
How to block Facebook, Youtube, any webpage and apps from Mikrotik effectively

Step 1: First, we create an address list of the local LAN IPs in IP Firewall Address List on the Mikrotik firewall or router.


Step 2: Then we create a Firewall Raw rule for the domain .facebook.com. The rule builds a dynamic address list of Facebook IP addresses. Here we have used the list name IP-Facebook.

In the same way, we use the address list IP-Facebook in all the raw rules for .facebook.net, .fbcdn.net, .fbsbx.com, .fb.com, .fb.gg, .messenger.com.

Now we create the Firewall Raw rule for the domain .facebook.com.
First, select the chain prerouting in the General tab.


















Then, in the Advanced tab of the raw rule, select the IP-LAN address list created earlier in both Src. Address List and Dst. Address List, as in the screenshot, and tick the not (!) sign on Dst. Address List. In the Content option, write .facebook.com; do the same for .facebook.net, .fbcdn.net, .fbsbx.com, .fb.com, .fb.gg, .messenger.com.

Then, in the Action tab, select add dst to address list, and in Address List enter the name of the address list (I have used IP Facebook), then click OK. The new Firewall Raw rule is now created for the domain .facebook.com. Similarly, we can make new raw rules for .facebook.net, .fbcdn.net, .fbsbx.com, .fb.com, .fb.gg, .messenger.com.


Similarly for facebook.net.

Now, if a LAN user browses facebook.com, we will see IPs dynamically added to the IP Facebook list. We can check this in the Firewall Address List.

Now we make a firewall filter rule and apply it to the IP Facebook address list to block the Facebook site from the LAN network.

In the Mikrotik Firewall option, select the forward chain, select the address list IP Facebook, and set the action to drop.

Select the forward chain in the General tab.

Then select IP Facebook in Dst. Address List in the Advanced tab.


Finally, select drop as the Action in the Action tab and then click OK. The firewall filter rule is added to the firewall filters and starts to block all Facebook access from the LAN.



Now all Facebook access attempts should be blocked.
Note: If access to Facebook is required from particular IPs, first create a new address list and put those users' IPs in it. Then create another firewall rule on the forward chain: in the Advanced tab, Src. Address List is the new permitted IP address list and Dst. Address List is IP Facebook, and the action is accept. Remember that this rule must come before your drop rule.

Using the same process, we can block YouTube, TikTok, Twitter and any other site from the Mikrotik firewall.


In Command:

For Facebook:

/ip firewall raw
add action=add-dst-to-address-list address-list="IP Facebook" \
    address-list-timeout=none-dynamic chain=prerouting comment=Facebook \
    content=.facebook.com dst-address-list=!IP-LAN src-address-list=IP-LAN

add action=add-dst-to-address-list address-list="IP Facebook" \
    address-list-timeout=none-dynamic chain=prerouting comment=Facebook \
    content=fb.com dst-address-list=!IP-LAN src-address-list=IP-LAN

add action=add-dst-to-address-list address-list="IP Facebook" \
    address-list-timeout=none-dynamic chain=prerouting comment=Facebook \
    content=.cdninstagram.com dst-address-list=!IP-LAN src-address-list=\
    IP-LAN

add action=add-dst-to-address-list address-list="IP Facebook" \
    address-list-timeout=none-dynamic chain=prerouting comment=Facebook \
    content=.facebook.net dst-address-list=!IP-LAN src-address-list=IP-LAN

add action=add-dst-to-address-list address-list="IP Facebook" \
    address-list-timeout=none-dynamic chain=prerouting comment=Facebook \
    content=.instagram.com dst-address-list=!IP-LAN src-address-list=IP-LAN

add action=add-dst-to-address-list address-list="IP Facebook" \
    address-list-timeout=none-dynamic chain=prerouting comment=Facebook \
    content=messenger.com dst-address-list=!IP-LAN src-address-list=IP-LAN

add action=add-dst-to-address-list address-list="IP Facebook" \
    address-list-timeout=none-dynamic chain=prerouting comment=Facebook \
    content=fb.gg dst-address-list=!IP-LAN src-address-list=IP-LAN

add action=add-dst-to-address-list address-list="IP Facebook" \
    address-list-timeout=none-dynamic chain=prerouting comment=Facebook \
    content=.fbsbx.com dst-address-list=!IP-LAN src-address-list=IP-LAN

add action=add-dst-to-address-list address-list="IP Facebook" \
    address-list-timeout=none-dynamic chain=prerouting comment=Facebook \
    content=.fbcdn.net dst-address-list=!IP-LAN src-address-list=IP-LAN

For Youtube:

/ip firewall raw
add action=add-dst-to-address-list address-list=IP-Youtube \
    address-list-timeout=none-dynamic chain=prerouting comment="IP Youtube" \
    content=.youtube.com dst-address-list=!IP-LAN src-address-list=IP-LAN

add action=add-dst-to-address-list address-list=IP-Youtube \
    address-list-timeout=none-dynamic chain=prerouting comment="IP Youtube" \
    content=.googlevideo.com dst-address-list=!IP-LAN src-address-list=IP-LAN

add action=add-dst-to-address-list address-list=IP-Youtube \
    address-list-timeout=none-dynamic chain=prerouting comment="IP Youtube" \
    content=.youtu.be dst-address-list=!IP-LAN src-address-list=IP-LAN

add action=add-dst-to-address-list address-list=IP-Youtube \
    address-list-timeout=none-dynamic chain=prerouting comment="IP Youtube" \
    content=.ytimg.com dst-address-list=!IP-LAN src-address-list=IP-LAN


For Facebook and Youtube:

/ip firewall filter

add action=accept chain=forward comment="Facebook Permit through IP" \
    disabled=yes dst-address-list="IP Facebook" src-address-list=Access-FB

add action=drop chain=forward comment="Facebook Block Through IP" \
    dst-address-list="IP Facebook" 

add action=drop chain=forward comment="Youtube Block Through IP" \
    dst-address-list=IP-Youtube 
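
Step 1 and the permitted-user list from the note are described above only as Winbox steps. The matching commands, as an added example that is not part of the original post; the subnets and the host address are assumed for illustration:

```routeros
# Added example; subnets and host address are assumed, replace with your own.
/ip firewall address-list
# Step 1: every local subnet goes into the same IP-LAN list (one entry per LAN).
add list=IP-LAN address=192.168.88.0/24 comment="LAN 1 (assumed)"
add list=IP-LAN address=192.168.89.0/24 comment="LAN 2 (assumed)"
# Hosts allowed to reach Facebook, matched by the "Facebook Permit through IP" rule.
add list=Access-FB address=192.168.88.10 comment="Permitted host (assumed)"

# The permit rule is created with disabled=yes; enable it when it is needed.
/ip firewall filter
enable [find comment="Facebook Permit through IP"]

# Checks: dynamic entries collected by the raw rules, and rule hit counters.
/ip firewall address-list print where list="IP Facebook"
/ip firewall raw print stats
/ip firewall filter print stats
```

Entries added with address-list-timeout=none-dynamic stay in the list until the router reboots, so the address-list print output keeps growing as LAN users trigger the raw rules.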









Thanks and Happy Learning











Comments

  1. Hi, can you explain ... Steps 1: First of all we create a address list of local ip lan in IP Firewall Address List in Mikrotik Firewall or Router.;

    is done when there are several lan?
