 
alfagius
Frequent Visitor
Topic Author
Posts: 53
Joined: Mon Feb 21, 2011 4:07 pm

Webproxy: Https

Thu Aug 18, 2011 10:04 am

Good morning.

I'm sure people already came across this issue, although I couldn't find anything on forums.

I have built a webfilter for the company I work in, using the Mikrotik Webproxy, and it works like a charm, except for one thing.

https://www.facebook.com

HTTP I block fine; however, HTTPS is giving me hell. My first instinct was to drop all port 443 traffic altogether, but it created more problems than it solved, since they use a lot of legit HTTPS sites for work.

My aim for this exercise was to block websites that waste time at work, my main target being Facebook, and this whole HTTPS workaround is defeating the purpose of it all.

Messing with DNS is not an option, since 2 or 3 machines in the hotel actually need Facebook for work promotions.

Any ideas?
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Webproxy: Https

Thu Aug 18, 2011 10:25 am

Firstly,
Only HTTP traffic is supported in transparent mode of the web proxy. HTTPS and FTP protocols are not going to work this way.

You can block TCP port 443 traffic that belongs to Facebook (a bunch of IP addresses are used by Facebook) in /ip firewall filter.
 
alfagius
Frequent Visitor
Topic Author
Posts: 53
Joined: Mon Feb 21, 2011 4:07 pm

Re: Webproxy: Https

Thu Aug 18, 2011 10:43 am

That's what worried me.

So essentially, if Facebook decides to tinker with their IPs, the next DNS refresh will render me helpless, unless I keep checking them constantly.
 
kirshteins
MikroTik Support
Posts: 592
Joined: Tue Dec 02, 2008 10:55 am

Re: Webproxy: Https

Thu Aug 18, 2011 10:53 am

This example covers all known Facebook addresses:
/ip firewall address-list
add address=66.220.144.0/20 disabled=no list=facebook_ip_addresses
add address=69.63.176.0/20 disabled=no list=facebook_ip_addresses
add address=204.15.20.0/22 disabled=no list=facebook_ip_addresses
/ip firewall filter
add action=drop chain=forward disabled=no dst-address-list=\
    facebook_ip_addresses dst-port=443 protocol=tcp
 
petrn
Member Candidate
Posts: 180
Joined: Thu Jul 29, 2010 3:56 am
Location: Dubai

Re: Webproxy: Https

Thu Aug 18, 2011 9:50 pm

> This example covers all known Facebook addresses:

Not really:

http://bgp.he.net/AS32934#_prefixes :
66.220.144.0/21
66.220.152.0/21
66.220.159.0/24
69.63.176.0/21
69.63.184.0/21
69.171.224.0/20
69.171.239.0/24
69.171.240.0/20
69.171.255.0/24
74.119.76.0/22
204.15.20.0/22

http://bgp.he.net/AS32934#_prefixes6 :
2620:0000:1c00::/40

EDIT: IPv4 summarized:
66.220.144.0/20
69.63.176.0/20
69.171.224.0/19
74.119.76.0/22
204.15.20.0/22
Last edited by petrn on Fri Aug 19, 2011 11:11 am, edited 1 time in total.
 
kirshteins
MikroTik Support
Posts: 592
Joined: Tue Dec 02, 2008 10:55 am

Re: Webproxy: Https

Fri Aug 19, 2011 8:00 am

You can easily add them to the address list :)
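
The following is an added example, not part of any post in this thread: it collapses the AS32934 IPv4 prefixes quoted above into the summarized form, compares them with the three ranges in the address list posted earlier, and emits address-list lines for whatever is not yet covered. The prefix data is the 2011 snapshot from the thread; the function names are hypothetical, and the IPv6 prefix is left out because the rule in the thread is an /ip firewall (IPv4) rule.

```python
import ipaddress

# IPv4 prefixes quoted in the thread from bgp.he.net for AS32934 (2011 snapshot).
ANNOUNCED = """
66.220.144.0/21 66.220.152.0/21 66.220.159.0/24
69.63.176.0/21 69.63.184.0/21
69.171.224.0/20 69.171.239.0/24 69.171.240.0/20 69.171.255.0/24
74.119.76.0/22 204.15.20.0/22
""".split()

# Ranges in the address list posted earlier in the thread.
CONFIGURED = ["66.220.144.0/20", "69.63.176.0/20", "204.15.20.0/22"]

LIST_NAME = "facebook_ip_addresses"  # list name used in the thread


def summarize(prefixes):
    """Merge adjacent and overlapping IPv4 prefixes into the fewest CIDR blocks."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def uncovered(announced, configured):
    """Summarized announced blocks that no configured range fully contains."""
    have = [ipaddress.ip_network(p) for p in configured]
    # A block only partly covered by a configured range is still reported,
    # so adding it closes the gap (at the cost of some overlap in the list).
    return [n for n in summarize(announced)
            if not any(n.subnet_of(h) for h in have)]


def routeros_commands(nets, list_name=LIST_NAME):
    """Render address-list entries in the same form as the post above."""
    lines = ["/ip firewall address-list"]
    lines += [f"add address={n} disabled=no list={list_name}" for n in nets]
    return lines


if __name__ == "__main__":
    print("Summarized:", ", ".join(str(n) for n in summarize(ANNOUNCED)))
    print("\n".join(routeros_commands(uncovered(ANNOUNCED, CONFIGURED))))
```

Re-running the comparison whenever the announced prefixes are refreshed shows which ranges the drop rule on port 443 no longer covers.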
