vladmx
just joined
Topic Author
Posts: 1
Joined: Tue Mar 25, 2025 6:44 pm

add dst to address list swapped with add src to address list?

Tue Jun 10, 2025 2:25 am

Hello.

I'm trying to collect the addresses of some services (e.g. facebook) into an address list. I added a rule in /ip/firewall/mangle as follows:

/ip/firewall/mangle add chain=forward content=".facebook.com" action=add-dst-to-address-list address-list="Facebook" address-list-timeout=4m log

It produces the following log output:
forward: in:ether4_WAN out:bridge, connection-state:established,snat src-mac [edited], proto UDP, 31.13.93.26:443->192.168.88.21:35964, NAT 31.13.93.26:443->(148.205.177.136:35964->192.168.88.21:35964), len 1257

And the client IP address (i.e. the local LAN address) is added to the address list. If I change "action=add-dst-to-address-list" to "action=add-src-to-address-list", the destination address (i.e. a facebook address) is added to the list.

I understand add-dst-to-address-list refers to the destination address of the packet (an external address, facebook in my example), but maybe I'm misunderstanding the way mangle works.

I'm running RouterOS v7.19.1 on a hAP ax³ router.

Is this the right behavior, or is it that "add-dst-to-address-list" and "add-src-to-address-list" are swapped?

Best regards.

V.
 
grusu
Member Candidate
Posts: 168
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

Re: add dst to address list swapped with add src to address list?

Tue Jun 10, 2025 9:14 am

The traffic is bidirectional. You must specify in-interface or in-interface-list, for example.
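To make the point about bidirectional traffic concrete, here is an added Python example (not from the thread or from MikroTik) that parses the log line format shown in the question and works out which address each action would add. The reply line mirrors the one in the post; the client-to-server line is a constructed counterpart, and the rule's content match is assumed to have already hit, as the log shows it did.

```python
import re
from dataclasses import dataclass

# Constructed copies of RouterOS firewall log lines: the first mirrors the one in
# the post (a Facebook reply arriving on the WAN port), the second is a hypothetical
# client-to-server packet of the same flow, leaving the bridge for the WAN.
REPLY_LINE = ("forward: in:ether4_WAN out:bridge, connection-state:established,snat "
              "src-mac [edited], proto UDP, 31.13.93.26:443->192.168.88.21:35964, "
              "NAT 31.13.93.26:443->(148.205.177.136:35964->192.168.88.21:35964), len 1257")
REQUEST_LINE = ("forward: in:bridge out:ether4_WAN, connection-state:established,snat "
                "src-mac [edited], proto UDP, 192.168.88.21:35964->31.13.93.26:443, len 1257")

LOG_RE = re.compile(
    r"^(?P<chain>\w+): in:(?P<in_if>\S+) out:(?P<out_if>\S+),.*?"
    r"proto (?P<proto>\w+), (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+"
)


@dataclass
class Packet:
    chain: str
    in_if: str
    out_if: str
    src: str
    dst: str


def parse_log(line):
    """Pull chain, interfaces and the packet's own src/dst out of a log line."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError("unrecognised RouterOS firewall log line")
    return Packet(m["chain"], m["in_if"], m["out_if"], m["src"], m["dst"])


def address_added(pkt, action, in_interface=None):
    """Return the IP the rule would put on the list, or None if it does not match.
    add-src/add-dst always refer to the header of the packet being inspected;
    in-interface limits the rule to packets that entered through that interface."""
    if in_interface is not None and pkt.in_if != in_interface:
        return None
    if action == "add-dst-to-address-list":
        return pkt.dst
    if action == "add-src-to-address-list":
        return pkt.src
    raise ValueError(f"unsupported action {action!r}")


if __name__ == "__main__":
    for line in (REPLY_LINE, REQUEST_LINE):
        pkt = parse_log(line)
        print(pkt.in_if, "->", pkt.out_if,
              "| add-dst unfiltered:", address_added(pkt, "add-dst-to-address-list"),
              "| add-dst with in-interface=bridge:",
              address_added(pkt, "add-dst-to-address-list", "bridge"))
```

Without the in-interface restriction the reply packet matches first and the LAN client lands on the list, which matters if that list later drives a block or routing rule; with in-interface=bridge only the outbound packet matches and the Facebook address is added.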
 
anav
Forum Guru
Posts: 23825
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: add dst to address list swapped with add src to address list?

Tue Jun 10, 2025 6:51 pm

WHY?
Layer7 was the way to block Facebook, and that is now gone considering the ways that traffic is directed by such apps.
Unless the router has DPI that can reach into encrypted packets, you are wasting your time.