Safer Browsing with MikroTik

Safer Browsing with MikroTik


Kids are no strangers to the internet, and interest is growing to find ways of protecting them from some of the content out there. Luckily there are some basic configurations which you can use on Mikrotik to assist you. Though this is not a full-proof way of content blocking, it is quick and easy and will certainly improve the level of control you have over the type of content that can be accessed via your home router.


DNS Blocking

One of the easiest ways to facilitate a safer browsing experience is to simply use a public DNS which already maintain large blacklists of domains such as Open DNS. Adding this as your DNS server and redirecting all DNS queries to the router itself will already make a big difference.

/ip dns
set allow-remote-requests=yes servers=208.67.222.123,208.67.220.123




/ip firewall nat
add action=redirect chain=dstnat comment="Redirect DNS" dst-port=53 protocol=udp







If you do not wish to use public DNS service for all the client devices on your network, you can select and specify the devices that should via address-lists or MAC address:

Address List:
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address-list=Parental-Control-List-IPs to-addresses=208.67.222.123


MAC Address:
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=53 in-interface=X protocol=udp src-mac-address=XX:XX:XX:XX:XX:XX to-addresses=208.67.222.123













Youtube Restricted Mode

You can apply static entries into Mikrotik's DNS configuration to force restricted mode

/ip dns static
add address=216.239.38.119 name=www.youtube.com
add address=216.239.38.119 name=youtubei.googleapis.com
add address=216.239.38.119 name=youtube.googleapis.com
add address=216.239.38.119 name=www.youtube-nocookie.com
add address=216.239.38.119 name=m.youtube.com





Kid-Control

It is possible to apply schedules to specific users and their devices. You will also be able to apply rate limits and pause access on the fly if necessary. In the below example access is restricted to SUN,TUE,THU & FRI with a permanent rate limit of 3mbps

/ip kid-control
add fri="" mon="" name=Tim rate-limit=3M sat=18h30m-22h sun=15h-21h thu=0s-1d time-rate-limited=0s-0s tue=0s-1d wed=""
/ip kid-control device
add mac-address=XX:XX:XX:XX:XX:XX name="Tim's Phone" user=Tim






You can verify its operation as there will be dynamic entries created in the firewall and queue menus when in use





It is not necessary to worry about complex scripting or resource capacity on your router. Although the above tools are very basic they are very effective and can be implemented in minutes.

Blog post by Timothy Symonds


Related Products