This video shows three different ways to block websites / social media with a MikroTik router.
Method 1: Use of Layer 7 Protocol (Wrong Way)
First, create the Layer 7 protocols:
/ip firewall layer7-protocol
add name=youtube regexp="^.+(youtube).*\$"
add name=facebook regexp="^.+(facebook).*\$"
Then drop packets that match these Layer 7 protocols:
/ip firewall filter
add action=drop chain=forward layer7-protocol=facebook
add action=drop chain=forward layer7-protocol=youtube
Method 2: Use of Layer 7 Protocol and Mangle (Current Implementation)
Create the Layer 7 protocol:
/ip firewall layer7-protocol
add name=facebook regexp="^.+(facebook).*\$"
Mark the connection based on the Layer 7 protocol, then mark packets belonging to that connection:
/ip firewall mangle
add action=mark-connection chain=prerouting protocol=udp dst-port=53 connection-mark=no-mark layer7-protocol=facebook new-connection-mark=facebook_conn passthrough=yes
add action=mark-packet chain=prerouting connection-mark=facebook_conn new-packet-mark=facebook_packet
Drop traffic carrying the packet mark:
/ip firewall filter
add action=drop chain=forward packet-mark=facebook_packet
add action=drop chain=input packet-mark=facebook_packet
Method 3: Use of TLS-Host (Correct Implementation - New)
/ip firewall filter
add chain=forward dst-port=443 protocol=tcp tls-host=*.facebook.com action=reject
add chain=forward dst-port=443 protocol=tcp tls-host=*.youtube.com action=reject
TLS-Host matching, which uses the Server Name Indication (SNI) sent in the TLS ClientHello, is available only in RouterOS (ROS) version 6.41 and later.
#Mikrotik #RouterOS