System administration
cahya, 2016-11-23 10:22:57

Mikrotik. How to block social networks and other Internet pages for certain IPs in the local network?

I have been working with Mikrotik for a long time. So, roughly speaking, I start everything from scratch.
Computer network without a domain.
Task: it is necessary to block access to social networks for a certain circle of people and leave only access to work portals (sites).
The rest of the employees should have full access to the Internet, without any restrictions.


6 answer(s)
Gregory, 2016-11-23
@Maxlinus

Starting from version v6.36, you can add domain names to address lists!
*) firewall - allow to add domain name to address-lists (dynamic entries for resolved addresses will be added to specified list);
If there are not many PCs, then in IP > Firewall > Address Lists add the desired sites under the name of one group.

/ip firewall address-list
add address=mail.ru list=web_block
add address=drom.ru list=web_block

and a firewall rule
/ip firewall filter
add action=drop chain=forward dst-address-list=web_block src-address=192.168.100.2
add action=drop chain=forward dst-address-list=web_block src-address=192.168.100.5

I used to block social networks like this:
it-pages.ru/mikrotik-blokirovka-sajjtov-s-pomoshhy...
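
The question asks for the reverse of a block list: a few hosts limited to work portals only, everyone else unrestricted. An added example (not part of the answer above) that applies the same v6.36+ domain-name address lists as an allow list; the list names `restricted_users` and `work_portals` and the `example.com` portal names are assumptions, and the two host addresses are the ones used in the answer.

```routeros
# Added example, not from the original answer.
# Assumed names: lists "restricted_users" and "work_portals";
# portal.example.com and crm.example.com are placeholder work portals.
# Domain names in address lists require RouterOS v6.36 or later.

/ip firewall address-list
# Hosts that may reach only the work portals
add address=192.168.100.2 list=restricted_users comment="restricted PC"
add address=192.168.100.5 list=restricted_users comment="restricted PC"
# Work portals: the router resolves each name and adds dynamic entries
add address=portal.example.com list=work_portals
add address=crm.example.com list=work_portals

/ip firewall filter
# 1. Restricted hosts may reach the work portals
add chain=forward action=accept src-address-list=restricted_users dst-address-list=work_portals comment="restricted -> work portals"
# 2. Everything else forwarded from restricted hosts is dropped
add chain=forward action=drop src-address-list=restricted_users comment="restricted -> anything else"
# Hosts that are not in restricted_users match neither rule and are
# handled by the rest of the forward chain as before.
```

Both rules have to sit above any broader accept rule in the forward chain. The restricted hosts should use the router as their DNS resolver, so that they resolve the portal names to the same addresses the router put in the list; queries to the router itself pass through the input chain, not forward.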

Dmitry Shitskov, 2016-11-23
@Zarom

There are 2 options: a non-transparent proxy or the firewall. If the work portals do not use https, a transparent proxy is also possible.
The first method will require proxy settings in browsers. Allow selected users access where possible and prohibit everything else.
For some reason all the manuals on the Internet are about a transparent proxy, so the official Wiki is also suitable. We just do not redirect traffic to the proxy.
wiki.mikrotik.com/wiki/Manual:IP/Proxy

Spheniscus, 2016-11-23
@Spheniscus

If they want, they will find a way around it. If the network is heavily loaded, then you can configure a shaper by address and kill the speed for the most reluctant. And you can log traffic, providing statistics to management, with penalties for visiting social networks.
And yes, no one forbids using phones and other gadgets.

Max, 2016-11-23
@WarStyle

add chain=forward comment="accept VK" content=vk.com src-address-list=allowsocial
- allows everyone in the "allowsocial" address list to enter VK; add the allowed IP addresses there.
add action=reject chain=forward comment="drop vk.com" content=vk.com src-address=192.168.0.0/24
- banned for everyone.

st0ner, 2016-11-23
@st0ner

I advise doing it through a layer 7 protocol:
ip firewall filter add chain=forward src-mac-address= layer7-protocol=social action=drop
or use src-address to match by IP,
and in the tab you create a rule with an entry like this, for example:
^.*(get|GET ).+(vk.com|odnoklassniki.com|facebook.com|twitter.com).*$

Ivan, 2016-11-23
@LiguidCool

In the absence of a domain, this is so easy that even secretaries manage ...
