Tuesday, 31 March 2015

Layer 7 website blocking using Mikrotik

07:56 Posted by Jurgens Krause , , , , 19 comments

There are a couple of ways that you can block websites on Mikrotik Routers. One of the easiest and resource efficient ways to do this on a MT is by using Layer 7 inspection.

1. Open up Winbox and connect to your router.
1.1 On the left menu, select IP->Firewall

2. On the Firewall Windows, click on the "Layer 7 Protocols" tab

3. Click on the Add button
3.1 Under the "Name" field, type "Block"
3.2 Under the Regex field, put the text below. You can add more sites by typing in the Domain, and separating them with the pipe "|" symbol.

4. Click on the "Filter Rules" tab in the "Firewall" window.
4.1 On the "General" tab, make sure that the "Forward" chain is selected.

5. On the "Advanced" tab, under "Layer 7 Protocol" select the "Block" item that we created earlier.

6. On the "Action" tab, select "reject" as the action, and then click "OK" to finish.

An alternative way to set up the blocking, is by typing (or pasting) the following in a terminal window:
/ip firewall layer7-protocol
add name=Block regexp="^.+(youtube.com|facebook.com).*\$"
/ip firewall filter
add action=reject chain=forward layer7-protocol=Block

Make sure you test everything before putting it in production. Also note that there are ways to bypass this, if your users are clever or determined enough.


  1. "drop" is very slow.
    any browser is beginning to think something if go to blocking site.
    "reject" - yes. it's. not compatible with dns. with ip(direct) (icmp) only.

  2. apakah ada cara block untuk server mikrotik tidak dengan winbox?
    apakah ada sintak untuk memblock secara manual tidak menggunakan winbox?

  3. Help!
    When block youtube.com google.com not work.

  4. ^.+(porn|xnxx|muyzorras|petardas|xhamster|tube8|cumlouder|bravoteens|redtube|playboyplus|babesofindia|firstanaldate|amateursraw|gfhardcore|).*$ pongo esa regla y me bloquea todo

    1. hey tranquilo, tranquilo quieres bloquear todo, supongo que tu prolema es |gfhardcore|). deberia finalizar gfhardcore).

      Hey take it easy, take it easy you want to block everything. I guess you error is in |gfhardcore|).*$ mus be finish in gfhardcore).*$

  5. Real Blacklists for Mikrotik RouterOS are available from Squidblacklist.org


  6. any way to add exception after rules have been set?

  7. Help!
    When block youtube.com google.com not work.

  8. Help!
    When block youtube.com google.com not work.

  9. Thenk you guys for the info, but when i block using the above procedure, it only works on computer connected via cables. All computers connected via wi-fi are still getting through. What do i do? Thanks in advace

  10. This comment has been removed by the author.

  11. We now have a porn regex blacklist with approx 4k lines for portability with all Mikrotik devices. http://www.squidblacklist.org

  12. hey Guys this works perfect! but How do i set up an exception? One user needs to access at those sites, she is Social Media Manager and use Twitter, Facebook, youtube, etc.

    Mikrotik 2011uias Webfig v6.36.3 (Stable)