MikroTik Firewall is a powerful security tool that can be used to block unwanted websites. If you are a network administrator, sometimes it may be your requirement to block any website like Facebook, YouTube, Pornographic site and so on. To block these types of websites, you just need to create Firewall Rules that will drop any connection to these websites through your MikroTik Router. MikroTik Firewall basic concept such as what is MikroTik Firewall, what is MikroTik Firewall Rule, how to implement MikroTik Firewall Rule etc. was discussed in my previous article. If you feel that you need the basic concept of MikroTik Firewall, feel free to spend time to study that article. In this article, I am only going to show how to block unwanted websites using MikroTik Firewall Rules.
How MikroTik Firewall Blocks Websites
MikroTik Firewall blocks website using Filter Rule. A MikroTik Filter Rule has two parts.
- Conditional part which takes various conditional properties such as Chain, Source Address, Destination Address, Protocol, Source Port, Destination Port, Layer7 Protocol etc. to match conditions.
- Action part which takes only drop action to block any website.
If conditional part of a Filter Rule is matched, MikroTik Firewall will drop that connection. So, any user cannot access that website through MikroTik Router.
Why Layer7 Protocol
MikroTik Firewall is capable to block any website with not only source address or destination address but also Layer7 Protocol. Layer7 Protocol uses Perl Regex (Regular Expression) to match any keyword in URL. If matched is occurred, action is taken by the Filter Rule that uses this Layer7 Protocol. As we want to block any website providing keyword such as Facebook, YouTube etc. we will create a Layer7 Protocol with Regex and then we will use this Layer7 Protocol in our Filter Rule.
Block Facebook, YouTube with MikroTik Filter Rule
Now we will create Filter Rule that will block websites like Facebook, YouTube or any other website that you want. Complete process to create a Filter Rule can be divided into two steps.
- Step 1: Creating layer7 protocol to select desired website and
- Step 2: Creating firewall rule to block that selected website
Step 1: Creating Layer7 Protocol to Select Desired Website
Before creating Filter Rule, we need to create Layer7 Protocol with Regex because this Layer7 Protocol will be used by Filter Rule to match any keyword in URL. The following process will show how to create Layer7 Protocol with Regex.
- Open winbox and login with your login credentials.
- Go to IP > Firewall and then click on Layer7 Protocols tab.
- Click on PLUS SIGN (+) to create a new Layer7 Protocol with Regex. New Firewall L7 Protocol window will appear.
- Put a meaningful name such as Facebook in Name input box.
- Now put ^.+(facebook.com).*$ Regex in Regexp textarea input field if you want to block Facebook. If you are interested to know Perl Regex, you will find here.
- Now click Apply and OK button.
- Similarly, if you want to block YouTube, do step 4, 5 and 6 but change facebook.com with youtube.com like ^.+(youtube.com).*$. You can put any keyword such as sex, porn etc. that you want to block within parenthesis in this Regex.
We have created our Layer7 Protocols which will be used in Filter Rule to block our desired sites. Now we will create our Firewall Filter Rule.
Step 2: Creating Filter Rule to Block Selected Website with Layer7 Protocol
After creating Layer7 Protocol, we will now create Filter Rule that will block our desired website. The following steps will show how to create a Filter Rule to block any website.
- Now click on Filter Rules tab and then click on PLUS SIGN (+) to create a new Filter Rule. New Firewall Rule window will appear now.
- In General tab, choose forward from Chain dropdown menu.
- We are keeping untouched both Src. Address and Dst. Address because we want to block all users. If you want to block for a specific user, put his/her IP address in Src. Address input box or if you want to block for an IP block, put that IP block in the Src. Address input box.
- Click on Protocol dropdown menu and choose tcp from Protocol dropdown menu.
- Put port 80,443 in Dst. Port input box. Value should be comma separated.
- Click on Advanced tab and then choose your Layer7 Protocol that you created before from Layer7 Protocol dropdown menu.
- Now click on Action tab and choose drop from Action dropdown menu.
- Click Apply and OK button.
- Similarly, you can create another Filter Rule to block any other website.
Filter Rule to block website has been created. The above rule will block all the users to access our desired website. But sometimes you may need to access this website for a specific user. In this case, you have to create another Filter Rule where user’s IP address has to provide in source address and the Filter action will be accept.
How to Allow a Specific User to a Blocked Website
The above Filter Rule that we have created will block all users in your LAN. But sometimes you may have some specific users who need to access your blocked website such as Facebook, YouTube etc. The following steps will show you how to give access a specific user to your blocked website.
- Click on Filter Rules tab and then click on PLUS SIGN (+) to create a new Filter Rule. New Firewall Rule window will appear now.
- In General tab, choose forward from Chain dropdown menu.
- Put your user’s IP address which will be allowed to access blocked website in Address input box.
- Click on Protocol dropdown menu and choose tcp from Protocol dropdown menu.
- Put port 80,443 in Dst. Port input box.
- Click on Advanced tab and then choose your Layer7 Protocol which will be allowed for the user from Layer7 Protocol dropdown menu.
- Now click on Action tab and choose accept from Action dropdown menu.
- Click Apply and OK button.
- Similarly, you can add another IP address (user) to access blocked website.
Note: You must place allowed rule before dropped rule. Otherwise, allowed user will go under dropped rule. So, he/she cannot access to desired website.
I hope, you will be able to block any unwanted website using layer7 protocol and MikroTik Firewall filter rule if you follow the above steps properly. However, if you face any confusion to follow above steps, feel free to watch my video about MikroTik Block Website (facebook, youtube etc). I hope, it will reduce your any confusion.
How to block websites (Facebook, YouTube etc.) with MikroTik Firewall Rule and Layer7 Protocol has been discussed in this article. I hope you are now able to block any website or can give access to any user to access any blocked website easily. However, if you face any problem to block any website, feel free to discuss in comment or contact with me from Contact page. I will try my best to stay with you.