The other day someone asked me how to block adult websites on a MikroTik. There is no built-in way to do it, as it involves URL filtering, and that is not the job of a router. A dedicated proxy server can do it effectively, since proxies are built for such purposes (caching, URL filtering, redirecting, etc.).
We are using Microsoft TMG in our organization, which filters URLs based on category, so it is easier for us to just select the categories that we want to block, for example Porn / Gambling / Spyware. But Microsoft charges for this service on an annual basis (which I guess is about $15 per user annually). It does the job perfectly and very efficiently, but it is not a cost-effective solution, especially if you don't have much budget to pay Microsoft.
However, the following is a free, neat and clean method to block about 80-90% of porn websites by using the OpenDNS server as the primary DNS server in your router/proxy or even a desktop PC.
Use the DNS servers below as your primary DNS server in MikroTik / ISA Server / router or even a desktop. If you are using MikroTik or another server, make sure clients are using your server's IP as their DNS server, because OpenDNS will only work if the client/router is using OpenDNS's servers. You can also force users to use your DNS server by adding a redirect rule, so that every DNS request is redirected to your local server.
If you are using a MikroTik server, it would look something like the image below.

OpenDNS servers:
208.67.222.123
208.67.220.123
Now if you try to open any adult website, it won't open: you will either get the browser's default 'Could not open' error, or the request will be redirected to the OpenDNS block page informing you that your request was blocked by OpenDNS.
As shown in the image below.
You can also show your own page explaining that adult websites are blocked, along with your advertisement. For this purpose, you have to enable the web proxy and redirect user traffic to the local proxy, then in the proxy access list block http://www.blocked-website.com and redirect it to a page on your local web server.
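To verify that the filtering resolver is really answering clients the way described above, here is an added Python check (not part of the original post). It builds a raw DNS A query with the standard library only, parses the answer, and reports whether the name resolved to the block-page address the post later uses in its NAT rule (208.69.33.135). The function names, the constructed test packet, and the assumption that OpenDNS still answers blocked names with that address are mine.

```python
"""Check whether a resolver applies OpenDNS-style filtering.

Added example, not from the original post. The packet encoding and
parsing run offline on a constructed response; query() needs network.
"""
import socket
import struct

# Addresses from the post: the OpenDNS resolvers and the block-page
# host that blocked names resolve to (assumed still current).
OPENDNS_SERVERS = ("208.67.222.123", "208.67.220.123")
BLOCK_PAGE_IP = "208.69.33.135"


def build_query(name, txid=0x1234):
    """Encode a standard recursive (RD=1) DNS query for an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode()
        for label in name.strip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode())
        offset += length
    return ".".join(labels), end


def parse_a_records(data):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, offset = _read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return addrs


def is_filtered(addrs):
    """True if the answer sends the client to the OpenDNS block page."""
    return BLOCK_PAGE_IP in addrs


def query(server, name, timeout=3.0):
    """Send the query over UDP and return the A records (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data)


def build_response(name, ip, txid=0x1234):
    """Construct a minimal one-answer response; used for offline checks."""
    question = build_query(name, txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    # Name as a pointer to offset 12 (the question name), then A/IN/TTL/len.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answer


if __name__ == "__main__":
    for server in OPENDNS_SERVERS:
        try:
            answers = query(server, "www.blocked-website.com")
            print(server, answers, "filtered" if is_filtered(answers) else "NOT filtered")
        except OSError as exc:
            print(server, "query failed:", exc)
```

Run it from a client behind the router. The check only reports what the queried resolver answers; a client configured to use some other DNS server bypasses the filter completely, which is exactly why the post forces all port-53 traffic to the local server.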
How to enable the web proxy in MikroTik and redirect the OpenDNS error page to a local error page
/ip proxy set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
    cache-on-disk=no enabled=yes max-cache-size=none max-client-connections=600 \
    max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 \
    parent-proxy-port=0 port=8080 serialize-connections=no src-address=0.0.0.0
/ip proxy access add action=deny disabled=no dst-host=www.blocked-website.com dst-port="" \
    redirect-to=101.11.11.240/nonpayment/nonpayment.htm
Now add a NAT rule to redirect all user traffic to the local proxy:
/ip firewall nat add action=redirect chain=dstnat disabled=no dst-port=80 protocol=tcp \
    to-ports=8080
As shown in the image below.
If you don't want to use the proxy for all requests, but only for http://www.blocked-website.com, then use the rule below. It redirects only blocked-website.com traffic to the local web proxy; all other traffic goes directly.
/ip firewall nat add action=redirect chain=dstnat disabled=no dst-address=208.69.33.135 \
    dst-port=80 protocol=tcp to-ports=8080
As shown in the image below.
How to force users to use a specific DNS server
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.1.1 to-ports=53 protocol=tcp dst-port=53
add chain=dstnat action=dst-nat to-addresses=192.168.1.1 to-ports=53 protocol=udp dst-port=53
Regards,
Naveed Ahmad