How can block all except Address list?

Hi, i’m newbie,
I using router board: RB750gr3 , OS 6.45.9.
I want to block all connection except IP Address List.
I have made an IP address list and am using a rule in the firewall filter: please see the attached file.
But some one is using VPN to access other sites.
How can i block all but only allow my address list?
Thank for your help and sorry for my bad english.

# sep/12/2020 07:57:08 by RouterOS 6.45.9
# software id =
#
# model = RB750Gr3
# serial number =
/interface bridge
add admin-mac=C4:AD:34:AC:17:F6 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name=blockface regexp="^.+(www.facebook.com|facebook.com|login.facebook.co\
m|www.login.facebook.com|fbcdn.net|www.fbcdn.net|fbcdn.com|www.fbcdn.com|s\
tatic.ak.fbcdn.net|static.ak.connect.facebook.com|connect.facebook.net|www\
.connect.facebook.net|apps.facebook.com).*\$"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=DHCPwf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
add address=192.168.70.116/24 interface=ether1 network=192.168.70.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.88.253 client-id=1:98:da:c4:ee:8:9f comment=\
"ACCESS POINT" mac-address=98:DA:C4:EE:08:9F server=DHCPwf
add address=192.168.88.245 client-id=1:98:da:c4:ee:8:42 comment=\
"ACCESS POINT" mac-address=98:DA:C4:EE:08:42 server=DHCPwf
add address=192.168.88.236 client-id=1:98:da:c4:ee:19:a comment=\
"ACCESS POINT" mac-address=98:DA:C4:EE:19:0A server=DHCPwf
add address=192.168.88.2 client-id=1:A8:DB:03:6C:7D:F0 comment=luongIT \
lease-time=10h mac-address=A8:DB:03:6C:7D:F0 server=DHCPwf
add address=192.168.88.3 client-id=1:4C:4F:EE:BB:69:52 comment=NamIT \
mac-address=4C:4F:EE:BB:69:52 server=DHCPwf
add address=192.168.88.49 client-id=1:e0:dc:ff:d4:65:73 mac-address=\
E0:DC:FF:D4:65:73 server=DHCPwf
add address=192.168.88.82 client-id=1:2c:33:61:84:37:45 mac-address=\
2C:33:61:84:37:45 server=DHCPwf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
add address=211.249.221.0/24 list=chophep
add address=www.facebook.com list=block-facebook
add address=facebook.com list=block-facebook
add address=login.facebook.com list=block-facebook
add address=www.login.facebook.com list=block-facebook
add address=fbcdn.net list=block-facebook
add address=www.fbcdn.net list=block-facebook
add address=fbcdn.com list=block-facebook
add address=www.fbcdn.com comment=www.facebook.com list=block-facebook
add address=static.ak.fbcdn.net list=block-facebook
add address=static.ak.connect.facebook.com list=block-facebook
add address=connect.facebook.net list=block-facebook
add address=www.connect.facebook.net list=block-facebook
add address=apps.facebook.com comment=www.facebook.com list=block-facebook
add address=www.youtube.com list="Block youtube"
add address=googlevideo.com list="Block youtube"
add address=110.76.141.203 comment="kakaotalk app" list=chophep
add address=ep.optrontec.com list=chophep
add address=121.53.203.203 comment="kakaotalk app" list=chophep
add address=162.158.0.0/15 list=Cloudflare
add address=173.245.48.0/20 list=Cloudflare
add address=103.21.244.0/22 list=Cloudflare
add address=103.22.200.0/22 list=Cloudflare
add address=103.31.4.0/22 list=Cloudflare
add address=141.101.64.0/18 list=Cloudflare
add address=108.162.192.0/18 list=Cloudflare
add address=190.93.240.0/20 list=Cloudflare
add address=188.114.96.0/20 list=Cloudflare
add address=197.234.240.0/22 list=Cloudflare
add address=198.41.128.0/17 list=Cloudflare
add address=104.16.0.0/12 list=Cloudflare
add address=172.64.0.0/13 list=Cloudflare
add address=131.0.72.0/22 list=Cloudflare
add address=104.101.221.0/24 list=Akamai
add address=184.51.125.0/24 list=Akamai
add address=184.51.154.0/24 list=Akamai
add address=184.51.157.0/24 list=Akamai
add address=184.51.33.0/24 list=Akamai
add address=2.16.36.0/24 list=Akamai
add address=2.16.37.0/24 list=Akamai
add address=2.22.226.0/24 list=Akamai
add address=2.22.227.0/24 list=Akamai
add address=2.22.60.0/24 list=Akamai
add address=23.15.12.0/24 list=Akamai
add address=23.15.13.0/24 list=Akamai
add address=23.209.105.0/24 list=Akamai
add address=23.62.225.0/24 list=Akamai
add address=23.74.29.0/24 list=Akamai
add address=23.79.224.0/24 list=Akamai
add address=23.79.225.0/24 list=Akamai
add address=23.79.226.0/24 list=Akamai
add address=23.79.227.0/24 list=Akamai
add address=23.79.229.0/24 list=Akamai
add address=23.79.230.0/24 list=Akamai
add address=23.79.231.0/24 list=Akamai
add address=23.79.232.0/24 list=Akamai
add address=23.79.233.0/24 list=Akamai
add address=23.79.235.0/24 list=Akamai
add address=23.79.237.0/24 list=Akamai
add address=23.79.238.0/24 list=Akamai
add address=23.79.239.0/24 list=Akamai
add address=63.208.195.0/24 list=Akamai
add address=72.246.0.0/24 list=Akamai
add address=72.246.1.0/24 list=Akamai
add address=72.246.116.0/24 list=Akamai
add address=72.246.199.0/24 list=Akamai
add address=72.246.2.0/24 list=Akamai
add address=72.246.44.0/24 list=Akamai
add address=72.247.150.0/24 list=Akamai
add address=72.247.151.0/24 list=Akamai
add address=72.247.216.0/24 list=Akamai
add address=72.247.44.0/24 list=Akamai
add address=72.247.45.0/24 list=Akamai
add address=80.67.64.0/24 list=Akamai
add address=80.67.65.0/24 list=Akamai
add address=80.67.70.0/24 list=Akamai
add address=80.67.73.0/24 list=Akamai
add address=88.221.208.0/24 list=Akamai
add address=88.221.209.0/24 list=Akamai
add address=96.6.114.0/24 list=Akamai
add address=104.64.0.0/10 list=Akamai
add address=17.0.0.0/8 list=Apple
add address=35.190.247.0/24 list=Google
add address=35.191.0.0/16 list=Google
add address=64.233.160.0/19 list=Google
add address=66.102.0.0/20 list=Google
add address=66.249.80.0/20 list=Google
add address=72.14.192.0/18 list=Google
add address=74.125.0.0/16 list=Google
add address=108.177.8.0/21 list=Google
add address=108.177.96.0/19 list=Google
add address=130.211.0.0/22 list=Google
add address=172.217.0.0/19 disabled=yes list=Google
add address=172.217.32.0/20 list=Google
add address=172.217.128.0/19 list=Google
add address=172.217.160.0/20 list=Google
add address=172.217.192.0/19 list=Google
add address=172.253.56.0/21 list=Google
add address=172.253.112.0/20 list=Google
add address=173.194.0.0/16 list=Google
add address=209.85.128.0/17 list=Google
add address=216.58.192.0/19 list=Google
add address=216.239.32.0/19 list=Google
add address=96.16.0.0/15 list=Akamai
add address=172.217.0.0/16 list=Google
add address=138.197.0.0/16 list=digitalocean
add address=207.154.192.0/18 list=digitalocean
add address=13.125.138.249 list=Amazon
add address=172.217.24.46 list=chophep
add address=113.29.141.0/24 list=chophep
add address=103.27.149.0/24 comment=kakao list=chophep
add address=113.29.160.0/19 comment=kakao list=chophep
add address=113.29.179.0/24 comment=kakao list=chophep
add address=113.29.180.0/24 comment=kakao list=chophep
add address=113.29.181.0/24 comment=kakao list=chophep
add address=113.29.184.0/24 comment=kakao list=chophep
add address=113.29.185.0/24 comment=kakao list=chophep
add address=113.29.186.0/24 comment=kakao list=chophep
add address=113.29.187.0/24 comment=kakao list=chophep
add address=203.133.160.0/19 comment=kakao list=chophep
add address=203.133.168.0/24 comment=kakao list=chophep
add address=203.133.169.0/24 comment=kakao list=chophep
add address=203.133.170.0/24 comment=kakao list=chophep
add address=203.133.171.0/24 comment=kakao list=chophep
add address=203.133.184.0/24 comment=kakao list=chophep
add address=203.133.185.0/24 comment=kakao list=chophep
add address=203.133.186.0/24 comment=kakao list=chophep
add address=203.133.187.0/24 comment=kakao list=chophep
add address=203.133.188.0/24 comment=kakao list=chophep
add address=203.133.189.0/24 comment=kakao list=chophep
add address=203.133.190.0/24 comment=kakao list=chophep
add address=203.133.191.0/24 comment=kakao list=chophep
add address=203.217.224.0/19 comment=kakao list=chophep
add address=203.217.224.0/24 comment=kakao list=chophep
add address=203.217.225.0/24 comment=kakao list=chophep
add address=203.217.226.0/24 comment=kakao list=chophep
add address=192.168.88.2 list=luongit
add address=192.168.88.3 list=luongit
add address=68.183.182.66 list=digitalocean
add address=188.166.251.171 list=digitalocean
add address=68.183.176.0/20 list=digitalocean
add address=157.240.0.0/16 list=block-facebook
add address=159.89.192.0/20 list=digitalocean
add address=178.128.48.0/20 list=digitalocean
add address=167.99.64.0/20 list=digitalocean
add address=digitalocean.com list=digitalocean
add address=159.65.0.0/16 list=digitalocean
add address=157.230.0.0/16 list=digitalocean
add address=139.59.0.0/16 list=APNIC
add address=104.248.0.0/16 list=digitalocean
add address=83.220.172.0/23 list=VIETPN
add address=83.220.168.0/21 list=VIETPN
add address=2.56.149.0/24 list=VIETPN
add address=62.216.92.0/24 list=VIETPN
add address=5.181.4.0/24 list=VIETPN
add address=128.199.192.0/18 list=digitalocean
add address=45.135.229.0/24 list=VIETPN
add address=203.217.229.0/24 comment=kakao list=chophep
add address=203.217.229.227 list=chophep
add address=92.38.149.0/24 list=VIETPN
add address=113.29.128.0/19 list=chophep
add address=110.76.140.0/22 list=chophep
add address=121.53.203.0/24 list=chophep
add address=211.231.101.0/24 list=chophep
add address=211.226.0.0/15 list=chophep
add address=203.133.178.0/24 list=chophep
add address=128.199.0.0/16 list=VIETPN
add address=38.0.0.0/8 list=VIETPN
add address=206.189.0.0/16 list=digitalocean
add address=192.168.88.49 list=luongit
add address=162.251.60.0/22 list=VIETPN
add address=178.128.96.0/24 list=digitalocean
add address=192.168.88.0/24 list=LAN
add address=192.168.70.0/24 list=70.x
add address=203.217.204.0/24 list=chophep
add address=203.246.172.0/24 list=chophep
/ip firewall filter
# Filter rules as exported. Rules are evaluated top to bottom and the first
# matching accept/drop decides. No final "drop everything else" rule exists in
# the forward chain, so a packet that matches none of the drops is forwarded.
#
# Hosts on the "luongit" list (192.168.88.2, .3 and .49 in the address-list
# section) are exempt from every forward restriction that follows.
add action=accept chain=forward src-address-list=luongit
# The only input-chain rule in this export. It has no in-interface or source
# restriction and no input drop follows it, so it restricts nothing: Winbox
# and the router's other services (DNS has allow-remote-requests=yes) stay
# reachable from the WAN side (ether1) as well as the LAN.
add action=accept chain=input comment=WINBOX dst-port=8291 protocol=tcp
# Allow-list: traffic addressed to "chophep" is accepted on any port and
# protocol. Replies from those hosts are not matched here, because their
# destination is the LAN client.
add action=accept chain=forward dst-address-list=chophep
# Drops TCP to destinations outside the allow-list, but only on ports 80, 443
# and 8080. TCP on any other port is not matched by this rule, which is the
# gap that lets tunnelled traffic through. The rule comment is Vietnamese for
# "allow kakaotalk and ep.optrontec.com".
# NOTE(review): log-prefix is set but log=yes is not shown, so presumably
# these drops are not logged - confirm.
add action=drop chain=forward comment=\
"cho phep kakaotalk va ep.optrontec.com" dst-address-list=!chophep \
dst-port=80,443,8080 log-prefix=blkk protocol=tcp
# Matches on UDP *source* port; dst-port looks like what was intended - confirm.
# The unconditional UDP drop below makes this rule redundant either way.
add action=drop chain=forward dst-address-list=!chophep protocol=udp \
src-port=80,443,8080
# Drops all remaining forwarded UDP. The same rule is listed twice; the second
# copy can never match.
add action=drop chain=forward protocol=udp
add action=drop chain=forward protocol=udp
# Output chain: drops ICMP generated by the router itself.
add action=drop chain=output protocol=icmp
# Deny-list rules. Traffic reaching this point is TCP on ports other than
# 80/443/8080 (plus non-TCP/UDP protocols), and these rules block it only for
# the listed provider ranges. A deny-list has to name every unwanted
# destination, so anything not listed still passes.
add action=drop chain=forward dst-address-list=APNIC
add action=drop chain=forward dst-address-list=digitalocean
add action=drop chain=forward comment="block google" dst-address-list=Google
add action=drop chain=forward comment="block apple" dst-address-list=Apple
add action=drop chain=forward comment="block akamai" dst-address-list=Akamai
add action=drop chain=forward comment="block clouflare" dst-address-list=\
Cloudflare log-prefix=clfare
add action=drop chain=forward comment="BLOCK FACEBOOK" dst-address-list=\
block-facebook log-prefix=blockfb
# Matches TCP by *source* port, so it acts on packets coming back from those
# ports rather than on the outgoing connection attempt.
add action=drop chain=forward comment=VPN protocol=tcp src-port=\
4500,4000,800,53
# Never reached: all forwarded UDP was already dropped above.
add action=drop chain=forward comment=VPN dst-port=4500,4000,800,53 protocol=\
udp
add action=drop chain=forward dst-address-list=VIETPN
# Disabled. No other rule in this export matches connection-state, so there is
# no "accept established,related" rule. If a final drop-all is appended without
# one, replies from allow-listed hosts would be dropped as well.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes log=yes
# Per-host blocks placed last: packets these hosts send to "chophep"
# destinations are already accepted by the allow-list rule above.
# 192.168.88.66 has no static lease in this export and sits inside the DHCP
# pool, so the address may move to another device.
add action=drop chain=forward src-address=192.168.88.82
add action=drop chain=forward src-address=192.168.88.66
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set pptp disabled=yes
/ip route
add distance=1 gateway=192.168.70.1
/ip traffic-flow
set enabled=yes interfaces=ether1
/ip traffic-flow target
add port=443 version=5
/system clock
set time-zone-name=Asia/Ho_Chi_Minh
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add interface=ether1 name=tmon1 threshold=1

We are a strange lot here, in that we dont like overly large colourful gifs, but we do like networking diagrams and configs
/export hide-sensitive file=anynameyouwish.

However to answer your question the way to do this is twofold.

a. to directly answer the question: use the “!” syntax in the rule.

So if you had a forward rule you had
add chain=forward action=drop src-address-list=!firewall_address_list_name {rest of rule}

Means drop all forward traffic from any source address that IS NOT on the firewall address list (implying that only firewall address list entries will not be dropped).

The "everything except" form is a powerful but backwards way to structure a rule, and because it matches all traffic that is not on the list it can have unexpected results.

b. Its usually better to make a clearer rule, what is allowed, AND coupled with a last rule in the forward chain that drops all other traffic!! Much easier to read IMHO.

So if you had a forward rule it would be crystal clear
add chain=forward action=accept src-address-list=firewall_address_list_name {rest of rule}
…other rules…
…last rule…
add chain=forward action=drop comment="drop all else"

If you are filtering on source addresses, don't forget to include yourself, or you will have to use MAC access to the router to manage it.

??? Hi smatter,
Are you talking Input chain or Forward chain??

I was talking source address-list. :wink:

Input would “lock” you out of the router. Forward would lock you out from the world outside the router.

BTW your avatar is donkey and not a llama who have no upper theeth. Llama was expected.

Admit, it you wanted to say ASS… :wink:

Assertive?

The OCALC has denounced your comments and a lawsuit is pending ( Official Camelide Association Llama Chapter) pertaining to the mis-characterization of a Llama as a jackass. Although older llamas that have been living on the streets and having a rough life, may very much look like Equidae family members, the gross error cannot go unpunished.

It’s the end of days when people are configuring their routers entirely with a mobile phone.

Thanks,
This is my config, i using “a” solution, but they can using VPN app to pass this rule.
When i try “b” solution, all connection is Drop, included Address list.

# sep/12/2020 07:57:08 by RouterOS 6.45.9
# software id =
#
# model = RB750Gr3
# serial number = 
/interface bridge
add admin-mac=C4:AD:34:AC:17:F6 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name=blockface regexp="^.+(www.facebook.com|facebook.com|login.facebook.co\
    m|www.login.facebook.com|fbcdn.net|www.fbcdn.net|fbcdn.com|www.fbcdn.com|s\
    tatic.ak.fbcdn.net|static.ak.connect.facebook.com|connect.facebook.net|www\
    .connect.facebook.net|apps.facebook.com).*\$"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=DHCPwf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
add address=192.168.70.116/24 interface=ether1 network=192.168.70.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.88.253 client-id=1:98:da:c4:ee:8:9f comment=\
    "ACCESS POINT" mac-address=98:DA:C4:EE:08:9F server=DHCPwf
add address=192.168.88.245 client-id=1:98:da:c4:ee:8:42 comment=\
    "ACCESS POINT" mac-address=98:DA:C4:EE:08:42 server=DHCPwf
add address=192.168.88.236 client-id=1:98:da:c4:ee:19:a comment=\
    "ACCESS POINT" mac-address=98:DA:C4:EE:19:0A server=DHCPwf
add address=192.168.88.2 client-id=1:A8:DB:03:6C:7D:F0 comment=luongIT \
    lease-time=10h mac-address=A8:DB:03:6C:7D:F0 server=DHCPwf
add address=192.168.88.3 client-id=1:4C:4F:EE:BB:69:52 comment=NamIT \
    mac-address=4C:4F:EE:BB:69:52 server=DHCPwf
add address=192.168.88.49 client-id=1:e0:dc:ff:d4:65:73 mac-address=\
    E0:DC:FF:D4:65:73 server=DHCPwf
add address=192.168.88.82 client-id=1:2c:33:61:84:37:45 mac-address=\
    2C:33:61:84:37:45 server=DHCPwf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
add address=211.249.221.0/24 list=chophep
add address=www.facebook.com list=block-facebook
add address=facebook.com list=block-facebook
add address=login.facebook.com list=block-facebook
add address=www.login.facebook.com list=block-facebook
add address=fbcdn.net list=block-facebook
add address=www.fbcdn.net list=block-facebook
add address=fbcdn.com list=block-facebook
add address=www.fbcdn.com comment=www.facebook.com list=block-facebook
add address=static.ak.fbcdn.net list=block-facebook
add address=static.ak.connect.facebook.com list=block-facebook
add address=connect.facebook.net list=block-facebook
add address=www.connect.facebook.net list=block-facebook
add address=apps.facebook.com comment=www.facebook.com list=block-facebook
add address=www.youtube.com list="Block youtube"
add address=googlevideo.com list="Block youtube"
add address=110.76.141.203 comment="kakaotalk app" list=chophep
add address=ep.optrontec.com list=chophep
add address=121.53.203.203 comment="kakaotalk app" list=chophep
add address=162.158.0.0/15 list=Cloudflare
add address=173.245.48.0/20 list=Cloudflare
add address=103.21.244.0/22 list=Cloudflare
add address=103.22.200.0/22 list=Cloudflare
add address=103.31.4.0/22 list=Cloudflare
add address=141.101.64.0/18 list=Cloudflare
add address=108.162.192.0/18 list=Cloudflare
add address=190.93.240.0/20 list=Cloudflare
add address=188.114.96.0/20 list=Cloudflare
add address=197.234.240.0/22 list=Cloudflare
add address=198.41.128.0/17 list=Cloudflare
add address=104.16.0.0/12 list=Cloudflare
add address=172.64.0.0/13 list=Cloudflare
add address=131.0.72.0/22 list=Cloudflare
add address=104.101.221.0/24 list=Akamai
add address=184.51.125.0/24 list=Akamai
add address=184.51.154.0/24 list=Akamai
add address=184.51.157.0/24 list=Akamai
add address=184.51.33.0/24 list=Akamai
add address=2.16.36.0/24 list=Akamai
add address=2.16.37.0/24 list=Akamai
add address=2.22.226.0/24 list=Akamai
add address=2.22.227.0/24 list=Akamai
add address=2.22.60.0/24 list=Akamai
add address=23.15.12.0/24 list=Akamai
add address=23.15.13.0/24 list=Akamai
add address=23.209.105.0/24 list=Akamai
add address=23.62.225.0/24 list=Akamai
add address=23.74.29.0/24 list=Akamai
add address=23.79.224.0/24 list=Akamai
add address=23.79.225.0/24 list=Akamai
add address=23.79.226.0/24 list=Akamai
add address=23.79.227.0/24 list=Akamai
add address=23.79.229.0/24 list=Akamai
add address=23.79.230.0/24 list=Akamai
add address=23.79.231.0/24 list=Akamai
add address=23.79.232.0/24 list=Akamai
add address=23.79.233.0/24 list=Akamai
add address=23.79.235.0/24 list=Akamai
add address=23.79.237.0/24 list=Akamai
add address=23.79.238.0/24 list=Akamai
add address=23.79.239.0/24 list=Akamai
add address=63.208.195.0/24 list=Akamai
add address=72.246.0.0/24 list=Akamai
add address=72.246.1.0/24 list=Akamai
add address=72.246.116.0/24 list=Akamai
add address=72.246.199.0/24 list=Akamai
add address=72.246.2.0/24 list=Akamai
add address=72.246.44.0/24 list=Akamai
add address=72.247.150.0/24 list=Akamai
add address=72.247.151.0/24 list=Akamai
add address=72.247.216.0/24 list=Akamai
add address=72.247.44.0/24 list=Akamai
add address=72.247.45.0/24 list=Akamai
add address=80.67.64.0/24 list=Akamai
add address=80.67.65.0/24 list=Akamai
add address=80.67.70.0/24 list=Akamai
add address=80.67.73.0/24 list=Akamai
add address=88.221.208.0/24 list=Akamai
add address=88.221.209.0/24 list=Akamai
add address=96.6.114.0/24 list=Akamai
add address=104.64.0.0/10 list=Akamai
add address=17.0.0.0/8 list=Apple
add address=35.190.247.0/24 list=Google
add address=35.191.0.0/16 list=Google
add address=64.233.160.0/19 list=Google
add address=66.102.0.0/20 list=Google
add address=66.249.80.0/20 list=Google
add address=72.14.192.0/18 list=Google
add address=74.125.0.0/16 list=Google
add address=108.177.8.0/21 list=Google
add address=108.177.96.0/19 list=Google
add address=130.211.0.0/22 list=Google
add address=172.217.0.0/19 disabled=yes list=Google
add address=172.217.32.0/20 list=Google
add address=172.217.128.0/19 list=Google
add address=172.217.160.0/20 list=Google
add address=172.217.192.0/19 list=Google
add address=172.253.56.0/21 list=Google
add address=172.253.112.0/20 list=Google
add address=173.194.0.0/16 list=Google
add address=209.85.128.0/17 list=Google
add address=216.58.192.0/19 list=Google
add address=216.239.32.0/19 list=Google
add address=96.16.0.0/15 list=Akamai
add address=172.217.0.0/16 list=Google
add address=138.197.0.0/16 list=digitalocean
add address=207.154.192.0/18 list=digitalocean
add address=13.125.138.249 list=Amazon
add address=172.217.24.46 list=chophep
add address=113.29.141.0/24 list=chophep
add address=103.27.149.0/24 comment=kakao list=chophep
add address=113.29.160.0/19 comment=kakao list=chophep
add address=113.29.179.0/24 comment=kakao list=chophep
add address=113.29.180.0/24 comment=kakao list=chophep
add address=113.29.181.0/24 comment=kakao list=chophep
add address=113.29.184.0/24 comment=kakao list=chophep
add address=113.29.185.0/24 comment=kakao list=chophep
add address=113.29.186.0/24 comment=kakao list=chophep
add address=113.29.187.0/24 comment=kakao list=chophep
add address=203.133.160.0/19 comment=kakao list=chophep
add address=203.133.168.0/24 comment=kakao list=chophep
add address=203.133.169.0/24 comment=kakao list=chophep
add address=203.133.170.0/24 comment=kakao list=chophep
add address=203.133.171.0/24 comment=kakao list=chophep
add address=203.133.184.0/24 comment=kakao list=chophep
add address=203.133.185.0/24 comment=kakao list=chophep
add address=203.133.186.0/24 comment=kakao list=chophep
add address=203.133.187.0/24 comment=kakao list=chophep
add address=203.133.188.0/24 comment=kakao list=chophep
add address=203.133.189.0/24 comment=kakao list=chophep
add address=203.133.190.0/24 comment=kakao list=chophep
add address=203.133.191.0/24 comment=kakao list=chophep
add address=203.217.224.0/19 comment=kakao list=chophep
add address=203.217.224.0/24 comment=kakao list=chophep
add address=203.217.225.0/24 comment=kakao list=chophep
add address=203.217.226.0/24 comment=kakao list=chophep
add address=192.168.88.2 list=luongit
add address=192.168.88.3 list=luongit
add address=68.183.182.66 list=digitalocean
add address=188.166.251.171 list=digitalocean
add address=68.183.176.0/20 list=digitalocean
add address=157.240.0.0/16 list=block-facebook
add address=159.89.192.0/20 list=digitalocean
add address=178.128.48.0/20 list=digitalocean
add address=167.99.64.0/20 list=digitalocean
add address=digitalocean.com list=digitalocean
add address=159.65.0.0/16 list=digitalocean
add address=157.230.0.0/16 list=digitalocean
add address=139.59.0.0/16 list=APNIC
add address=104.248.0.0/16 list=digitalocean
add address=83.220.172.0/23 list=VIETPN
add address=83.220.168.0/21 list=VIETPN
add address=2.56.149.0/24 list=VIETPN
add address=62.216.92.0/24 list=VIETPN
add address=5.181.4.0/24 list=VIETPN
add address=128.199.192.0/18 list=digitalocean
add address=45.135.229.0/24 list=VIETPN
add address=203.217.229.0/24 comment=kakao list=chophep
add address=203.217.229.227 list=chophep
add address=92.38.149.0/24 list=VIETPN
add address=113.29.128.0/19 list=chophep
add address=110.76.140.0/22 list=chophep
add address=121.53.203.0/24 list=chophep
add address=211.231.101.0/24 list=chophep
add address=211.226.0.0/15 list=chophep
add address=203.133.178.0/24 list=chophep
add address=128.199.0.0/16 list=VIETPN
add address=38.0.0.0/8 list=VIETPN
add address=206.189.0.0/16 list=digitalocean
add address=192.168.88.49 list=luongit
add address=162.251.60.0/22 list=VIETPN
add address=178.128.96.0/24 list=digitalocean
add address=192.168.88.0/24 list=LAN
add address=192.168.70.0/24 list=70.x
add address=203.217.204.0/24 list=chophep
add address=203.246.172.0/24 list=chophep
/ip firewall filter
# Filter rules as exported. Rules are evaluated top to bottom and the first
# matching accept/drop decides. No final "drop everything else" rule exists in
# the forward chain, so a packet that matches none of the drops is forwarded.
#
# Hosts on the "luongit" list (192.168.88.2, .3 and .49 in the address-list
# section) are exempt from every forward restriction that follows.
add action=accept chain=forward src-address-list=luongit
# The only input-chain rule in this export. It has no in-interface or source
# restriction and no input drop follows it, so it restricts nothing: Winbox
# and the router's other services (DNS has allow-remote-requests=yes) stay
# reachable from the WAN side (ether1) as well as the LAN.
add action=accept chain=input comment=WINBOX dst-port=8291 protocol=tcp
# Allow-list: traffic addressed to "chophep" is accepted on any port and
# protocol. Replies from those hosts are not matched here, because their
# destination is the LAN client.
add action=accept chain=forward dst-address-list=chophep
# Drops TCP to destinations outside the allow-list, but only on ports 80, 443
# and 8080. TCP on any other port is not matched by this rule, which is the
# gap that lets tunnelled traffic through. The rule comment is Vietnamese for
# "allow kakaotalk and ep.optrontec.com".
# NOTE(review): log-prefix is set but log=yes is not shown, so presumably
# these drops are not logged - confirm.
add action=drop chain=forward comment=\
    "cho phep kakaotalk va ep.optrontec.com" dst-address-list=!chophep \
    dst-port=80,443,8080 log-prefix=blkk protocol=tcp
# Matches on UDP *source* port; dst-port looks like what was intended - confirm.
# The unconditional UDP drop below makes this rule redundant either way.
add action=drop chain=forward dst-address-list=!chophep protocol=udp \
    src-port=80,443,8080
# Drops all remaining forwarded UDP. The same rule is listed twice; the second
# copy can never match.
add action=drop chain=forward protocol=udp
add action=drop chain=forward protocol=udp
# Output chain: drops ICMP generated by the router itself.
add action=drop chain=output protocol=icmp
# Deny-list rules. Traffic reaching this point is TCP on ports other than
# 80/443/8080 (plus non-TCP/UDP protocols), and these rules block it only for
# the listed provider ranges. A deny-list has to name every unwanted
# destination, so anything not listed still passes.
add action=drop chain=forward dst-address-list=APNIC
add action=drop chain=forward dst-address-list=digitalocean
add action=drop chain=forward comment="block google" dst-address-list=Google
add action=drop chain=forward comment="block apple" dst-address-list=Apple
add action=drop chain=forward comment="block akamai" dst-address-list=Akamai
add action=drop chain=forward comment="block clouflare" dst-address-list=\
    Cloudflare log-prefix=clfare
add action=drop chain=forward comment="BLOCK FACEBOOK" dst-address-list=\
    block-facebook log-prefix=blockfb
# Matches TCP by *source* port, so it acts on packets coming back from those
# ports rather than on the outgoing connection attempt.
add action=drop chain=forward comment=VPN protocol=tcp src-port=\
    4500,4000,800,53
# Never reached: all forwarded UDP was already dropped above.
add action=drop chain=forward comment=VPN dst-port=4500,4000,800,53 protocol=\
    udp
add action=drop chain=forward dst-address-list=VIETPN
# Disabled. No other rule in this export matches connection-state, so there is
# no "accept established,related" rule. If a final drop-all is appended without
# one, replies from allow-listed hosts are dropped as well, which would look
# like every connection failing, allow-listed destinations included.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes log=yes
# Per-host blocks placed last: packets these hosts send to "chophep"
# destinations are already accepted by the allow-list rule above.
# 192.168.88.66 has no static lease in this export and sits inside the DHCP
# pool, so the address may move to another device.
add action=drop chain=forward src-address=192.168.88.82
add action=drop chain=forward src-address=192.168.88.66
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set pptp disabled=yes
/ip route
add distance=1 gateway=192.168.70.1
/ip traffic-flow
set enabled=yes interfaces=ether1
/ip traffic-flow target
add port=443 version=5
/system clock
set time-zone-name=Asia/Ho_Chi_Minh
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add interface=ether1 name=tmon1 threshold=1

somebody help!!!

What do you mean THEY.
What do you mean by VPN
WHat do you mean by bypass… what is being bypassed.

and in the above questions dont mention anything to do with the router or configuration speak in terms of what users are doing.
What are the requirements, without talking about the router or its config.


In the meantime not sure this will work but…
What you need to do is block certain IPs from internet access altogether.
Find which devices are those breaking your rules.
Give them static IPs (static leases) on your DHCP server,
then add these IPs to an address list; call it bad_users.

Then in your firewall rules forward chain
add chain=forward action=drop in-interface-list=LAN out-interface-list=WAN src-address-list=bad_users

This should block them from any internet access.
There is no reliable way to block individual sites from users anymore, as they can use HTTPS or third-party VPNs etc…
http://forum.mikrotik.com/t/blocking-facebook-tiktok-and-other-websites/142972/1