network hardware
Cyril, 2017-05-10 15:36:38

How to add a site to an exception on Mikrotik?

For the Mikrotik office, I block all connections on ports 80 and 443, and pass all traffic through a proxy server. That is, any site is only accessible through a proxy.

But an exception had to be made. One site needs to be directly accessible, not through a proxy.

Blocking rules for ports 80 and 443 are standard:

add action=reject chain=forward dst-address=0.0.0.0/0 dst-port=80 \
    in-interface=ether1 protocol=tcp reject-with=\
    icmp-network-unreachable src-address-list=no_http

add action=reject chain=forward dst-address=0.0.0.0/0 dst-port=443 \
    in-interface=ether1 protocol=tcp reject-with=\
    icmp-protocol-unreachable src-address-list=no_http


For everyone in the no_http list, traffic on ports 80 and 443 is cut.

How do I add an exception to such a rule? For example, so that only one single site, say vk.com, is available on port 443, and all other traffic on ports 443 and 80 is cut.


2 answer(s)
iilin, 2017-05-10
@iilin

Mikrotik does not know how to use DNS names in the firewall.
Create an IP address list with the exceptions and correct the rule:
dst-address-list=!http

Gregory, 2017-05-13
@Maxlinus

Starting from version v6.36, you can add domain names to address lists!
*) firewall - allow to add domain name to address-lists (dynamic entries for resolved addresses will be added to specified list);
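
The two answers combined, as an added example that is not part of either answer: a domain-name entry in an exception list (RouterOS v6.36 or later) and the question's port 443 rule with the negated destination list. The list name `http` is taken from the first answer and vk.com from the question; the comment text is constructed.

```routeros
# Constructed example, not from the original posts.
# Assumes RouterOS v6.36 or later (domain names in address lists).

# 1. Exception list. The router resolves the name itself and adds the
#    resolved addresses to the same list as dynamic entries.
/ip firewall address-list
add list=http address=vk.com comment="direct access on 443, bypasses proxy"

# 2. Port 443 reject rule from the question with dst-address-list=!http
#    added, so it skips destinations in the exception list.
#    This replaces the original 443 rule: if the original stays above it
#    in the forward chain, it still matches first and rejects the traffic.
#    dst-address=0.0.0.0/0 is dropped because it matches everything anyway.
#    The port 80 rule stays exactly as in the question, so port 80 remains
#    closed for everyone in no_http, including towards the excepted site.
/ip firewall filter
add action=reject chain=forward dst-port=443 in-interface=ether1 \
    protocol=tcp reject-with=icmp-protocol-unreachable \
    src-address-list=no_http dst-address-list=!http

# 3. Check which addresses the name resolved to.
/ip firewall address-list print where list=http
```

The match is still by IP address: clients that resolve the name to addresses the router did not get will be rejected, and any other site served from the listed addresses becomes directly reachable on port 443 as well.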
