Hi Dan,

It's a bit tricky to do, because all RouterOS firewall rules are stored with IP addresses rather than domain names (for speed, of course ;) but there are a couple of tricks that you can try to use:

1) web proxy - built-in web proxy service supports use of domain names in access control lists. You don't need to cache the requests, just pass-through proxy, but it does take up a bit of CPU and memory overhead which is in relatively short supply for mAP ;)

2) content filter in firewall - you can use 'content' attribute in firewall filter rules to detect and block target data. This IS very CPU intensive (as content uses regex match against packet payload data) but if you design the filter carefully, you can minimise the overall impact. For example, make an initial rule to 'permit established' so that packets that are part of an existing TCP session are immediately accepted, then make a rule that matches destination port 80 on outbound packets but only when it is the first packet of a stream (tcp-new) and then jump to a chain with further packet inspection. Then using content matching, you can look for hostnames or even full URLs inside the packet payload data - HTTP header almost always fits inside the first packet of the web request, and so most of what you are looking for will be in there.

It's not /usually/ the sort of job you'd use mAP for, but if it is only managing a low bandwidth link (like 3G/LTE) then it may work OK for what you need to do!

Cheers, Mike.
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Daniel Hoffman
Sent: Saturday, 1 August 2015 6:36 PM
To: Public@talk.mikrotik.com.au
Subject: [MT-AU Public] Working with 3/4G.
I have just had to put a hap lite in to be a client to a Vodafone 4g wifi modem and bring that connection back into my network via Ethernet.
All works really well but wondering if anyone has any experience with firewall rulesets and/or application filtering to block big data use such as MS/Apple updates, Apple iCloud backups etc.
I've been thinking about just some big IP range drops for the big companies such as Apple and MS and AWS but thought maybe there is a better way.
Anyone.
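The hostname check described in option 2 of the reply, written out in Python as an added example that is not part of the original thread: it takes the payload of the first data packet of a port-80 request, reads the Host header, and decides whether to drop. The blocklist entries, function names and sample payloads are assumptions constructed for illustration.

```python
# Added example: blocklist entries and sample payloads are constructed.
BLOCKED_SUFFIXES = ("windowsupdate.com", "icloud.com")  # assumed list
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")


def extract_host(payload: bytes):
    """Return the lower-cased Host value visible in the first data
    packet of an HTTP request, or None if it cannot be read there."""
    if not payload.startswith(HTTP_METHODS):
        return None  # not a plaintext HTTP request line
    complete = b"\r\n\r\n" in payload
    lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    if not complete:
        lines = lines[:-1]  # last line may be cut off mid-header
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            name_part, colon, port = host.rpartition(":")
            return name_part if colon and port.isdigit() else host
    return None  # Host header not present in this packet


def verdict(payload: bytes) -> str:
    """'drop' when the requested host is a blocked domain or one of its
    subdomains; 'pass' otherwise, including when no host is readable."""
    host = extract_host(payload)
    if host is None:
        return "pass"
    for suffix in BLOCKED_SUFFIXES:
        # Suffix match on a label boundary, so a name that merely
        # contains a blocked string is not caught by accident.
        if host == suffix or host.endswith("." + suffix):
            return "drop"
    return "pass"


SAMPLE_UPDATE = (b"GET /v9/update.cab HTTP/1.1\r\n"
                 b"Host: Download.WindowsUpdate.com\r\n"
                 b"User-Agent: x\r\n\r\n")
SAMPLE_OTHER = b"GET / HTTP/1.1\r\nHost: example.org:8080\r\n\r\n"
SAMPLE_TRUNCATED = b"GET / HTTP/1.1\r\nUser-Agent: x\r\nHost: www.iclo"
SAMPLE_NOT_HTTP = b"\x16\x03\x01\x02\x00\x01"

if __name__ == "__main__":
    for p in (SAMPLE_UPDATE, SAMPLE_OTHER, SAMPLE_TRUNCATED, SAMPLE_NOT_HTTP):
        print(extract_host(p), verdict(p))
```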