I have firewall rules to block Facebook. I have the following config:
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=\
10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s \
udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=forward comment="Drop Facebook 1" disabled=no \
dst-address=66.220.152.16 protocol=tcp
add action=drop chain=forward comment="Drop Facebook 2" disabled=no \
dst-address=69.171.237.16 protocol=tcp
add action=drop chain=forward comment="Drop Facebook 3" disabled=no \
dst-address=69.171.234.21 protocol=tcp
add action=drop chain=forward comment="Drop Facebook 4" disabled=no \
dst-address=66.220.158.70 protocol=tcp
add action=drop chain=forward comment="Drop Facebook 5" disabled=no \
dst-address=66.220.149.88 protocol=tcp
add action=drop chain=forward comment="Drop Facebook 6" disabled=no \
dst-address=69.171.247.21 protocol=tcp
/ip firewall nat
add action=accept chain=srcnat disabled=no dst-address=192.168.2.0/24 \
src-address=192.168.3.0/24
add action=masquerade chain=srcnat disabled=no out-interface=1-WAN
add action=dst-nat chain=dstnat disabled=no dst-address=68.143.166.138 \
dst-port=80,443 protocol=tcp to-addresses=192.168.3.118
add action=dst-nat chain=dstnat disabled=no dst-address=68.143.166.138 \
dst-port=110,25,465 protocol=tcp to-addresses=192.168.3.116
/ip firewall service-port
set ftp disabled=no ports=21,22
set tftp disabled=yes ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=yes ports=5060,5061 sip-direct-media=yes
set pptp disabled=yes
It is not blocking Facebook. I have tried turning off the TCP, using address lists, everything I can think of.
Users are not using a proxy. I did trace routes, and they are going out the router then to the internet. The firewall rules don't appear to get hits. Sometimes it hangs up in the browser, but hitting enter again will get it through. I have every IP for Facebook in the list.