yudigadget
Frequent Visitor
Topic Author
Posts: 60
Joined: Fri Mar 23, 2007 1:09 pm

How to limit some users to some IP (website, IM, etc)?

Thu Sep 11, 2008 10:02 am

For example, you have 3 divisions in an office: Accounting, HRD and Management

How to limit access of Accounting division:
- IP of government bank (to check foreign exchange rate)
- other specific accounting related website

Then HRD:
- Yahoo! Messenger
- MSN Messenger
- Human Resources Recruitment website

And last Management:
They can access any website, ym, im, etc


I think I must play with IP - Firewall Filter, address list and scheduler.

Scheduler -> Address List: (example for accounting division)
{
    :foreach i in=[/ip dns cache find] do={
        :if ([:find [/ip dns cache get $i name] "xe.com"] > 0) do={
            :log info ("xe.com: " . [/ip dns cache get $i name] . " (ip address " . [/ip dns cache get $i address] . ")")
            /ip firewall address-list add address=[/ip dns cache get $i address] list=list_Accounting disabled=no comment="www.xe.com"
        }
    }
}

{
    :foreach i in=[/ip dns cache find] do={
        :if ([:find [/ip dns cache get $i name] "bi.go.id"] > 0) do={
            :log info ("bi.go.id: " . [/ip dns cache get $i name] . " (ip address " . [/ip dns cache get $i address] . ")")
            /ip firewall address-list add address=[/ip dns cache get $i address] list=list_Accounting disabled=no comment="www.bi.go.id"
        }
    }
}

etc (for HRD division and management)

Now, how do I create the filter so that the Accounting division can only access that address list (list_Accounting), HRD only list_HRD, and Management is allowed everything?

NB: I think it cannot be done with web proxy. I already set allow for some IPs and deny for the others... but the users can still access Yahoo Messenger, mIRC, Skype, MSN, etc.
I think I know why: because I only set:
3 chain=dstnat in-interface=local src-address=172.16.0.0/16 protocol=tcp
dst-port=80 action=redirect to-ports=3128

4 chain=dstnat in-interface=local src-address=172.16.0.0/16 protocol=tcp
dst-port=3128 action=redirect to-ports=3128
So they can run other software on other ports and get connected to the internet.

Please help me, thanks a lot! Thanks for providing example code, because I have already tested many filter tricks but had no luck!!
 
yudigadget
Frequent Visitor
Topic Author
Posts: 60
Joined: Fri Mar 23, 2007 1:09 pm

Re: How to limit some users to some IP (website, IM, etc)?

Fri Sep 12, 2008 4:37 am

No help? Come on... it should be an easy question for you guys... please share your knowledge.
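The per-division filter the first post asks about, sketched as an added example that is not part of the original thread. It assumes each division sits in its own subnet (the three ranges below are placeholders; the thread only gives 172.16.0.0/16), that list_HRD is filled the same way as list_Accounting, and that clients resolve names through the router, which is what populates /ip dns cache in the first place.

```routeros
# Added example, not from the thread. The subnets and the src_* list names
# are placeholders chosen for illustration.
/ip firewall address-list
add list=src_Accounting address=172.16.10.0/24 comment="placeholder subnet"
add list=src_HRD address=172.16.20.0/24 comment="placeholder subnet"
add list=src_Management address=172.16.30.0/24 comment="placeholder subnet"

/ip firewall filter
# Replies belonging to connections that were already permitted.
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept

# Accounting: only destinations the scheduler script put in list_Accounting.
add chain=forward in-interface=local src-address-list=src_Accounting \
    dst-address-list=list_Accounting action=accept

# HRD: only destinations in list_HRD (messenger and recruitment hosts).
add chain=forward in-interface=local src-address-list=src_HRD \
    dst-address-list=list_HRD action=accept

# Management: no destination restriction.
add chain=forward in-interface=local src-address-list=src_Management \
    action=accept

# Default deny: anything from the LAN that no rule above accepted is dropped,
# whatever port or protocol it uses.
add chain=forward in-interface=local action=drop \
    comment="default deny for LAN clients"

# DNS needs no forward rule under the stated assumption: queries addressed
# to the router itself are handled in the input chain, not forward.
```

Rule order matters here: the final drop must stay last. The port 80 redirect quoted in the first post delivers HTTP to the proxy on the router itself, so that traffic never reaches the forward chain and still has to be restricted in the proxy's own access rules.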