
Web filtering on Mikrotik / Routerboard

If you are using a Routerboard and have children then there is a good chance that you would like to implement some sort of filtering on your internet connection to protect them from some of the darker elements of the internet. Luckily due to the power and versatility of RouterOS you are able to do this very simply and elegantly.

In this guide I’m going to talk through how to accomplish the several different things necessary to achieve good quality, almost teenager-proof, filtering. By the end of it you’ll have done the following:

  • Set up a DNS server on the router to handle DNS queries from your LAN.
  • Configured the router to use Norton ConnectSafe DNS (a free filtered DNS service) for DNS queries.
  • Added a destination NAT rule to prevent anyone from using alternative DNS servers to work around DNS-level filtering.
  • Learnt how to block specific websites using a Layer7 protocol and firewall filter. Useful for websites such as Tumblr which aren’t blocked by Norton but are good candidates for blocking due to large amounts of adult material.
  • Optionally hidden the Norton ConnectSafe block page if you don’t want users to see that the page was blocked.

So, let’s get started.

For the purpose of this example assume the local LAN is 10.10.2.0/24 on bridge interface bridge1 – your settings will be different so substitute with your own values.

All the commands in this guide are written as if being entered from the command line, but they are just as easily entered via the web GUI; by reading each entry carefully it is clear which menu entries and fields to fill in.

1. Set up a recursive DNS server for the LAN

Tell the DNS server in the Routerboard to allow remote DNS requests.

ip dns set allow-remote-requests=yes

Add firewall rules (if necessary) to allow DNS requests on the input chain. These will need to go above any drop rules on the input chain; the action is accept (the RouterOS default when no action is given, but stated explicitly here for clarity).

ip firewall filter

add action=accept chain=input comment="TCP DNS" connection-state=new dst-port=53 protocol=tcp src-address=10.10.2.0/24
add action=accept chain=input comment="UDP DNS" connection-state=new dst-port=53 protocol=udp src-address=10.10.2.0/24

Configure the LAN to use the router as the DNS server via DHCP. This is probably already happening, but check your DHCP server configuration to be sure.

2. Configure Norton ConnectSafe DNS

There are several levels of filtering with Norton ConnectSafe DNS; these settings will filter high-risk websites such as phishing and pornography.

ip dns set servers=199.85.126.20,199.85.127.20

For more information about the Norton ConnectSafe service check out the website.

3. Add a destination NAT rule to force DNS to Norton ConnectSafe

These destination NAT rules will force all TCP and UDP DNS traffic arriving from the LAN to be redirected to the Norton ConnectSafe DNS servers instead. This prevents a local user from bypassing the filter by manually setting a DNS server other than the router itself. Note that dst-nat rules live in the NAT table (ip firewall nat), not the filter table.

ip firewall nat add action=dst-nat chain=dstnat comment="Force filtered DNS" dst-port=53 in-interface=bridge1 protocol=tcp to-addresses=199.85.127.20 to-ports=53

ip firewall nat add action=dst-nat chain=dstnat comment="Force filtered DNS" dst-port=53 in-interface=bridge1 protocol=udp to-addresses=199.85.127.20 to-ports=53

4. Block specific sites using a Layer7 protocol

First, add a Layer7 pattern to match a website, in this case Tumblr (a common source of inappropriate material often not included in filtering). The dot is escaped so that it matches a literal dot rather than any character, and the $ is escaped so that the CLI does not treat it as a variable.

ip firewall layer7-protocol add name=Tumblr regexp="^.+(tumblr\\.com).*\$"

Second, add a firewall rule to drop traffic that matches the created Layer7 pattern.

ip firewall filter add action=drop chain=forward comment="Block Tumblr" in-interface=bridge1 layer7-protocol=Tumblr

Repeat these steps for each website that you wish to block. Layer7 matching inspects only the first few packets of each connection and is relatively CPU-intensive, so keep the list of patterns short.
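The repetition described above can be scripted. The following RouterOS script is an added example, not part of the original guide: it generalises step 4 to a list of domains, escaping the dots in each name, and skips any domain that already has a pattern so it can be re-run safely. The domain list is a constructed placeholder and bridge1 is assumed to be the LAN bridge, as in the guide.

```routeros
# Added example (not from the original guide): one Layer7 pattern and one
# forward-chain drop rule per domain. Domains are constructed placeholders;
# bridge1 is assumed to be the LAN bridge.
:local lan "bridge1"
:local sites {"tumblr.com"; "example.org"}

:foreach site in=$sites do={
    # Build the regex body (dots escaped) and a dot-free name for the entry.
    :local rx ""
    :local nm ""
    :for i from=0 to=([:len $site] - 1) do={
        :local ch [:pick $site $i]
        :if ($ch = ".") do={
            :set rx ($rx . "\\.")
            :set nm ($nm . "-")
        } else={
            :set rx ($rx . $ch)
            :set nm ($nm . $ch)
        }
    }
    :local l7name ("blk-" . $nm)

    # Only add the pattern and rule if this domain is not already covered.
    :if ([:len [/ip firewall layer7-protocol find name=$l7name]] = 0) do={
        /ip firewall layer7-protocol add name=$l7name regexp=("^.+(" . $rx . ").*\$")
        /ip firewall filter add action=drop chain=forward comment=("Block " . $site) in-interface=$lan layer7-protocol=$l7name
    }
}

# Review what was created.
/ip firewall layer7-protocol print
/ip firewall filter print where chain=forward
```

Paste the script into the terminal or save it under System > Scripts and run it; adding a domain to the list and re-running only creates the missing entries.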

5. Block the Norton block page

There are some scenarios where you may not wish to show the block page, which overtly states that the page has been blocked. Conveniently, Norton redirects traffic to blocked pages to a single IP address, so it’s easy to hide. Substitute your own WAN interface for ether12.

ip firewall filter add action=drop chain=forward comment="Drop Norton block page" dst-address=54.200.80.90 in-interface=bridge1 out-interface=ether12

Naturally, Norton may well use other IPs that I just haven’t encountered yet, so you may need to add more rules if you encounter another block page that you wish to hide.

Final Remarks

DNS filtering isn’t perfect; a VPN would overcome this particular method. It will also be unable to filter out things such as P2P or proxies. That said, this method will be absolutely fine for the average home user wanting to prevent their children getting access to undesirable content on the internet too easily. More effort would be required if you have particularly clever teenagers to control.