Monday, 15 February 2016

Mikrotik Hotspot, Block website based on User Profile

Previously on Mikrotik Hotspot we limited users’ connections based on user profile; today we are going to block specific websites based on user profile. Please re-read my previous post for instructions on trapping user addresses into an address list, since we also use that address list in the current post.
Our local internet regulation forces us to block specific websites for specific users, mostly social media and adult websites. Blocking adult websites is the easier task: it applies to all of us, so I just need to put the list into the Squid proxy server. Blocking social media, on the other hand, is harder than it seems. Since it applies only to specific users, the rule has to be placed on the Mikrotik hotspot firewall.
[Screenshot: mikrotik block social media]
The problem is that social media websites use multiple IP addresses, and the Mikrotik hotspot also ignores mangle rules. That means I would have to find all the IP addresses of the social media website and put them into a firewall address list manually. Yup, not an easy task, and I’m not the kind of person who likes doing computer things manually.

Layer 7 Protocol

But there is the Layer 7 protocol matcher, which searches for patterns in ICMP, TCP and UDP connection streams using regular expressions (RegExp). This way we can describe part of a website’s URL with a regular expression on Layer 7, and every connection matching the pattern can be processed by a firewall rule.

Example new RegExp

1. Go to IP->Firewall->Layer 7 Protocols
2. Click “+” button to add a new RegExp.
3. A small window will pop up; put in a name for the new RegExp (for example Facebook).
4. In the RegExp field put:
^.+(facebook.com).*$
This will match all facebook.com addresses.
[Screenshot: facebook regexp]
5. Click Apply

New Firewall Filter Rule

1. Go to IP->Firewall->Filter Rules
2. Click “+” button to add new Filter Rule
3. Set:
General Tab
Chain = "Forward"
Src. Address = "your client network address here"
Advanced Tab
Please read the previous post on how to trap user addresses into an address list based on profile.
Src. Address List = "User Address List"
Layer 7 Protocol = "facebook"  #the RegExp name you created before.
Action Tab
Action = "Reject" #you can also simply use Drop
Reject With = "ICMP Network Unreachable" #Only if you chose Reject
[Screenshot: mikrotik firewall filter]
4. Click Apply.
This filter applies only to the IP addresses of users trapped into the above address list; other users can access the website normally without any limitation. If you want to block more websites, simply copy the RegExp in Layer 7 Protocols and change the RegExp name and the website name to the website to be blocked. You also need to copy the firewall rule and change its Layer 7 Protocol to the newly created protocol.
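The same setup typed into the RouterOS terminal instead of WinBox, as an added example that is not from the original post. The client network 192.168.88.0/24, the address-list name "User Address List" and the second site example.com are placeholders; the pattern for Facebook is the one given above.

```routeros
# Added example (not from the original post): Layer 7 pattern plus the
# filter rule from the steps above, entered on the RouterOS console.
# Placeholders: 192.168.88.0/24 = client network, "User Address List" =
# the list filled by the hotspot profile script from the previous post.

/ip firewall layer7-protocol
# Same pattern as the WinBox step. In the console "$" must be escaped
# as "\$" or it is treated as a variable. The dots are unescaped, as on
# the page, so "." matches any character; "facebook\\.com" is stricter.
add name=facebook regexp="^.+(facebook.com).*\$"

/ip firewall filter
# place-before=0 puts the rule at the top of the chain: the Layer 7
# matcher only inspects the first packets of a connection, and the
# packet carrying the HTTP Host header or TLS SNI is already
# "established". An accept/fasttrack rule for established traffic
# placed above this one would let it through before the match happens.
add place-before=0 chain=forward \
    src-address=192.168.88.0/24 \
    src-address-list="User Address List" \
    layer7-protocol=facebook \
    action=reject reject-with=icmp-network-unreachable \
    comment="block facebook for restricted hotspot users"

# Blocking another site (placeholder example.com) repeats both steps
# with a new protocol name, exactly as the closing paragraph says.
/ip firewall layer7-protocol
add name=example regexp="^.+(example.com).*\$"
/ip firewall filter
add place-before=0 chain=forward \
    src-address=192.168.88.0/24 \
    src-address-list="User Address List" \
    layer7-protocol=example \
    action=reject reject-with=icmp-network-unreachable \
    comment="block example.com for restricted hotspot users"

# Checks: the restricted user must actually be in the list, and the
# rule's packet counter should rise when that user opens the site.
/ip firewall address-list print where list="User Address List"
/ip firewall filter print stats where layer7-protocol=facebook
```

The matcher only sees hostnames that travel in cleartext (the HTTP Host header or the TLS SNI), so a rule like this does not inspect encrypted page content.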