
Blocking facebook, or youtube?

Posted: Sun Jun 21, 2015 5:39 pm
by jozsi777
Hello everyone, I bought a MikroTik hAP lite router, and with that I tried to block some sites, but unfortunately it failed.

I watched some tutorials, videos about layer 7 block, or creating a new firewall rule with action drop etc... but it failed again.

So please help me block sites like Facebook, Twitter, or YouTube. I hope I can get some working solutions, or if you can, please post a working tutorial here. Thanks.

Re: Blocking facebook, or youtube?

Posted: Sun Jun 21, 2015 5:50 pm
by boen_robot
The problem with all of those is that they're HTTPS sites, not HTTP ones. With HTTPS sites, you can't inspect anything that's part of the request, and the domain itself is part of the request.

There are only two ways to block HTTPS sites:
1. Drop the DNS query for the domain or return a DNS reply that points to a different web server (that you control).

This works for the vast majority of users, but there's a workaround (that only power users know) - one can edit their "hosts" file to include the real IP of the blocked site. That way, no DNS query is made, and yet the blocked site is connected with the domain supplied in the request.

To redirect to a different IP, simply add an item in "/ip dns static".

2. Block the set of IPs where the site is hosted.

There's no workaround for this one, but it has its own problem - many big corporations (notably Google) share the same IPs for all of their sites, so if you decide to block YouTube by blocking its IPs, you're also implicitly blocking Google Drive and other Google services (I think only Google search is on its own dedicated set of IPs...). While I haven't personally made any tests in this regard, I wouldn't be surprised if in a similar fashion, blocking Facebook also blocks Instagram.

To block a set of IPs, you'd use the firewall filter.

Re: Blocking facebook, or youtube?

Posted: Sun Jun 21, 2015 8:21 pm
by jozsi777
Thanks. And with HTTP sites? Does this layer 7 blocking method work? How and what do I need to configure? Can you post a tutorial or screenshots of its steps?
Thanks

Re: Blocking facebook, or youtube?

Posted: Sun Jun 21, 2015 8:42 pm
by boen_robot
Yes, layer7 is one way with HTTP sites. A better way for the typical case is with HTTP proxy. See this manual page for details on it.

To ensure everyone uses it regardless of the proxy settings on their device, you just redirect all port 80 traffic to the proxy port (via firewall NAT).

Layer7 can work regardless of the HTTP port, but is far less efficient. Unless the HTTP site you're trying to block uses a non-standard HTTP port, you should stick to proxy.

Re: Blocking facebook, or youtube?

Posted: Sun Jun 21, 2015 10:09 pm
by jozsi777
Thanks. It's very strange. I tried layer 7 for Facebook and it worked. How? But a few hours ago it failed. Maybe the problem was that the rule was not in the first place.

Re: Blocking facebook, or youtube?

Posted: Sun Jun 21, 2015 10:28 pm
by boen_robot
No. The problem is the browser's cache.

The first time you access Facebook, you access it over HTTP, which then does a "permanent" redirect to HTTPS.

Next time, the browser sees that there was a "permanent" redirect, meaning it decides not to visit the HTTP page, but go directly to the HTTPS one.

However, if you directly type out the HTTP URL (with the scheme), you go there in spite of the redirect. The result is that blocking might appear inconsistent, as you're seeing. If you clear your browser cache NOW (with the filter in place), you won't get to Facebook, except through Google, which links to the HTTPS home page directly (skipping the redirect altogether).

Re: Blocking facebook, or youtube?

Posted: Sun Jun 21, 2015 10:43 pm
by jozsi777
No, you are not right. I cleared my browser's cache, and after that tried Facebook; even with the HTTPS method, even through Google, all three of them failed. I also checked with another browser and it still failed to load the page (Facebook). I can send you pictures:

Image

Image

Image

Re: Blocking facebook, or youtube?

Posted: Sun Jun 21, 2015 10:57 pm
by boen_robot
Ah. I see your layer7 filter is too broad.

The reason this works is that your layer7 rule matches the contents of the DNS packet (same as in the 1st HTTPS solution), so it blocks those, in turn rendering the site blocked... And it should also block any HTTP page that mentions "facebook.com" within its first 2KB of content (including HTTP headers!), or block logins to FTP sites where you have a file containing the name "facebook.com" within your root folder, etc.

If you were to instead match "Host: facebook.com", the rule would not work through Google's HTTPS links.


To double check that yourself, disable the filter for a moment, go to facebook.com, check out your router's DNS cache (in "/ip dns cache"), and add to your "hosts" file the IP of facebook.com. Then reenable the rule, clear your browser cache, and see how the HTTPS links now "magically" work again, despite the rule (because no DNS query is performed now).
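
The over-matching described in the post above, as an added example that is not part of the original thread: a Python sketch that applies a broad `facebook.com` pattern and a `Host:` pattern to constructed payloads, inspecting only the first 2 KB as the post states. Python's `re` stands in for the router's layer7 matcher, and both patterns and all sample packets are assumptions.

```python
import re
import struct

L7_WINDOW = 2048  # the post says the rule sees the first 2KB of content
BROAD = rb"facebook.com"         # assumed broad pattern ("." matches any byte)
HOST = rb"Host: facebook\.com"   # assumed narrower pattern from the post

def dns_query(name, qid=0x1234):
    """Constructed DNS A query in RFC 1035 wire format (length-prefixed labels)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def l7_match(pattern, payload):
    """True if the pattern occurs within the inspected window of the payload."""
    return re.search(pattern, payload[:L7_WINDOW], re.DOTALL) is not None

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "dns_query": dns_query("facebook.com"),
    "http_to_facebook": b"GET / HTTP/1.1\r\nHost: facebook.com\r\n\r\n",
    "other_site_page": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                       b'<a href="http://facebook.com/share">Share</a>',
    "mention_after_2kb": b"HTTP/1.1 200 OK\r\n\r\n" + b"x" * 3000 + b"facebook.com",
}

def evaluate():
    """Map each sample name to (broad_hit, host_hit)."""
    return {name: (l7_match(BROAD, data), l7_match(HOST, data))
            for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, (broad, host) in evaluate().items():
        print(f"{name:18} broad={broad!s:5} host={host}")
```

The broad pattern hits the DNS query because the unescaped `.` matches the label-length byte (`\x03`) that precedes `com` on the wire, and it also hits an unrelated page that merely links to the domain. The `Host:` pattern hits only the plain HTTP request.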

Re: Blocking facebook, or youtube?

Posted: Sun Jun 21, 2015 11:04 pm
by jozsi777
I'm happy that it's working. I'm really new to MikroTik but I love these options, so I'm planning to go deep into it. But for a start it's enough for me. Thanks for helping.

Re: Blocking facebook, or youtube?

Posted: Mon Jun 22, 2015 12:54 am
by deanMKD1
Hi to all..

I tried this tutorial to block torrent sites, but it's not working at all. When I try to open the site, it opens without a problem.

http://mikrotikinfo.weebly.com/home/blo ... -downloads

Please tell me what is wrong with this. Please note that I modified the regexp for a site that is not HTTPS. For example, zamunda is HTTP, not HTTPS, but it is still not blocked when I set the Layer7 filter and firewall rules.

Re: Blocking facebook, or youtube?

Posted: Mon Jun 22, 2015 12:42 pm
by jozsi777
Try my method, it should work. Just copy the regexp and change the domain to "thepiratebay" without the quotes. After that, make sure that the new filter rule is in the top place.

Re: Blocking facebook, or youtube?

Posted: Fri Jan 08, 2016 7:57 pm
by Teno
Hello, can you post the regexp in clear text? I cannot see it very clearly in the picture!

Thanks!

Re: Blocking facebook, or youtube?

Posted: Fri Jan 08, 2016 8:16 pm
by ZeroByte
Block torrents like this guy:
http://forum.mikrotik.com/viewtopic.php?t=73462
(read through the thread - the solution got tweaked a little)