
MikroTik and blocking unwanted sites (for example, YouTube and Facebook)



I was prompted to write this article by two things: my older child, who instead of going to bed at night watches videos on YouTube on a smartphone until late, and my replacing the home TP-Link TL-WR1043ND router with a MikroTik RB951G-2HnD.

Having searched the Internet, I came across a 2017 presentation on the MikroTik channel on YouTube. It described how not to do it and how to do it correctly. Perhaps for many advanced users of MikroTik and RouterOS this will not be a revelation, but I hope it will help novice users like me not to get lost in the thicket of options offered on the Internet.

Let's start with the option that is often proposed on the Internet (do NOT do this!!!):

 /ip firewall layer7-protocol
 add name=youtube regexp="^.+(youtube).*$"
 add name=facebook regexp="^.+(facebook).*$"
 /ip firewall filter
 add action=drop chain=forward layer7-protocol=facebook
 add action=drop chain=forward layer7-protocol=youtube

This solution has the following disadvantages: high CPU load, increased latency, packet loss, and YouTube and Facebook are still not blocked.

Why does this happen? The Layer7 matcher is applied in the wrong place: directly in the filter chain, with no connection mark to narrow it down, so every packet of every connection is run through the regexp again and again, and effectively all traffic is inspected.

Correct solution


Create a Layer7 regular expression rule:

 ● /ip firewall layer7-protocol add name=youtube regexp="^.+(youtube).*$" 



I have only blocked YouTube; if you need Facebook or something else, create a separate rule for it:

 add name=facebook regexp="^.+(facebook).*$" 

You can also create rules for other video streaming services; here is one option (a single rule whose alternatives are grouped in parentheses):

 regexp="^.*(youtube.com|youtu.be|netflix.com|vimeo.com|screen.yahoo.com|dailyMotion.com|hulu.com|twitch.tv|liveleak.com|vine.co|break.com|tv.com|metacafe.com|viewster.com).*$"

Next, create mangle rules for marking connections and packets. The Layer7 match is applied only to DNS traffic (UDP port 53) on connections that have no mark yet, so the regexp is evaluated once per new DNS connection instead of on every packet:

 /ip firewall mangle
 add action=mark-connection chain=prerouting protocol=udp dst-port=53 connection-mark=no-mark layer7-protocol=youtube new-connection-mark=youtube_conn passthrough=yes
 add action=mark-packet chain=prerouting connection-mark=youtube_conn new-packet-mark=youtube_packet

and rules for the firewall filter (the input chain is needed as well, because the router itself may be the DNS resolver for the client):

 /ip firewall filter
 add action=drop chain=forward packet-mark=youtube_packet
 add action=drop chain=input packet-mark=youtube_packet

In my home network, static IP addresses are handed out via DHCP, so I applied the filter to the IP address of the child's smartphone; you can also create an address list and apply the rules to it. Go to IP > Firewall > Address List, click Add, enter the list name and do not forget to fill in the addresses to block.

Next, go to IP > Firewall > Mangle, open our mark-connection and mark-packet rules and enter the blocked IP in the Src. Address field (for an address list, use the Src. Address List field instead).
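To see what the mangle rule above actually gets to inspect, here is an added example (not from the article or from MikroTik) that builds DNS queries in wire format and applies the article's Layer7 regexps to them as the UDP port 53 rule would. It shows that the simple `youtube` pattern matches `www.youtube.com` but not `youtu.be`, that the unescaped `.` in the combined pattern happens to match the label-length byte of DNS wire format, and that a substring pattern also catches any unrelated name containing `youtube`. Treating `.` as matching any byte (including newline) is an assumption about the RouterOS matcher.

```python
import re
import struct

# Layer7 regexps taken from the article; RouterOS applies them to raw payload bytes.
# re.DOTALL is an assumption: it lets '.' span any byte, including newline.
L7_PATTERNS = {
    "youtube": re.compile(rb"^.+(youtube).*$", re.DOTALL),
    "facebook": re.compile(rb"^.+(facebook).*$", re.DOTALL),
    # Subset of the article's combined video-service pattern, with the missing '(' restored.
    # The unescaped '.' in "youtube.com" matches the label-length byte (\x03) that
    # replaces the dot in DNS wire format, which is why it still works on DNS queries.
    "video": re.compile(
        rb"^.*(youtube.com|youtu.be|netflix.com|vimeo.com|twitch.tv).*$", re.DOTALL
    ),
}


def dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query in wire format (constructed sample input).

    The mangle rule matches only UDP traffic to port 53, so a DNS query
    payload is exactly what the Layer7 regexp gets to see.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # standard query, RD=1
    labels = b"".join(
        bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def l7_match(payload: bytes, protocol: str) -> bool:
    """Does the named Layer7 protocol regexp match this payload?"""
    return L7_PATTERNS[protocol].search(payload) is not None


def dns_is_marked(name: str, protocol: str = "youtube") -> bool:
    """Simulate the mangle rule: would a DNS query for `name` get the connection mark?"""
    return l7_match(dns_query(name), protocol)


if __name__ == "__main__":
    for qname in ("www.youtube.com", "youtu.be", "example.com", "notyoutube.example"):
        print(f"{qname:20s} youtube={dns_is_marked(qname)!s:5s} "
              f"video={dns_is_marked(qname, 'video')}")
```

Once the DNS query is dropped, the client never learns the address, which is why the rule blocks without touching the video traffic itself; a client that resolves names some other way (for example over HTTPS) never hits this rule.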



That's it: the device is left without YouTube. Harsh, but necessary for educational purposes.

You can also apply these rules on a schedule.

I would be glad to receive comments and corrections if you notice any inaccuracies, since this is my first article on Habr. Based on material from the MikroTik channel on YouTube. Note: this article is not about how to restrict a child's access to the Internet; restricting access to YouTube is just an example. It is an article about one of the ways to restrict access to unwanted resources.

Update 1, from avelor, blocking by MAC address:

 /ip firewall filter
 add chain=input src-mac-address=aa:bb:cc:dd:ee:ff action=drop
 add chain=forward src-mac-address=aa:bb:cc:dd:ee:ff action=drop

You can also block a device in DHCP: create a lease for it and click Block Access.

Source: https://habr.com/ru/post/346052/