NotAdad
just joined
Topic Author
Posts: 22
Joined: Sat Jan 09, 2021 10:25 pm

My config isn't properly working :(

Fri Mar 25, 2022 3:48 pm

I want to completely deny access to the internet for certain devices.
However, RouterOS doesn't block certain websites, such as YouTube, Facebook, Google, and so on.
And some websites it blocks fine.

And let me say this again: I'm trying to block access to the internet completely, not just certain websites...
Take a look at the config and see what's wrong; I'm all out of ideas...

Edit: I just wanted to add that it worked initially when I first set it up, but after a reboot it stopped working.
 
k6ccc
Forum Guru
Posts: 1586
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: My config isn't properly working :(

Fri Mar 25, 2022 4:25 pm

The only thing you are blocking is the two devices on the My Stuff address list (192.168.1.3 & 192.168.1.10); and whatever roblox is (never heard of that). If those are the two IPs you are trying to block, they should not be getting to anything that passes through the router. You do not have a "Drop everything" at the end of the Forward chain, so anything that gets to the end of the Forward chain will by default be accepted. You have a somewhat disjointed collection of accept and drop rules. General recommendation is to specifically accept what you want and then have a drop everything rule at the end of the chain. Yes, even with that concept there can be specific blocks that are needed.
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: My config isn't properly working :(

Fri Mar 25, 2022 4:41 pm

Firewall rules fixed up......
ORDER IS IMPORTANT!!! (within a chain).

First get rid of your raw rules.........
/ip firewall raw
add action=drop chain=prerouting comment="Test block 192.168.1.3" disabled=\
yes src-address=192.168.1.3
add action=drop chain=prerouting comment="Block Zile" disabled=yes \
src-address-list=zile


This rule has been removed because its purpose is unknown. Unless it's for a service that exists on the MT, it's misguided..........
add action=accept chain=input comment="defconf: accept LMT provisioning" \
dst-port=8081 protocol=tcp src-address=212.93.97.83


EDIT: Okay, so this is for some ACS service and you are using TR069??? Okay, but I thought it was for HTTPS; as far as I know 8081 is not an HTTPS port????

I took out the roblox rule there, but I'm not sure what it does...... or even if the Forward chain is the right spot for this rule. Nothing is going to hit your LAN from port 80 or 443 unless you let it!
add action=drop chain=forward comment="block roblox" dst-port=80,443 \
layer7-protocol=Roblox protocol=tcp


/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment="allow internet traffic" { added rule }
add action=accept chain=forward connection-nat-state=dstnat comment="allow port forwarding" { modified }
add action=drop chain=forward comment="drop all else" { added rule }

THEN test your traffic and report back.

Now, to block 192.168.1.3 from the internet, simply do this!!! Which amounts to blocking specific user(s)' access JUST BEFORE allowing everyone else access to the internet!!

add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid

add action=drop chain=forward src-address=192.168.1.3 out-interface-list=WAN comment="drop userX from internet access"
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment="allow internet traffic"
add action=accept chain=forward connection-nat-state=dstnat comment="allow port forwarding" { modified }


If you have a number of IPs that you wish to prevent from accessing the internet, then make up a firewall address list and call it NoInternet.
Then the rule would be:
add action=drop chain=forward src-address-list=NoInternet out-interface-list=WAN comment="drop NoInternet from internet access"
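As an added illustration (not code from the thread or from MikroTik), here is a small Python first-match evaluator for the forward chain anav laid out, using a simplified rule syntax and a constructed NoInternet list. It shows that the per-host drop only works when placed before the general LAN-to-WAN allow, that a chain without a final drop accepts by default, and that a connection a listed host already had open keeps passing the "accept established" rule that sits above the drop.

```python
import shlex

# Constructed address list standing in for the thread's "NoInternet" list.
ADDRESS_LISTS = {"NoInternet": {"192.168.1.3", "192.168.1.10"}}
# RouterOS matcher name -> field of our simplified packet dict.
FIELDS = {"in-interface-list": "in", "out-interface-list": "out",
          "connection-state": "state", "connection-nat-state": "nat"}

def parse_rule(line):
    """Turn 'add action=drop chain=forward src-address=...' into a dict."""
    return dict(p.split("=", 1) for p in shlex.split(line)[1:])

def matches(rule, pkt):
    """True when every matcher in the rule applies to the packet."""
    for key, want in rule.items():
        if key in ("action", "chain", "comment"):
            continue
        if key == "src-address":
            ok = pkt["src"] == want
        elif key == "src-address-list":
            ok = pkt["src"] in ADDRESS_LISTS.get(want, set())
        elif key in FIELDS:
            ok = pkt.get(FIELDS[key]) in want.split(",")
        else:
            raise ValueError(f"unsupported matcher {key}")
        if not ok:
            return False
    return True

def evaluate(rules, pkt, chain="forward"):
    """First matching rule decides; falling off the chain means RouterOS accepts."""
    for rule in rules:
        if rule["chain"] == chain and matches(rule, pkt):
            return rule["action"]
    return "accept"

# Forward chain as anav ordered it: per-host drop just before the general
# LAN->WAN allow, then an explicit drop-all so nothing falls off the chain.
RIGHT_ORDER = [parse_rule(l) for l in (
    'add action=accept chain=forward connection-state=established,related,untracked comment="accept established"',
    'add action=drop chain=forward src-address-list=NoInternet out-interface-list=WAN comment="drop NoInternet"',
    'add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment="allow internet traffic"',
    'add action=drop chain=forward comment="drop all else"',
)]
# Same rules with the per-host drop placed after the general allow: it never fires.
WRONG_ORDER = [RIGHT_ORDER[0], RIGHT_ORDER[2], RIGHT_ORDER[1], RIGHT_ORDER[3]]
# Constructed packets; an already-established flow keeps passing the accept rule above the drop.
NEW_FROM_BLOCKED = {"src": "192.168.1.3", "in": "LAN", "out": "WAN", "state": "new"}
OLD_FROM_BLOCKED = {"src": "192.168.1.3", "in": "LAN", "out": "WAN", "state": "established"}
NEW_FROM_OTHER = {"src": "192.168.1.50", "in": "LAN", "out": "WAN", "state": "new"}
INBOUND_NEW = {"src": "203.0.113.9", "in": "WAN", "out": "LAN", "state": "new"}
```

On a real router the established flow is cut by removing its entry from /ip firewall connection, after which its next packet is evaluated as new and hits the drop.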