Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
U
U
username2016-01-11 09:13:37
Mikrotik
username, 2016-01-11 09:13:37

How to restrict access to all sites on Microtik RB951G, except for a specific list?

There is a piece of iron Microtik RB951G.
The task is to open access to a certain list of sites, to block everything else.
How to implement this using RouterOS?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

6 answer(s)
Report
M
Maksim, 2016-01-11
@chumayu

Well, I think there are a lot of options, but I would do this: 1. I
canceled the main routing rule on Mikrotik (i.e. turn off the 0.0.0.0/0 rule)
2. Register only those routes that you need.
The method is basically clumsy but it works.

Report
T
Taras M, 2016-01-11
@kalduntus

Hmm, add a nat/or out prohibition rule to the farwall for a list of addresses, for example, allow-sites with the label ! (except) and all.
add allowed ones to the list, there is no load on the percentage, everything works? but add only ip
or use the banned list, but it's more difficult, plus there will be a lot of routine work. well, or use layer 7, and play, mikrotik can do anything

Report
P
paxlo, 2016-01-21
@paxlo

For example like this:

/ip firewall layer7-protocol
add name=ya regexp="^.*(ya.ru|yandex.ru).*\$"
add name=all-websites regexp="^.+(.).*\$"
/ip firewall filter
add chain=forward dst-port=80,443 layer7-protocol=ya protocol=tcp
add action=reject chain=forward dst-port=80,443 layer7-protocol=all-websites protocol=tcp reject-with=tcp-reset

Pay attention to the position of these rules in the general chain of rules. Those. these deny rules must come BEFORE the allow rules. Use place-before.

Report
F
Fumoffu, 2016-01-11
@Fumo

Raise the proxy on the router itself, since RouterOS allows it.

Report
S
shaazz, 2016-01-12
@shaazz

As you know, the Firewall list is processed from top to bottom. Therefore, for the desired network, add line-by-line accept on top for all sites from the white list (content="site_from_white_list.com") and, at the end of this list, for the rest tcp 80,443 action=reject reject-with=tcp-reset
True, through winbox it is inconvenient view such a list.

Report
A
Alexander Romanov, 2016-01-17
@moneron89

And why not use a transparent proxy (the easiest way). And the second one is not much more difficult - create a list in the address list with ip of allowed sites, and add /ip firewall filter add chain=forward dst-address-list=!allowed action=drop in the firewall and raise it higher. And the firewall will be more convenient to read, and the load on the percent will hardly increase (it will not drive the packet according to all the rules for a dst-ip match), and you can sign comments everywhere.
And incomparable scripting in Mikrotik allows you to do everything that is difficult to implement in ROS. For example: habrahabr.ru/post/242143/. Take it as a basis, finish it for yourself.

Similar questions
R
romli2016-09-29 04:42:54
VPN on Mikrotik, how to disable internal resources? 2Reply
S
Systemshik2019-03-01 15:01:33
How to block Fortnite servers on Mikrotik? 5Reply
D
Dmitry2019-03-04 03:48:23
Are you using METRouter? 1Reply
I
Igor Krivintsov2020-11-28 20:11:40
Why does GateWay disappear from the Route List table? 0Reply
D
DenZel2016-10-08 12:28:57
Building a Wi-Fi network using Mikrotik equipment to organize access for 1000 clients when organizing a festival? 2Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question