Recently someone asked me how to block adult websites in MikroTik. There is no built-in way to do it, since it involves URL filtering, and that is not the job of a ROUTER. A dedicated proxy server can do it effectively, since proxies are built for such purposes: caching, URL filtering, redirecting, etc.
We are using Microsoft TMG in our organization, which filters URLs based on category, so it is easy for us to just select the categories we want to block, for example Porn / Gambling / Spyware etc. But Microsoft charges for this service on an annual basis (which I guess is about $15 per user annually). It does the job perfectly and very efficiently, but it is not a cost-effective solution, especially if you don't have much budget to pay Microsoft.
However, the following is a free, neat and clean method to block almost 99% of porn web sites, using the OpenDNS servers as the primary DNS server in your router/proxy or even a desktop PC.
Use the DNS servers below as your primary DNS server in MikroTik / ISA Server / router or even a desktop. If you are using MikroTik or another server, make sure clients are using your server IP as their DNS server, because OpenDNS filtering only works if the client / router is sending its queries to the OpenDNS servers. You can also force users to use your DNS server by adding a redirect rule so that every DNS request is redirected to your local server.
208.67.222.123
208.67.220.123
If you are using a MikroTik server, it would look something like the image below:
Now if you try to open any adult web site, it won't open: you will either get the browser's default 'Could not open' error, or the request will be redirected to the OpenDNS block page informing you that your request was blocked by OpenDNS.
As shown in the image below:
You can also show your own page explaining that adult web sites are blocked, along with your advertisement. For this purpose, enable web-proxy and redirect user traffic to the local proxy; then in proxy access, block www.blocked-website.com / block.opendns.com and redirect them to a page on your local web server.
Category Based Filtering
If you have a fixed public IP address, you can create an account at http://www.opendns.com and then do category based filtering.
As shown in the image below:
How to enable web proxy in MikroTik and redirect the OpenDNS error page to a local error page
/ip proxy set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
    cache-on-disk=no enabled=yes max-cache-size=none max-client-connections=600 \
    max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 \
    parent-proxy-port=0 port=8080 serialize-connections=no src-address=0.0.0.0
/ip proxy access add action=deny disabled=no dst-host=www.blocked-website.com dst-port="" \
    redirect-to=101.11.11.240/nonpayment/nonpayment.htm
/ip proxy access add action=deny disabled=no dst-host=opendns.blockdns.com dst-port="" \
    redirect-to=101.11.11.240/nonpayment/nonpayment.htm
Replace 101.11.11.240 and the full path with the address and page of your own local web server.
Now add a NAT rule to redirect user traffic to the local proxy.
Now Redirect All User Traffic to Local Proxy
/ip firewall nat add action=redirect chain=dstnat disabled=no dst-port=80 protocol=tcp \
    to-ports=8080
Make sure you move this rule in the NAT section above the default masquerading rule, so that it captures the HTTP traffic and redirects it before the traffic is masqueraded to the outside world.
As shown in the image below:
If you don't want to use the proxy for all requests but only for http://www.blocked-website.com, use the rule below instead: it only redirects traffic destined for the block page address (208.69.33.135 as configured here) to the local web proxy; all other traffic goes directly.
/ip firewall nat add action=redirect chain=dstnat disabled=no dst-address=208.69.33.135 \
    dst-port=80 protocol=tcp to-ports=8080
Now when a user tries to open any adult web site, they will be redirected to the local proxy, and the proxy will (using the access rules defined above) redirect the request to our local web server page showing our info page.
As shown in the image below:
How to force users to use a specific DNS server
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.1.1 to-ports=53 protocol=tcp dst-port=53
add chain=dstnat action=dst-nat to-addresses=192.168.1.1 to-ports=53 protocol=udp dst-port=53
Probably only the UDP rule is required, since DNS queries normally use UDP.
Regards,
Syed Jahanzaib
Is there any way to block the anonymoX plugin or Hotspot Shield or any other way to hide IP? Please help if it's possible.
Comment by Zeeshan — November 24, 2012 @ 6:20 PM
Aoa,
If users use open proxies / change proxies, will this method work or not? For example YouTube is blocked all over Pakistan, but users use different proxies and access YouTube easily.
Kind Regards,
Shanan
Comment by Shanan Varind — November 25, 2012 @ 12:58 PM
Hey, there's an easier way to block porn: http://www.safedns.com
They have a good Windows client, and it's easy for non-tech people to use.
Comment by Mullen — November 29, 2012 @ 10:47 PM
It's for the desktop end; in the article, I talked about centralized filtering using the OpenDNS servers on a proxy/MikroTik server.
Comment by Syed Jahanzaib / Pinochio~:) — November 30, 2012 @ 8:59 AM
Alsalam Alaikum …
Sir, I'm using an RB450G with v6.0rc11, configured WAN with a static IP address and LAN for Hotspot 10.5.50.0/24.
I want to block facebook.com and redirect it to google.com, and I already did that by enabling the proxy and adding http://www.facebook.com in dst-host in the access rules, and put the redirect rule in NAT above the hotspot masquerading rule (not above the hotspot rules), but the problem is that not all clients are redirected to google.com; others are redirected OK.
Is there a rule to guarantee redirecting facebook.com or blocking it?
And how can I block the Facebook application on Android mobile?
Thanks.
Comment by esalehnet — March 5, 2013 @ 10:42 PM
I don't know what rules you have in place at your server; please post your NAT rules.
Some workarounds are to redirect all hotspot clients to the local web proxy, and there you filter all traffic as per your requirements.
You don't need to put this rule on top, but before any other NAT rule for sure, before the default masquerade rule.
Comment by Syed Jahanzaib / Pinochio~:) — March 6, 2013 @ 8:57 AM
Simple and great!
Thank you
Comment by Andrea — September 12, 2013 @ 7:34 PM
What is the price of the Teltonika GSM modem device and where can I get it in Karachi?
Comment by Muhammad Haris — September 13, 2013 @ 5:51 AM
Asalam u alaikum, YouTube is banned in Pakistan but people open it through Hotspot Shield. For example, I want to make my own network, so how can I deny my clients from opening YouTube in an ACL (access control list) for HTTP and TCP?
Comment by sikandar — October 8, 2013 @ 5:53 PM
Is there any way to block Hotspot Shield in FTMG 2010?
Comment by umer — October 24, 2013 @ 7:15 PM
[…] policy to block access to adult web sites and Facebook. Blocking adult web sites was easy using OpenDNS and forcing users' DNS traffic to pass through it, but blocking Facebook was a bit tricky as it uses HTTPS […]
Pingback by Blocking http/https Facebook via automated address-list | Syed Jahanzaib Personnel Blog to Share Knowledge ! — February 11, 2014 @ 9:18 AM
First of all, thank you very much. I have a question: how can I let some IPs bypass, meaning they can access all sites?
Comment by jishan — March 26, 2014 @ 2:28 PM
Yes, create a redirect rule for those user IPs (in src addresses or list) and redirect their DNS requests to a public DNS like Google 8.8.8.8.
Comment by Syed Jahanzaib / Pinochio~:) — March 27, 2014 @ 10:34 AM
Could you give me an example please! Because I have OpenDNS working, and on a few PCs I changed the DNS to Google to bypass OpenDNS, but with web proxy on my MikroTik every PC gets blocked despite the Google DNS being set manually on a few PCs!
Thanks!
Comment by ezajkul — October 28, 2014 @ 2:23 PM
Also I have DNS redirect on for a few IPs, not all of them, but with web proxy on they all get redirected!
Comment by ezajkul — October 28, 2014 @ 2:25 PM
Asalam o Alaiqum… Great work throughout Mr. Z@ib…
BUT OPENDNS is NO MORE FREE..... It's been acquired by CISCO... CISCO buys all the great things which may put hurdles in its business path. SOURCEFIRE is a good example of it. Now OPENDNS, this year in July, is gone. Kindly update us with any other good option which could not be acquired by anyone and should be available cost free for everyone, like Wikipedia. Thanks.
Comment by a1technoman — December 8, 2015 @ 12:23 PM
Till date, as of writing, OpenDNS is still working fine. I still have its free service using the web portal, and all functions are working OK.
But can't say for tomorrow; once it goes PAID, I will look for an alternative, but none can beat OpenDNS as it's free and well managed 😦
Comment by Syed Jahanzaib / Pinochio~:) — December 8, 2015 @ 12:27 PM
I think that day has come, because it's not even working on landline broadband either, I mean PTCL. All inappropriate materials are opening without any hurdle. You can check it by using PTCL's DNS IPs. I found something for home safe web. These provide DNS services with security; it can be used for our internal network until we get a controllable DNS.
Links Are:
https://dns.norton.com/configureRouter.html
https://www.comodo.com/secure-dns/
DNS available on these links are working.
I'm now using Norton ConnectSafe DNS:
Preferred DNS: 199.85.126.30
Alternate DNS: 199.85.127.30
Comment by Ahmed Hanif — December 9, 2015 @ 4:49 PM
That day has come. Because controlling DNS for the internal network is not free. I made an account on it, but didn't get any control panel. It just gave me a DNS Update checker client.
So, I searched and found 2 DNS servers which can keep our internal network safe from inappropriate content and secure from malware, bots, viruses, etc.
Links for these are:
https://dns.norton.com/configureRouter.html
https://www.comodo.com/secure-dns/
I'm using Norton ConnectSafe and it's working fine on my network:
• Preferred DNS: 199.85.126.30
• Alternate DNS: 199.85.127.30
Comment by a1technoman — December 9, 2015 @ 5:04 PM
Well, OpenDNS is still working like a charm. I have its control panel (free) and I can select any category for blocking.
Comment by Syed Jahanzaib / Pinochio~:) — December 10, 2015 @ 8:09 AM
Thanks Mr. Z@ib. It's working. There was another technical issue while I was trying; it's resolved now.
Comment by a1technoman — December 14, 2015 @ 2:44 AM
Alsalam Alaikum …
Sir, I have a problem: how to block gambling scripts in MikroTik? Example: beat online... thanks.
Comment by ahmad — September 17, 2016 @ 9:05 AM
It's not the job of a ROUTER to do web filtering. You should install some dedicated proxy like Squid or another with content or category based filtering and route all your HTTP traffic from the MikroTik to the proxy.
However, as a workaround you can create an account at OpenDNS and then forcefully route all DNS traffic to the OpenDNS servers; this way you can filter a lot of web traffic based on category. I wrote about it in detail in the following post.
Comment by Syed Jahanzaib / Pinochio~:) — September 18, 2016 @ 3:57 PM
Asslam o Alikum
Jahanzaib bhai, I hope you are fine.
I am using OpenDNS in my MikroTik server and it's working perfectly. Just one problem I am facing: I redirect DNS to OpenDNS in the firewall so that clients can only use OpenDNS, but I want to allow myself and the boss to use Google DNS, meaning I don't want the restriction on myself. Please tell me the steps; I will be grateful to you.
Comment by irum — July 5, 2017 @ 2:52 PM
There are a few ways to bypass OpenDNS for specific clients.
Example:
First make an address list and add your IP and the boss's IP to it, let's say the Google_DNS_Clients list.
Now redirect this address list to Google DNS.
A second rule will redirect all other clients to OpenDNS.
In MikroTik, rules are processed in order.
Comment by Syed Jahanzaib / Pinochio~:) — July 5, 2017 @ 3:00 PM
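The bypass-then-catch-all ordering described in the reply above, together with the DNS-forcing rule from the post, as an added Python example that is not part of the post and not RouterOS code: it simulates first-match evaluation of dstnat DNS rules and flags a bypass rule that is shadowed because the catch-all OpenDNS redirect sits above it. The address list name Google_DNS_Clients is from the reply; the client IPs and 192.168.1.x addressing are constructed.

```python
# Added example, not from the original post: a first-match simulation of the
# MikroTik dstnat DNS redirect rules, checking that a per-client bypass rule
# (address list -> Google DNS) sits before the catch-all OpenDNS redirect.
# The rule set, address list and client IPs below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional
OPENDNS = "208.67.222.123"  # OpenDNS FamilyShield resolver from the post
GOOGLE_DNS = "8.8.8.8"      # public resolver the bypass clients may use

@dataclass
class NatRule:
    to_addresses: str                       # resolver the query is dst-nat'ed to
    src_address_list: Optional[str] = None  # None: rule matches every client
    protocol: str = "udp"
    dst_port: int = 53

# Address list from the comment thread: the admin's and the boss's IPs.
ADDRESS_LISTS = {"Google_DNS_Clients": [ip_network("192.168.1.10/32"),
                                        ip_network("192.168.1.11/32")]}

def in_list(src: str, list_name: str) -> bool:
    return any(ip_address(src) in net for net in ADDRESS_LISTS[list_name])

def resolve_target(rules: List[NatRule], src: str, protocol: str = "udp",
                   dst_port: int = 53) -> Optional[str]:
    """Resolver a client's DNS query reaches: RouterOS walks the chain top
    to bottom and the first matching rule wins."""
    for r in rules:
        if r.protocol != protocol or r.dst_port != dst_port:
            continue
        if r.src_address_list and not in_list(src, r.src_address_list):
            continue
        return r.to_addresses
    return None  # nothing matched: query goes wherever the client chose

def shadowed_bypass(rules: List[NatRule]) -> List[str]:
    """Address lists whose bypass rule can never match because an
    unconditional redirect for the same protocol/port precedes it."""
    catch_all_seen, shadowed = set(), []
    for r in rules:
        key = (r.protocol, r.dst_port)
        if r.src_address_list is None:
            catch_all_seen.add(key)
        elif key in catch_all_seen:
            shadowed.append(r.src_address_list)
    return shadowed

CORRECT_ORDER = [NatRule(GOOGLE_DNS, src_address_list="Google_DNS_Clients"),
                 NatRule(OPENDNS)]
WRONG_ORDER = list(reversed(CORRECT_ORDER))
```

Note that only UDP port 53 is covered by the constructed rules, so a TCP DNS query from any client matches nothing, mirroring the post's remark that the TCP rule is optional.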
Thanks for your quick response.
Can you please tell me the steps to do this task, just like you explained the OpenDNS steps?
Comment by irum — July 5, 2017 @ 3:27 PM
I can, but I would like you to learn: do some R&D and implement the rules; when they don't work, come back with what you have done so far and what is not working.
Comment by Syed Jahanzaib / Pinochio~:) — July 5, 2017 @ 3:41 PM
Alright, I am trying to do it.
Comment by irum — July 5, 2017 @ 3:46 PM
It's working, thanks a lot sir, you saved my life, really many many thanks.
You are my teacher; I have learned many things from you. Bundle of thanks.
Comment by irum — July 5, 2017 @ 4:48 PM
I am glad it worked for you.
Comment by Syed Jahanzaib / Pinochio~:) — July 6, 2017 @ 8:56 AM
I will try this sir, thanks in advance.
Comment by Cara Mudah Memblokir Situs dengan MikroTik — June 2, 2018 @ 8:48 PM