I need some advice please. I am not new to firewalls but must admit I am new to Mikrotik products.
I have an issue where Facebook has been blocked on a Unifi Network Router using a layer 7 protocol rule which is working 100%.
The issue is I need one mobile device to have access to facebook and not other users. I was under the impression that the Miktotik reads rules from top to bottom.
I have placed a rule which includes the mac address of the specific mobile device above the block rule for Facebook and still have no joy.
If i disable the Facebook Layer 7 block rule the device has access to facebook.
This is not what you want to hear, but using Layer7 is generally a bad practice, because:
You can get around this filtering by using VPN
You can get around this by (sometimes) doing nothing. See “DNS Over HTTPS” and some browsers do it by default now.
Specifically your case, you can change MAC and get around this rule. Luckily, your smartphone does not use random MAC address on each connection. Pixel phones as well as any phone with Pixel-like ROM will do this by default.
Layer7 filtering is very resource intensive, so keep it in mind.
But what you want to hear - try marking connections from the mobile connection in IP → Firewall → Mangle. Use “Chain: prerouting”, set other required rules and in “action” select “mark connection” and write any mark you want, like “my_smartphone”.
Then in IP → Firewall → Filter Rules use “forward” chain and block traffic that has your smartphone connection mark as well as specified L7 protocol.
You are correct Mikrotik Firewall always work sequentially from top to bottom and in your case you are still facing the block because of your Identifiers.
Try using jump to change the chain as the first rule, it may help.
