Web proxy поможет ограничить доступ к ресурсам интернет.
Настройка Web Proxy Setting
/ip proxy
set always-from-cache=yes cache-administrator=prochor@expopark.ru enabled=yes \
max-cache-size=1024KiB max-client-connections=2048 max-fresh-time=1d \
max-server-connections=5000 port=3128 serialize-connections=yes \
src-address=192.168.0.1
Настройка правил доступа, мы ограничелись запретом на скачивание
/ip proxy access
add action=allow comment="Allow ALL" disabled=yes
add action=deny comment=FILES disabled=no method=GET path=":^.*\\.mp3\$"
add action=deny comment="" disabled=no method=GET path=":^.*\\.m3u\$"
add action=deny comment="" disabled=no method=GET path=":^.*\\.asf\$"
add action=deny comment="" disabled=no method=GET path=":^.*\\.asx\$"
add action=deny comment="" disabled=no method=GET path=":^.*\\.wma\$"
add action=deny comment="" disabled=no method=GET path=":^.*\\.wmv\$"
add action=deny comment="" disabled=no method=GET path=":^.*\\.wmf\$"
add action=deny comment="" disabled=no method=GET path=":^.*\\.mov\$"
add action=deny comment="" disabled=no method=GET path=":^.*\\.avi\$"
add action=deny comment="" disabled=no method=GET path=":^.*\\.wav\$"
add action=deny comment="" disabled=no method=GET path=":^.*\\.mpeg\$"
add action=deny comment="" disabled=no method=GET path=":^.*\\.midi\$"
add action=deny comment="" disabled=no method=GET path=":^.*\\.aiff\$"
add action=deny comment="" disabled=no method=GET path=":^.*\\.au\$"
add action=deny comment="" disabled=no method=GET path=":^.*\\.mui\$"
add action=deny comment="" disabled=no method=GET path=":^.*\\.msi\$"
add action=deny comment="" disabled=no method=GET path=":^.*\\.exe\$"
add action=deny comment="" disabled=no method=GET path=":^.*\\.bat\$"
add action=deny comment="" disabled=no method=GET path=":^.*\\.cab\$"
add action=deny comment="" disabled=no method=GET path=":^.*\\.dat\$"
add action=deny comment="" disabled=yes method=GET path=":^.*\\.js\$"
add action=deny comment="" disabled=yes method=GET path=":^.*\\.zip\$"
add action=deny comment="" disabled=yes method=GET path=":^.*\\.rar\$"
add action=deny comment="" disabled=no method=GET path=":^.*\\.arj\$"
add action=deny comment="" disabled=no method=GET path=":^.*\\.scr\$"
add action=deny comment="" disabled=no method=GET path=":^.*\\.inf\$"
add action=deny comment="" disabled=no method=GET path=":^.*\\.torrent\$"
Самое главное оставили на последок. Данные правила нужны для автоматического перенаправления трафика на Web proxy.
/ip firewall address-list
add address=192.168.0.0/24 list=lan
/ip firewall nat
add action=redirect chain=dstnat comment="web proxy" dst-port=80 protocol=tcp \
src-address-list=lan !to-addresses to-ports=3128