Tuesday, 31 March 2015

Layer 7 website blocking using Mikrotik

07:56 Posted by Jurgens Krause , , , , 26 comments

There are a couple of ways that you can block websites on Mikrotik Routers. One of the easiest and resource efficient ways to do this on a MT is by using Layer 7 inspection.



1. Open up Winbox and connect to your router.
1.1 On the left menu, select IP->Firewall


2. On the Firewall Windows, click on the "Layer 7 Protocols" tab


3. Click on the Add button
3.1 Under the "Name" field, type "Block"
3.2 Under the Regex field, put the text below. You can add more sites by typing in the Domain, and separating them with the pipe "|" symbol.
^.+(youtube.com|facebook.com).*$

4. Click on the "Filter Rules" tab in the "Firewall" window.
4.1 On the "General" tab, make sure that the "Forward" chain is selected.

5. On the "Advanced" tab, under "Layer 7 Protocol" select the "Block" item that we created earlier.

6. On the "Action" tab, select "reject" as the action, and then click "OK" to finish.

An alternative way to set up the blocking, is by typing (or pasting) the following in a terminal window:
/ip firewall layer7-protocol
add name=Block regexp="^.+(youtube.com|facebook.com).*\$"
/ip firewall filter
add action=reject chain=forward layer7-protocol=Block

Make sure you test everything before putting it in production. Also note that there are ways to bypass this, if your users are clever or determined enough.

26 comments:

  1. Unknown10 August 2015 at 18:11

    "drop" is very slow.
    any browser is beginning to think something if go to blocking site.
    "reject" - yes. it's. not compatible with dns. with ip(direct) (icmp) only.

    ReplyDelete
    Replies
    1. Jurgens Krause21 October 2015 at 08:28

      thank you, will update accordingly

      Delete
    2. Anonymous27 April 2022 at 06:54

      Layer 7 Website Blocking Using Mikrotik ~ Binary Heartbeat >>>>> Download Now

      >>>>> Download Full

      Layer 7 Website Blocking Using Mikrotik ~ Binary Heartbeat >>>>> Download LINK

      >>>>> Download Now

      Layer 7 Website Blocking Using Mikrotik ~ Binary Heartbeat >>>>> Download Full

      >>>>> Download LINK lw

      Delete
  2. Rfl22 January 2016 at 17:06

    apakah ada cara block untuk server mikrotik tidak dengan winbox?
    apakah ada sintak untuk memblock secara manual tidak menggunakan winbox?

    ReplyDelete
  3. Unknown13 February 2016 at 20:58

    Help!
    When block youtube.com google.com not work.
    google.com=youtube.com???

    ReplyDelete
  4. jhonss1 May 2016 at 20:56

    ^.+(porn|xnxx|muyzorras|petardas|xhamster|tube8|cumlouder|bravoteens|redtube|playboyplus|babesofindia|firstanaldate|amateursraw|gfhardcore|).*$ pongo esa regla y me bloquea todo

    ReplyDelete
    Replies
    1. Unknown10 May 2017 at 02:37

      hey tranquilo, tranquilo quieres bloquear todo, supongo que tu prolema es |gfhardcore|). deberia finalizar gfhardcore).

      English:
      Hey take it easy, take it easy you want to block everything. I guess you error is in |gfhardcore|).*$ mus be finish in gfhardcore).*$

      Delete
  5. Squidblacklist23 May 2016 at 03:34

    Real Blacklists for Mikrotik RouterOS are available from Squidblacklist.org


    http://www.squidblacklist.org/downloads/squidblacklists/tik/tik-porn.tar.gz

    ReplyDelete
  6. Unknown18 July 2016 at 12:13

    very nice

    ReplyDelete
  7. Unknown3 October 2016 at 03:27

    Very useful.

    ReplyDelete
  8. Naved Ali25 November 2016 at 16:00

    any way to add exception after rules have been set?

    ReplyDelete
  9. Support Mikrotik CCR18 March 2017 at 11:34

    Help!
    When block youtube.com google.com not work.
    google.com=youtube.com???

    ReplyDelete
  10. Support Mikrotik CCR18 March 2017 at 11:35

    Help!
    When block youtube.com google.com not work.
    google.com=youtube.com???

    ReplyDelete
  11. Unknown23 March 2017 at 11:35

    Thenk you guys for the info, but when i block using the above procedure, it only works on computer connected via cables. All computers connected via wi-fi are still getting through. What do i do? Thanks in advace

    ReplyDelete
  12. Unknown12 April 2017 at 18:35

    Not working

    ReplyDelete
  13. Vaso7 June 2017 at 21:01

    not working solution

    ReplyDelete
  14. Unknown26 June 2017 at 17:31

    Works fine. Easy and fast. Thanks!

    ReplyDelete
  15. Unknown7 September 2017 at 12:11

    This comment has been removed by the author.

    ReplyDelete
  16. Unknown7 September 2017 at 12:12

    We now have a porn regex blacklist with approx 4k lines for portability with all Mikrotik devices. http://www.squidblacklist.org

    ReplyDelete
  17. Unknown13 September 2017 at 15:23

    hey Guys this works perfect! but How do i set up an exception? One user needs to access at those sites, she is Social Media Manager and use Twitter, Facebook, youtube, etc.

    Mikrotik 2011uias Webfig v6.36.3 (Stable)

    ReplyDelete
  18. Unknown11 October 2017 at 06:39

    when i block all web. but how do it setup accept mail.google.com only

    ReplyDelete
  19. Doug10 November 2017 at 09:01

    Make sure the block rule is towards the top of your firewall rules. Exceptions get placed higher than the blocks.

    ReplyDelete
  20. Unknown1 January 2020 at 02:57

    tnx dear

    ReplyDelete
  21. tony16 October 2021 at 11:15

    i have tried this step by step but it doesn't work

    ReplyDelete
  22. Anonymous27 April 2022 at 06:54

    Layer 7 Website Blocking Using Mikrotik ~ Binary Heartbeat >>>>> Download Now

    >>>>> Download Full

    Layer 7 Website Blocking Using Mikrotik ~ Binary Heartbeat >>>>> Download LINK

    >>>>> Download Now

    Layer 7 Website Blocking Using Mikrotik ~ Binary Heartbeat >>>>> Download Full

    >>>>> Download LINK Kk

    ReplyDelete