How to Block Websites with MikroTik (Facebook, YouTube and Other Sites)

 


How MikroTik Firewall blocks websites 

 MikroTik Firewall blocks websites using a filter rule. The MikroTik filter rule consists of two parts. 

 The conditional part, which takes various properties such as chain, source address, destination address, protocol, source port, destination port, Layer7 protocol, etc. that a connection must meet.

 The action part, which simply applies the drop action to block a website.

 If the conditional part of the filter rule is met, MikroTik Firewall will drop this connection. Therefore, no user can access this website through the MikroTik router. 

 Why Layer7 Protocol 

 MikroTik Firewall is able to block any website not only by source or destination address but also with a Layer7 protocol. The Layer7 protocol uses a Perl regex (regular expression) to match each keyword in a URL. If there is a match, the filter rule that uses this Layer7 protocol takes effect. Since we want to block any website that serves keywords like facebook, youtube, etc., we create a Layer7 protocol with a regex and then use this Layer7 protocol in our filter rule.

 Block Facebook and YouTube with MikroTik filter rule

 Now let's create a filter rule that will block websites like Facebook, YouTube or any other website you want. The whole process of creating a filter rule can be divided into two phases.

  Step 1: Create a layer 7 protocol to choose the desired site. 

  Step 2: Create a firewall rule to block the selected site. 

 Step 1: Create a layer 7 protocol to select the desired site. 

 Before we create the filter rule, we need to create a Layer7 protocol with a regex, because this Layer7 protocol is used by the filter rule to match each keyword in the URL. The following process shows you how to create a Layer7 protocol using a regex.

 1. Open Winbox and log in with your access data.
 2. Go to IP > Firewall, and then click the Layer 7 Protocols tab.
 3. Click on the PLUS SIGN (+) to create a new Layer7 protocol with a regex. The New Firewall L7 Protocol window appears.
 4. Enter a descriptive name like Facebook in the Name input field.
 5. Now type the regex ^.+(facebook.com).*$ in the Regexp text box if you want to block Facebook. If you want to learn more about Perl Regex, you can find it here.
 6. Now click Apply and OK.
 7. If you want to block YouTube, follow steps 4, 5 and 6 but change facebook.com to youtube.com, e.g. ^.+(youtube.com).*$. You can put any keyword you want to block, such as sex, porn, etc., inside the parentheses of this regular expression.
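What the pattern from Step 1 matches in practice, as an added example that is not part of the original article. Python's re module stands in for the router's matcher (an approximation), all payloads are constructed, and the 2 KB inspection window and the escaped variant of the pattern are assumptions introduced here.

```python
import re

# Pattern exactly as given in the article, plus a variant with the dot escaped
# (the escaped variant is added here for comparison; it is not from the article).
PAGE_REGEX = rb"^.+(facebook.com).*$"
ESCAPED_REGEX = rb"^.+(facebook\.com).*$"

WINDOW = 2048  # assumption: only the first ~2 KB of a connection are inspected

# Constructed sample payloads: the first bytes of a TCP stream through the router.
SAMPLES = {
    # Plain HTTP on port 80: the Host header is readable.
    "http_host": b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n",
    # HTTPS on port 443: constructed fragment, not a complete ClientHello.
    # Only the SNI host name is readable; later traffic is encrypted.
    "tls_sni": b"\x16\x03\x01\x00\x2d\x01\x00\x00\x29\x03\x03"
               b"\x00\x00\x00\x15\x00\x13\x00\x00\x10www.facebook.com",
    # A different site whose URL merely contains the keyword.
    "other_site_url": b"GET /share?u=facebook.com HTTP/1.1\r\nHost: news.example\r\n\r\n",
    # Look-alike string: the unescaped dot matches any character.
    "lookalike": b"GET / HTTP/1.1\r\nHost: facebookxcom.example\r\n\r\n",
    # The keyword appears only after the inspected window.
    "beyond_window": b"GET /" + b"a" * 3000 + b" HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n",
    "unrelated": b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n",
}

def l7_match(pattern: bytes, payload: bytes) -> bool:
    """Approximate the Layer7 matcher; DOTALL lets '.' span the CRLF line ends."""
    return re.search(pattern, payload[:WINDOW], re.DOTALL) is not None

def evaluate(pattern: bytes) -> dict:
    """Return {sample name: True if the connection would match the L7 protocol}."""
    return {name: l7_match(pattern, data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for label, pat in (("page", PAGE_REGEX), ("escaped", ESCAPED_REGEX)):
        print(label, evaluate(pat))
```

The other_site_url and lookalike results show that the pattern also matches connections to unrelated hosts. On port 443 it can only see the host name in the ClientHello, not the encrypted traffic that follows.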



Website Blocking Layer 7 Protocol Regex  
 We have created our own layer 7 protocols that are used in the filter rule to block the websites of our choice. Now let's create our firewall filter rule. 

 Step 2: Create a filter rule to block the selected website using Layer7 protocol. 

 Now that we have created the Layer7 protocol, let's create a filter rule that will block the selected website. The following steps will show you how to create a filter rule to block any website.

 1. Click on the Filter Rules tab and then click on the PLUS SIGN (+) to create a new filter rule. The New Firewall Rule window appears.
 2. On the General tab, select forward from the Chain drop-down menu.
 3. Leave both Src. Address and Dst. Address untouched, as we want to block all users. If you want to block a specific user, enter their IP address in the Src. Address input field. If you want to block an IP block, put that IP block in the Src. Address input field.
 4. Click the Protocol drop-down menu and select TCP.
 5. Set ports 80,443 in the Dst. Port input field. The values must be separated by commas.
 6. Click the Advanced tab, then select the Layer7 protocol you created earlier from the Layer7 Protocol drop-down menu.
 7. Click on the "Action" tab and select "drop" from the "Action" drop-down menu.
 8. Click Apply and OK.

 Likewise, you can create another filter rule to block any other website.



Web Filter Blocking Rule  
 The web filter blocking rule has been created. The above rule prevents all users from accessing the blocked website. However, sometimes a specific user may need to visit this site. In this case, create another filter rule in which the user's IP address is set as the source address and the action is accept.

 How to allow a specific user to access a blocked website. 

 The filter rule created above blocks all users on your local network. But sometimes there might be certain users who need to access a blocked website like Facebook, YouTube, etc. The following steps will show you how to grant a specific user access to a blocked site.

 1. Click the Filter Rules tab and then click the PLUS SIGN (+) to create a new filter rule. The New Firewall Rule window appears.
 2. On the General tab, select forward from the Chain drop-down menu.
 3. In the Src. Address field, enter the IP address of the user who should access the blocked site.
 4. Click the Protocol drop-down menu and select TCP.
 5. Set ports 80,443 in the Dst. Port input field.
 6. Click the Advanced tab and then select the Layer7 protocol you want to allow for this user from the Layer7 Protocol drop-down menu.
 7. Now click on the "Action" tab and select "accept" from the "Action" drop-down menu.
 8. Click Apply and OK.

 Likewise, you can add another IP address (user) to access a blocked website.

 Note: The accept rule must be placed before the drop rule. Otherwise, the allowed user is matched by the drop rule first and therefore cannot access the requested website.
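The ordering requirement in the note, shown as an added example that is not part of the original article: a small first-match model of the two filter rules plus a check that flags a rule hidden behind an earlier one. The Rule class, the function names and the 192.168.88.x addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str                               # "accept" or "drop"
    src: str = "0.0.0.0/0"                    # empty Src. Address = any source
    ports: frozenset = frozenset({80, 443})   # Dst. Port
    l7: str = "Facebook"                      # Layer7 protocol name from Step 1

def covers(earlier: Rule, later: Rule) -> bool:
    """True if every connection `later` matches is also matched by `earlier`."""
    return (ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
            and later.ports <= earlier.ports and later.l7 == earlier.l7)

def first_match(rules, src_ip: str, dst_port: int, l7_hit: str) -> str:
    """Evaluate the chain top to bottom; the first matching rule decides."""
    for r in rules:
        if (ipaddress.ip_address(src_ip) in ipaddress.ip_network(r.src)
                and dst_port in r.ports and r.l7 == l7_hit):
            return r.action
    return "accept"  # assumption: nothing further down the chain drops it

def shadowed(rules) -> list:
    """Indexes of rules that never take effect because an earlier rule with a
    different action already matches everything they would match."""
    return [i for i, later in enumerate(rules)
            if any(covers(e, later) and e.action != later.action for e in rules[:i])]

# Constructed addresses: 192.168.88.10 is the user who should keep access.
ALLOW = Rule("accept", src="192.168.88.10/32")
DROP = Rule("drop")
GOOD_ORDER = [ALLOW, DROP]   # accept rule above the drop rule, as the note requires
BAD_ORDER = [DROP, ALLOW]    # accept rule added last and never moved up

if __name__ == "__main__":
    for name, chain in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(name, first_match(chain, "192.168.88.10", 443, "Facebook"), shadowed(chain))
```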


Allow  Blocked Websites IP 
 I hope you can now block any unwanted website using the MikroTik Firewall Layer7 protocol and filter rule if you follow the above steps correctly. However, if you are unsure about the above steps, check out my video on blocking websites (Facebook, YouTube, etc.) with MikroTik. I hope this reduces the confusion.
 
 
 This article explains how to block websites (Facebook, YouTube, etc.) using a MikroTik firewall rule and Layer7 protocol. I hope you can now block any website or grant access to any user so that they can easily access any blocked website. However, if you have an issue with a blocked website, you can discuss it in a comment or contact me through the contact page. I will do my best to stay with you.
