filter rules not working with L7 protocol

mikuser123 · June 30, 2019, 7:14am

I want to set my router allow some domain in whitelist passthrough. I added l7 protocols, but not working.
my settings:

[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0 X  chain=srcnat action=masquerade src-address=10.40.96.0/20 log=no 
      log-prefix="" 
 1    chain=srcnat action=masquerade routing-mark=M_10_40_96_100 log=no 
      log-prefix="" 
[admin@MikroTik] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=prerouting action=mark-routing new-routing-mark=M_10_40_96_100 
      passthrough=no dst-address=!10.40.96.0/20 src-address-list=A_10_40_97_100 
      log=no log-prefix="" 
 1    chain=prerouting action=mark-routing new-routing-mark=M_10.40.96.101 
      passthrough=yes dst-address=!10.40.96.0/20 
      src-address-list=A_10_40_96.101 content=baidu.com log=no log-prefix="" 
 2    chain=prerouting action=mark-routing new-routing-mark=M_10_40_96_100 
      passthrough=yes protocol=udp dst-address=!10.40.96.0/20 
      src-address-list=A_10_40_97_100 dst-port=53 log=no log-prefix="" 
 3    chain=prerouting action=mark-routing new-routing-mark=M_10_40_96_100 
      passthrough=yes protocol=icmp dst-address=!10.40.96.0/24 
      src-address-list=A_10_40_97_100 log=no log-prefix="" 
 4    chain=prerouting action=mark-routing new-routing-mark=M_in_eth1 
      passthrough=yes in-interface=ether1 log=no log-prefix="" 
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=forward action=accept protocol=icmp log=no log-prefix="" 
 1    chain=forward action=accept protocol=tcp dst-port=53 log=no log-prefix="" 
 2    chain=forward action=accept protocol=udp dst-port=53 log=no log-prefix="" 
 3    chain=forward action=accept layer7-protocol=whitelist log=no log-prefix="" 
 4    chain=forward action=drop log=no log-prefix="" 
[admin@MikroTik] > ip firewall layer7-protocol print
 # NAME                                                                                                                       REGEXP                                                                                                                     
 0 whitelist                                                                                                                  ^.*google.com.*$                                                                                                           
[admin@MikroTik] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=prerouting action=mark-routing new-routing-mark=M_10_40_96_100 passthrough=no dst-address=!10.40.96.0/20 src-address-list=A_10_40_96_100 log=no log-prefix="" 
 1 X  chain=prerouting action=mark-routing new-routing-mark=M_in_eth1 passthrough=yes in-interface=ether1 log=no log-prefix="" 
[admin@MikroTik] > ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade routing-mark=M_10_40_96_100 log=no log-prefix="" 
[admin@MikroTik] > ip firewall address-list print
Flags: X - disabled, D - dynamic 
 #   LIST                                                                                       ADDRESS                                                                                                         CREATION-TIME        TIMEOUT             
 0   A_10_40_96_100                                                                             10.40.96.100-10.40.96.150

anyone helps?