How To Block Websites Using TLS Host Without Using Layer7 Protocols On A Mikrotik Router

The mikrotik firewall has a very extensive feature set and has the ability to perform functions such as network address translation (NAT) , web filtering , stateful packet inspection  and more. You may have been assigned a task at your work place or by a client to block some websites in their network. This tutorial provides a guide on how to block http and https websites such as Facebook and Youtube by using the TLS Host feature without using the layer7 protocols feature on a Mikrotik router. The configuration can be done using  the Winbox desktop app, Mikrotik Android app or the Mikrotik command line interface (CLI).

Requirements.

In order to complete this tutorial successfully the following items are required. Please ensure to have these items available before taking implementation action on this tutorial:
1) A desktop or laptop with Windows or MacOS.
2) A mikrotik router.
3) Internet connection (optional).
4) Winbox desktop app
5) Winbox android app and / or a terminal emulation software such as PUTTY.

Overview.

1) Power on the Mikrotik Router and connect your computer to any LAN port e.g ETHER2
2) Open Winbox, login using your RouterOS credentials and go to IP > FIREWALL > FILTER RULES
3) Create firewall filter rules that will add the destination IP address for all the websites that you would like to block to an ADDRESS LIST
4) Create firewall filter rules to block any traffic destined for an IP address that is listed in the ADDRESS LIST.
5) Learn how to whitelist users.

Step 1: Configure Website Blocking The Using TLS Host Option.

1) Power up your mikrotik router and connect your computer to the ETHER 2 port on the router. Open the winbox desktop app and enter the IP ADDRESS of the router on the “CONNECT TO” field. Enter your login credentials on the “LOGIN” and “PASSWORD” fields and click on “CONNECT”

2) Go to “IP > FIREWALL” and on the “FILTER RULE” tab click on the “+”  button. This will open the “NEW FILTER RULE” window. 

 

 

3) On the CHAIN drop down, choose “FORWARD” and select “6(TCP)” on the PROTOCOL drop down menu.

Type in the port number 443 on the DST.PORT field and on the OUT INTERFACE LIST drop down menu choose the “ALL” option.

You can also add a comment for this firewall rule that will indicate the purpose of the rule. Simply click on the “COMMENT” button. Type in a comment on the popup box that appears and click OK.

4) In this tutorial the facebook and youtube websites will be used as examples.  Click on the ADVANCED tab, scroll down to the TLS HOST SECTION and type in *facebook*

5)  Click on the ACTION tab and on the ACTION drop down select the ADD DST TO ADDRESS LIST option. On the ADDRESS LIST text input box, type in a name that can be used to identify entries in the Mikrotik address list then set the TIMEOUT option to 30d 00:00:00

Click on APPLY then click on OK.

Create a second mikrotik firewall rule, but on the TLS HOST option type *youtube*. and type in the words “YOUTUBE SERVERS ADDRESS LIST” on the ADDRESS LIST text box.

Click on APPLY the click on OK to proceed.

6)  To view the list of IP addresses that RouterOS has added to its address list, click on IP > FIREWALL then click on the ADDRESS LIST tab. You will see a list of IP addresses as well as comment of whether that IP address belongs.

The next step is to add a firewall filter rule that will block all traffic destined to these IP address so if any user on your network tries to visit these website they will not be able to access them

7) Click on IP > FIREWALL and click on the FILTER RULES tab. Click on the blue ‘+’ button to open a NEW FIREWALL FILTER window.

On the GENERAL tab set the CHAIN to forward and the SRC. ADDRESS to your LAN network address, in my case it is 192.168.55.0/24. Set the OUT. INTERFACE LIST option to ALL.

8) Click on the ADVANCED tab and set the DST. ADDRESS LIST option to FACEBOOK SERVERS ADDRESS LIST. Click on the ACTION tab and set the ACTION option to drop.

Click on APPLY then Click on OK.

Create a seperate firewall filter rule for each address list that you have created and remember to set the DST. ADDRESS LIST and to set the ACTION option on the ACTION tab to drop.

9) Open a new browser tab and try to browse to any of the websites that have been blocked by the RouterOS filter rules. In this case its facebook.com and youtube.com You should get a connection failure or connection time out error message.

Step 2: White Listing Users.

10) If there are users on the network that need to access the blocked websites for various reasons. They can be granted access by adding a white list rule on the RouterOS filter rules.

Click on IP > FIREWALL then click on the FILTER RULES tab. Double click on each rule that is blocking access to a website and click on COPY.

Type in the IP ADDRESS of the users device on the SRC. ADDRESS input box click on the ACTION tab and set the ACTION option to allow.

Click on APPLY then click on OK.