Mikrotik Hotspot, Block website based on User Profile

December 3, 2012 @ 4 Comments

Previously on Mikrotik Hotspot we limited users' connections based on user profile; today we are going to block specific websites based on user profile. Please re-read my previous post for instructions on trapping user addresses into an address list, since we use that address list in this post as well.

Our local internet regulation forces us to block specific websites for specific users, mostly social media and adult websites. Blocking adult websites is the easier task: it applies to all of us, so I just need to put the list into the squid proxy server. Blocking social media, on the other hand, is harder than it seems. Since it applies only to specific users, the rule has to be placed on the Mikrotik hotspot firewall.

The problem is that social media websites use multiple IP addresses, and the Mikrotik hotspot also ignores mangle rules. That means I would have to find all the IP addresses of the social media website and put them into the firewall address list manually. Yup, not an easy task, and I'm not the kind of person who likes doing computer things manually.

Layer 7 Protocol

But there is the layer 7 protocol matcher, which searches ICMP, TCP and UDP connection streams for patterns using regular expressions (RegExp). This way we can put part of a website's URL into a layer 7 regular expression, and every connection that matches the pattern can be handled by a firewall rule.

Example new RegExp

1. Go to IP->Firewall->Layer 7 Protocols

2. Click “+” button to add new RegExp.

3. A small window will pop up; enter a name for the new RegExp (for example Facebook).

4. In RegExp form put:

^.+(facebook.com).*$

This will match all facebook.com addresses.

5. Click Apply

New Firewall Filter Rule

1. Go to IP->Firewall->Filter Rules

2. Click “+” button to add new Filter Rule

3. Set:

General Tab

Chain = "Forward"
Src. Address = "your client network address here"

Advanced Tab

Please read the related post on how to trap user addresses into an address list based on profile.

Src. Address List = "User Address List"
Layer 7 Protocol = "facebook"  #the RegExp name you created before.

Action Tab

Action = "Reject" #you can also simply put Drop on it
Reject With = "ICMP Network Unreachable" #Only if you choose Reject

4. Click Apply.

This filter applies only to the IP addresses of users trapped into the above address list. Other users can access the website normally, without any limitation. If you want to block more websites, simply copy the RegExp in Layer 7 Protocols and change the RegExp name and website name to those of the website to be blocked. You also need to copy the firewall rule and change its Layer 7 Protocol to the newly created protocol.
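
The pattern from step 4 can be checked offline before it goes on the router. The following is an added example, not part of the original post: it runs the post's RegExp, and a constructed variant with the dot escaped, over constructed HTTP request samples. Python's `re` with `.` spanning line breaks is an assumption standing in for the RouterOS matcher, and all sample names and payloads are made up for illustration.

```python
import re

# Pattern exactly as given in step 4 of the post.
PAGE_PATTERN = r"^.+(facebook.com).*$"
# Constructed variant with the dot escaped (an assumption, not from the post).
ESCAPED_PATTERN = r"^.+(facebook\.com).*$"

# Constructed samples: the first bytes a client sends on a new connection.
SAMPLES = {
    "host_header": b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n",
    "other_site": b"GET /news HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    "referer_only": (b"GET /a HTTP/1.1\r\nHost: www.example.org\r\n"
                     b"Referer: http://www.facebook.com/\r\n\r\n"),
    "lookalike": b"GET / HTTP/1.1\r\nHost: facebookxcom.example.org\r\n\r\n",
    "starts_with_name": b"facebook.com",
}


def l7_match(pattern, payload):
    """True if the pattern matches the payload treated as one buffer.

    Assumption: '.' also matches CR/LF, because the matcher sees the
    collected connection data as a single string, not line by line.
    """
    return re.search(pattern.encode(), payload, re.DOTALL) is not None


def evaluate(pattern):
    """Map each sample name to whether the pattern would match it."""
    return {name: l7_match(pattern, data) for name, data in SAMPLES.items()}


def report():
    """One line per sample comparing the post's pattern with the variant."""
    page, escaped = evaluate(PAGE_PATTERN), evaluate(ESCAPED_PATTERN)
    return [
        f"{name:18} page={str(page[name]):5} escaped={escaped[name]}"
        for name in SAMPLES
    ]


if __name__ == "__main__":
    print("\n".join(report()))
```

The `referer_only` and `lookalike` rows show that the pattern also fires on requests to other sites that merely contain the string, so expect some over-blocking for users in the address list.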

Article by M Riza

Is a blogger since 2007, founder and editor of Oa Ultimate. Working as a network administrator, computer technician, database and web maintainer.

4 Comments → “Mikrotik Hotspot, Block website based on User Profile”

  1. Jahidur Rahman

    Hi this is nice web and very helpful.

    i am using Mikrotik RB450G. I can’t block hotspot shield. Plz help.
    or
    layer 7 protocols for hotspot shield?

  2. simon

    I followed your 2 tutorials (this one and the one related to capturing ip addresses) and I can successfully capture the hotspot users' ip address but the user can still go to the website.

    Is there any specific config for the user profile ?
    or do I need to place the filter rule in any particular order?
    could you upload a sample working config of the whole setup?

    Thanks for your great site

    • M Riza

      Hi simon,
      Please make sure that you don’t have any conflicting filter setting for the target list. For example, you have this filter configured but you also have another filter that allows access for the whole network (including the target).
      If you’re not sure, try moving the filter to the very first position on the filter rules list. I hope this solves your problem.

