How To Block Website (Facebook) Using Layer 7 in Mikrotik Router

Below I will share a Mikrotik tutorial on blocking Facebook with the Mikrotik L7 (Layer 7) protocol matcher. The Layer 7 protocol matcher is a method for finding patterns in ICMP / TCP / UDP streams; the patterns are written as regular expressions.

Layer 7 works by taking the first 10 packets of a connection, or its first 2KB, and looking for a match against the available patterns. If no pattern is found in that data, the matcher does not check any further and the connection is considered unknown. Keep in mind that a large number of connections will significantly increase memory usage on your RB or PC router. To avoid that, add regular firewall matchers to reduce the amount of data sent to the Layer 7 filter.

The Layer 7 matcher should see both directions of traffic (incoming and outgoing). To meet this requirement, Layer 7 rules must be set in the forward chain. If a rule is set in the input / prerouting chain, the same rule must also be set in the output / postrouting chain; otherwise the data may be incomplete and the pattern will not be matched correctly.

Now that you know about the Layer 7 protocol, we can go on. The scenario we will use is shown in the following picture.

Block Facebook in Mikrotik Diagram

This tutorial has two parts.

1. Block the Facebook website for everyone who connects to the local network.

First, we check whether the Facebook site can be opened.

Check the IP address of the client that cannot open Facebook.

Next, open Winbox and go to the IP menu -> Firewall -> Layer 7 Protocols. Create a new regular expression rule to block Facebook.

The steps are like in the following picture:

Block Facebook in Mikrotik

Name the rule facebook and enter the following regular expression.

^.+(facebook.com).*$

Next, create a new Firewall Rule with:

Chain: forward

Src Address: network address of client (172.16.10.0/24)

Open the Advanced tab and, under Layer 7 Protocol, select “facebook”.

Go to the Action tab and select drop as the action.

Now test whether the settings work.

Also check that sites other than Facebook are still working fine.

Okay, the settings work as intended.

2. Allow Facebook to be opened by only some users.

Next, we open access for one client: the second client (172.16.10.199/24) may open Facebook, while access stays blocked for the other clients.

Create a second filter rule whose Src Address is the client's own IP address, 172.16.10.199, instead of the network address.

Do not forget to select accept as its action.

Move the newly created rule to the top of the list.

Try this setting test on the second client (172.16.10.199/24):

The rule details show packets and data passing.

Also check on the other clients in the same network whether Facebook can be accessed.

Look again at this rule.

The drop rule's packet rate has gone up. This means that our settings have successfully blocked Facebook using the Mikrotik Layer 7 protocol.

We can do the same to block YouTube and other sites. Please try it and apply it yourself.
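Before putting a pattern like this on a router, it helps to see what it does and does not match. The Python sketch below is an added example, not part of the original tutorial or of RouterOS: it approximates the matcher described above (regular expression applied to the first 2KB of a connection) with Python's re module, which is an assumption since the router's regex engine may differ in details. The sample streams, the ESCAPED variant and the function names are constructed for illustration.

```python
import re

# Pattern from the tutorial; "." is unescaped, so it matches any byte.
TUTORIAL = re.compile(rb"^.+(facebook.com).*$", re.DOTALL)
# Assumed stricter variant (not from the tutorial): the dot must be a literal dot.
ESCAPED = re.compile(rb"^.+(facebook\.com).*$", re.DOTALL)

WINDOW = 2048  # the "first 2KB" of a connection that the matcher inspects


def l7_match(stream: bytes, pattern: re.Pattern = TUTORIAL) -> bool:
    """Approximate the Layer 7 matcher: test only the first WINDOW bytes."""
    return pattern.search(stream[:WINDOW]) is not None


# Constructed sample streams (client-to-server bytes of one connection each).
SAMPLES = {
    "facebook_request": b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n",
    "other_site": b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    # A request to another site whose URL merely mentions the name.
    "mention_in_url": b"GET /go?u=facebook.com HTTP/1.1\r\nHost: news.example\r\n\r\n",
    # Look-alike text that only the unescaped "." accepts.
    "lookalike": b"GET / HTTP/1.1\r\nHost: facebookxcom.example\r\n\r\n",
    # Name appears only after the inspected window: connection stays "unknown".
    "name_after_window": b"A" * WINDOW + b"www.facebook.com",
}


def report(pattern: re.Pattern = TUTORIAL) -> dict:
    """Return {sample name: True if the drop rule would match that stream}."""
    return {name: l7_match(data, pattern) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for label, pattern in (("tutorial", TUTORIAL), ("escaped", ESCAPED)):
        print(label, report(pattern))
```

The tutorial pattern also drops the "mention_in_url" and "lookalike" connections, so checking other sites after enabling the rule, as done in part 1, is worth repeating for every new pattern.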

May be useful 🙂
