Blocking Facebook, Tiktok and other websites

I am trying to permanently block some sites for the users, using an RB750G. The sites are:

  • Facebook
  • Tiktok
  • Twitter
  • Instagram
  • some other pages that I have seen they access

I have tried to use the L7 functionality of MikroTik as in https://rbgeek.wordpress.com/2012/05/29/how-to-block-facebook-in-mikrotik-using-l7-protocols-layer-7/ but unfortunately it does not seem to work AT ALL!

Any ideas how to block sites, without using any other component apart from Mikrotik, please?

That was in 2012 and now ‘they’ use HTTPS instead of HTTP.

Which means that I do not stand a chance? If yes, then it is strange for me to believe that MikroTik has left this area untouched.

You might make it work “somewhat” by really blocking large portions of IP space owned by “them”. You probably have to “review” this list from time to time.
This is the best you can do if you do not want to use any “external” component (e.g. Pi-hole to control DNS requests).
Now I’m not sure about the DNS function of MikroTik => If you force all your users to use the MikroTik as a DNS and configure some static entries which are “fake” (not sure if you can use wildcards) then you might also inflict some restrictions on these users. If these users use DoH (DNS-over-HTTPS) then yeah…

Reliable block is impossible. No matter what suggestions will come later, I can guarantee that I will be able to figure out a way to get through, unless you completely block me from the internet.

Partially reliable and very easy will be the DNS method: force all DNS requests to the MikroTik (dst-nat) and then create static entries with a regexp matching all domains and subdomains, e.g.

# Redirect every outbound UDP/53 query to the router's own resolver
/ip firewall nat add action=dst-nat chain=dstnat dst-port=53 protocol=udp to-addresses=127.0.0.1
# Answer any name ending in ".facebook.com" with a sinkhole address ("\\." is a literal dot in a RouterOS quoted string)
/ip dns static add address=127.0.0.1 regexp=".*\\.facebook\\.com" type=A

But this will NOT prevent people who use VPNs and/or DNS-over-HTTPS or DNS-over-TLS.

So as I said, not reliable, however, it will be sufficient to block most basic users.
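A fuller version of the DNS sinkhole described in this reply, written as an added RouterOS script (not code from the post above or from MikroTik). It assumes the router's own resolver is enabled for LAN clients (`allow-remote-requests=yes`), uses `action=redirect` so the query lands on the router regardless of its LAN address, and covers TCP/53 as well as UDP/53; the extra domains (`fbcdn.net`, `cdninstagram.com`, `tiktokcdn.com`) are content-delivery names these services are known to use, but the list is illustrative and should be verified and maintained by the operator:

```routeros
# --- 1. Make the router the only reachable resolver for LAN clients ---
/ip dns set allow-remote-requests=yes

/ip firewall nat
add chain=dstnat protocol=udp dst-port=53 action=redirect to-ports=53 \
    comment="force plain DNS (UDP) through the router"
add chain=dstnat protocol=tcp dst-port=53 action=redirect to-ports=53 \
    comment="force plain DNS (TCP) through the router"

# --- 2. Sinkhole the blocked domains and all of their subdomains ---
# "(^|\\.)" matches either the bare domain or any subdomain; "\\." is a literal dot.
# 127.0.0.1 is returned so that the client's connection attempt fails on itself.
/ip dns static
add type=A address=127.0.0.1 regexp="(^|\\.)facebook\\.com"     comment="block-social"
add type=A address=127.0.0.1 regexp="(^|\\.)fbcdn\\.net"        comment="block-social"
add type=A address=127.0.0.1 regexp="(^|\\.)instagram\\.com"    comment="block-social"
add type=A address=127.0.0.1 regexp="(^|\\.)cdninstagram\\.com" comment="block-social"
add type=A address=127.0.0.1 regexp="(^|\\.)tiktok\\.com"       comment="block-social"
add type=A address=127.0.0.1 regexp="(^|\\.)tiktokcdn\\.com"    comment="block-social"
add type=A address=127.0.0.1 regexp="(^|\\.)twitter\\.com"      comment="block-social"

# --- 3. Log (not block) encrypted-DNS attempts so you can see who bypasses the sinkhole ---
# DNS-over-TLS uses TCP/853; DoH rides on TCP/443 and cannot be told apart from HTTPS here.
/ip firewall filter
add chain=forward protocol=tcp dst-port=853 action=log log-prefix="DoT-bypass" \
    comment="visibility only: clients resolving outside the router"
```

Check the result from a LAN client with a plain lookup (for example `nslookup www.facebook.com`) and confirm it returns 127.0.0.1; then check `/log print where message~"DoT-bypass"` to find clients that are sidestepping the sinkhole, which is exactly the VPN / DoH / DoT limitation the reply points out.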

Look up all their ASNs and generate a list of their netblocks. It works for Farcebook anyway.

Blocking all IPs from a particular ASN will work only for services which have their own ASN and do not serve their content from any other IP (Google, FB). However, it will also block other services which are hosted on those IPs (e.g. Google has their Google Cloud Platform hosting heaps of 3rd-party websites).

It will certainly not work for Tiktok and others who use AWS, Cloudflare, Akamai or any other CDN (by blocking a whole CDN you would cut off millions of other websites).

Personally, I would not waste my time on collecting all those IPs.
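For completeness, the netblock approach from the two replies above as an added RouterOS example (not code from either poster). The prefixes are placeholders from the documentation ranges (TEST-NET), not real Facebook or TikTok netblocks; the operator would fill the address list from the ASN's announced prefixes and refresh it periodically, which is the maintenance burden both replies warn about:

```routeros
# --- 1. Address list holding the netblocks announced by the target ASNs ---
# PLACEHOLDER prefixes: replace with the real announcements for each ASN and re-check regularly.
/ip firewall address-list
add list=blocked-social address=203.0.113.0/24   comment="placeholder: AS-example netblock 1"
add list=blocked-social address=198.51.100.0/24  comment="placeholder: AS-example netblock 2"

# --- 2. Reject (not silently drop) so client browsers fail fast instead of hanging ---
/ip firewall filter
add chain=forward dst-address-list=blocked-social action=log log-prefix="social-block" \
    comment="record which client hit the list, useful for spotting collateral damage"
add chain=forward dst-address-list=blocked-social action=reject \
    reject-with=icmp-network-unreachable comment="block traffic to listed netblocks"

# --- 3. Quick check of what the list currently covers ---
/ip firewall address-list print where list=blocked-social
```

The log rule sits before the reject on purpose: when a CDN-hosted third-party site stops working, `/log print where message~"social-block"` shows which prefix caused it, so the list can be trimmed rather than the whole approach abandoned.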

The bottom line is that a MikroTik product simply is not suited anymore to this domain. It might have been 10 years ago, but not anymore.
I’m doing some projects using Palo Alto at the moment and their App-ID (signature based) detects all these web applications without a problem (> 3000 different ones):
https://applipedia.paloaltonetworks.com/

Hell, even “Winbox” is listed in the App-ID database :wink:

So yes, MT has some nice routing devices doing a lot of things very well for a very low price point, same for (some) wireless solutions & basic switching etc.
But these types of advanced Internet gateways, UTM, identity-aware systems are not one of them.