Thursday, March 10, 2011

How to set up site blocking and URL redirection with Mikrotik

It's actually pretty easy to set up site blocking and URL redirection with a Mikrotik router. In this post I will assume that you already have a Mikrotik router set up with NAT, DHCP and all the basic stuff.

The first thing you have to do is set up a transparent proxy.

Set up the web proxy
/ip proxy set enabled=yes src-address=0.0.0.0 port=8080 parent-proxy=0.0.0.0 parent-proxy-port=0 cache-administrator="youremail@infowest.com" max-cache-size=none cache-on-disk=no max-client-connections=700 max-server-connections=700 max-fresh-time=2d always-from-cache=no cache-hit-dscp=4 serialize-connections=no

Make it transparent
/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.100.1 to-ports=8080

Substitute 192.168.100.1 with your router's LAN IP.

Now make sure the proxy is working. You shouldn't notice anything different about how the internet works for the clients connected to the router. In WinBox, go to IP > Web Proxy and click on the Connections tab. You will see a list of connections there as client devices access internet resources.

If you are setting this up remotely you can set your browser to use the Mikrotik router's WAN IP as its proxy server. If everything is set up correctly you should be able to browse the internet normally using the Mikrotik as your proxy server. This should raise all sorts of red flags for many of you, but don't worry, we'll lock it down later. :)

Now we can start blocking stuff

This will block everything on somehdmoviesite.com
/ip proxy access add dst-host=*.somehdmoviesite.com action=deny

This will block only the video directory on somehdmoviesite.com
/ip proxy access add dst-host=*.somehdmoviesite.com path=/video/* action=deny

This will redirect any requests for anything on somehdmoviesite.com to infowest.com

/ip proxy access add dst-host=*.somehdmoviesite.com action=deny redirect-to=infowest.com

You can see that there are a lot of options here.

Lock it down

Now that we are done blocking sites and we know it's all working we can lock the web proxy down so that it won't be an open proxy that anyone in the world could use.
/ip firewall filter add chain=input in-interface=ether1-gateway src-address=0.0.0.0/0 protocol=tcp dst-port=8080 action=drop

Replace ether1-gateway with the name of the WAN interface on your Mikrotik.
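
An added example, not part of the original post: a small Python check that reads the commands above as typed (one per line, not `/export` format) and reports whether the proxy port is still reachable from the WAN interface and whether the dst-nat rule is limited to the LAN. The function names and finding strings are this example's own, and the proxy line is abbreviated to the fields the check reads.

```python
import shlex

# Commands from this post, one per line (proxy line abbreviated).
BEFORE = """
/ip proxy set enabled=yes src-address=0.0.0.0 port=8080 cache-administrator="youremail@infowest.com"
/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.100.1 to-ports=8080
/ip proxy access add dst-host=*.somehdmoviesite.com action=deny
"""
LOCKDOWN = ("/ip firewall filter add chain=input in-interface=ether1-gateway "
            "src-address=0.0.0.0/0 protocol=tcp dst-port=8080 action=drop\n")


def parse(line):
    """Split a typed RouterOS command into (menu, verb, {param: value})."""
    words = shlex.split(line)
    head = [w for w in words if "=" not in w]
    params = dict(w.split("=", 1) for w in words if "=" in w)
    return " ".join(head[:-1]), head[-1], params


def audit(config, wan_if):
    """Return a list of findings about who can reach the web proxy."""
    cmds = [parse(l) for l in config.splitlines() if l.strip()]
    port = None
    for menu, verb, p in cmds:
        if menu == "/ip proxy" and verb == "set" and p.get("enabled") == "yes":
            port = p.get("port", "8080")  # the post uses 8080
    if port is None:
        return []  # proxy not enabled, nothing exposed
    findings = []
    dropped = any(
        menu == "/ip firewall filter" and p.get("chain") == "input"
        and p.get("in-interface") == wan_if and p.get("protocol") == "tcp"
        and p.get("dst-port") == port and p.get("action") == "drop"
        for menu, verb, p in cmds)
    if not dropped:
        findings.append(f"open proxy: tcp/{port} is not dropped on {wan_if}")
    for menu, verb, p in cmds:
        if (menu == "/ip firewall nat" and p.get("to-ports") == port
                and "in-interface" not in p and "src-address" not in p):
            findings.append("dst-nat to the proxy is not limited to the LAN")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before lock-down", BEFORE), ("after", BEFORE + LOCKDOWN)):
        print(label, audit(cfg, "ether1-gateway"))
```

The check does not model rule order, so an earlier accept rule in the input chain would still win over the drop rule it looks for.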

6 comments:

sswfarm said...

Will this stop programs like ultrasurf from connecting with their servers?

gabaUSA said...

How can I redirect just one PC and not all the traffic?

gabaUSA said...

How can I redirect just one PC and not all the traffic?

Valik said...

Thx, I will try this, but how to redirect proxy cache on another server?

Unknown said...

For one PC just enter the IP address of the PC in SOURCE or the port number
:P

sw said...

How to keep method and URI?