Industrial Attachment Project Report (Network) (1)


Industrial Attachment Project Report

Managing Website Access By Using IP Addresses
And Preventing Entry To Harmful Websites

Submitted To
MD Badiuzzaman Biplob
Instructor
Department of Computer Technology
Daffodil Institute of IT, Chattogram

Submitted By
Net Fusion
Department of Computer Technology
Session: 2020-21
Batch: 15th
Daffodil Institute of IT, Chattogram

Submission Date: 15 December, 2024



Group Profile

Serial No   Name                    Roll
1           Mehrab Al Hasin Alvi    590925
2           Md. Iftekhar Reza       590929
3           Ashraful Abedin         590944
4           Turjoy Mallick          590961
5           Imran Ali Nishat        590976

Group Name
Net Fusion

Project Name
Network Cyber Security

Project Title
Managing website access by using IP addresses and
preventing entry to harmful websites

Course Title
Industrial Training (66681)

TABLE OF CONTENTS

INTRODUCTION
PROJECT DESCRIPTION
3.1 ROUTER SETUP
3.1.1 Router Connecting
3.1.2 Accessing and Configuring Network Interfaces Using Winbox
3.1.3 Establishing a Bridge Between LAN Ports
3.2 SETUP IP ADDRESSES, ROUTES AND NAT RULE
3.2.1 Setup IP Addresses
3.2.2 Add Routes IP
3.2.3 Setting up NAT Rule
3.3 FIREWALL FILTER RULES
3.4 CONTROLLING IP IN FILTER RULES
3.4.1 Accept Rules
3.4.2 Drop Rules
3.5 CREATE ADDRESS LIST
3.5.1 Create a New Address List
3.6 LAYER7 PROTOCOLS CONFIGURE
3.6.1 Command in Layer7 Protocols (Regexp)
3.6.2 The way Layer7 Protocols Function
3.7 TESTING BLOCKED WEBSITES
3.7.1 There are Different Reasons to Block Websites
RESULTS AND DISCUSSION
CONCLUSION

INTRODUCTION

In today’s interconnected digital world, protecting our online presence is essential. Network
cybersecurity safeguards computer networks and systems from various digital attacks, ranging
from simple phishing attempts to advanced, targeted cyberattacks. These attacks often aim to
steal sensitive data, disrupt operations, or even hold systems hostage. A crucial aspect of
network cybersecurity is risk site blocking. This practice restricts access to specific websites
or online resources through technical measures, primarily for cybersecurity purposes. It helps
protect users from harmful sites that could damage their devices or compromise sensitive
information. Site blocking can be implemented at various levels, such as network level (e.g.,
by internet service providers) or device level.
Blocking harmful websites is an essential measure for safeguarding users from various online
threats. This procedure often involves identifying and creating lists of specific domain names
or URLs that are known to host malicious content. In addition to blacklisting, organizations
can employ advanced content analysis techniques. This involves examining the content of
websites to identify certain keywords or patterns that can indicate potential dangers, such as
fraudulent schemes or harmful software.
The primary aim of these measures is to effectively prohibit users from accessing sites that
could endanger their devices and data. Many of these dangerous websites are designed to
distribute malware, which can infect computers and steal sensitive information, or to conduct
phishing scams, which trick users into revealing personal details like passwords or credit card
numbers. The consequences of accessing such websites can include identity theft, financial
loss, and significant disruptions to personal or organizational operations.
By implementing robust site-blocking strategies, both organizations and individual users can
greatly diminish their vulnerability to such cyber threats. These protective measures are critical
in preserving the confidentiality of sensitive information, ensuring the reliability of network
resources, and maintaining a secure online environment.
In summary, the use of techniques to block harmful websites is a fundamental component of a
thorough cybersecurity strategy. It plays a crucial role in defending digital assets from threats
and supports the safe and dependable functioning of network operations, ultimately fostering
a secure online experience for everyone involved.

PROJECT DESCRIPTION

This project aims to enhance network security by implementing a comprehensive solution that
combines IP address-based access control with web filtering capabilities. Specifically, it
involves managing website access using IP addresses to prevent users from entering harmful
websites. Each internet user has a unique IP address, which they use to access various websites.
Not all websites are appropriate for every user, especially minors, and some can present
significant risks. To address these concerns, our project aims to implement a comprehensive
system that controls access to unnecessary or harmful sites, thereby enhancing overall online
safety and creating a more secure browsing environment for users.
We will be utilizing the MikroTik RB941-2nD-TC (HAP lite TC) device, which is known for
its advanced networking capabilities. This device features a robust firewall, including Layer7
processing, which allows us to analyze data packets and block specific websites effectively
using precise command configurations. This feature is crucial for crafting a tailored web access
policy that meets our organization's needs.
The primary objectives of this project are multi-faceted. First, we plan to establish a stringent
IP address-based access control system, ensuring that only authorized users can access
specified websites. This involves configuring detailed firewall rules that permit or deny traffic
based on individual IP addresses or designated IP ranges. In addition to these access control
measures, we will implement web filtering policies that will enforce our access regulations.
This includes blocking websites categorized as malicious or phishing threats, as well as those
deemed inappropriate for our target users. By integrating a sophisticated web filtering solution,
we can proactively safeguard users from harmful online content.
Furthermore, through monitoring and reporting features provided by the MikroTik device, we
will gain insights into network usage patterns. This data will help us continuously refine our
filtering policies and access controls, ensuring they remain effective against emerging threats.
Overall, by executing this project, we aim to create a secure, user-friendly network
environment that not only protects valuable resources but also fosters a safe online experience
for all users, ultimately reducing potential risks associated with internet use.

METHODOLOGY
This project focuses on managing website access by utilizing IP address controls and blocking
access to potentially harmful websites. We will be using the MikroTik RB941-2nD-TC (HAP
lite TC), also known as the hAP lite, which is a compact yet powerful router suitable for small
to medium-sized networks.
To simplify our router management, we will employ the MikroTik Winbox application. This
intuitive graphical user interface (GUI) is specifically designed for MikroTik Router devices.
Winbox is recognized for its robust functionality and user-friendly design, making it accessible
for beginners while still offering advanced features for experienced network engineers.
In the following sections, you will find a detailed guide on how to effectively use Winbox to
configure and manage your MikroTik router, ensuring optimal network performance and
enhanced security measures.
3.1 Router Setup
Configuring the MikroTik RB941-2nD-TC (HAP lite TC) router requires several important
steps to ensure proper setup and functionality. First, you'll need to prepare the hardware by
unboxing the router and connecting it to a power source, followed by linking it to your internet
source via the appropriate ports.
3.1.1 Router Connecting
Plug the MikroTik RB941 router into a power source. Then, connect it to a PC or laptop to
access the configuration settings.

Figure 1: MikroTik RB941-2nD-TC (HAP lite TC)



3.1.2 Accessing and Configuring Network Interfaces Using Winbox


Once the physical setup is complete, you can access the router's configuration interface. This
usually involves connecting a computer or laptop to the router's network and then
entering the designated IP address into the Winbox app. You'll then be prompted to log in, where
you can enter the required information. To start using Winbox, open the program and select
the router. Then, enter the login information and click "Connect." You can find the default
username and password on the back of the router. The default username is "admin," and the
password is "123456." You can change these later; doing so right after the first login is
advisable, because until then anyone who can reach the router can log in with the printed defaults.

Figure 2: Winbox interface shows available MikroTik devices. You can connect using either the MAC
address or the IP address.

If everything is functioning properly, we can now log into the router and configure it as
needed. First, we should adjust the router's clock for accurate logging, scheduled tasks, and
network synchronization. Click on "System" in the left sidebar and then select "Clock."

Figure 3 : Clock settings in Winbox (System > Clock)



Let's rename the interfaces for easier management. First, click on "Interfaces" in the left
sidebar. This will display the default names of all the interfaces. To change a name, click the
" + " icon on the interface whose name you want to edit.

Figure 4: Interface list and the plus (+) icon

Figure 4.1: Renaming ether1_WAN (Interfaces > ether1)



3.1.3 Establishing a Bridge Between LAN Ports


When establishing a network, one important task you may encounter is the creation of a bridge
to connect multiple Local Area Network (LAN) ports. This essential step enables seamless
communication between diverse devices, making it possible for them to interact as if they were
all part of the same local network, regardless of their physical locations. Creating a bridge
involves several key steps that ensure devices on separate networks can exchange data
effectively. By following these detailed instructions, you will be able to construct a robust
bridge for your LAN ports. This will significantly enhance the connectivity and collaboration
capabilities of your networked devices, creating a more integrated and efficient digital
environment.
Step-by-Step Configuration of a Bridge for the LAN ports:
Bridging in networking combines multiple network segments into a single logical network.
This allows devices connected to different physical interfaces to communicate as if they
were on the same network.

Create a New Bridge:


▪ Navigate to the Bridge menu.
▪ Click the " + " button to add a new bridge.
▪ Give the bridge a name ( e.g., "bridge1_LAN" ).
▪ Click Apply and Ok to create the bridge.

Figure 5 : Creating bridge ( Bridge > " + " )



Add Interfaces to the Bridge:


▪ In the Bridge menu, select the newly created bridge.
▪ Go to the Ports tab.
▪ Click the " + " button to add a new port.
▪ In the Interface field, select the LAN port you want to add to the bridge (e.g., ether1,
ether2).
▪ In the Bridge field, select the bridge you created earlier (e.g., "bridge1_LAN").
▪ Click Apply and Ok to add the port to the bridge.
▪ Repeat this step for all LAN ports you want to bridge together.

Figure 5.1: Adding the LAN ports to the bridge interface bridge1_LAN

Verify the bridge configuration:


To check the status of the bridge, navigate to the Bridge menu. Use the ping command to test
connectivity between devices connected to different bridged interfaces. Additionally, utilize a
network scanner to determine if devices on various bridged interfaces are visible on the same
network. By following these steps, you can successfully bridge multiple LAN ports on your
MikroTik router, creating a unified network segment. Make sure to replace "ether1" and
"ether2" with the actual names of your LAN ports.

Figure 5.2: Checking Bridge Setup ( bridge1_LAN )

3.2 Setup IP Addresses, Routes and NAT Rule


In this part, we will configure the MikroTik router by implementing essential IP settings,
establishing robust firewall rules, and setting up routing protocols to create a secure and well-
organized network environment. We will begin by assigning specific IP addresses to the LAN
(Local Area Network) and WAN (Wide Area Network) interfaces, which will enable seamless
communication between devices within the LAN. Following this, we will carefully design and
apply firewall rules that act as barriers, protecting the network from any unauthorized access
and ensuring the integrity of our data. Finally, we will set up routing mechanisms that will
facilitate smooth and efficient access for LAN devices to connect to external networks,
ensuring that they can reach the internet and other remote resources without any interruptions.
3.2.1 Setup IP Addresses
To configure the LAN IP address for bridge1_LAN and the WAN IP address for ether1_WAN,
begin by opening WinBox and navigating to the menu option labeled "IP", then select
"Addresses." Once you are on the Addresses page, look for the Plus (+) icon, which you will
click to open a new window for adding a new IP address.

Figure 6: IP addresses added



In this network configuration, we assign the IP address 101.10.10.1/24 to bridge1_LAN,
which acts as the gateway for the Local Area Network (LAN). This setup allows all devices
within the LAN to use this IP address as their primary route for network traffic, ensuring
smooth and efficient communication. For connecting to the wider internet or an upstream
network, we assign the IP address 192.168.0.2/24 to the ether1_WAN interface. The /24 subnet
mask (which corresponds to 255.255.255.0) specifies the use of the first 24 bits of the IP
address for identifying the network portion, while the remaining 8 bits are available for
individual device addresses. This arrangement can accommodate up to 254 usable IP
addresses, spanning from 101.10.10.1 to 101.10.10.254. Such a capacity makes it ideal for
most office environments, where numerous devices require stable connectivity.

Figure 6.1: Set Up IP Addresses for bridge1_LAN and ether1 WAN in Winbox

To ensure the network operates correctly, it is crucial to verify that both IP addresses are
accurately reflected in the Address List, along with their associated interfaces: bridge1_LAN
for the LAN and ether1_WAN for the WAN. This configuration not only establishes the LAN
gateway but also facilitates seamless communication between the router and external networks
through the WAN interface, thus enhancing the overall functionality and reach of the network.
3.2.2 Add Routes IP
To enable devices on the local area network (LAN) to connect to external networks, including
the Internet, it is essential to configure a default route on the router. A default route serves as
a guiding rule for the router, directing it on how to handle traffic that is destined for addresses
outside the local network.
When a device within the LAN attempts to communicate with an external address, it sends the
traffic to the router. If the router does not have a specific route for that particular address, it
will refer to the default route. This route essentially acts as a "catch-all," ensuring that any
outbound traffic that does not match existing routes is forwarded through the wide area
network (WAN) interface. By setting up this routing rule, we facilitate seamless
communication between devices on the LAN and the broader internet or other external
networks.
Routes List:
In WinBox, navigate to IP > Routes > Plus (+) icon. This opens the Route List window, which
displays current routes and allows us to add new ones.

Figure 7: Routes IP Address List

Create a Default Gateway Route:


▪ Destination Address: Enter the destination network address (e.g., 0.0.0.0/0).
▪ Gateway: Enter the IP address of the next-hop router (e.g., 192.168.1.1).
▪ Interface: Select the interface through which the traffic will be sent (e.g.,
ether1_WAN).
▪ Click "Apply" to save the configuration.

Figure 7.1: Adding a default route

3.2.3 Setting up NAT Rule


To set up the firewall effectively, we will begin by accessing the WinBox application and
clicking on the "IP" option located in the main menu. From the dropdown menu that appears,
we will select "Firewall," which will open the firewall management interface.
Once in the firewall settings, we will navigate to the "NAT" (Network Address Translation)
tab. This is where we can manage the NAT rules for our network. To add a new rule, we will
click on the Plus (+) button, which will prompt a configuration popup window to appear. In
this window, we will define the settings for our NAT rule.
For the appropriate function of this rule, we will ensure that it applies specifically to outgoing
traffic originating from our internal network. This is important to allow our devices to
communicate effectively with external networks such as the Internet.
Next, we will switch to the "Action" tab within the configuration popup. Here, we will set the
Action to "Masquerade." By enabling this setting, we activate dynamic source NAT, which
ensures that the router automatically replaces the source IP address of outgoing packets with
the router's WAN IP address. This feature is particularly advantageous in setups where the
WAN IP is dynamic, as the "masquerade" option will adjust seamlessly to changes in the WAN
IP address. After carefully configuring these settings, we will click on the "Apply" button to
enforce the new rule and then confirm by clicking "OK" to save our changes.
With this rule in place, every device connected to our local network will have the ability to
access the internet. Simultaneously, external devices will perceive the traffic as originating
from the router’s public IP address. This setup not only facilitates proper internet access for
our internal devices but also enhances security, as it effectively obscures the internal IP
addresses from potential external threats. Such measures are pivotal in maintaining network
integrity and protecting sensitive information within our local network.

Figure 8 : Configuring a Firewall NAT Rule (ip>nat rule>action> masquerade)

3.3 FIREWALL FILTER RULES


MikroTik Router Firewall Filter Rules are critical components for effectively managing and
controlling network traffic on your MikroTik router. These rules empower you to establish
precise criteria for handling incoming and outgoing packets, which can include various
parameters such as source and destination IP addresses, port numbers, and protocols.
By defining these criteria, you can implement specific actions based on the traffic that meets
those conditions. For instance, you can permit certain types of traffic while blocking others to
enhance security. Additionally, you can modify packets or redirect them as necessary for your
network's requirements.
These filter rules provide flexibility and granular control over network operations, allowing
you to optimize performance, enforce policies, and protect your network from unauthorized
access or potential threats. Properly configured, MikroTik Firewall Filter Rules play a vital
role in maintaining a secure and efficient network environment.
3.4 Controlling IP in Filter Rules
The MikroTik Router features an extensive and adaptable firewall system designed to give you
complete control over your network traffic. This powerful tool allows you to filter and manage
data based on a variety of criteria, with a significant focus on IP addresses. By implementing
IP-based filtering, you can create detailed firewall rules that help to enhance security and
streamline network performance.
With this functionality, you can whitelist or blacklist specific IP addresses, ensuring that only
trusted devices can access your network while preventing unauthorized access from potentially
harmful sources. You can also prioritize certain types of traffic, such as VoIP or streaming
services, to ensure they receive the necessary bandwidth for optimal performance.
Additionally, you can monitor and log traffic from specific IPs, gaining insights into user
behavior and network usage patterns.
In the following sections, we will take a closer look at the step-by-step process for setting up
IP-based filtering within your MikroTik Router’s firewall rules. This guidance will help you
customize your network settings effectively, allowing you to protect your infrastructure and
manage data flow according to your specific requirements.
3.4.1 Accept Rules
In MikroTik routers, acceptance rules play a critical role in configuring the firewall to control
network traffic effectively. These rules are essential for specifying the types of data packets
that are permitted to pass through the firewall, ensuring that only authorized traffic can access
the network. Acceptance rules typically include detailed criteria, such as source and destination
IP addresses, port numbers, and protocols (such as TCP, UDP, or ICMP). By setting these
parameters, network administrators can create granular control over the traffic flow and
enhance the security of the network.
▪ To add a new rule, click on the Plus (+) button. This will open the rule configuration
window.
▪ In the General tab, set the Chain to "Forward" to control the traffic that is being routed
through the router.
▪ Next, specify the Source Address by entering the IP addresses you want to allow (for
example, 101.10.10.3, 101.10.10.4, 101.10.10.5, and 101.10.10.6 for individual
devices).
▪ Then, go to the Action tab and set the Action to "Accept." This will permit traffic from
the specified IP addresses.
▪ Finally, click "Apply" and then "OK" to save each rule.

Figure 9 : Configuring Accept Rules



3.4.2 Drop Rules


▪ To add a new rule, click on the Plus (+) button. This will open the rule configuration
window.
▪ In the General tab, set the Chain to "Forward" to control the traffic that is being routed
through the router.
▪ Next, specify the Source Address by entering the IP addresses you want to allow (for
example, 101.10.10.3, 101.10.10.4, 101.10.10.5, and 101.10.10.6 for individual
devices).
▪ Protocol: Select “6 (tcp)”
▪ Src. Port: Enter “80,443” (for HTTP and HTTPS traffic)
▪ In the Action tab, set Drop. This rule will block any traffic from devices within the
LAN subnet that are not covered by the previously accepted rules. This action will
effectively block access to designated websites.
▪ Finally, click "Apply" and then "OK" to save each rule.

This action will effectively prevent access to specified websites, making it impossible
for users to reach these particular online locations.
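
The accept and drop rules from 3.4.1 and 3.4.2, run through a small first-match model of the forward chain (an added example, not part of the original report and not MikroTik's code). RouterOS checks filter rules from top to bottom, stops at the first rule that matches, and accepts a packet that no rule matches. The `Packet` and `Rule` classes, the client ports 51514 and 51515, the host 101.10.10.9, the destination 203.0.113.10 and the `DROP_DST_PORT` comparison rule are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    chain: str
    src: str
    dst: str
    protocol: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    chain: str
    action: str                            # "accept" or "drop"
    src_addresses: Tuple[str, ...] = ()    # empty tuple means "any source"
    protocol: Optional[str] = None         # None means "any protocol"
    src_ports: Tuple[int, ...] = ()        # empty tuple means "any port"
    dst_ports: Tuple[int, ...] = ()

    def matches(self, pkt: Packet) -> bool:
        """A rule matches only if every field that is set matches the packet."""
        if self.chain != pkt.chain:
            return False
        if self.src_addresses and not any(
            ip_address(pkt.src) in ip_network(addr, strict=False)
            for addr in self.src_addresses
        ):
            return False
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.src_ports and pkt.src_port not in self.src_ports:
            return False
        if self.dst_ports and pkt.dst_port not in self.dst_ports:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule); no match means accept."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "accept", None


# Rules as described in 3.4.1 and 3.4.2 of the report.
LAN_HOSTS = ("101.10.10.3", "101.10.10.4", "101.10.10.5", "101.10.10.6")
ACCEPT = Rule("forward", "accept", LAN_HOSTS)
DROP_SRC_PORT = Rule("forward", "drop", LAN_HOSTS, "tcp", src_ports=(80, 443))
# Comparison variant (not in the report): the same rule keyed on destination port.
DROP_DST_PORT = Rule("forward", "drop", LAN_HOSTS, "tcp", dst_ports=(80, 443))

# Constructed packets: a browser request leaves the client from a high
# source port and goes to port 443 on the web server.
HTTPS_REQUEST = Packet("forward", "101.10.10.4", "203.0.113.10", "tcp", 51514, 443)
UNLISTED_HOST = Packet("forward", "101.10.10.9", "203.0.113.10", "tcp", 51515, 443)


def verdicts() -> Dict[str, Tuple[str, Optional[int]]]:
    """Verdict for each rule ordering, so the effect of order and port field is visible."""
    return {
        "accept above drop": evaluate([ACCEPT, DROP_SRC_PORT], HTTPS_REQUEST),
        "src-port drop above accept": evaluate([DROP_SRC_PORT, ACCEPT], HTTPS_REQUEST),
        "dst-port drop above accept": evaluate([DROP_DST_PORT, ACCEPT], HTTPS_REQUEST),
        "host in neither rule": evaluate([ACCEPT, DROP_SRC_PORT], UNLISTED_HOST),
    }


if __name__ == "__main__":
    for name, (action, index) in verdicts().items():
        print(f"{name:28} -> {action} (rule {index})")
```

In this model a drop rule takes effect only when it sits above the accept rule for the same source and its port match describes the request as the client sends it, which is worth checking with the rule counters in Winbox after the rules are saved.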

Figure 9.1 : Drop Rules (ip>firewall>action> Plus (+)>action)



3.5 Create Address List


The MikroTik address list is a powerful tool that facilitates the organization of users by grouping
two or more of them based on their source or destination IP addresses. This functionality is
particularly beneficial for network administrators, as it allows them to apply rules to a defined
group rather than managing individual IP addresses separately. By doing so, administrators
can streamline their configurations and significantly decrease the overall number of rules they
need to implement.
Address lists can be utilized across various components of the MikroTik system, such as firewall
rules, mangle rules, queue trees, and more. This versatility makes them an essential aspect of
effective network management, as they can enhance both security and performance.
There are two primary methods for creating an address list in MikroTik: manual creation and
dynamic generation.
Manual creation involves the administrator specifying each IP address that should be included
in the list, which is useful for static or known users. On the other hand, dynamic generation
allows the address list to be populated automatically based on specific criteria or conditions,
making it more adaptable to changes in the network.
In this post, we will take a closer look at both methods for creating an address list—outlining
step-by-step instructions for each approach and discussing best practices for effective
implementation.
3.5.1 Create a New Address List
▪ Click the Plus (+) button to add a new address list.
▪ Click the Address Lists tab
▪ Name: A descriptive name for the list (e.g., "Site_Block").
▪ Address: The IP address or address range to add. You can use CIDR notation (e.g.,
101.10.10.4) or individual IP addresses.
▪ Timeout: Optional. Specifies the time (in seconds) after which the address will be
removed from the list. If left blank, the address will remain in the list permanently.
▪ Finally, click "Apply" and "OK"

Figure 10 : Add New Address List (ip>address lists)

3.6 Layer7 Protocols Configure


MikroTik Router's Layer7 Protocol Inspection feature offers a sophisticated method for
filtering network traffic by examining the actual content of the transmitted data, rather than
relying on IP addresses and port numbers. This inspection process involves analyzing the first
few packets of a connection to identify and match predefined patterns or regular expressions,
which can represent various types of data or protocols.
With this capability, network administrators can implement advanced filtering techniques that
allow for precise control over the flow of information. For example, it can block access to
specific websites or certain types of protocols, providing a means to restrict unwanted content.
Additionally, this feature enhances security by helping to safeguard against web application
attacks, allowing for the identification of malicious traffic patterns. Furthermore, it empowers
administrators to create custom traffic rules tailored to their specific needs, enabling a flexible
and dynamic approach to network management.
3.6.1 Command in Layer7 Protocols (Regexp)
If you are in charge of managing a network and wish to control access to certain website
domains on a MikroTik router—such as popular news outlets like Prothomalo and The Daily
Star, global networks like CNN, sports sites like ESPN Cricinfo, or various social media
platforms—there are specific configurations you can implement. By following a series of
clear and guided steps, you can effectively filter these websites, ensuring that users on your
network have restricted access to the domains you specify.
▪ To create a dynamic address list, first, use a layer 7 rule to define the service that will
serve as a deciding factor for whose address gets added to the address list or not. Click
on -
IP >> Firewall >> Layer7 Protocols.
▪ Click on the plus (+) icon. In the small window that opens, type a name (e.g.,
“Website Block”)
▪ In the Regexp box, type the domain expression.

^(.*)(prothomalo|thedailystar|cnn|news|espncricinfo)(.*)$

▪ Finally, click "Apply" and "OK"

Figure 11 : Layer7 Protocols Command (ip> layer 7 protocols)

3.6.2 The way Layer7 Protocols Function


Any website whose traffic matches a Layer7 protocol entry, in conjunction with its source or
destination addresses, can be blocked by the MikroTik Firewall. A Layer7 protocol entry
works by applying a Regular Expression (Regexp), which allows the identification of
specific keywords within a URL. This process involves analyzing the URL's structure to find
matches based on the patterns defined in the regexp.
When the MikroTik firewall identifies a match to the specified regex pattern, it activates the
corresponding filter rule that has been set up to respond to such matches. The actions taken
can vary; they may include blocking access to the website, logging the attempt, or redirecting
the user.

To restrict access to certain websites that contain unwanted keywords, such as "Facebook,"
"YouTube," or any other sites deemed inappropriate, we will configure a regex pattern that
captures these keywords. This regex will then be integrated into a Layer7 protocol
configuration, which will be applied through a specific filter rule within the MikroTik Firewall.
By doing this, we ensure that any URL containing the specified words is effectively blocked,
thereby enhancing network security and controlling user access to certain online content.
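
What the Regexp from 3.6.1 matches in practice, compared with a check on the requested hostname (an added Python example, not part of the original report and not MikroTik's matcher). Python's `re` with DOTALL stands in for the router's regexp engine, the HTTP payloads are constructed, and the `BLOCKED_DOMAINS` names with their top-level domains are assumptions, since the report gives only keywords.

```python
import re
from typing import Dict, List, Optional, Tuple

# Regexp exactly as entered in 3.6.1 of the report.
PAGE_REGEXP = rb"^(.*)(prothomalo|thedailystar|cnn|news|espncricinfo)(.*)$"
# Assumption: DOTALL approximates matching over the whole buffered payload,
# line breaks included; the router's regexp engine is not Python's.
L7_PATTERN = re.compile(PAGE_REGEXP, re.DOTALL)

# Assumption: full domain names for the sites named in the report. The "news"
# keyword has no single domain, so it is left out of the hostname list.
BLOCKED_DOMAINS = ("prothomalo.com", "thedailystar.net", "cnn.com", "espncricinfo.com")

# Constructed plaintext HTTP requests (not captured traffic).
SAMPLES: Dict[str, bytes] = {
    "http_cnn": b"GET / HTTP/1.1\r\nHost: www.cnn.com\r\n\r\n",
    "http_newsletter": b"GET /newsletter/signup HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    "http_substring_host": b"GET / HTTP/1.1\r\nHost: www.scnnetworks.example\r\n\r\n",
    "http_unrelated": b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
}


def l7_matches(payload: bytes) -> bool:
    """True if the report's keyword pattern is found anywhere in the payload."""
    return L7_PATTERN.search(payload) is not None


def http_host(payload: bytes) -> Optional[str]:
    """Return the lower-cased Host header of a plaintext HTTP request, if any."""
    for line in payload.split(b"\r\n")[1:]:
        if not line:
            break  # blank line: end of the header block
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            # Drop an explicit port such as "example.org:8080".
            return host.rsplit(":", 1)[0] if ":" in host else host
    return None


def host_is_blocked(host: Optional[str],
                    domains: Tuple[str, ...] = BLOCKED_DOMAINS) -> bool:
    """Match a listed domain exactly or as a parent domain on a dot boundary."""
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in domains)


def compare() -> Dict[str, Tuple[bool, bool]]:
    """For each sample: (keyword regexp matched, hostname check matched)."""
    return {
        name: (l7_matches(payload), host_is_blocked(http_host(payload)))
        for name, payload in SAMPLES.items()
    }


def false_positives() -> List[str]:
    """Samples the keyword regexp would block although the host is not listed."""
    return [name for name, (kw, host) in compare().items() if kw and not host]


if __name__ == "__main__":
    for name, (kw, host) in compare().items():
        print(f"{name:22} keyword={kw!s:5} hostname={host}")
    print("over-blocked by keyword match:", false_positives())
```

Because the leading `^(.*)` and trailing `(.*)$` accept any surrounding bytes, the pattern behaves as a plain substring search, so short keywords such as "news" and "cnn" also catch unrelated hosts and paths.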

Figure 12 : Traffic flow diagram

3.7 Testing Blocked Websites


To start, use a device connected to your network, like a computer, tablet, or smartphone. Type
the URL or name of the blocked website (e.g., prothomalo, thedailystar, cnn or espncricinfo)
into your browser's address bar and press Enter. If the website is blocked, you
may see an Error Message indicating that the page is not accessible, or the browser may fail
to load the page entirely. In some cases, you might encounter a message about restricted access
or a connection timeout. Take note of any specific error codes or messages, as they can provide
additional information about the nature of the blockage.

Figure 13 : Enter the web address



Testing Result

Figure 14 : Website error message

3.7.1 There are Different Reasons to Block Websites


There are several reasons someone might want to block certain websites. These include
concerns about productivity, protecting children from inappropriate content, enhancing online
security, and minimizing distractions while working or studying. The internet is a vast
landscape filled with both exciting opportunities and significant risks. Among these risks are
threats to website security, often posed by malicious or harmful sites that can compromise
sensitive information. By managing access to certain websites, we can enhance online safety,
protect personal data, and create a more secure digital experience. Here are several compelling
reasons to consider blocking specific websites to safeguard yourself and your information
while browsing the web.
Parental Control: This feature is specifically designed to help parents manage their children’s
online activities by restricting access to inappropriate or distracting websites. By setting up
parental controls, caregivers can create a safer internet experience, ensuring that children are
only able to visit sites that are suitable for their age. This can include blocking access to social
media, gaming sites, and other distracting platforms during designated hours.
Employee Productivity: Implementing internet restrictions in the workplace is essential for
maintaining productivity. This feature allows employers to limit access to non-work-related
websites during work hours, such as social media, streaming services, and personal email. By
reducing distractions, employers can help their staff focus on their tasks, ultimately improving
overall efficiency and output.
Network Security: Protecting the integrity of your network is crucial in today’s digital
landscape. This feature blocks access to malicious or harmful websites that can pose a threat
to your devices and data. By preventing access to phishing sites, malware distributors, and
other dangerous content, you can safeguard your network against potential cyberattacks and
ensure the security of sensitive information.
Content Filtering: This feature is designed to provide a safer browsing environment by
blocking websites that contain objectionable or harmful content. It can filter out adult material,
hate speech, and any other inappropriate content, making it easier for parents and organizations
to create a respectful and safe online space. Customizable filters can be set to meet specific
needs, enhancing the overall online experience for all users.
Bandwidth Management: Efficient management of internet bandwidth is vital for
maintaining optimal network performance. This feature allows you to monitor and limit
bandwidth usage by blocking access to websites that consume excessive bandwidth, such as
video streaming and large file-sharing sites. By controlling bandwidth allocation, you can
ensure that critical applications and services have the necessary resources for smooth
operation.
Restricting access to distracting websites can significantly enhance users' ability to concentrate
on their tasks and boost overall productivity. Utilizing tools like parental controls plays a
crucial role in safeguarding children from inappropriate content and potentially harmful
websites, ensuring a safer online experience. Although many browsers offer a quick, built-in
method for blocking specific sites, this approach often comes with limitations and only applies
to particular platforms. By implementing a more robust and comprehensive website-blocking
solution, we can foster a secure network environment that not only protects valuable resources
but also minimizes risks associated with online distractions and unsafe content.

RESULTS AND DISCUSSION

System Efficiency
During testing, the system demonstrated strong stability and resilience. The MikroTik RB941-
2nD-TC (HAP lite TC) router maintained reliable connections across both LAN and WAN
interfaces, ensuring that devices on the local network could communicate effectively and
access external networks without interruptions. This device features a robust firewall,
including Layer7 processing, which allows us to analyze data packets and block specific
websites effectively using precise command configurations.
IP Control Performance
MikroTik routers are highly regarded in the networking community for their versatility and
robust capabilities. These devices come equipped with advanced IP control features that play
a crucial role in optimizing network performance. By understanding these features and
configuring them effectively, you can significantly enhance both the efficiency and security
of your network: better traffic management, improved reliability, and enhanced protection
against potential threats. The next step is to establish clear web filtering settings that
align with your organization’s access policies, which involves setting criteria for acceptable
and unacceptable websites. Additionally, deploy an advanced web filtering solution designed to
proactively block access to websites that are malicious, used for phishing, or inappropriate
for your network users.
Website Blocking Challenges and Solutions
Challenges:
HTTPS Encryption: Makes it difficult to inspect and block content.
Dynamic IP Addresses: Websites frequently change IP addresses, requiring constant rule
updates.
DNS Changes: Websites can bypass blocks by altering DNS records.
Bypass Techniques: Users might employ VPNs or proxies to circumvent restrictions.
Solutions:
Content Filtering: URL and keyword filtering, deep packet inspection.
DNS Manipulation: Static DNS, DNS blackholing.
Proxy Server: Transparent proxy for granular control.
User Authentication and Authorization: Control access based on user roles and permissions.

CONCLUSION

Achievements of Project
Our Net Fusion team has successfully concluded the project, marking a significant milestone
in our efforts to enhance network security and access control. We meticulously implemented
a robust IP address control management solution, which is pivotal for regulating website access
based on user IP addresses. Utilizing the MikroTik RB941-2nD-TC (HAP lite TC) model
router, we achieved our primary objective of safeguarding our online resources while ensuring
that only authorized users can access specific websites. This solution not only streamlines the
management of IP addresses but also fortifies our overall network integrity.
In today’s digital landscape, most websites use HTTPS encryption and dynamic IP addresses,
which makes it challenging to effectively block access to certain sites. To manage these
challenges, network administrators can implement various techniques to enhance control over
internet access. One effective method is URL filtering, which allows administrators to create
a blacklist of specific web addresses that users are not allowed to visit. Another approach is
keyword filtering, which enables the blocking of websites based on particular words or phrases
found in the URL or content, providing an additional layer of flexibility.
Future Work and Planning
This project is currently suitable for use in small offices and homes, effectively addressing
their needs. However, modern websites frequently use HTTPS encryption and dynamic IP
addresses, making effective blocking more challenging. Consequently, we plan to implement
special enhancements to improve future versions, making them smarter and more efficient.
Time-Based Blocking:
Enable time-based website blocking to restrict access to specific sites during certain hours of
the day or on particular days of the week.
AI-Powered URL Filtering:
Implement AI-driven URL categorization and filtering to accurately identify and block
malicious or unwanted websites, including those with dynamic content or changing URLs.
Geo-IP Blocking:
Allow users to block websites based on their geographic origin, providing more control over
internet traffic.

The End
Authorities- Net Fusion Team
