Ah. I see your layer7 filter is too broad.
The reason this works is that your layer7 rule matches the contents of the DNS packet (same as in the 1st HTTPS solution), so it blocks those, in turn rendering the site blocked... And it should also block any HTTP page that mentions "facebook.com" within its first 2KB of content (including HTTP headers!), or block logins to FTP sites where you have a file containing the name "facebook.com" within your root folder, etc.
If you were to instead match "Host: facebook.com", the rule would not work through Google's HTTPS links.
To double check that yourself, disable the filter for a moment, go to facebook.com, check out your router's DNS cache (in "/ip dns cache"), and add to your "hosts" file the IP of facebook.com. Then reenable the rule, clear your browser cache, and see how the HTTPS links now "magically" work again, despite the rule (because no DNS query is performed now).
Last edited by boen_robot
on Sun Jun 21, 2015 11:08 pm, edited 3 times in total.
(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)