Answer the question
In order to leave comments, you need to log in
How to restrict access to all sites on Microtik RB951G, except for a specific list?
There is a piece of iron Microtik RB951G.
The task is to open access to a certain list of sites, to block everything else.
How to implement this using RouterOS?
Answer the question
In order to leave comments, you need to log in
Well, I think there are a lot of options, but I would do this: 1. I
canceled the main routing rule on Mikrotik (i.e. turn off the 0.0.0.0/0 rule)
2. Register only those routes that you need.
The method is basically clumsy but it works.
Hmm, add a nat/or out prohibition rule to the farwall for a list of addresses, for example, allow-sites with the label ! (except) and all.
add allowed ones to the list, there is no load on the percentage, everything works? but add only ip
or use the banned list, but it's more difficult, plus there will be a lot of routine work. well, or use layer 7, and play, mikrotik can do anything
For example like this:
/ip firewall layer7-protocol
add name=ya regexp="^.*(ya.ru|yandex.ru).*\$"
add name=all-websites regexp="^.+(.).*\$"
/ip firewall filter
add chain=forward dst-port=80,443 layer7-protocol=ya protocol=tcp
add action=reject chain=forward dst-port=80,443 layer7-protocol=all-websites protocol=tcp reject-with=tcp-reset
As you know, the Firewall list is processed from top to bottom. Therefore, for the desired network, add line-by-line accept on top for all sites from the white list (content="site_from_white_list.com") and, at the end of this list, for the rest tcp 80,443 action=reject reject-with=tcp-reset
True, through winbox it is inconvenient view such a list.
And why not use a transparent proxy (the easiest way). And the second one is not much more difficult - create a list in the address list with ip of allowed sites, and add /ip firewall filter add chain=forward dst-address-list=!allowed action=drop in the firewall and raise it higher. And the firewall will be more convenient to read, and the load on the percent will hardly increase (it will not drive the packet according to all the rules for a dst-ip match), and you can sign comments everywhere.
And incomparable scripting in Mikrotik allows you to do everything that is difficult to implement in ROS. For example: habrahabr.ru/post/242143/. Take it as a basis, finish it for yourself.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question