TLS host: Block social media, spicy pages, etc.

Science and Technology

Blocking certain pages can get very tricky. Here's Normunds to guide you through the process.

Comments: 30

  • @TheNetworkBerg (1 year ago)

    Thanks MikroTik, another great video! This also highlights why there may be other devices that are designed specifically for this purpose to use in conjunction with your MikroTik. Like a proper UTM based NGFW that does all the heavy lifting in the backend to figure out what all the hostnames, IPs, applications, ports, etc. are and to block them seamlessly.

  • @Anavllama (3 months ago)

    Indeed, it comes at a cost, do not be fooled by products claiming to do so, such as Firewalla, which DO NOT DO DPI of encrypted traffic, thus not all that useful.

  • @michaelh.nabuzale4839 (1 year ago)

    The way you finished had me laughing at the problem you just evidenced

  • @Anavllama (1 year ago)

    Glad you stated that TLS is not the perfect solution. Industry has certainly moved to making their sites accessible by many means such as using the QUIC protocol and a worldwide content delivery system which bypass any TLS block. Concur with Mr Berg, get another appliance if it's a critical need (business environment as a front end device).

  • @olegandreych (1 year ago)

    Ironically, the same things make it harder to bypass these blocks. But blocks are still there and working fine.

  • @wreckedzilla (1 year ago)

    my man! have a nice weekend

  • @Bianchi77 (1 year ago)

    Nice video, thanks :)

  • @JaroslavVazac (1 year ago)

    DNS seems to be a better way, esp. in cooperation with Umbrella or similar DNS filtration services.

  • @dan__________________ (1 year ago)

    Until you have clients that use DNS over HTTPS.

  • @ldavader2704 (1 year ago)

    And what can we do with TLS 1.3?

  • @alimibrahem8120 (1 year ago)

    Thanks for that, Normis! So can I make a static DNS server in MikroTik for this purpose, so anyone who wants to go to TikTok will be redirected to another site, like my company site? Is there something like that in MikroTik?

  • @mikrotik (1 year ago)

    Yes, blocking by DNS name is yet another approach.

  • @Problembaer4 (1 year ago)

    You can create A-Records, which map Domain-Names to an IP, or you can create a CNAME-Record, which maps to another Domain-Name. So, yes, this is possible with MT-DNS.

  • @jester667 (1 year ago)

    #clockblocking? I think I've heard about it before😉

  • 1 year ago

    Neat

  • @inprosis (9 months ago)

    How can I block reggaeton music

  • @sagetechnology4913 (1 year ago)

    The real question is, how do I redirect all of my company's web traffic to spicy websites?

  • @CDR24 (1 year ago)

    You're a genius of evil

  • @D9ID9I (1 year ago)

    Any reason you can't set port without setting protocol? Just filter all protocols that support ports and fit into "port" value. It is annoying to duplicate same rules for different protocols when you care about port only.

  • @stevenrobertson4886 (3 months ago)

    Is anyone still active here? I've tried this route with no joy, and if I capture IP using a Mangle rule then create a filter rule it seems to take my router down and stop total internet access. Pls assist

  • @inprosis (9 months ago)

    How to block reggaeton music

  • @BlackB00X (5 months ago)

    for tiktok not working anymore in 2024

  • @chumgrinder25 (1 year ago)

    OK, I'm confused. The filter you created was for **tiktok**. The header you showed in Wireshark appears to match **tiktok**, yet you are not stopping it?

  • @mikrotik (1 year ago)

    You can block any service or website this way, TikTok is just one example

  • @chumgrinder25 (1 year ago)

    @mikrotik I believe you have misunderstood my comment. The purpose of you doing the Wireshark exercise was to determine what strings besides **tiktok** you needed to block to cover all the traffic, but the name you found should already have been blocked by *tiktok*. So why wasn't it already being blocked?

  • @mikrotik (1 year ago)

    No, the idea is that an app like TikTok could be using servers that do not have TikTok in their address, they might use some other address, like cdn.clockapp.com, for example. So blocking TikTok may not work (but TikTok is just an example, in real life blocking just *tiktok* works fine). This is why, if using *servicename* does not work, we suggest turning to Wireshark, to see what domain the app is using.

  • @chumgrinder25 (1 year ago)

    @mikrotik Ah, I see now. You didn't show us an "interesting" TikTok packet with a non-tiktok name because TikTok doesn't actually use such servers. What made it confusing is that you implied they did because your phone continued to work. Thanks.

  • @oplv (6 months ago)

    Hello! How to block access to youtube using mikrotik?

  • @mikrotik (6 months ago)

    Did you watch the video?