Thanks MikroTik, another great video! This also highlights why there may be other devices that are designed specifically for this purpose to use in conjunction with your MikroTik, like a proper UTM-based NGFW that does all the heavy lifting in the backend to figure out what all the hostnames, IPs, applications, ports, etc. are and to block them seamlessly.
Indeed, it comes at a cost. Do not be fooled by products claiming to do so, such as Firewalla, which DOES NOT DO DPI of encrypted traffic and is thus not all that useful.
Glad you stated that TLS is not the perfect solution. Industry has certainly moved to making their sites accessible by many means, such as using the QUIC protocol and a worldwide content delivery system, which bypass any TLS block. Concur with Mr Berg: get another appliance if it's a critical need (business environment, as a front-end device).
Ironically, the same things make it harder to bypass these blocks. But the blocks are still there and working fine.
The way you finished had me laughing at the problem you just evidenced
The real question is, how do I redirect all of my company's web traffic to spicy websites?
You're a genius of evil
DNS seems to be a better way, esp. in cooperation with Umbrella or similar DNS filtration services.
Until you have clients that use DNS over HTTPS.
Thanks for that, Normis..! So can I make a static DNS server in MikroTik for this purpose, so anyone who wants to go to TikTok will be redirected to another site, like my company site? Is there something like that in MikroTik?
Yes, blocking by dns name is yet another approach.
You can create A records, which map domain names to an IP, or you can create a CNAME record, which maps to another domain name. So, yes, this is possible with MT-DNS.
For TikTok, not working anymore in 2024.
OK, I'm confused. The filter you created was for **tiktok**. The header you showed in Wireshark appears to match **tiktok**, yet you are not stopping it?
You can block any service or website this way, TikTok is just one example
@mikrotik I believe you have misunderstood my comment. The purpose of you doing the Wireshark exercise was to determine what strings besides **tiktok** you needed to block to cover all the traffic, but the name you found should already have been blocked by *tiktok*. So why wasn't it already being blocked?
No, the idea is that an app like TikTok could be using servers that do not have TikTok in their address; they might use some other address, like cdn.clockapp.com, for example. So blocking TikTok may not work (but TikTok is just an example; in real life, blocking just *tiktok* works fine). This is why, if using *servicename* does not work, we suggest turning to Wireshark to see what domain the app is using.
@mikrotik Ah, I see now. You didn't show us an "interesting" TikTok packet with a non-tiktok name because TikTok doesn't actually use such servers. What made it confusing is that you implied they did because your phone continued to work. Thanks.
Any reason you can't set a port without setting the protocol? Just filter all protocols that support ports and fit into the "port" value. It is annoying to duplicate the same rules for different protocols when you care about the port only.
Is anyone still active here? I've tried this route with no joy, and if I capture the IP using a mangle rule and then create a filter rule, it seems to take my router down and stop internet access entirely. Please assist.
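An added example, not from the video, from MikroTik or from any commenter, putting the two approaches discussed in this thread into RouterOS 7 CLI: the `tls-host` firewall matcher with the `*tiktok*` glob and the fallback to a Wireshark-discovered hostname, and the static DNS redirect to a company site. The address 203.0.113.10, the name intranet.example.com and the interface list `LAN` are placeholders; cdn.clockapp.com is the hypothetical hostname from the reply above, not a real TikTok domain.

```routeros
# Added example (not the video's or the commenters' configuration). RouterOS 7 syntax assumed.
# Approach 1: block by the SNI hostname in the TLS ClientHello. tls-host takes a GLOB
# pattern and only inspects plain TCP TLS. TLS 1.3 still sends the SNI in clear unless
# Encrypted Client Hello is in use, and a ClientHello split across TCP segments is not matched.
/ip firewall filter
add chain=forward protocol=tcp dst-port=443 tls-host=*tiktok* \
    action=reject reject-with=tcp-reset comment="TikTok by SNI"
# A hostname seen in a Wireshark capture that does not contain "tiktok" needs its own rule.
# clockapp.com is the placeholder name from the thread.
add chain=forward protocol=tcp dst-port=443 tls-host=*clockapp.com \
    action=reject reject-with=tcp-reset comment="extra TikTok host found in capture"
# QUIC (UDP/443) carries the same traffic but tls-host cannot inspect it.
# Dropping UDP/443 makes browsers and apps fall back to TCP, where the rules above apply.
add chain=forward protocol=udp dst-port=443 action=drop comment="no QUIC, force TCP fallback"
# DNS over TLS would let clients skip the router's resolver used in approach 2.
add chain=forward protocol=tcp dst-port=853 action=drop comment="block DoT"

# Approach 2: answer the name with the company web server instead of the real address.
# Only effective for clients that actually use the router's resolver, so allow remote
# queries and redirect LAN port-53 traffic to the router. DNS over HTTPS still bypasses this.
/ip dns set allow-remote-requests=yes
/ip dns static
add name=tiktok.com match-subdomain=yes address=203.0.113.10 \
    comment="A record -> company web server (203.0.113.10 is a TEST-NET-3 placeholder)"
add name=cdn.clockapp.com type=CNAME cname=intranet.example.com \
    comment="CNAME variant: placeholder CDN host -> placeholder intranet name"
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS through the router"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 \
    action=redirect to-ports=53
```

A redirected HTTPS request still fails certificate validation on the client (the company server does not hold a certificate for the TikTok name), so the redirect lands users on the company page only for plain HTTP; for HTTPS it behaves as a block.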
And what can we do with TLS 1.3?
#clockblocking? I think I've heard about it before😉
How can I block reggaeton music?
My man! Have a nice weekend.
How to block reggaeton music?
Nice video, thanks :)
Hello! How to block access to YouTube using MikroTik?
Did you watch the video?
Neat
Learn how to not block social media 🙄
Sorry but this solution is useless