Mikrotik Proxy: Limiting Internet Access

Multicolored stack of books.

In library environments, we often have a need to limit Internet access on certain computers. One example would be for a dedicated card catalog computer where we do not want patrons using the machine for anything else. In this example, we have a certain computer that will only be allowed to access a card catalog hosted on AutoGraphics’ webserver. In addition, we need to include access to cover images provided by Syndetics. First, we create a web proxy entry in the router:

[sourcecode language=”plain”]
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
cache-on-disk=no enabled=yes max-cache-size=none max-client-connections=600
max-fresh-time=3d max-server-connections=600 parent-proxy= \
parent-proxy-port=0 port=8080 serialize-connections=no src-address=

In this example, we do not want to cache the site(s) on the router’s disk, and the access port is set to 8080. Next, we create entries in the proxy for what can and cannot be accessed:

[sourcecode language=”plain”]
/ip proxy access
add action=allow disabled=no dst-host=*.auto-graphics.com
add action=allow disabled=no dst-host=*syndetics.com
add action=deny disabled=no

We have added entries for both auto-graphics.com and syndetics.com, and have ended with a deny all. The order is important as any attempt to access a website will move through the list from the top down. This is the same order as rules in the router firewall. Next, we create an address-list entry for the IP address of the card catalog computer:

[sourcecode language=”plain”]
/ip firewall address-list
add address= disabled=no list=CardCat

We could of course create multiple address-lists entries for different IP addresses, making sure to name them all the same (CardCat). Finally, we create a NAT rule in the firewall that will capture all http port 80 traffic and re-direct it to the proxy for processing:

[sourcecode language=”plain”]
ip firewall nat
add action=redirect chain=dstnat comment="Card Catalog Proxy Rule" disabled=no dst-port=80 \
protocol=tcp src-address-list=CardCat to-ports=8080

The NAT rule will examine any traffic from our CardCat machine, determine if it is http port 80 traffic and, if so, it will force the traffic to use the proxy. The proxy will in turn examine the destination site and only allow traffic to the two URL’s we have set.

In order to prevent external access to the proxy (especially if running PPPoE client on WAN interface), use the following filter rule:

[sourcecode language=”plain”]
/ip firewall filter add chain=input in-interface=pppoe-out1 src-address= protocol=tcp dst-port=8080 action=drop

That is all there is to locking a computer down to whatever pre-approved sites we want. The setup could be improved upon, especially in light of the fact that only port 80 http traffic is being examined. We could simply block all other port traffic, or create similar rules dictating what can and cannot be accessed. For instance, secured https traffic (typically port 443) is not examined or blocked in any way.