http://wiki.mikrotik.com/wiki/Block_Download_Extention_With_Firewall_Filter_-_mp3_,_exe_,_ …
In this tutorial ..
Firewall Filter
Chain : Forward
Protocol : TCP
Port : 80,443
Content : Facebook
Action : Drop
but there is no option for content…
In that situation, the "content" is anything in the headers that you can find. In this case, it finds "Facebook" in the address or URL. Very limited with HTTPS.
You can also use Layer7 protocols to filter out almost anything, that is not encrypted.
A word of advice. If you are filtering Facebook, use NAT instead to redirect the Facebook connection to a local server that will serve a page. Far too many sites and services depend on making a connection to FB now. In my case, a time clock web interface. It takes up to 60 seconds to load if it can not connect to FB. Using NAT tricks it into thinking FB is just not logged in.
Hi Everybody,
We are required to block social media apps without a web proxy. I have tested by configuring the router with the L7 protocol and RegExp method. Websites are being blocked, but the issue is with the applications. Would anyone please suggest how to block social media applications like Facebook and YouTube? Kind responses in this regard will be highly appreciated.
Here is my configuration:
/interface bridge
add name=All
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name="Facebook Block" regexp="^.+(www.facebook.com|facebook.com|login.facebook.com|www.login.facebook.com|fbcdn.net|www.fbcdn.net|fbcdn.com|www.fbcdn.com|static.ak.fbcdn.net|static.ak.connect.facebook.com|connect.facebook.net|www.connect.facebook.net|apps.facebook.com|m.facebook.com|facebook).*\$"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool2 ranges=192.168.88.2-192.168.88.126
add name=dhcp_pool3 ranges=192.168.88.2-192.168.88.126
/ip dhcp-server
add address-pool=dhcp_pool3 disabled=no interface=All name=dhcp1
/interface bridge port
add bridge=All interface=ether2
add bridge=All interface=ether3
add bridge=All interface=ether4
add bridge=All interface=ether5
/ip address
add address=103.244.135.0/24 interface=ether1 network=103.244.135.2
add address=192.168.88.1/25 interface=All network=192.168.88.0
/ip dhcp-server network
add address=192.168.88.0/25 gateway=192.168.88.1
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=185.26.26.100,8.8.8.8
/ip dns static
add address=127.0.0.1 comment=Facebook name=facebook.com
add address=127.0.0.1 name=m.facebook.com
/ip firewall filter
add action=drop chain=forward comment="Block Facebook" connection-mark=Facebook_conn dst-port=443 in-interface=All layer7-protocol="Facebook Block" log=yes log-prefix=">>Block Facebook" out-interface=ether1 protocol=tcp src-address-list=""
add action=drop chain=forward comment="Facebook_IPs _For Mikro" connection-limit=100,32 connection-mark=Facebook_conn content=facebook disabled=yes dst-address=157.240.7.35 in-interface=ether1 layer7-protocol="Facebook Block" out-interface=All src-address=192.168.88.3
add action=drop chain=forward comment=Facebook_IPs_ForWifi connection-mark=Facebook_conn disabled=yes dst-address=157.240.7.35 in-interface=All layer7-protocol="Facebook Block" out-interface=ether1 src-address=192.168.1.0/24
add action=reject chain=forward comment=Facebook_preroute connection-mark=Facebook_pre disabled=yes dst-port=80,553 in-interface=ether1 layer7-protocol="Facebook Block" out-interface=All protocol=tcp reject-with=icmp-network-unreachable
/ip firewall mangle
add action=mark-connection chain=postrouting comment=post_routing layer7-protocol="Facebook Block" new-connection-mark=Facebook_conn passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment=DNS_TCP dst-port=53 in-interface=All protocol=tcp to-addresses=192.168.88.1 to-ports=53
add action=dst-nat chain=dstnat comment=DNS_UDP dst-port=53 in-interface=All protocol=udp to-addresses=192.168.88.1 to-ports=53
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=103.244.135.2
add distance=1 dst-address=127.0.0.1/32 type=blackhole
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Dubai
/system routerboard settings
set boot-os=router-os
[admin@MikroTik] >
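To see what the posted layer7 regexp does and does not catch, here is an added Python model (not from the thread, not RouterOS code) that applies that exact pattern to constructed samples: a plaintext HTTP request, a TLS ClientHello carrying an SNI host name, and an encrypted TLS record. The 2 KiB inspection window and case-insensitive matching are taken from the RouterOS manual's description of the layer7 matcher; the sample hosts ending in .example are constructed. It also shows the side effect of the unescaped dots and the bare `facebook` alternative, which make unrelated hosts match as well.

```python
import re

# Regexp exactly as it appears in the poster's /ip firewall layer7-protocol
# export (the export writes '$' as '\$'; the matcher sees a plain '$').
# Note the unescaped dots: each '.' is a wildcard, not a literal dot.
FACEBOOK_BLOCK = (
    r"^.+(www.facebook.com|facebook.com|login.facebook.com|www.login.facebook.com"
    r"|fbcdn.net|www.fbcdn.net|fbcdn.com|www.fbcdn.com|static.ak.fbcdn.net"
    r"|static.ak.connect.facebook.com|connect.facebook.net|www.connect.facebook.net"
    r"|apps.facebook.com|m.facebook.com|facebook).*$"
)

# RouterOS layer7 matching is case-insensitive and only inspects the first
# 10 packets / 2 KiB of a connection (RouterOS manual); modelled here as a
# search over the first 2048 payload bytes.
L7_WINDOW = 2048
_PATTERN = re.compile(FACEBOOK_BLOCK.encode(), re.IGNORECASE | re.DOTALL)

def l7_matches(payload: bytes) -> bool:
    """True if the layer7 rule would classify this connection's payload."""
    return _PATTERN.search(payload[:L7_WINDOW]) is not None

def http_request(host: str) -> bytes:
    """Constructed plaintext HTTP/1.1 request as seen on port 80."""
    return f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()

def tls_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS ClientHello with a server_name extension.
    The SNI host is the only clear-text name on port 443; everything after
    the handshake is encrypted, which is why HTTPS content filtering is
    so limited."""
    name = sni.encode()
    sni_list = b"\x00" + len(name).to_bytes(2, "big") + name      # host_name entry
    ext = len(sni_list).to_bytes(2, "big") + sni_list
    sni_ext = b"\x00\x00" + len(ext).to_bytes(2, "big") + ext      # extension type 0
    body = (b"\x03\x03" + bytes(32)          # client_version + random
            + b"\x00"                        # empty session id
            + b"\x00\x02\x13\x01"            # one cipher suite
            + b"\x01\x00"                    # null compression only
            + len(sni_ext).to_bytes(2, "big") + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

def encrypted_record(n: int = 512) -> bytes:
    """Constructed TLS application-data record: opaque bytes, nothing to match."""
    return b"\x17\x03\x03" + n.to_bytes(2, "big") + bytes(range(256)) * (n // 256)
```

Running `l7_matches` over these samples shows the HTTP Host header and the SNI name both match, the encrypted record never can, and `fbcdn-net.example` or `facebookfans.example.org` are caught by the rule too.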
Jotne
June 5, 2020, 5:48am
You have an error in your config. These three pools are overlapping or duplicate. I guess you only need the first line.
It is somewhat strange to name the bridge "ALL", but it should work.
Thank you Jotne for your time and spotting the error.