Block url

Layer 7 website blocking using Mikrotik

There are a couple of ways to block websites on MikroTik routers. One of the easiest on a MikroTik is the Layer 7 matcher, which searches the first packets of every connection for a regular expression. It is not free, though: L7 matching is CPU-intensive, so keep the pattern list short and restrict the rule to the traffic that actually needs it.

1. Open up Winbox and connect to your router.

1.1 On the left menu, select IP->Firewall

2. On the Firewall window, click on the "Layer 7 Protocols" tab

3. Click on the Add button

3.1 Under the "Name" field, type "Block"

3.2 Under the Regex field, put the text below. You can add more sites by typing in the domain and separating the domains with the pipe "|" symbol. The pattern is checked against the beginning of each connection, so it matches the Host header of a plain HTTP request as well as the server name (SNI) sent in a TLS ClientHello. Note that an unescaped "." is a regex wildcard, so facebook.com also matches e.g. facebookXcom; write facebook\.com if you want the literal domain only.

^.+(youtube.com|facebook.com).*$

4. Click on the "Filter Rules" tab in the "Firewall" window.

4.1 On the "General" tab, make sure that the "Forward" chain is selected.

5. On the "Advanced" tab, under "Layer 7 Protocol" select the "Block" item that we created earlier.

6. On the "Action" tab, select "reject" as the action, and then click "OK" to finish.

An alternative way to set up the blocking is to type (or paste) the following in a terminal window. In the RouterOS console a "$" inside a double-quoted string must be escaped as "\$", which is why the regexp below ends in \$:

/ip firewall layer7-protocol

add name=Block regexp="^.+(youtube.com|facebook.com).*\$"

/ip firewall filter

add action=reject chain=forward layer7-protocol=Block

Make sure you test everything before putting it in production. Also note that there are ways around this if your users are clever or determined enough: the matcher only inspects the first packets of a connection, it is keyed on a hostname string, and a VPN, proxy or any other tunnel that hides the hostname from the router defeats it entirely.

############  #############  #############  ##########  ############  #######

How to block facebook in Mikrotik using L7 Protocols (Layer 7)

In some scenarios we may need to block Facebook or some other social website. In this tutorial I will show how to achieve this using L7 (Layer 7) protocols.

This tutorial consists of two parts:

1- Block facebook website for everyone on local network.

2- Allow facebook for specific host(s) and block for others on local network.

1- Block facebook website for everyone on local network.

First, check whether Facebook is currently reachable from our local network.

Note the IP address of our client.

We need to create a new Regexp rule under Layer 7 Protocols in order to block facebook for our local network.

To achieve this goal, follow these steps and use the regexp below:

^.+(facebook.com).*$

Now we need to create a Filter Rule in the forward chain that references this Layer 7 protocol, using these steps:

Now test the rule that we just created:

Try also on the 2nd client (172.16.10.199/24):

Check that it blocks only facebook and not other websites:

Oh yes, our rule is working perfectly.


2- Allow facebook for specific host(s) and block for others on local network.

Now we want to allow facebook for the 2nd client (172.16.10.199/24) but still block it for the other host(s).

To accomplish this, we need to create a second Filter rule with the same chain and Layer 7 protocol, source address 172.16.10.199 and action accept. To do this, follow these steps:

Move this rule to the top, above the block rule (firewall rules are evaluated in order and the first matching rule wins, so an accept rule below the block rule would never be reached):

Test this rule on 2nd client (172.16.10.199/24):

Verify the rule on Mikrotik:

Verify that, facebook is still blocked for other host(s) on the local network:

Verify the rule(s) on Mikrotik:

The packet counters on the drop rule are incrementing.

We can do the same for YouTube or any other website.
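The complete configuration for both parts of this tutorial as RouterOS console commands, as an added example that is not part of the original post (the post itself works through Winbox screenshots). It assumes the LAN is 172.16.10.0/24 and uses the post's second client, 172.16.10.199, as the host that is allowed through; the rule comments and the escaped-dot form of the regexp are my own choices.

```routeros
# Added example (not from the original post). Assumed: LAN 172.16.10.0/24 and
# the exception host 172.16.10.199 taken from the tutorial above.

# 1. The Layer 7 pattern. Dots are escaped (\\. inside a quoted console string)
#    so only the literal domain matches, and "$" is escaped as \$.
/ip firewall layer7-protocol
add name=facebook regexp="^.+(facebook\\.com).*\$"

# 2. Part 1: block facebook for every host on the LAN. The first packets of a
#    connection (SYN, handshake) carry no hostname and pass; the rule fires on
#    the first packet that contains the HTTP Host header or the TLS SNI.
/ip firewall filter
add chain=forward src-address=172.16.10.0/24 layer7-protocol=facebook \
    action=drop comment="block facebook"

# 3. Part 2: allow 172.16.10.199, placed ABOVE the drop rule. Filter rules are
#    evaluated top-down and the first matching rule wins, so an accept rule
#    below the drop rule would never be reached.
add chain=forward src-address=172.16.10.199 layer7-protocol=facebook \
    action=accept comment="allow facebook for 172.16.10.199" \
    place-before=[find comment="block facebook"]

# 4. Verify: the listing must show the accept rule first, and the counters on
#    the drop rule should grow while another host tries to open facebook.com.
/ip firewall filter print stats where layer7-protocol=facebook
```

If you later add more exception hosts, put them in an address list and use src-address-list on the accept rule instead of cloning the rule per host; the accept rule still has to stay above the drop rule.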

############  #############  #############  ##########  ############  #######

Mikrotik Hotspot, Block website based on User Profile

Layer 7 Protocol

RouterOS also has the Layer 7 protocol matcher, which searches for a pattern, given as a regular expression (RegExp), in ICMP, TCP and UDP connection streams. We can put part of a website's URL (its domain name) into a Layer 7 regexp, and every connection whose first packets match that pattern can then be handled by a firewall rule.

Example new RegExp

1. Go to IP->Firewall->Layer 7 Protocols

2. Click “+” button to add new RegExp.

3. A small window will pop up; put a name for the new RegExp (for example Facebook).

4. In RegExp form put:

^.+(facebook.com).*$

This will match all facebook.com addresses.

5. Click Apply

New Firewall Filter Rule

1. Go to IP->Firewall->Filter Rules

2. Click “+” button to add new Filter Rule

3. Set:

General Tab

Chain = "Forward"
Src. Address = "your client network address here"

Advanced Tab

Please read how to trap user addresses based on profile into an address list.

Src. Address List = "User Address List"
Layer 7 Protocol = "facebook"  #the RegExp name you created before

Action Tab

Action = "Reject"  #you can also simply use Drop
Reject With = "ICMP Network Unreachable"  #only if you choose Reject

4. Click Apply.

This filter applies only to the IP addresses of users that were trapped into the above address list. Other users access the website normally, without any limitation. If you want to block more websites, copy the RegExp under Layer 7 Protocols and change the RegExp name and the website name to the site to be blocked, then copy the firewall rule and change its Layer 7 Protocol to the new one. Alternatively, list several domains in one regexp separated by "|", for example ^.+(facebook.com|youtube.com).*$, so that a single rule covers all of them; fewer L7 rules also means less CPU spent on matching.
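The same setup as RouterOS console commands, as an added example that is not from the original post. It assumes a hotspot user profile named "restricted" (an assumed name) whose clients should be kept off facebook.com, and uses the hotspot user profile's address-list property to put each logged-in client's address into the address list automatically, which is the "trap user address based on profile" step the post refers to; the profile name, list name, hotspot subnet and comments are assumptions.

```routeros
# Added example (not from the original post). Assumed names: hotspot user
# profile "restricted", address list "User Address List", hotspot LAN
# 192.168.88.0/24.

# 1. The Layer 7 pattern for the site to block.
/ip firewall layer7-protocol
add name=facebook regexp="^.+(facebook\\.com).*\$"

# 2. Trap the address of every client that logs in with this profile: the
#    hotspot adds the client's IP to the named address list as a dynamic entry
#    for as long as the user is logged in, so the rule below follows the user
#    rather than a fixed IP.
/ip hotspot user profile
set [find name="restricted"] address-list="User Address List"

# 3. Reject facebook only for addresses in that list. src-address keeps the
#    rule from touching anything outside the hotspot network, and both
#    matchers must be true for the rule to fire.
/ip firewall filter
add chain=forward src-address=192.168.88.0/24 \
    src-address-list="User Address List" layer7-protocol=facebook \
    action=reject reject-with=icmp-network-unreachable \
    comment="block facebook for restricted hotspot users"

# 4. Check who is currently trapped, and whether the rule is counting.
/ip firewall address-list print where list="User Address List"
/ip firewall filter print stats where comment="block facebook for restricted hotspot users"
```

Users of any other profile never appear in the list, so they fall through to whatever rules follow and reach the site normally; make sure the rule sits above any broad accept rule in the forward chain.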