How do I block pornographic images in my RB?

So either way

  1. one has to pay $$ for a physical device that sits on the network somewhere
  2. one has to pay a monthly fee $$ for the service.

It looks rather complex, have you managed to figure out how to place inline in a bridge with common vlan filtering setups??

I have not done this using MikroTik Routers … I have done this for a number of families using Ubiquiti EdgeRouter-X and Untangle … To prevent porn some families will pay the price without hesitation but most of these are well-to-do families. It's not complicated once you learn how … yes it takes time to learn and I do not believe that RB devices would be a problem since they are extensible.

My recommended approach using Untangle is to use it in Router Mode because that would be the KISS approach … Untangle works really well when it is installed in a machine that has plenty of memory for cache and a very fast processor [3Ghz minimum] and SSD for storage assuming performance is desirable because “content filtering” puts a heavy load on the system.

Can this block porn when you do a google search for “sex nude” and search filter is turned off?
How should Untangle see the difference between a search for “Nasa” and one for “sex”?

The Untangle admin will never turn Web Filter off, the level of sophistication is significant:

https://wiki.untangle.com/index.php/Web_Filter

Web Filter monitors HTTP and HTTPS traffic on your network to filter and log web activities and block inappropriate content. Web Filter also appeals to customers who require an added level of protection or are subject to regulations (for example, Web Filter helps libraries comply with the Children’s Internet Protection Act). Need to block Pornography or Hate Speech on your network?

Traffic Flow
When scanning traffic, Web Filter evaluates the pass lists, block lists, categories, and rules at two distinct points of the HTTP transaction. The first evaluation happens after the request is received from the client and before it is forwarded to the server. The second is after the response is received from the server and before it is passed back to the client. This allows a high degree of filtering and control over both resources that are requested, and content that is returned in response.

The Link above provides excellent additional information

So this solution does not work if you do not have 100% control of all clients in the network.

PaloAlto and Forcepoint (and others) also have solutions that change the certificate and examine all the packets to see what's inside.
But this is for corporate networks where there are admins that have control of the PC.

Untangle does not help with “How do I block pornographic images in my RB?”

I say that blocking porn is a battle that is very hard to win.

No I don't think that is what is being said… we are talking about implementation NOT on individual PCs jotne!!

So untangle will help here? (I have not looked at it)

Yes but you have to buy an untangle box and put it as your router or inline on the LAN as a conduit to the WAN, and you have to pay a monthly fee.
So not cheap.

And this will open google search (https/quic) packets and block search for “sex nude”?
How can I then trust https?

I can understand how this can block sites, but not some part of data from a site.
It will not help the OP, who would like to do it with an MT router.

Untangle can also do man-in-the-middle SSL decryption and re-encryption, like Palo Alto and Fortinet devices. You have to trust the certificate of course in order for this to work properly without throwing scary errors to the user.

So then you need to have control of the clients (PC/Phone ++++). Not for any home/small business network.
And for home network, kids just connect to mobile network if you start to block anything.

In all of my Untangle installations none of the families permit their children to have cell phones. Yes it is strictly enforced because those families understand the environment. Untangle is very effective.

I guess they don’t permit their children to have friends either? Because if they do, the whole thing is in vain. :wink:

True, better to educate than to deny because deny doesn't work in our society especially if you have money.

Best words so far in this thread.


Also a good comment :slight_smile: Friends share their mobile net.


How old are your children and what country are you in?
Here in northern Europe, most 7-year-olds have their own cell phone.

Understand the code and apply changes if needed. 1.1.1.2 disables just malware.

```
###### Disable Malware and Adult Content using Cloudflare DNS: https://blog.cloudflare.com/introducing-1-1-1-1-for-families/
/ip dhcp-client set [ find interface=ether1 ] use-peer-dns=no
/ipv6 dhcp-client set [ find interface=ether1 ] use-peer-dns=no
# disable malware and adult content
/ip dns set allow-remote-requests=yes servers=1.1.1.3,1.0.0.3,2606:4700:4700::1113,2606:4700:4700::1003
/ip dns cache flush
```

This will help some.
Problem is that you can set your own DNS (that could be redirected using rules to your DNS)
Some clients are using DoH/DoT and will not use normal DNS server at all. (example iOS >=14)
https://paulmillr.com/posts/encrypted-dns/

Yes, any fresh OS and browser is able to do DoH. I’ve successfully used deterrence for this, by announcing that porn is blocked with additional rules to automatically block out any device that tries to get past the restriction. It works, no technical blocking rules needed if users believe :wink:

Can you explain how this is done? Can it be done on RouterOS?

I am not sure how to block this without having 100% control of the clients.
You can set up as many DoH servers as you like on the internet. Since these are https packets, I do not see how you can block them without opening the https packets and inspecting them. Hence, not doable on RouterOS.
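
The DNS redirect and the "flag any device that tries to get past the restriction" idea mentioned in the posts above, sketched for RouterOS as an added example that is not from any poster in this thread. It assumes an interface list named `LAN` (as in the RouterOS default configuration), IPv4 only, and that the router's own resolver is already enabled and pointed at a filtering upstream as in the script above; the list name `dns-bypass` and the timeout are made up for illustration. It covers plain DNS (port 53) and DNS-over-TLS (tcp/853) only; DoH on port 443 looks like any other HTTPS and is not touched by these rules.

```routeros
# Added example, not from the thread. Assumptions: interface list "LAN" exists,
# IPv4 only, /ip dns allow-remote-requests=yes is set and the input chain
# accepts DNS from LAN (the default configuration does).

# 1. Redirect plain DNS from LAN clients to the router's resolver,
#    whatever DNS server the client has configured itself.
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="force DNS via router (udp)"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="force DNS via router (tcp)"

# 2. Record every LAN device that attempts DNS-over-TLS, then reject the attempt.
#    The entry expires after one day (hypothetical value).
/ip firewall filter
add chain=forward in-interface-list=LAN protocol=tcp dst-port=853 \
    action=add-src-to-address-list address-list=dns-bypass \
    address-list-timeout=1d comment="flag DoT attempt"
add chain=forward in-interface-list=LAN protocol=tcp dst-port=853 \
    action=reject reject-with=tcp-reset comment="block DoT"

# 3. Optional deterrent, added disabled: drop new connections from flagged
#    devices until their list entry expires. Rules are appended to the end of
#    the chain; move them above any rule that would accept this traffic first.
add chain=forward src-address-list=dns-bypass action=drop disabled=yes \
    comment="cut off flagged devices"

# Review which devices were flagged:
# /ip firewall address-list print where list=dns-bypass
```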

What is the ultimate goal here? If the person is able to configure DoH, maybe he is also free to watch his pr0n ? I don’t think children will use DoH.