How to block pornography and violence sites with MikroTik?

This is a common question among network administrators who use MikroTik to control internet access. Blocking pornography and violence sites helps prevent children's exposure to explicit content on home and school networks, and reduces wasted employee time on corporate networks.

Whatever the environment, the subject comes up constantly in forums and groups, so we decided to list 3 ways to block pornography and violence sites with MikroTik, along with the advantages and disadvantages of each.

Tip 1: Keyword blocking using Layer7 Protocol with WebFig

In this first tip, we show how to block pornography and violence sites using the Layer7 protocol matcher through MikroTik's web management interface, WebFig.

Step 1: Access the WebFig panel

Open the web interface of your MikroTik router, for example http://192.168.88.1 , and log in.

Step 2: At the top of the page, click the WebFig button

Step 3: Access the Firewall Settings page

Access the IP menu → Firewall

Step 4: Open the form to create a Layer7 Protocol rule

Open the “Layer7 Protocols” tab and click the “Add New” button to display the form.

Step 5: Create rules with keywords

In the “Name” field, type a name for the rule, and in the “Regexp” field add a regular expression that contains the main keywords of pornography sites.

Step 6: Creating URL Filtering Rules

In this step you create the filter rule that applies the Layer7 rule added in the previous step.

Visit the "Filter Rules" tab and click the "Add New" button.

On the rule form, find the “Layer7 Protocol” field in the “Advanced” section and select one of the rules created in Step 5.

Still on the rule form, in the “Action” field select the “Drop” option and click the “Apply” button at the top of the page to finish.

Repeat these steps to create one filter rule for each Layer7 rule.

Step 7: Test the block

In a private (incognito) tab of your browser, open Google, search for the term "porn" and try to access the sites that appear in the results.
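The same Layer7 rule and filter rule entered from the RouterOS terminal, as an added example that is not part of the original tutorial. The rule names, the keyword placeholders and the exception domain are assumptions to replace with your own, and the filter rule is assumed to go in the forward chain, which carries traffic between the LAN and the internet.

```routeros
# Added example (not from the tutorial): CLI equivalent of Steps 4 to 6.
# Layer7 only inspects the first packets of each connection, so on HTTPS
# sites the keywords effectively match the hostname sent in the TLS
# ClientHello (SNI), not the page content.
/ip firewall layer7-protocol
add name=adult-keywords regexp="^.+(porn|KEYWORD2|KEYWORD3).*\$"

# Step 6: one filter rule per Layer7 entry, dropping matching connections.
/ip firewall filter
add chain=forward layer7-protocol=adult-keywords action=drop \
    comment="Tip 1: keyword block"

# Exception for a legitimate site caught by a keyword (the "useful websites"
# disadvantage): accept it in a rule placed above the drop rule. Address
# lists accept domain names, which the router resolves itself.
/ip firewall address-list
add list=l7-allow address=allowed-site.example comment="false positive"
/ip firewall filter
add chain=forward dst-address-list=l7-allow action=accept \
    place-before=[find comment="Tip 1: keyword block"] \
    comment="Tip 1: exceptions"

# Step 7 check: the drop rule's packet counter grows while you run the test.
/ip firewall filter print stats where layer7-protocol=adult-keywords
```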

Benefits

  • Quick to implement
  • No additional cost
  • Low maintenance

Disadvantages

  • May block useful websites
  • Rules can only be changed from inside the internal network
  • No blocking reports

Tip 2: OpenDNS

OpenDNS is a website filtering and classification service that can be integrated with MikroTik by configuring the DNS servers in WebFig.

Follow the step-by-step below to apply OpenDNS to block pornography and violence sites.

Step 1: Create an OpenDNS account

For this tip, we will create a free account on OpenDNS Home.

Step 2: Confirm registration via email

After registration, you will receive an OpenDNS email with a registration confirmation link. Click this link to confirm and open the control panel.

Step 3: Create new network

After clicking the confirmation link, you will be redirected to the OpenDNS control panel. On this page, create a new network using the "Add a Network" button.

Step 4: Enter the network IP

If the system does not fill in the IP automatically, enter the IP of the network you want to filter and click the "Add This Network" button.

Step 5: Select the filtering level

After adding the network, click on the "Settings" tab, select the newly created network in the "Settings for" field, check the "Moderate" option, which includes the pornography and violence categories, and finish by clicking the "Apply" button.

Step 6: Copy the OpenDNS IPs to apply to MikroTik

Still in the OpenDNS control panel, at the bottom of the page, copy the two IPs to be applied in the MikroTik configuration: “The OpenDNS Nameservers are 208.67.222.222 and 208.67.220.220”.

Step 7: Access the DNS configuration page in MikroTik WebFig

In MikroTik's WebFig panel go to the IP menu → DNS.

Step 8: Enter the OpenDNS servers

Click the down arrow next to the word "Servers" twice to open two new fields and enter the OpenDNS IPs, check the "Allow Remote Requests" option and click the "Apply" button.

Step 9: Disable the “Use Peer DNS” option

If you receive DNS servers from your ISP or from another router, they appear in the “Dynamic Servers” field of IP → DNS. In that case, go to the IP → DHCP Client menu, click on the entry for your link interface, uncheck the “Use Peer DNS” option and click the “Apply” button.

Step 10: Complementary Settings

To finish the integration with OpenDNS, follow the Complementary Safety Setup and NAT redirect sections below.

Step 11: Test the block

In a private tab of your browser, go to Xvideos.com and confirm that the OpenDNS block page is displayed.

Advantages of OpenDNS

  • Free
  • No need to maintain lists
  • Cloud filter management
  • No need for extra equipment

Disadvantages of OpenDNS

  • Free version limited to 3 networks
  • No support in Portuguese
  • Block lists are not tailored to the Brazilian public
  • Very basic reports

Tip 3: Lumiun DNS

Lumiun DNS is a new DNS filtering and content classification service that can easily be integrated with MikroTik through WebFig to simplify blocking pornography and violence sites.

Follow the step-by-step below to install Lumiun DNS.

Step 1: Create an account on Lumiun DNS

Visit https://dns.lumiun.com/register to create your free account. At the time of writing, you can try all features free for 14 days, with the possibility of extending the trial by another 30 days by answering a feedback questionnaire.

Step 2: Confirm registration via email

After registering, confirm your account using the “Verify your email” button in the email sent to you. If the email is not in your inbox, check your Spam folder and mark it as “Not Spam” to receive the next ones.

Step 3: Create new policy

After confirmation you will be redirected to the Lumiun DNS control panel. To make the start easier, a page with 3 steps is displayed.

The first step is to create a policy. Through the policy you select locations, activate filters, and block applications and websites.

Step 4: Register new location

In Lumiun DNS a location identifies a network, device or place that you want to control and protect.

To register a location, fill in the name field, select the time zone, check the policy created in the previous step and click the "Next" button.

Step 5: Installing Lumiun DNS on MikroTik

After creating the location, you will be redirected to the installation page. Select the “Mikrotik” tab and follow the installation instructions for this new location.

Step 6: Check that the “Use Peer DNS” option of the DHCP Client is enabled

In MikroTik's WebFig panel, go to the IP menu → DHCP Client and make sure the “Use Peer DNS” option is enabled for your internet link interface.

If not, click on the entry, check the option and click the "Apply" button.

Step 7: Enter the DoH address

Copy the DoH address from the Lumiun DNS installation page.

On the WebFig DNS page click the “Use DoH Server” arrow, paste the address and click the "Apply" button.

Step 8: Clear the cache

Still in the IP menu → DNS, click the "Cache" button and then click "Flush Cache".

Step 9: DNS Servers

Go to the IP menu → DHCP Server and click on the Networks tab. Click on your network entry, for example 192.168.88.0/24.

Fill in the “DNS Servers” option with the same address as the “Gateway” option above it. Click Apply and OK.

Step 10: Enable blocking filters

Back in the Lumiun DNS panel, click on the “Policies” menu at the top of the page, select the newly created policy and enable the “Adult content block” and “Block child sexual abuse content” filters.

Still on the Policies page, activate safe search for Google and Bing. This filter removes adult content from the results of these search engines.

Step 11: Complementary Settings

To finish the integration with Lumiun DNS, follow the Complementary Safety Setup and NAT redirect sections below.

Step 12: Test the block

In a private tab of your browser, visit Redtube.com and the Lumiun DNS block page will be displayed.
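The MikroTik side of Tip 3 (Steps 6 to 9) entered from the RouterOS terminal, as an added example that is not part of the original tutorial or of Lumiun's own instructions. It assumes ether1 is the internet link, 192.168.88.0/24 with gateway 192.168.88.1 is the LAN from Step 9, and the DoH URL is a placeholder for the address shown on the Lumiun installation page.

```routeros
# Added example (not from the tutorial): CLI equivalent of Steps 6 to 9.
# Step 6: the router needs a plain DNS server to resolve the DoH server's
# own hostname, which is why "Use Peer DNS" must stay enabled on the link.
/ip dhcp-client set [find interface=ether1] use-peer-dns=yes

# Step 7: point the router's resolver at the DoH endpoint. Clients use the
# router as their DNS server (Step 9), so remote requests must be allowed;
# the open-resolver side effect is handled by the firewall rules later on.
/ip dns set use-doh-server="https://DOH-ADDRESS-FROM-LUMIUN-PANEL" \
    allow-remote-requests=yes
# Optional hardening not covered by the WebFig steps: have the router check
# the DoH server certificate. This only works after the issuing CA chain has
# been imported under /certificate; otherwise every DoH query fails.
# /ip dns set verify-doh-cert=yes

# Step 8: drop cached answers so records resolved before the filter vanish.
/ip dns cache flush

# Step 9: hand out the router itself as DNS server to DHCP clients.
/ip dhcp-server network set [find address=192.168.88.0/24] \
    dns-server=192.168.88.1

# Check: the DoH server shows in the resolver settings and a lookup works.
/ip dns print
:put [:resolve example.com]
```

Clients that received the old lease still hold the previous DNS server until they renew, so the test in Step 12 may only pass after the device reconnects.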

Advantages of Lumiun DNS

  • No need to maintain lists
  • Cloud filter management
  • Standardized lists for Brazilian users
  • No need for extra equipment
  • Graph of allowed and blocked request volumes
  • Statistics of the most blocked websites
  • Real-time logs
  • Safe search to remove adult content from major search engines
  • Support in Portuguese

Disadvantages of Lumiun DNS

  • Documentation is not yet complete
  • Still in the testing phase

Complementary Safety Setup

The "Allow Remote Requests" option makes the router answer DNS queries arriving on any interface, including the internet link, so it could be abused from outside as an open resolver. To avoid this, we define new firewall rules.

Step 1: Access the firewall

Visit the IP menu → Firewall and click the "Add New" button.

Step 2: Rule to block external queries via UDP

  • In the "Chain" field select the "Input" option.
  • In the “Protocol” field select the “UDP” option.
  • In the “Dst. Port” field enter the UDP port number “53”.
  • In the “In. Interface” field select the interface that is your link, for example "Ether1".
  • In the "Action" field select the "Drop" option.
  • Click the "Apply" and "OK" buttons.

Step 3: Rule to block external queries via TCP

Repeat the previous step, but in the “Protocol” field select the “TCP” option.

In the end, you will have two new firewall rules, one for UDP and one for TCP.

NAT redirect

We will add a NAT rule that redirects the network devices' DNS queries to the MikroTik, so they all pass through the DNS configured on it.

Step 1: Access the NAT rule page

To add a new NAT rule go to the IP menu → Firewall, click on the NAT tab and click the "Add New" button.

Step 2: Add a new NAT rule

  • In the “Chain” field select the “Dstnat” option
  • In the “Protocol” field select “UDP”
  • In the “Dst. Port” field enter port “53”
  • In the “In. Interface” field select the interface that is your link, for example "Ether1", and check the box next to it so the "!" (not) sign appears; this negates the match, so the rule applies to DNS queries coming from every interface except the link
  • In the "Action" field select the "Redirect" option
  • Click the "Apply" and "OK" buttons
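The Complementary Safety Setup rules and the NAT redirect entered from the RouterOS terminal, as an added example that is not part of the original tutorial. It assumes ether1 is the internet link; the TCP redirect rule goes beyond the page's UDP-only rule because resolvers fall back to TCP for large answers.

```routeros
# Added example (not from the tutorial): CLI equivalent of the two input
# drop rules and the dstnat redirect. Firewall rules are evaluated top-down,
# so the drops must sit above any rule that accepts input from the link.
/ip firewall filter
add chain=input protocol=udp dst-port=53 in-interface=ether1 action=drop \
    comment="Block external DNS queries (UDP)"
add chain=input protocol=tcp dst-port=53 in-interface=ether1 action=drop \
    comment="Block external DNS queries (TCP)"

# Redirect DNS queries that do NOT arrive from the link ("!" negation on
# In. Interface) to the router's own resolver, so a device with a manually
# set DNS server is still filtered. The router's own queries leave through
# the output chain and are not affected.
/ip firewall nat
add chain=dstnat protocol=udp dst-port=53 in-interface=!ether1 \
    action=redirect to-ports=53 comment="Force LAN DNS through router (UDP)"
add chain=dstnat protocol=tcp dst-port=53 in-interface=!ether1 \
    action=redirect to-ports=53 comment="Force LAN DNS through router (TCP)"

# Check from a LAN device: query any public resolver directly, e.g.
#   nslookup example.com <public resolver IP>
# The answer must come from the router and the redirect counters must grow.
/ip firewall nat print stats where comment~"Force LAN DNS"
```

This redirect only covers classic DNS on port 53; a browser or device configured to use its own DoH or DoT resolver over port 443 or 853 bypasses it, which is worth remembering when a test device is not being filtered.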

What is the best solution for my network?

It depends on your needs and the time you have available.

If you have time and do not need to monitor what is being blocked, Tip 1 is the most suitable, as it is free. However, it requires periodic revision of the regular expression and the addition of exceptions for false positives and domains.

Tip 2 (OpenDNS) is ideal for those who do not have time to maintain lists, do not need detailed blocking information, need to manage up to 3 distinct networks, have no financial resources to invest, and do not mind if Brazilian adult content sites escape the block.

Finally, Tip 3 (Lumiun DNS) is suitable for those who do not have time to manage lists, need stricter blocking of Brazilian and international websites, need to filter the results of the major search engines, want to view real-time logs and statistics, and want to control the internet of several home or corporate networks from a single control panel.
