cyber deal
RouterOS v7 Advanced Security Book
Study material for the MTCSE Certification Course, updated to RouterOS v7
$19,97
Add to cart
How to Block HTTPS Sites Effectively with MikroTik TLS Host
- Kevin Moran
- No comments
- Share this article
Facebook
Twitter
LinkedIn
WhatsApp
Telegram
La tls-host option in MikroTik RouterOS is a firewall feature that allows TLS traffic to be filtered based on the domain name of the server it is directed to.
This can be useful for blocking access to malicious or unwanted websites, or for controlling the flow of traffic on your network.
However, it is important to note that using tls-host has some limitations and precautions:
Limitations
- Only works with TLS traffic: It does not affect HTTP traffic or any other protocol other than TLS.
- Requires domain name resolution: The firewall needs to resolve the server's domain name in order to apply the rule. If resolution fails, traffic could pass through unfiltered.
- May be vulnerable to bypass attacks: Attackers can use techniques to hide the server's real domain name, making the tls-host rule ineffective.
- Disable hardware download: When using tls-host, hardware offloading for processing TLS packets is disabled, which can decrease network performance.
Precautions
- Don't block legitimate websites: Make sure tls-host rules don't accidentally block websites your users need.
- Be careful with wildcards: Avoid using wildcards in tls-host rules, as this could block more traffic than you want.
- Keep MikroTik updated: Make sure your MikroTik RouterOS is updated with the latest security patches to avoid vulnerabilities.
Alternatives
- IP based filters: You can filter traffic based on the server's IP address, which can be more effective in some cases.
- Using access lists: You can use access lists to specify which servers or domains are allowed or blocked.
- Implementation of a web proxy: A web proxy can filter the content of web pages and block access to malicious websites.
The tls-host option can be a useful tool for filtering TLS traffic in MikroTik RouterOS, but it is important to use it with caution and be aware of its limitations.
Consider alternatives and follow appropriate security practices to protect your network effectively.
Most websites now use https and blocking https websites is much more difficult with MikroTik RouterOS version lower than 6.41. But starting with RouterOS v6.41, MikroTik Firewall introduces a new property called TLS Hos t which is able to match https websites very easily.
Therefore, blocking https websites like Facebook, YouTube, etc. It can be easily done with MikroTik Router if the RouterOS version is higher than 6.41.
Filtering based on host names
You can use “tls-host” in firewall rules to filter traffic based on hostnames instead of IP addresses. This can be beneficial if the IP addresses of the servers you communicate with are prone to changing and you prefer to use hostnames that remain constant.
/ip firewall filter add chain=forward dst-port=443 protocol=tcp tls-host=example.com action=accept
In this example, the rule will allow outbound TLS traffic to port 443 destined for “example.com.”
Certificate and hostname management
By using the “tls-host” option, you can make it easier to manage SSL/TLS certificates on your network. If the certificates change or are renewed and the hostname remains the same, you will not need to update the firewall rules with new IP addresses.
Reducing dependency on fixed IP addresses
In some cases, especially when interacting with cloud-hosted services or with service providers that may change assigned IP addresses, using “tls-host” provides an abstraction layer that reduces reliance on fixed IP addresses.
/ip firewall filter add chain=forward dst-port=8443 protocol=tcp tls-host=cloud-service.com action=accept
Here, outgoing TLS traffic to port 8443 destined for “cloud-service.com” will be allowed regardless of the current IP address of the service.
It is important to note that for the “tls-host” option to be effective, the remote service must support the use of host names instead of IP addresses. Not all services or applications allow this flexibility, so it is crucial to review the documentation for the specific service you are using.
How to Block HTTPS Websites with TLS Host Matcher
- Go to the IP > Firewall menu item and click the Filtering Rules tab and then click the PLUS SIGN (+). The New Firewall Rule window appears.
- Choose forward from the String drop-down menu.
- Choose tcp from the Protocol drop-down menu.
- Click Dst. Port and port entry box 443.
- Click on the Advanced tab and click on the TLS Host input box and put the domain name you want to block (such as *.facebook.com) in this box.
- Click the Action tab and choose drop from the Action drop-down menu.
- Click Apply and the OK button.
Firewall rule by Command
/ip firewall filter add chain=forward dst-port=443 protocol=tcp tls-host=*.facebook.com action=drop
Brief knowledge quiz
What do you think of this article?
Do you dare to evaluate your learned knowledge?
Recommended book for this article
Related Posts
Related Posts
Microlabs
(ML-001) How to properly manage multiple public or private IPs on the edge router
$8,99
(ML-002) Ways to assign public IP addresses to clients with MikroTik
$9,99
(ML-003) Guide to configure Internet exit routes with two or more providers (failover and recursion in PCC balancing)
$8,99
(ML-004) Filter implementation strategies to restrict access to web pages with MikroTik
$7,99
Other topics that may interest you
Ways to Assign IPv6 Addressing (Part 2)
March 25th, 2024
WireGuard on MikroTik RouterOS: A Secure and Efficient VPN Solution
March 13th, 2024
Ways to Assign IPv6 Addressing (Part 1)
March 11th, 2024
Do you want to suggest a topic?
Every week we post new content. Do you want us to talk about something specific?
Upcoming online courses
MTCINE OnLine
$187,00
MTCNA Online
$187,00
MTCRE Online
$187,00
Pack 4 MikroTik RouterOS books
$68,47
