I received a (dynamic) 1Gbit/s internet link in each building, but as a standard of the institution I need to block entertainment sites and social networks. Each building has a CRS125, I tried to block it by dropping the dynamic domains I added to the address list, but the device is at 100% with two machines connected and stops everything when I put it in the buildings (between 10 and 100 devices). What is the correct device for this? Is there another not-so-expensive way to get the same result? It doesn’t have Active Directory. I’m carrying the IT sector with everything I can and I really need your help!!! 
Not sure what you need to accomplish will be possible with MT devices.
Suggesting DNS services from 3rd party maybe??
Webroot, Webtitan, cisco umbrella …
CRS125 is a… Router Switch, not a Core Router, has very limited routing functionality for management.
You can’t use it as firewall filter or all traffic pass trought cpu and all stop working.
The max speed of the only 600MHz CPU with only 128Mbit RAM, if is used as firewall filter is around 30Mbps max
Also used as access devices for the building clients is wrong.
How does it works??? It’s the best way to block sites??
Thank you very very much! I have no experience with MikroTik, these devices were already where I work. A CCR is very expensive, we are unable to buy one for each building, I need a cheaper solution, if you know 
You must use one CCR1036-12G-4S, using CRS as plain managed switch, for have 1Gbits bi-directional with queue and filters,
or CCR2004-16G-2S+, using CRS as plain managed switch, but have less power and with many queue and filters can reach max 1Gbits as sum of both directions.
Less spent = Less power = useless 1Gbit/s
I think you need to look at controlling DNS resolution. (eg. Pihole)
Then on the Mikrotik DROP anything trying NOT to use your designated DNS-resolvers and/or “intercept” DNS lookups and deliver them to the Pihole (or equivalent)
On Pi-hole you can “blacklist” whatever you want *.facebook.com .youtube. etc,etc.
The problem still the CRS125 involved.
Using anything that force the packet inspection (like force the DNS) deplete all CPU power…
I did it, thanks bro! But the CRS can’t handle almost anything but switching 
I public department, we spend less than U$20 per 1Gbps link, but we don’t have money to buy lots of CCR, I live in Brazil, one CCR costs the same as an good car..
Sorry, I understand.
You dont really need a CCR, a RB4011 will run circles around the CRS125 without breaking a sweat
Awesome man! 
it’s really powerful and we probably can afford it! But what about DNS services like Cisco Umbrella or Cloudflare, etc?
CZfan should the OP look at the new 5009 its in the same ballpark $wise but seems to be more powerful ???
For me personally, the jury is not out yet on the 5009, so for a production box, with only ROS 7 which is not out yet either, don’t think so
Yep, I couldn’t found here to buy, but the performance seems to be the same.. Ok so, it’s sure that this RB4011 can do what I need?! (Read the address list and drop the packets to domains?) What you guys think about paid DNS services, like dnsfilter or cisco umbrella?
Understood the risk aspect…
I was comparing components and test results that are available…
64bit vs 32 bit (thats huge)
1gig NAND to 512 NAND, not insignificant
3 less gig ports than RB4011 (7 vice 10)
1x 2.5 gb port (none on RB4011) may be a positive factor for direct gpon connections to ISPs ???
Funnily enough, they are close enough on ethernet throughput so that one is not all that different from the other.
Would be good to have ipsec results for RB5009 (missing).
Here are some more facts but I dont have the acumen to state why one is better than another.
RB5009 - Marvell Amethyst family switch-chip with a 10 Gbps full-duplex line leading to the Marvell Armada Quad-core ARMv8 1.4 GHz CPU.
RB4011 - The RB4011 uses a quad core Cortex A15 CPU with two realtek 2.5gb switches
They state the 5009 was developed with advice/consultation from users.
So I guess the RB4011 was deficient in some way???
DNS won’t work right either unless you control the config of the connected clients.
Reason is DNS over HTTPS. It is more or less default on now and that means that the client will only one unencrypted question and that is to the DoH service unless you use cloud flare which is based on IP.
If you also control the connected client you can block use of DoH.
Thank you, what do you recommend me?
So this is a hard one. You can buy a DNS service, I use NextDNS, where you can force the clients to use it and block other service via blocking the DNS name. For example blocking dns.google.com meaning it will not resolve and will not work. But this will be a constant struggle to maintain.
What is the main purpose of this block? Is it to lower bandwidth consumption? As in that case using queues might be better?