How do I block a website in Layer 7 MikroTik?

adispy

just joined

Posts: 12 | Joined: Wed Dec 18, 2019 4:31 pm

Blocking websites not working

Wed Dec 18, 2019 4:46 pm

Hello to all,
I have a problem at a client site. I have configured the router to block Facebook, but unfortunately it is not working. Testing in my lab at home it was working from the start.

I have created a layer 7 protocol rule ( ^.+(facebook.com).*$ ), added a new rule in the firewall and moved the rule right to the top, just to be sure it is processed first. Looks like it is not. If I look at the packet count it still stays at zero. I really don't know what to do anymore, so maybe someone has a clue on how to fix this, since in my lab at home it is working.
I even imported the same firewall rules from the client's router to my router, and at home it is still working.

Client router 6.43.5
Home lab router 6.45.3

Attachment: 2019-12-18_16-42-34.png

Let me know if you need an export of the firewall rules in txt.

Thanks in advance,
Adrian


Zacharias

Forum Guru

Posts: 3468 | Joined: Tue Dec 12, 2017 12:58 am | Location: Greece

Re: Blocking websites not working

Thu Dec 19, 2019 3:08 am

Even if you block it using L7, what about the mobile apps? You block nothing there...
It's not an effective way, it consumes CPU and it causes problems to other sites too...

adispy

just joined

Topic Author

Posts: 12 | Joined: Wed Dec 18, 2019 4:31 pm

Re: Blocking websites not working

Thu Dec 19, 2019 9:32 am

Thanks for the reply Zacharias, but I don't have mobile apps. My client has just three or four boxes that it wants to filter, so I don't stress about the CPU consumption.
It's just curious though, that even if the rule is on top it is not hit by any traffic. I thought that rules are processed in order in the firewall.

skylark

Member Candidate

Posts: 144 | Joined: Wed Feb 10, 2016 3:55 pm

Re: Blocking websites not working

Thu Dec 19, 2019 9:43 am

There are several similar topics, you just have to search them.

In case, you can try this:

regexp="^.+(www.facebook.com|facebook.com|login.facebook.com|www.login.facebook.com|fbcdn.net|www.fbcdn.net|fbcdn.com|www.fbcdn.com|static.ak.fbcdn.net|static.ak.connect.facebook.com|connect.facebook.net|www.connect.facebook.net|apps.facebook.com).*\$"

Edit: Note that only unencrypted HTTP can be matched.

adispy

just joined

Topic Author

Posts: 12 | Joined: Wed Dec 18, 2019 4:31 pm

Re: Blocking websites not working

Thu Dec 19, 2019 9:50 am

The regexp is good since it is working in my home lab, the problem at the client site is that the rule is not even hit by any traffic even if it is on top.
I tried yours, but same result.

Zacharias

Forum Guru

Posts: 3468 | Joined: Tue Dec 12, 2017 12:58 am | Location: Greece

Re: Blocking websites not working

Thu Dec 19, 2019 12:25 pm

The most effective way is to block all its IPv4 subnet blocks used... and yes it can be done...
That way you block all the http traffic as well as any mobile application...

adispy

just joined

Topic Author

Posts: 12 | Joined: Wed Dec 18, 2019 4:31 pm

Re: Blocking websites not working

Thu Dec 19, 2019 1:33 pm

Man...don't want to be arrogant or rude here, but what's up with you and the mobile applications? I told you nobody uses them in that office.
All I want to know is why the firewall rule that is on top is not applying, since that rule is the one that blocks the social media sites I need.

Zacharias

Forum Guru

Posts: 3468 | Joined: Tue Dec 12, 2017 12:58 am | Location: Greece

Re: Blocking websites not working

Thu Dec 19, 2019 1:40 pm

Man...don't want to be arrogant or rude here

But you are...
I'm just telling you the most effective way to block 100% of that site, but obviously you don't care...

Just so you know, I can in less than 1 minute connect my tablet or phone through USB to your computer that you think you've blocked that site on, and just bypass all that you think you have blocked by just sharing the computer's internet connection... so in terms of blocking, everything must be taken into consideration... otherwise you blocked nothing, you think you did...

Anyways, good luck...

WeWiNet

Long time Member

Posts: 587 | Joined: Thu Sep 27, 2018 4:11 pm

Re: Blocking websites not working  [SOLVED]

Thu Dec 19, 2019 2:04 pm

Try to disable fastpath.
Mangle and some other advanced firewall options are not compatible with fastpath, and it prevents the FW from looking into those packets.
I would give it a try...


tarzq28

just joined

Posts: 10 | Joined: Wed May 17, 2017 2:34 pm | Location: Indonesia

Re: Blocking websites not working

Thu Dec 19, 2019 2:41 pm

I prefer ip raw: use content to block whatever you like to block, then assign it to a new dst address list. But remember you also have to make sure the dst address list in the Advanced tab is not your LAN IP address, otherwise your LAN IP address is also included in the block list. The last step is to make a drop rule to get your job done. Good luck


afuchs

Frequent Visitor

Posts: 80 | Joined: Wed Jul 03, 2019 11:10 am

Re: Blocking websites not working

Thu Dec 19, 2019 2:52 pm

If no other rule matches before (e.g. raw, prerouting) then the rule simply doesn't match.
First, did you try from 192.18.10.96? Your rule matches only traffic from this source.
What happens when you set up a passthrough rule with log and only your Layer-7 regex?

adispy

just joined

Topic Author

Posts: 12 | Joined: Wed Dec 18, 2019 4:31 pm

Re: Blocking websites not working

Thu Dec 19, 2019 6:09 pm

Thank you WeWiNet, problem solved. After I disabled fastpath everything started working as it should.
I used the command in this post to disable it. viewtopic.php?t=112127

Thanks a lot again, much appreciated.

How do I block a website on MikroTik Layer 7 protocol?

Step 5: Go to the Advanced tab and select the name of the URL defined in step 2 from the “layer7 protocol” field.
Step 6: Go to the Action tab and select the action type from the “action” field. Select “accept” to allow access to the URL and select “drop” to deny access to the URL.

How can I block certain websites in MikroTik?

Step 1: Go to IP > Firewall. Click on the 'Filter Rules' tab. Click on '+' to add a new rule.
Step 4: In the Action tab, select Action as reject, then select Reject With as icmp host unreachable.

What is Layer 7 protocol in MikroTik?

layer7-protocol is a method of searching for patterns in ICMP/TCP/UDP streams. L7 matcher collects the first 10 packets of a connection or the first 2KB of a connection and searches for the pattern in the collected data. If the pattern is not found in the collected data, the matcher stops inspecting further.
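The inspection window described above, applied to the grouped pattern `^.+(facebook.com).*$`, as an added example that is not code from the thread or from MikroTik. Python's `re` stands in for the router's regex engine (an assumption), the constant and function names are hypothetical, and all payloads are constructed.

```python
import re

# Limits taken from the text above: first 10 packets or first 2KB of a connection.
L7_MAX_PACKETS = 10
L7_MAX_BYTES = 2048

# Grouped form of the pattern used in the thread; the dot is unescaped.
THREAD_PATTERN = rb"^.+(facebook.com).*$"
# Same pattern with the dot escaped so it only matches a literal ".".
ESCAPED_PATTERN = rb"^.+(facebook\.com).*$"


def l7_window(packets):
    """Return the bytes the matcher gets to see for one connection."""
    return b"".join(packets[:L7_MAX_PACKETS])[:L7_MAX_BYTES]


def l7_match(pattern, packets):
    """True if the pattern is found inside the inspected window."""
    # DOTALL: '.' also matches CR/LF (assumed behaviour of the router's engine).
    return re.search(pattern, l7_window(packets), re.DOTALL) is not None


# Constructed sample connections, each a list of packet payloads.
SAMPLES = {
    "http_facebook": [b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"],
    "http_other": [b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"],
    # Unrelated host name that happens to contain "facebook-com".
    "lookalike": [b"GET / HTTP/1.1\r\nHost: facebook-community.example\r\n\r\n"],
    # Host header pushed past the 2KB window by a long cookie.
    "beyond_2kb": [b"GET / HTTP/1.1\r\nCookie: " + b"x" * 3000 + b"\r\n",
                   b"Host: www.facebook.com\r\n\r\n"],
    # Host header only arrives in the 11th packet.
    "packet_11": [b"GET /"] + [b"a"] * 9
                 + [b" HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"],
}


def evaluate(samples=SAMPLES):
    """Map sample name -> (thread pattern hit, escaped pattern hit)."""
    return {name: (l7_match(THREAD_PATTERN, pkts),
                   l7_match(ESCAPED_PATTERN, pkts))
            for name, pkts in samples.items()}


if __name__ == "__main__":
    for name, (thread_hit, escaped_hit) in evaluate().items():
        print(f"{name:14} thread={thread_hit!s:5} escaped={escaped_hit!s:5}")
```

The `lookalike` row is a false positive of the unescaped dot, and the last two rows show traffic that a drop rule built on this matcher never sees because the host name falls outside the window.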

How can I block all websites except one in MikroTik?

MikroTik Firewall Rule to Allow a Group of Websites.
Go to IP > Firewall menu item and click on Filter Rules tab and then click on PLUS SIGN (+). ...
Choose forward from Chain dropdown menu.
Choose tcp from Protocol dropdown menu.
Click on Dst. ...
Click on Advanced tab and put a group name (such as Allowed Websites) in Dst..
