bobin56
just joined
Topic Author
Posts: 4
Joined: Fri Sep 16, 2016 12:57 pm
Location: Dae-es-salaam

Block Play Store / Android Updates

Fri Oct 28, 2016 10:47 am

Hello guys,
I am new to MikroTik and my boss asked me to create a rule that will block access to the Play Store and also disable Android updates for users on the office network. For the Play Store, I tried a layer-7 protocol with a regular expression of ^.+(play.google.com).*$, but it only blocks the Play Store on the web, not on Android devices. For Android updates, I applied a filter rule to drop connections on UDP and TCP port 5228, but I can still update and download apps. I went further and applied static DNS on play.google.com, with no luck on the app side. Is it possible to block Android updates / Play Store with MikroTik? If so, any help will be appreciated. Thanks :-)
 
Delte
just joined
Posts: 23
Joined: Tue Oct 25, 2016 3:18 pm

Re: Block Play Store / Android Updates

Fri Oct 28, 2016 2:26 pm

You can try OpenDNS configured with MikroTik. It's a great combination.
 
bobin56
just joined
Topic Author
Posts: 4
Joined: Fri Sep 16, 2016 12:57 pm
Location: Dae-es-salaam

Re: Block Play Store / Android Updates

Fri Oct 28, 2016 2:33 pm

> You can try OpenDNS configured with MikroTik. It's a great combination.

Hi Delte, thanks for your answer. I can try OpenDNS, but the problem is that I am developing software using the MikroTik API, so the client won't be happy to use another piece of software like OpenDNS. Can you achieve this solely on MikroTik? Thanks again :-)
 
kivimart
Frequent Visitor
Posts: 54
Joined: Thu Oct 10, 2013 3:06 pm

Re: Block Play Store / Android Updates

Fri Oct 28, 2016 3:23 pm

Try this Layer7 protocol

/ip firewall layer7-protocol
add name=GOOGLEAPPS regexp="^.*(apqxgv.*gvt)"
 
bobin56
just joined
Topic Author
Posts: 4
Joined: Fri Sep 16, 2016 12:57 pm
Location: Dae-es-salaam
Contact:

Re: Block Play Store / Android Updates

Fri Oct 28, 2016 4:16 pm

> Try this Layer7 protocol
>
> /ip firewall layer7-protocol
> add name=GOOGLEAPPS regexp="^.*(apqxgv.*gvt)"

Hi Kivimart, unfortunately this does not work. Thanks for helping tho :-)
 
amobasher
newbie
Posts: 31
Joined: Sun Jul 06, 2014 3:19 pm

Re: Block Play Store / Android Updates

Sat Oct 29, 2016 5:02 pm

Try this Layer7 protocol

/ip firewall layer7-protocol
add name=Google_PlayStore regexp=^.+(android.clients.google.com).*$


Note: for some unknown reason this protocol will block YouTube as well!

Also, you can try this protocol if the previous one does not work:

add name=Google_PlayStore regexp=^.+(android.clients.google.com|play.google.com).*$

I hope someone can advise a proper rule that blocks the Play Store without affecting YouTube.
 
bobin56
just joined
Topic Author
Posts: 4
Joined: Fri Sep 16, 2016 12:57 pm
Location: Dae-es-salaam

Re: Block Play Store / Android Updates

Mon Oct 31, 2016 9:01 am

> Try this Layer7 protocol
>
> /ip firewall layer7-protocol
> add name=Google_PlayStore regexp=^.+(android.clients.google.com).*$
>
> Note: for some unknown reason this protocol will block YouTube as well!
>
> Also, you can try this protocol if the previous one does not work:
>
> add name=Google_PlayStore regexp=^.+(android.clients.google.com|play.google.com).*$
>
> I hope someone can advise a proper rule that blocks the Play Store without affecting YouTube.

Hi amobasher, thanks for helping. Yes, it's true, the protocol rule works! But it does not block only YouTube and the Play Store, but all Google apps like Maps and Gmail. So I think getting a layer-7 protocol that will only block the Play Store would be pretty cool :-) even though I read in some post that it is nearly impossible to block the Play Store without affecting other Google apps.
 
twyxted
just joined
Posts: 11
Joined: Tue Dec 12, 2017 7:50 am

Re: Block Play Store / Android Updates

Mon Mar 12, 2018 1:50 pm

Try this one, I'm currently using it and so far, it works for me:

/ip firewall layer7-protocol
add name=Google-PlayStore regexp=^..+\.(play.googleapis.com|android.clients.google.com|lh3.googleusercontent.com).*$

We're using it not for blocking purposes but to control the bandwidth usage specifically for google playstore since I'm with the mobile development and publishing company, we need to prioritize bandwidth for this.

As of now, I'm still checking out layer7-protocol for iOS appstore, Amazon store, and Windows Store.
 
umair102
just joined
Posts: 1
Joined: Fri Oct 19, 2018 11:12 am

Re: Block Play Store / Android Updates

Fri Oct 19, 2018 11:21 am

Hello sir (twyxted),
As per your instruction below, I created
/ip firewall layer7-protocol
add name=Google-PlayStore regexp=^..+\.(play.googleapis.com|android.clients.google.com|lh3.googleusercontent.com).*$
and it was working previously. It had blocked the Google app store & YouTube app, but unfortunately one of my friends disabled it, and now that I have created the protocol again it's not working. Can you help me please?
 
sigmasquared
just joined
Posts: 24
Joined: Tue Sep 04, 2012 2:55 pm
Location: South Africa

Re: Block Play Store / Android Updates

Thu Dec 19, 2019 5:47 am

Resurrecting an old thread here, but I use address lists to block this. Much less intense on processing than L7. I have a situation where if I switch to LTE from fibre, I don't want Google Play, Youtube, Windows Update, Netflix, Steam etc accessible as I'm on a pay-per-gigabyte LTE package. Example I use for play store below:
/ip firewall mangle
add action=add-dst-to-address-list address-list=GooglePlay \
    address-list-timeout=5m chain=prerouting comment=\
    "Identify Google Play Address List" content=play.google.com
add action=add-dst-to-address-list address-list=GooglePlay \
    address-list-timeout=5m chain=prerouting comment=\
    "Identify Google Play Address List" content=android.clients.google.com
/ip firewall filter
add action=drop chain=forward comment="Block Google Play LTE" \
    dst-address-list=GooglePlay out-interface=lte1
 
backdoorcisco
just joined
Posts: 4
Joined: Thu Dec 19, 2019 11:32 am

Re: Block Play Store / Android Updates

Thu Dec 19, 2019 12:38 pm

> Resurrecting an old thread here, but I use address lists to block this. Much less intense on processing than L7. I have a situation where if I switch to LTE from fibre, I don't want Google Play, Youtube, Windows Update, Netflix, Steam etc accessible as I'm on a pay-per-gigabyte LTE package. Example I use for play store below:
> /ip firewall mangle
> add action=add-dst-to-address-list address-list=GooglePlay \
>     address-list-timeout=5m chain=prerouting comment=\
>     "Identify Google Play Address List" content=play.google.com
> add action=add-dst-to-address-list address-list=GooglePlay \
>     address-list-timeout=5m chain=prerouting comment=\
>     "Identify Google Play Address List" content=android.clients.google.com
> /ip firewall filter
> add action=drop chain=forward comment="Block Google Play LTE" \
>     dst-address-list=GooglePlay out-interface=lte1

How are you populating address-lists?
 
sigmasquared
just joined
Posts: 24
Joined: Tue Sep 04, 2012 2:55 pm
Location: South Africa

Re: Block Play Store / Android Updates

Thu Dec 19, 2019 2:58 pm

> How are you populating address-lists?

Using mangle. On prerouting it adds the IP address to an address list when the URL is looked up.
 
pe1chl
Forum Guru
Posts: 10216
Joined: Mon Jun 08, 2015 12:09 pm

Re: Block Play Store / Android Updates

Thu Dec 19, 2019 3:24 pm

The issue with all those L7-protocol solutions is:

- the pattern is often overly broad (it can match other traffic as well)
- the CPU cost of matching this pattern in all traffic is high
- the pattern is not guaranteed to occur in the traffic, especially now that more and more traffic is becoming encrypted

When such L7 matches "appear to work" it is usually only because they happen to match the SNI in TLS, and that can be more reliably accomplished by using a TLS Host match.
 
backdoorcisco
just joined
Posts: 4
Joined: Thu Dec 19, 2019 11:32 am

Re: Block Play Store / Android Updates

Fri Dec 20, 2019 11:49 am

> The issue with all those L7-protocol solutions is:
>
> - the pattern is often overly broad (it can match other traffic as well)
> - the CPU cost of matching this pattern in all traffic is high
> - the pattern is not guaranteed to occur in the traffic, especially now that more and more traffic is becoming encrypted
>
> When such L7 matches "appear to work" it is usually only because they happen to match the SNI in TLS, and that can be more reliably accomplished by using a TLS Host match.

How can you do a TLS Host match in MikroTik? Is that even possible?
 
pe1chl
Forum Guru
Posts: 10216
Joined: Mon Jun 08, 2015 12:09 pm

Re: Block Play Store / Android Updates

Fri Dec 20, 2019 2:31 pm

It is available on the Advanced tab of a firewall rule when it is for TCP protocol and it does not get pre-empted by something like Established/Related.
It matches the SNI of a TLS setup sequence. So of course it will stop working when encrypted SNI has become standard.
The advantage of this method is that it can match the exact field that contains the SNI, whereas the commonly seen L7 matches like "^.*facebook.com.*$" just match any packet which happens to contain the string facebook.com and it would also match facebook.comics.net or similar, and it would match data packets that happen to contain this text (e.g. this forum discussion).
