Mikrotik
Genadiy, 2018-06-04 16:45:24

Website blocking?

There is a network with a bunch of PCs.
Router: MikroTik, RouterOS 6.37.3.
IP addresses are handed out by the router via DHCP.
I need to block social networks and similar sites.
I found some solutions here, but they don't work correctly: some things work and some don't.
I need something new. Thanks in advance.
PS: I'm not very good with Mikrotik.


5 answer(s)
Ziptar, 2018-06-04
@Ziptar

Mikrotik cannot act as an HTTPS proxy, and DNS substitution has many workarounds.
So, depending on the users' skill, either close the workarounds for DNS spoofing, which is often difficult and not always realistic at all, or do the HTTPS proxy NOT on Mikrotik.
Although with a domain present, an application whitelist, and browser extension loading disabled, DNS substitution is quite a working option.

poisons, 2018-06-04
@poisons

For HTTP you can use the built-in proxy; for HTTPS sites you can use the firewall. In the latest versions you don't have to use L7 filters, there is a ready-made SNI field, but you need to understand that this is still effectively an L7 filter, i.e. it will eat resources.
This is quite a working solution, but nowadays every second person has in their pocket a phone with a 5-inch screen and 3G, i.e. such blocking will not help with "lazy slackers sitting on VKontakte instead of working".
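Added example, not from this answer or from MikroTik's documentation: the two halves the answer describes, the built-in proxy for plain HTTP and a firewall rule matching the TLS SNI field for HTTPS. The domain names, the bridge interface name and port 8080 are assumptions; the tls-host matcher is, as the answer says, only available in newer RouterOS releases than the 6.37.3 in the question.

```routeros
# Added example (not the answer's own config). Domain names, "bridge" and
# port 8080 are assumptions; tls-host needs a RouterOS release newer than 6.37.3.

# 1. Plain HTTP: deny by destination host in the built-in proxy, allow the rest.
/ip proxy set enabled=yes port=8080
/ip proxy access add dst-host=*vk.com action=deny comment="blocked site (example)"
/ip proxy access add dst-host=*ok.ru action=deny comment="blocked site (example)"

# Send LAN port-80 traffic through the proxy transparently.
/ip firewall nat add chain=dstnat in-interface=bridge protocol=tcp dst-port=80 action=redirect to-ports=8080 comment="transparent HTTP proxy"

# Do not leave an open proxy on the WAN side: only the LAN may reach 8080.
/ip firewall filter add chain=input protocol=tcp dst-port=8080 in-interface=!bridge action=drop comment="proxy LAN only"

# 2. HTTPS: the proxy cannot read inside TLS, so match the SNI in the ClientHello.
#    As the answer warns, this is still deep packet inspection and costs CPU on
#    every new port-443 connection; keep the list of patterns short.
/ip firewall filter add chain=forward protocol=tcp dst-port=443 tls-host=*vk.com action=reject reject-with=tcp-reset comment="block HTTPS by SNI (example)"
/ip firewall filter add chain=forward protocol=tcp dst-port=443 tls-host=*ok.ru action=reject reject-with=tcp-reset comment="block HTTPS by SNI (example)"

# Check the rules are hit (counters grow when a client opens a blocked site).
/ip firewall filter print stats where comment~"block HTTPS"
```

The SNI rules must sit above any general "accept established/forward" rule in the forward chain, otherwise established connections never reach them; move them up with /ip firewall filter move or add them with place-before=. Clients that send no SNI, or that use encrypted ClientHello, simply are not matched, which is the "there may be nothing there" caveat raised in the next answer.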

CityCat4, 2018-06-04
@CityCat4

This is not achievable with Mikrotik alone, unless it is a top model.
Why?
Mikrotik is a router. Hence it is optimized for routing tasks. The proxy in it is "for show"; using it is pointless, and HTTPS simply knocks it out entirely. Yes, you can dissect HTTPS requests for SNI, but firstly there may be nothing there, and secondly the L7 filter that implements this eats a lot of resources!
You can simply ban IPs and feel like Roskomnadzor :)
You can put a proxy in front of Mikrotik and then safely push everyone through the proxy. If statistics are not needed, then bumping is not needed, and you can do without replacing certificates.

Tank_66, 2019-07-03
@Tank_66

Hello.
The address list in RouterOS can resolve DNS names.
Tested on 6.45.1.
Everything is simple.
/ip firewall address-list add address=www.ya.ru list=block_website
/ip firewall filter add chain=forward action=reject reject-with=tcp-reset protocol=tcp dst-address-list=block_website
PS: better not to use action=drop.
If you use drop, then for the browser the block on the domain name www.ya.ru will only fail after a timeout. If you use reject, the router will respond that there is no connection to this host and the browser will not load this block.
PS2: the client's DNS must be the address of the router where the blocking occurs.
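Added example, not Tank_66's own config: the address-list approach from this answer carried through with the precondition from PS2, i.e. the router is the resolver for the LAN and clients that hard-code another DNS server are pulled back to it. The LAN address 192.168.88.1, the bridge interface name and the extra domain are assumptions; www.ya.ru and the block_website list name are the answer's.

```routeros
# Added example (not the answer's own config). 192.168.88.1, "bridge" and
# vk.com are assumptions; www.ya.ru and block_website come from the answer.

# 1. The router answers DNS for the LAN and DHCP hands it out as the only server.
#    This matters because the address list is filled from the router's own
#    lookups; a client resolving elsewhere may get a different CDN address.
/ip dns set allow-remote-requests=yes
/ip dhcp-server network set [find] dns-server=192.168.88.1

# Do not expose the resolver to the WAN side.
/ip firewall filter add chain=input protocol=udp dst-port=53 in-interface=!bridge action=drop comment="no DNS from WAN"
/ip firewall filter add chain=input protocol=tcp dst-port=53 in-interface=!bridge action=drop comment="no DNS from WAN"

# Clients with a hard-coded resolver (8.8.8.8 etc.) are redirected to the router,
# so they see the same answers the router used to build the list.
/ip firewall nat add chain=dstnat in-interface=bridge protocol=udp dst-port=53 action=redirect to-ports=53 comment="force router DNS"
/ip firewall nat add chain=dstnat in-interface=bridge protocol=tcp dst-port=53 action=redirect to-ports=53 comment="force router DNS"

# 2. Address-list entries by name; RouterOS re-resolves them itself.
/ip firewall address-list add list=block_website address=www.ya.ru comment="from the answer"
/ip firewall address-list add list=block_website address=vk.com comment="example (assumed)"

# 3. Reject rather than drop, so the browser fails immediately instead of
#    hanging until a timeout (the point made in the answer's PS).
/ip firewall filter add chain=forward protocol=tcp dst-address-list=block_website action=reject reject-with=tcp-reset comment="block_website tcp"
/ip firewall filter add chain=forward protocol=udp dst-address-list=block_website action=reject reject-with=icmp-network-unreachable comment="block_website udp/QUIC"

# Verify: what the names resolved to, and whether the rules are matching.
/ip firewall address-list print where list=block_website
/ip firewall filter print stats where comment~"block_website"
```

The UDP rule is there because modern browsers reach the same hosts over QUIC on UDP 443, which the TCP-only rule in the answer does not touch. The DNS redirect only covers classic port-53 lookups; a browser using DNS over HTTPS to a third-party resolver bypasses it, which is one of the workarounds the first answer refers to.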
