Answer the question
In order to leave comments, you need to log in
Is it possible to completely block access to social networks using Mikrotik?
Hello! The situation is as follows: we have a microt as a router and several access points. Is it possible to somehow completely cover access to social networks on microte? At the moment, this is implemented as follows: a rule has been created in the firewall that drops all packets going to addresses from the "black" list for all users. BUT in applications on mobile devices, the packages go. Can this matter be somehow corrected? Thank you in advance.
Answer the question
In order to leave comments, you need to log in
Completely - no. Because there are hundreds of "gateways" for social networks that redirect traffic. You need a proxy with bumping, you need to configure the entire network so that everyone goes only through it and a couple of demonstrative issuances of people that will not go.
In general, as always - if you solve the administrative and technical problem in only one way - you get exactly what you get - half the solution :)
Well, mobile versions of social networks probably just hang on other IPs or APIs for mobile applications
for teamviewer, ammy and other bans I use this rule, maybe you can also block some social networks
/ip firewall filter
add action=drop chain=forward connection-mark=Block_list_conn
/ip firewall mangle
add action=mark-connection chain=prerouting layer7-protocol="DROP remote" new-connection-mark=Block_list_conn passthrough=yes
/ip firewall layer7-protocol
add name="DROP remote" regexp="^.+(ammyy|teamviewer|anydesk|aeroadmin|logmein|beyondtrust|remotetopc|ultraviewer|litemanager|join.me).*\$"
Of course there is a way.
I will describe the main steps:
step 1. make an address list with the ip addresses of all sites you want to block access to. Address list on modern ROS can resolve domain names.
step 2. Mark connections to these ip addresses.
step 3. mark the routes based on the previous step.
step 4. wrap all traffic in a blackhole route, or wherever you want, everything is up to you
step 5. (optional) Based on step 3, use the L7 filter to determine dns requests in packet headers and block them
Something like this. ;)
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question