
MikroTik and blocking unwanted sites (using YouTube and Facebook as examples)

I was prompted to write this article by two things: the older child started watching all kinds of videos on YouTube on his smartphone at night, until late, instead of going to bed, and I replaced the home router, a TP-Link TL-WR1043ND, with a MikroTik RB951G-2HnD.
After searching the Internet I came across a 2017 presentation on the MikroTik channel on YouTube. It described how not to do it and how to do it right. For many advanced users of MikroTik and RouterOS this may not be a revelation, but I hope it helps novice users like me not to get lost in the thicket of options offered on the Internet.
Let's start with the option that is often proposed on the Internet (do not do this!):
/ip firewall layer7-protocol
add name=youtube regexp="^.+(youtube).*$"
add name=facebook regexp="^.+(facebook).*$"
/ip firewall filter
add action=drop chain=forward layer7-protocol=facebook
add action=drop chain=forward layer7-protocol=youtube
This solution has the following disadvantages: high CPU load, increased latency, packet loss, and YouTube and Facebook are still not blocked.
Why does this happen? Every connection is inspected again and again, and the Layer7 matcher is applied in the wrong place (in the filter rules, against all forwarded traffic), so all traffic ends up being inspected.
The right way to do it
Create a regexp rule for Layer7:
/ip firewall layer7-protocol
add name=youtube regexp="^.+(youtube).*$"

I only blocked YouTube; if you need Facebook or anything else, create a separate rule for each:
add name=facebook regexp="^.+(facebook).*$"
You can also create rules for other video streaming services; here is one option:
regexp="^.*(youtube.com|youtu.be|netflix.com|vimeo.com|screen.yahoo.com|dailyMotion.com|hulu.com|twitch.tv|liveleak.com|vine.co|break.com|tv.com|metacafe.com|viewster.com).*$"
Next, we create rules for marking connections and packets. Note that the Layer7 matcher is now applied only to DNS queries (protocol=udp dst-port=53), so it no longer has to inspect all forwarded traffic:
/ip firewall mangle
add action=mark-connection chain=prerouting protocol=udp dst-port=53 connection-mark=no-mark layer7-protocol=youtube new-connection-mark=youtube_conn passthrough=yes
add action=mark-packet chain=prerouting connection-mark=youtube_conn new-packet-mark=youtube_packet


and rules for the firewall filter:
/ip firewall filter
add action=drop chain=forward packet-mark=youtube_packet
add action=drop chain=input packet-mark=youtube_packet
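Because the mangle rule above only ever sees DNS queries, what the Layer7 regexp is actually matched against is the DNS question in wire format, where the host name is stored as length-prefixed labels rather than dotted text. The following Python script is an added example, not part of the original article or of RouterOS: it builds constructed DNS query payloads for a few sample names and applies the article's regexps to them. It assumes, as an approximation of the real matcher, that the pattern is applied to the raw UDP payload bytes, case-insensitively, with `.` matching any byte; the `youtube\.com` pattern with the escaped dot is a hypothetical variant added for comparison. The run shows three things worth checking before deploying such a list: the unescaped `.` in `youtube.com` is exactly what lets it match `youtube\x03com`, so "tightening" the pattern by escaping the dot makes it match nothing; the youtube-only rule does not catch `youtu.be`, which is why the longer list includes it; and substring patterns over-block, since `^.+(youtube).*$` fires for any name containing "youtube" and `tv.com` fires for `mytv.com`. Also keep in mind that these rules only see queries that actually pass through the router on UDP port 53.

```python
import re

# Layer7 regexps copied from the article (RouterOS /ip firewall layer7-protocol).
YOUTUBE_PATTERN = r"^.+(youtube).*$"
VIDEO_PATTERN = (
    r"^.*(youtube.com|youtu.be|netflix.com|vimeo.com|screen.yahoo.com|"
    r"dailyMotion.com|hulu.com|twitch.tv|liveleak.com|vine.co|break.com|"
    r"tv.com|metacafe.com|viewster.com).*$"
)
# Hypothetical "stricter" variant with the dot escaped (not from the article).
ESCAPED_PATTERN = r"^.*(youtube\.com).*$"

# Constructed sample query names, chosen to show hits, misses and over-matching.
SAMPLE_QUERIES = [
    "www.youtube.com",
    "youtu.be",
    "dailymotion.com",
    "mytv.com",            # not a video site, but contains "tv" + any byte + "com"
    "notyoutube.example",  # contains "youtube" as a substring
    "example.org",
]


def dns_query_payload(name: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS query in wire format (RFC 1035) for `name`.

    Header (12 bytes): ID, flags with RD set, QDCOUNT=1, other counts 0.
    Question: QNAME as length-prefixed labels terminated by a zero byte,
    then QTYPE (1 = A) and QCLASS (1 = IN). The dots of the host name never
    appear in the packet; each label is preceded by its length byte instead.
    """
    header = b"\x12\x34" + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return header + qname + qtype.to_bytes(2, "big") + b"\x00\x01"


def l7_match(pattern: str, payload: bytes) -> bool:
    """Approximation of the RouterOS layer7 matcher (assumption: the regexp is
    applied to the raw UDP payload, case-insensitively, with '.' matching any
    byte; DOTALL is needed because a label length byte may equal 0x0a)."""
    regex = re.compile(pattern.encode("latin-1"), re.IGNORECASE | re.DOTALL)
    return regex.search(payload) is not None


def evaluate(pattern: str, names=SAMPLE_QUERIES) -> dict:
    """Return {query name: would this DNS query be marked?} for one pattern."""
    return {name: l7_match(pattern, dns_query_payload(name)) for name in names}


if __name__ == "__main__":
    for label, pattern in [("youtube only", YOUTUBE_PATTERN),
                           ("video list", VIDEO_PATTERN),
                           ("escaped dot", ESCAPED_PATTERN)]:
        print(f"== {label}: {pattern}")
        for name, hit in evaluate(pattern).items():
            print(f"  {'DROP' if hit else 'pass'}  {name}")
```

Run it as a script to get a DROP/pass table per pattern; `evaluate()` can be reused to vet any candidate regexp against a list of names you expect to block and a list you expect to leave alone.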


In my home network DHCP hands out static leases, so I applied the filter to the IP address of the child's smartphone; you can also create an address list and apply the filter to that. Go to IP > Firewall > Address Lists, click Add, enter the list name, and don't forget to add the addresses to be blocked.
Next, go to IP > Firewall > Mangle, open our mark-connection and mark-packet rules and enter the blocked IP in the Src. Address field (for an address list, use the Src. Address List field on the Advanced tab).

That's all: the device is left without YouTube. Harsh, but necessary for educational purposes.
You can also enable these rules on a schedule.
I will be glad to receive comments and corrections if you notice any inaccuracies, since this is my first article on Habr. Based on materials from the MikroTik channel on YouTube. Note: this article is not about how to restrict a child's access to the Internet; restricting access to YouTube is just an example. It is about one of the ways to restrict access to unwanted resources.
Update 1, from avelor, blocking by MAC address:
/ip firewall filter
add chain=input src-mac-address=aa:bb:cc:dd:ee:ff action=drop
add chain=forward src-mac-address=aa:bb:cc:dd:ee:ff action=drop
You can also block in DHCP: create a lease for the device and tick Block Access.