YouTube, Amazon Video, etc.
connection-tracking sessions are longer, very much longer, with a big amount of bytes exchanged,
mysteriously no other type of traffic...
more download than upload,
pauses between traffic / no continuous download
Re: "Your Freedom" app😡
Posted: Wed Aug 18, 2021 7:30 pm
by Sahafi2001
My network is programmed so that whoever wants to access the Internet must buy a card and log in through this page*. The problem is that this application bypasses the page and connects to the Internet without logging in. During each month I lose more than 50 dollars as a result of this hack, because the Internet prices in my country are expensive.
*
![Image](http://www.snwifi.com.ar/snwifi-hotspot.jpg)
The picture is for clarification.
Re: "Your Freedom" app😡
Posted: Wed Aug 18, 2021 7:49 pm
by sindy
> The problem is that this application bypasses the page and connects to the Internet without logging in.
If so, it is the "first case" in my discussion above: your firewall rules for users who haven't successfully completed the login quest are not tight enough. How is that done, using MikroTik's hotspot functionality or using some other solution?
There are VPNs that connect to DNS ports, VPNs that use ICMP echo/echo response as transport packets, ...
Re: "Your Freedom" app😡
Posted: Wed Aug 18, 2021 8:04 pm
by sindy
@rextended, a great thank you in the name of all the less clever censors who didn't know until now what to look for.
I would not take "more download than upload" as a reliable criterion, and "traffic does not come from popular entertainment services" is also less reliable (no matter how surprising that may be, some people may not use these services at all). The rest of the points are valid unless the VPN generates some extra traffic to make it less obvious.
Luckily for people who need freedom of information, automation of such traffic analysis is resource-hungry and therefore expensive, so it will hopefully not be implemented in mass volume in the near term.
Re: "Your Freedom" app😡
Posted: Wed Aug 18, 2021 8:05 pm
by rextended
Some programs for bypassing hotspots use items already present in the walled garden, like Google...
Do you block Google, or permit something that can be used to bypass the firewall?
Re: "Your Freedom" app😡
Posted: Wed Aug 18, 2021 10:03 pm
by anav
Just more proof that understanding the requirements of the OP is the most important step, and until that is done, talking config is a waste of time.
On topic, does Hotspot usage prevent bypassing said page? It sounds like the OP is bypassing hotspot ;-PPP for some other turnkey solution.
Okay pink text, what is so special about August 23rd? You turn 60?
Re: "Your Freedom" app😡
Posted: Wed Aug 18, 2021 10:45 pm
by rextended
> You turn 60?
No :roll:, the age on my profile is true; it is because RouterOS 7.0.4 (stable) is present on all newly distributed devices.
Re: "Your Freedom" app😡
Posted: Wed Aug 18, 2021 11:58 pm
by anav
> You turn 60?
> No :roll:, the age on my profile is true; it is because RouterOS 7.0.4 (stable) is present on all newly distributed devices.
So young!!
Re: "Your Freedom" app😡
Posted: Thu Aug 19, 2021 12:17 pm
by Sahafi2001
> The problem is that this application bypasses the page and connects to the Internet without logging in.
> If so, it is the "first case" in my discussion above: your firewall rules for users who haven't successfully completed the login quest are not tight enough. How is that done, using MikroTik's hotspot functionality or using some other solution?
> There are VPNs that connect to DNS ports, VPNs that use ICMP echo/echo response as transport packets, ...
The problem is that the basic settings of the firewall from MikroTik are not enough to repel these attacks, so I had some settings made by other programmers, but the problem is that they work for a certain period and then fail to repel the attacks, especially when the owners of the application update the application.
This is the last script that was uploaded:
```
# layer7 matcher for host names used by the Your Freedom client
/ip firewall layer7-protocol
add name=AKfreedom regexp="^.+(1yf.de|2yf.de|53r.de|93.ye|YF.de|8u6.de|f.de|fer.net|resolution.de|freedom.net|your-freedom|your-freedom.de|www.your-freedom.de|www.your-freedom.net)"

# drop matching connections before and after hotspot authentication
/ip firewall filter
add action=drop chain=input layer7-protocol=AKfreedom comment=Freedom_akrm.alqadsi
add action=drop chain=pre-hs-input layer7-protocol=AKfreedom comment=Freedom_akrm.alqadsi
```
Re: "Your Freedom" app😡
Posted: Thu Aug 19, 2021 12:32 pm
by Sahafi2001
> The problem is that this application bypasses the page and connects to the Internet without logging in.
> If so, it is the "first case" in my discussion above: your firewall rules for users who haven't successfully completed the login quest are not tight enough. How is that done, using MikroTik's hotspot functionality or using some other solution?
> There are VPNs that connect to DNS ports, VPNs that use ICMP echo/echo response as transport packets, ...
I apologize for taking up some of your time.
But what do you think of this article?
If I did it, would it make my router better and safer?
https://help.mikrotik.com/docs/display/ ... d+Firewall
Re: "Your Freedom" app😡
Posted: Thu Aug 19, 2021 2:27 pm
by rextended
Too many novels.
Put your config on the forum:
```
/export hide-sensitive file=export
```
Remember to open the file with notepad to see if something sensitive is left.
DO NOT DELETE ANYTHING!!!, just
censor true IPs, e-mails, and whatever hide-sensitive left, with ***
Re: "Your Freedom" app😡
Posted: Fri Aug 20, 2021 12:51 pm
by sindy
> But what do you think of this article?
> If I did it, would it make my router better and safer?
There are only two strategies that succeed in the long term: either start understanding how the firewall actually works, or hire a consultant.
The documentation page you refer to describes a firewall for a home/SOHO router, where the router itself and all the devices on its LAN are allowed to get anywhere and all restrictions are applied only to connections initiated from the internet (WAN) side.
For your use case (providing internet connectivity to paying customers), you need to be able to restrict also connections initiated by the "LAN" clients, both to the router itself (you don't want your customers to change settings of your router) and to the internet. Whereas there is no difference between clients that have authenticated themselves via your login page and those who haven't when it comes to access to management of the router itself, there is a big difference between these two states when it comes to internet connections: those who have already logged in can get anywhere, including any VPN service, whereas those who haven't logged in can get nowhere at all (except the login page).
Again: in your scenario, there is no need to block "Your Freedom" selectively. Until a client has authenticated himself via your login page, you can block everything except the login page. Once he has authenticated himself, there is no need to block anything for him, as your interest is only to be able to charge a particular customer account for the traffic volume, and you don't care what kind of traffic it is.
Obviously, what currently fails is the part "block everything except the login page".
So as @rextended wrote: post the export of your configuration if you want a working solution. See my automatic signature for a mini-howto.
Re: "Your Freedom" app😡
Posted: Fri Aug 20, 2021 2:22 pm
by pe1chl
> Again: in your scenario, there is no need to block "Your Freedom" selectively. Until a client has authenticated himself via your login page, you can block everything except the login page. Once he has authenticated himself, there is no need to block anything for him, as your interest is only to be able to charge a particular customer account for the traffic volume, and you don't care what kind of traffic it is.
Well, that is not entirely true. In many cases where you want portal detection to work correctly, you need to enable DNS traffic even to unauthenticated users.
So most of these environments have DNS enabled all the time. You need at least to allow DNS towards the DNS servers advertised in the DHCP reply (maybe the router itself, maybe google DNS) so the client device can resolve DNS names outside your network and check the presence of a portal.
Now this opens a gap for a special VPN app that uses only DNS traffic, either to its own servers (you could block that) or to DNS in general.
You would need a quite tricky firewall rule to e.g. limit the number of DNS queries available to unauthenticated users. Not something that a user who needs to ask here is going to be able to create himself.
And indeed, according to their webpage, "your freedom" offers this mode of operation (alongside easily blocked techniques like PPTP).
Re: "Your Freedom" app😡
Posted: Fri Aug 20, 2021 5:00 pm
by sindy
> In many cases where you want portal detection to work correctly, you need to enable DNS traffic even to unauthenticated users.
It depends on the overall environment. In public wireless networks, yes: the client types in any web page address, and to get redirected to the hotspot page, they must first be served a DNS response for that page so that their device would ever send an HTTP request that could be redirected to the hotspot page. Which is an approach that already fails, as browsers remember that particular web pages use https and skip the initial connections to port 80 for these URLs. And in this case, the DNS response must be correct, because the client device caches it, so once it gets past the login phase, it must be able to reach the actual server rather than land at the hotspot page again.
But even in this scenario, there is a way; I just don't want to describe it to all the censors of the world. So @Sahafi2001, if your configuration export confirms that this is actually your issue, we'll have to set up a private communication channel. Same offer to @pe1chl, of course.
Re: "Your Freedom" app😡
Posted: Fri Aug 20, 2021 5:44 pm
by anav
Why the big secret?
If it's a legitimate use of the MT OS, to ensure that any user on your router gets redirected to the hotspot portal, then it should be okay??
My question was: is the OP attempting to do this through the MT-provided hotspot or through some other 3rd-party portal system?
If so, isn't the right response to use the MT-provided portal??
Re: "Your Freedom" app😡
Posted: Fri Aug 20, 2021 5:55 pm
by rextended
@Sahafi2001
Where is Pablo Vidal, your MikroTik Certified Consultant?
Are you on forced leave for Covid?
He was fired?
He has been missing since May 30, 2018....
Re: "Your Freedom" app😡
Posted: Fri Aug 20, 2021 5:56 pm
by sindy
> If so, isn't the right response to use the MT-provided portal??
No, it is not, because as @pe1chl has pointed out, you need to provide DNS service to clients not yet logged in in order for any kind of captive portal to work, be it the MikroTik one or a 3rd-party one.
Re: "Your Freedom" app😡
Posted: Fri Aug 20, 2021 6:00 pm
by anav
> If so, isn't the right response to use the MT-provided portal??
> No, it is not, because as @pe1chl has pointed out, you need to provide DNS service to clients not yet logged in in order for any kind of captive portal to work, be it the MikroTik one or a 3rd-party one.
Hmmm, so someone directly connected to the MT via an access point has to go outside the router (to the internet) to get back to the router???
That is confusing to me; in other words, it's not logical.
The only avenue for external DNS should be via the hotspot portal after connection.
AKA
user/client not signed in ----------> no external DNS ------> go directly to internal hotspot login process (which may or may not include a radius server etc.).
user/client signed in ------------> traffic flow to hotspot (checks if logged in - yes) use DNS allocated to hotspot.
At no point in time should a user ever be allowed to bypass hotspot control and use their own DNS.
Who designed this hotspot anyway LOL (okay, so it boils down to I don't understand networking, but an explanation to see the light would be most appreciated)
Re: "Your Freedom" app😡
Posted: Fri Aug 20, 2021 6:11 pm
by rextended
For all VPNs over ICMP and DNS...
To block ICMP VPNs, just limit all ICMP on the HotSpot client side to 1 per second and drop ICMP with payload over 1500 bytes;
VPN over ICMP is then not impossible, but extremely slow.
To block "port 53" VPNs, redirect all DNS calls to 53 TCP and 53 UDP with NAT to RouterOS, and use RouterOS to resolve the DNS;
any packet that is not DNS is discarded because it is incomprehensible, and VPN over the DNS port is impossible.
OR
Check all traffic directed to port 53 TCP and 53 UDP and DROP anything not matched by this layer 7 matcher, which matches only valid DNS queries:
```
/ip firewall layer7-protocol
add name=prot-dns regexp="^.\?.\?.\?.\?[\\x01\\x02].\?.\?.\?.\?.\?.\?[\\x01-\?][a-z0-9][\\x01-\?a-z]*[\\x02-\\x06]\
[a-z][a-z][a-z]\?[a-z]\?[a-z]\?[a-z]\?[a-z]\?[a-z]\?[a-z]\?[a-z]\?[a-z]\?[a-z]\?[a-z]\?[\\x01-\\x10\\x1C][\\x01-\\x04\\xFF]"
```
Re: "Your Freedom" app😡
Posted: Fri Aug 20, 2021 11:06 pm
by anav
hahah, what does all that code say in plain Italian......... (assuming it's not in the 2021 MT Users Manual for Dummies.)
Re: "Your Freedom" app😡
Posted: Sat Aug 21, 2021 4:01 am
by honeyfairy
> Is there a solution to prevent the "Your Freedom" app from unauthorized access to the internet in my network, through a firewall or something like that, other than using a PPPoE server?
The Freedom app uses DNS as a transport. So block all TCP/UDP port 53, except to 1.1.1.1 and 8.8.8.8.
Re: "Your Freedom" app😡
Posted: Sat Aug 21, 2021 11:02 am
by rextended
> hahah, what does all that code say in plain Italian.........
It is a POSIX regular expression (regex) describing the start of a packet containing a DNS request.
If the packet is not matched, it is not a valid DNS request; it can be a VPN packet, for example...
```
^.?.?.?.?[\x01\x02].?.?.?.?.?.?[\x01-?][a-z0-9][\x01-?a-z]*[\x02-\x06][a-z][a-z][a-z]?[a-z]?[a-z]?[a-z]?[a-z]?[a-z]?[a-z]?[a-z]?[a-z]?[a-z]?[a-z]?[\x01-\x10\x1C][\x01-\x04\xFF]
```
Re: "Your Freedom" app😡
Posted: Sat Aug 21, 2021 11:02 am
by pe1chl
> The Freedom app uses DNS as a transport. So block all TCP/UDP port 53, except to 1.1.1.1 and 8.8.8.8.
Do they use direct DNS traffic to their own servers? Is it only "the use of port 53" or is it real DNS traffic?
Because, it is perfectly possible to use real DNS traffic as a transport protocol and it would also work when you do it via another DNS resolver!
So such blocks will accomplish nothing if they do that.
Re: "Your Freedom" app😡
Posted: Sat Aug 21, 2021 11:05 am
by rextended
If you limit the DNS packet, for example, to max 64 B, and max requests to 1 per second, the VPN is extremely slow...
Just the space for the fake domain name and some extra bytes.
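rextended's DNS-shape check and his 64-byte / one-query-per-second limits, combined into an added Python model (not RouterOS code and not from the thread) so the regex can be tried against sample packets offline. It assumes the layer7 matcher compares against the payload with NUL bytes removed and letters lower-cased, which is the classic l7-filter preprocessing and what the regex's byte layout implies; the packets and the client address are constructed.

```python
import re
import struct

# rextended's regex from this thread, verbatim, as a Python bytes pattern.
# DOTALL lets '.' match 0x0A, as a POSIX regcomp() without REG_NEWLINE does.
DNS_QUERY_RE = re.compile(
    rb"^.?.?.?.?[\x01\x02].?.?.?.?.?.?[\x01-?][a-z0-9][\x01-?a-z]*[\x02-\x06]"
    rb"[a-z][a-z][a-z]?[a-z]?[a-z]?[a-z]?[a-z]?[a-z]?[a-z]?[a-z]?[a-z]?[a-z]?"
    rb"[a-z]?[\x01-\x10\x1C][\x01-\x04\xFF]",
    re.DOTALL,
)
MAX_DNS_BYTES = 64         # cap on one query, from the later post
MIN_QUERY_INTERVAL = 1.0   # seconds; "max request to 1 per second"


def l7_view(payload: bytes) -> bytes:
    """Assumed matcher preprocessing: NUL bytes removed, ASCII lower-cased."""
    return payload.replace(b"\x00", b"").lower()


def looks_like_dns_query(payload: bytes) -> bool:
    """True when the payload starts like a DNS query: ID, flags, one QNAME
    of letters/digits/hyphens, a 2-13 letter TLD, then QTYPE and QCLASS."""
    return DNS_QUERY_RE.match(l7_view(payload)) is not None


def build_query(name: str, qtype: int = 1, txn_id: int = 0x1234) -> bytes:
    """Constructed sample input: a standard recursive query in wire format."""
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split("."))
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


class Port53Policy:
    """Per-client verdict for a packet to port 53: shape, then size, then rate."""

    def __init__(self) -> None:
        self.last_accepted: dict[str, float] = {}

    def verdict(self, client: str, payload: bytes, now: float) -> str:
        if not looks_like_dns_query(payload):
            return "drop:not-dns"      # raw tunnel bytes merely using port 53
        if len(payload) > MAX_DNS_BYTES:
            return "drop:oversized"    # long labels: a query carrying data
        last = self.last_accepted.get(client)
        if last is not None and now - last < MIN_QUERY_INTERVAL:
            return "drop:rate"         # second accepted query within a second
        self.last_accepted[client] = now
        return "accept"


if __name__ == "__main__":
    policy = Port53Policy()
    tls_hello = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"  # constructed
    for t, pkt in [(0.0, build_query("example.com")), (0.2, tls_hello),
                   (0.4, build_query("a" * 50 + ".example.com")),
                   (0.6, build_query("mikrotik.com", 28))]:
        print(t, policy.verdict("10.5.50.2", pkt, t))
```

A well-formed query whose labels carry encoded data still passes the shape check, which is pe1chl's point below; only the size and rate limits slow that case down, by forcing the tunnel to stay inside legitimate query syntax at one short query per second.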
Re: "Your Freedom" app😡 [SOLVED]
Posted: Wed Aug 25, 2021 1:00 pm
by Sahafi2001
Thank you for your efforts and cooperation
I contacted a well-known programmer and he did hack protection; I'm not sure how it works, but I think he blocked ports 80 and 67 and they worked if the hotspot page was logged in.
Re: "Your Freedom" app😡
Posted: Fri Jan 28, 2022 5:00 am
by arkan7rb
> Is there a solution to prevent the "Your Freedom" app from unauthorized access to the internet in my network, through a firewall or something like that, other than using a PPPoE server?
Can you post the solution that your friend has provided you with? Plz