Kenny00, 2019-03-28 15:30:45
Windows

How to allow only Windows Update via MikroTik for Windows 10?

There is a computer that is not in the domain and is considered a guest; it stands on its own. It broke, and they just brought in another one.
The only thing in the room is a MikroTik 951G-2HnD, which is responsible for the Internet.
The task is to block all traffic except Windows Update and https://my.site.ru/
A regular expression on L7 can't work with the scheme "everything except the expression".

^.+(http://windowsupdate.microsoft.com|http://.*\.windowsupdate.microsoft.com|https://.*\.windowsupdate.microsoft.com|http://.*\.update.microsoft.com|https://.*\.update.microsoft.com|http://.*\.windowsupdate.com|http://download.windowsupdate.com|http://download.microsoft.com|http://.*\.download.windowsupdate.com|https://.*my.site.ru).*$

How can this be solved? Without a proxy. And if with a proxy, then one that doesn't have to be configured on Windows.
Block all forward traffic and allow only the regex.

5 answers
Kirill Vasiliev, 2019-04-04
@Kenny00

Yes, dynamic names are a nuisance like that; in your case I would do the following.
Bring up the proxy server on the MikroTik (it is included out of the box),
in the firewall block all traffic from this machine to the Internet (forward chain),
in the firewall block access to the proxy for everyone except this host (input chain).
On the host I would explicitly configure it to use the proxy server.
The proxy would be configured along these lines:

/ip proxy access
add dst-host=*.windowsupdate.com action=allow
add dst-host=*.update.microsoft.com action=allow
add dst-host=*.windowsupdate.microsoft.com action=allow
add dst-host=my.site.ru action=allow
add action=deny comment="deny everything not listed above"

What you need is a job for a proxy server, not for a router.
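The complete RouterOS configuration for the proxy approach described in this answer, as an added example that is not part of the original answer. Assumed values: the guest PC has the address 192.168.88.50, the router's LAN address is 192.168.88.1, the built-in web proxy listens on TCP 8080, and the permitted hosts are the ones from the question.

```routeros
# Added example (not from the original answer). Assumptions: guest PC = 192.168.88.50,
# router LAN address = 192.168.88.1, proxy port = 8080, allowed hosts taken from the question.

# 1. Enable the built-in web proxy.
/ip proxy
set enabled=yes port=8080

# 2. Proxy ACL: allow only Windows Update hosts and the internal site, deny the rest.
#    dst-host is matched against the Host header (HTTP) or the CONNECT target (HTTPS),
#    so HTTPS sites are filtered by name without decrypting anything.
/ip proxy access
add dst-host=windowsupdate.microsoft.com action=allow
add dst-host=*.windowsupdate.microsoft.com action=allow
add dst-host=*.update.microsoft.com action=allow
add dst-host=*.windowsupdate.com action=allow
add dst-host=download.microsoft.com action=allow
add dst-host=my.site.ru action=allow
add action=deny comment="everything else is refused by the proxy"

# 3. Forward chain: the guest must not reach the Internet directly at all.
#    The proxy resolves names itself, so the guest needs no DNS through the router.
/ip firewall filter
add chain=forward src-address=192.168.88.50 action=drop comment="guest: no direct Internet"

# 4. Input chain: only the guest may talk to the proxy; everyone else is dropped.
add chain=input protocol=tcp dst-port=8080 src-address=192.168.88.50 action=accept comment="guest -> proxy"
add chain=input protocol=tcp dst-port=8080 action=drop comment="nobody else may use the proxy"
```

Two practical points. First, RouterOS evaluates filter rules top to bottom, so if your forward chain already contains a blanket accept for the LAN, move the guest's drop rule above it (Winbox drag-and-drop or `move`), otherwise it never matches. Second, on the Windows side the Internet Options proxy only covers the user's browser; Windows Update runs as a system service and uses the WinHTTP proxy, so set that one explicitly (`netsh winhttp set proxy proxy-server="192.168.88.1:8080"`) and then verify that a plain `ping 8.8.8.8` from the guest fails while Windows Update still finds updates.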

Ziptar, 2019-03-28
@Ziptar

"A regular expression on L7 can't work with the scheme 'everything except the expression'."

- Use mangle to mark the connections that correspond to this computer's attempts to connect to the Windows Update servers and the desired site, in prerouting or in forward, with passthrough unchecked.
- In the firewall on forward, allow the connections marked that way and deny everything else for this computer (don't forget to allow DNS and NTP, of course).

poisons, 2019-03-28
@poisons

"A regular expression on L7 can't work with the scheme 'everything except the expression'."

Shield?
One rule:
/ip firewall layer7-protocol add name=wu-allow regexp="<the regex from the question>"
/ip firewall filter add chain=forward src-address=<guest IP> layer7-protocol=!wu-allow action=drop
i.e. drop everything that does not match the L7 pattern.

Diman89, 2019-03-29
@Diman89

Is a firewall on the PC itself not an option?

rionnagel, 2019-03-29
@rionnagel

For some time now the address list under IP > Firewall > Address Lists has understood DNS names and dynamically adds or removes the IP addresses when they change. On L7 you won't whitelist anything, since the traffic is HTTPS and the header is encrypted. In the rule that allows access to the Internet there is a dst. address list on the Advanced tab, for example. If the CPU gets loaded heavily, add packet marking as described above.
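The address-list approach from this answer, combined with the mangle connection-marking that Ziptar's answer above describes, as an added example that is not part of either original answer. Assumed values: the guest PC is 192.168.88.50, the list is named wu-allow, the connection mark is named guest-wu, and the host names are the concrete (non-wildcard) ones from the question.

```routeros
# Added example (not from the original answers). Assumptions: guest PC = 192.168.88.50,
# address list "wu-allow", connection mark "guest-wu", hosts taken from the question.

# 1. Address-list entries given as DNS names. RouterOS resolves them and refreshes the
#    resolved addresses as dynamic entries when the DNS answer changes.
#    Wildcards such as *.windowsupdate.com are NOT accepted here; only concrete names.
/ip firewall address-list
add list=wu-allow address=windowsupdate.microsoft.com
add list=wu-allow address=download.windowsupdate.com
add list=wu-allow address=download.microsoft.com
add list=wu-allow address=my.site.ru

# 2. Optional, for CPU relief: mark the connection once, on its first packet, so that
#    later packets are matched on the connection mark instead of the address list.
#    passthrough=no stops further mangle processing for the packet that matched.
/ip firewall mangle
add chain=prerouting src-address=192.168.88.50 dst-address-list=wu-allow \
    connection-state=new action=mark-connection new-connection-mark=guest-wu passthrough=no

# 3. Forward chain for the guest: allow marked connections, allow the list directly
#    (works even without the mangle rule), allow DNS and NTP, drop everything else.
/ip firewall filter
add chain=forward src-address=192.168.88.50 connection-mark=guest-wu action=accept \
    comment="guest: Windows Update + my.site.ru (marked)"
add chain=forward src-address=192.168.88.50 dst-address-list=wu-allow action=accept \
    comment="guest: Windows Update + my.site.ru (unmarked fallback)"
add chain=forward src-address=192.168.88.50 protocol=udp dst-port=53,123 action=accept \
    comment="guest: DNS and NTP"
add chain=forward src-address=192.168.88.50 action=drop comment="guest: everything else"
```

Before relying on this, open `/ip firewall address-list print` and confirm that dynamic entries with resolved addresses have appeared under wu-allow; a name the router cannot resolve simply produces no entry and silently leaves that host blocked. The rules must sit above any blanket accept in the forward chain. The limitation to watch is in step 1: the question's regex used wildcard patterns, and the address list cannot express those, so the CDN hosts that Windows Update actually downloads from have to be enumerated by name, which makes this approach more brittle than the proxy-based one.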
