Community discussions
https://forum.mikrotik.com/
/ip firewall filter
add chain=forward action=reject reject-with=tcp-reset protocol=tcp content="Host: www.facebook.com"
You could block by IP, but many sites like youtube have a slew of ip's.
Use the "Content" option in the firewall to filter based on a keyword. "Facebook.com" or "Youtube.com".
You could simply drop the traffic, but the TCP Reset option will immediately dump the client to an error screen, and not just leave the browser retrying the connection over and over.Code: Select all/ip firewall filter add chain=forward action=reject reject-with=tcp-reset protocol=tcp content="Host: www.facebook.com"
I'm confused. Did you solve the problem?Hi, As your comment we can block all in network. As I need I want to block by IP address. Some user I don't allow to access website.
It sounds like piseth168 wants to filter by originating user as well as destination.
So the answer is half the solution needed, and just needs a src-address or src-address-list which covers the machines that you're interested in limiting.
/ ip proxy set enabled=yes
/ ip proxy access add dst-host=facebook.com action=deny
/ ip proxy access add dst-host=*.facebook.com action=deny
/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 src-address-list=webclients action=redirect to-ports=8080 comment=Transparent_web_proxy
/ip firewall address-list add list=webclients address=first_client_ip_address
/ip firewall address-list add list=webclients address=2nd_client_ip_address
/ip firewall address-list add list=webclients address=3rd_client_ip_addressThis solution just gives you a false sense of security. It's too easy to circumvent by going to https://facebook.com (because https is encrypted so you can't read the host headers and it won't get caught).You could block by IP, but many sites like youtube have a slew of ip's.
Use the "Content" option in the firewall to filter based on a keyword. "Facebook.com" or "Youtube.com".
You could simply drop the traffic, but the TCP Reset option will immediately dump the client to an error screen, and not just leave the browser retrying the connection over and over.Code: Select all/ip firewall filter add chain=forward action=reject reject-with=tcp-reset protocol=tcp content="Host: www.facebook.com"
There's always some way around any solution... The most surefire way, then, would be to only allow HTTP traffic through a proxy that you control.This solution just gives you a false sense of security. It's too easy to circumvent by going to https://facebook.com (because https is encrypted so you can't read the host headers and it won't get caught).You could block by IP, but many sites like youtube have a slew of ip's.
Use the "Content" option in the firewall to filter based on a keyword. "Facebook.com" or "Youtube.com".
You could simply drop the traffic, but the TCP Reset option will immediately dump the client to an error screen, and not just leave the browser retrying the connection over and over.Code: Select all/ip firewall filter add chain=forward action=reject reject-with=tcp-reset protocol=tcp content="Host: www.facebook.com"
The best way to do this with mikrotik is to block based on content to port 53udp (DNS), this way it can't even look it up. you should also transparently reroute all dns traffic to the mikrotik, so users can't use their own dns settings and get around it.
Of course, they could edit their host file and still get to facebook. This is one bad limitation of mikrotik that cisco can easily do. Mikrotik can't firewall based on url, but cisco can. That would be great if it could!!!!
Otherwise, it's impossible to block websites because of the https issue.
That is a HORRIBLE thing to do. You will end up blocking LOTS of other websites! (I just tried it, and several websites that have a facebook button on them would not load, or woud halfway load). Any website that has facebook code built in ("like us on facebook, etc"). Those pages will load until they get to the facebook code, then they will hang while waiting for facebook to build the "like" link.Try with Layer 7 protocol
^.+(facebook.com).*$
it works for both http/https
Actually this way worked for me....https traffic delivers an unreachable error while my squid handles the http part with a nice connection failed messageThis solution just gives you a false sense of security. It's too easy to circumvent by going to https://facebook.com (because https is encrypted so you can't read the host headers and it won't get caught).You could block by IP, but many sites like youtube have a slew of ip's.
Use the "Content" option in the firewall to filter based on a keyword. "Facebook.com" or "Youtube.com".
You could simply drop the traffic, but the TCP Reset option will immediately dump the client to an error screen, and not just leave the browser retrying the connection over and over.Code: Select all/ip firewall filter add chain=forward action=reject reject-with=tcp-reset protocol=tcp content="Host: www.facebook.com"
The best way to do this with mikrotik is to block based on content to port 53udp (DNS), this way it can't even look it up. you should also transparently reroute all dns traffic to the mikrotik, so users can't use their own dns settings and get around it.
Of course, they could edit their host file and still get to facebook. This is one bad limitation of mikrotik that cisco can easily do. Mikrotik can't firewall based on url, but cisco can. That would be great if it could!!!!
Otherwise, it's impossible to block websites because of the https issue.
Guys, any news on the topic? Maybe there's already a Feature Request for the firewall based url content filtering?This is one bad limitation of mikrotik that cisco can easily do. Mikrotik can't firewall based on url, but cisco can. That would be great if it could!!!!