Block domains using wildcard

Hi!

I recently got a Mikrotik router with RouterOS v6.45.9 installed, and would like to block some websites based on their domain. For 99% of the cases I can do this via my computer’s hosts file, but unfortunately that doesn’t work for some websites. For instance, itch.io (where one can download games) has a separate subdomain for each game creator, like creator1.itch.io, superspecialawesomme.itch.io, and so on. I’ve found this old post on the Mikrotik wiki https://wiki.mikrotik.com/wiki/How_to_Block_Websites_%26_Stop_Downloading_Using_Proxy which gives a way to do this, but that post is almost 10 years old so I’m hesitant to try it on my router in case it doesn’t work and I break something.

Can someone please confirm whether the above post’s method will work, and if not recommend another way to block domains with wildcards?

Using a proxy will not block anything for you anymore.
Please use the tls-host matcher to block webpages.

Example with wildcards:

Step 1: disable fasttrack
Step 2: add rules

/ip firewall filter
add action=jump chain=forward comment=BLOCKLIST jump-target=blocklist
add action=reject chain=blocklist comment="block youtube" disabled=yes protocol=tcp reject-with=icmp-network-unreachable tls-host=*youtube*

Thanks for the pointers! I’ve entered the commands exactly as you gave them, both for YouTube and for itch.io, and unfortunately both of them are not being blocked at all. I’ve attached a screenshot of the firewall page; please let me know if there’s any information you need.
Screenshot 2021-05-05 124929.png

first, upgrade to 6.47.9,

second, the rules in the example are (X) disabled (the right choice for examples) and
must be activated to work, but you probably also have not disabled fasttrack

Hi rextended

Thanks for your help! I have now enabled those two rules which were disabled before. Also, fasttrack has been disabled. However, I am having trouble updating RouterOS to 6.47.9, as when I try to click ‘Download&Install’ in the relevant menu I get the error ‘Couldn’t perform action - not permitted (9)’. My guess is that this is some restriction from my ISP. Do I have to update to the latest version in order for this filtering to work correctly?

Anyway, the filtering is not working yet as I can still access YouTube and itch.io.
Screenshot 2021-05-05 175456.png

Hello,
These are my rules; maybe they help you. If it didn't work, try to move the rule up.

;;; Drop Layer7 Web Filter Rule
      chain=forward action=reject reject-with=icmp-admin-prohibited layer7-protocol=blockwebsite protocol=tcp 
      in-interface-list=LAN out-interface-list=WAN dst-port=80,443 log=no log-prefix=""
      ---------------------
      ^.+(anten.ir|filimo.com|youtube.com).*$

@jvanhambelgium

Thank you for your suggestion, I did remove the TCP from the rule <3

In the example that Normis gave, the new rule for BLOCKLIST in the forward firewall has to be moved to the top of the forward rules.
When it is below the “accept established/related” rule it will not work.
I advise you to keep the forward rules together, so move the two forward rules that are between input rules down below the BLOCKLIST (jump) rule.
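To make the ordering point concrete, here is an added toy model of forward-chain evaluation (my own example, not the forum's configuration or RouterOS code). It assumes glob-style matching for tls-host (modelled with fnmatch) and a default-accept policy when no rule matches; the rule names and the SNI value are constructed.

```python
"""Toy model of RouterOS forward-chain evaluation (added example).
The TLS ClientHello that carries the SNI (what tls-host matches on) is the
first data packet *after* the TCP handshake, so connection tracking already
reports the connection as 'established' when it arrives. If the BLOCKLIST
jump sits below 'accept established,related', that rule wins first."""
import fnmatch

# Rules are dicts of matchers plus an action; the list order is the point.
ACCEPT_ESTABLISHED = {"connection_state": {"established", "related"}, "action": "accept"}
JUMP_BLOCKLIST = {"action": "jump", "jump_target": "blocklist"}
BLOCKLIST = [  # wildcard patterns in the style of the thread's tls-host=*youtube*
    {"protocol": "tcp", "tls_host": "*youtube*", "action": "reject"},
    {"protocol": "tcp", "tls_host": "*itch.io*", "action": "reject"},
]
CHAINS = {"blocklist": BLOCKLIST}

# Constructed packet: ClientHello for a per-creator itch.io subdomain.
CLIENT_HELLO = {"protocol": "tcp", "state": "established", "sni": "creator1.itch.io"}


def matches(rule, pkt):
    """Every matcher present in the rule must match the packet."""
    if "connection_state" in rule and pkt["state"] not in rule["connection_state"]:
        return False
    if "protocol" in rule and pkt["protocol"] != rule["protocol"]:
        return False
    if "tls_host" in rule:
        sni = pkt.get("sni")
        # Assumption: tls-host is modelled as a case-sensitive glob.
        if sni is None or not fnmatch.fnmatchcase(sni, rule["tls_host"]):
            return False
    return True


def _walk(chain, pkt):
    """Return the first terminal action, or None if the chain falls through."""
    for rule in chain:
        if not matches(rule, pkt):
            continue
        if rule["action"] == "jump":
            result = _walk(CHAINS[rule["jump_target"]], pkt)
            if result is not None:
                return result
            continue  # target chain had no match: resume the calling chain
        return rule["action"]
    return None


def verdict(forward_chain, pkt):
    """Default policy when nothing matches is accept, as in a filter chain."""
    return _walk(forward_chain, pkt) or "accept"


def jump_below_established():
    return verdict([ACCEPT_ESTABLISHED, JUMP_BLOCKLIST], CLIENT_HELLO)  # "accept"


def jump_above_established():
    return verdict([JUMP_BLOCKLIST, ACCEPT_ESTABLISHED], CLIENT_HELLO)  # "reject"
```

The same shadowing happens with an enabled fasttrack rule above the jump, which is why the earlier advice to disable fasttrack and this advice to move the jump to the top go together.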

Thanks @pe1chl! It seems to be working now.