Blocking URL traffic on MikroTik

Step 1: Access Your MikroTik Router

  1. Connect to your router via WinBox or SSH.
  2. Open the terminal in WinBox or start your SSH session.

Step 2: Set Up Layer7 Protocol

Create a Layer7 Protocol rule to identify the traffic going to the URL you want to block.

/ip firewall layer7-protocol
add name="Block_Example_URL" regexp="^.+(example.com).*\$"
  • Replace "example.com" with the URL or part of the URL you wish to block.

Step 3: Configure Mangle Rule

Create a mangle rule to mark the packets that match the Layer7 Protocol.

/ip firewall mangle
add action=mark-packet new-packet-mark=URL_blocked passthrough=no protocol=tcp layer7-protocol=Block_Example_URL chain=prerouting
  • This rule marks all packets that match the Layer7 Protocol as "URL_blocked".

Step 4: Create a Firewall Filter Rule

Use the packet mark to block the traffic in the firewall filter.

/ip firewall filter
add action=drop chain=forward packet-mark=URL_blocked
  • This rule will drop all packets marked as "URL_blocked", effectively blocking access to the URL.

Step 5: Verify the Configuration

Make sure your rules are correctly ordered in the firewall settings. Firewall rules in MikroTik are processed from the top down, so ensure your mangle rule and filter rule are placed before any general accept rules for the traffic to be blocked effectively.

Step 6: Testing

After applying the configuration, test to ensure that the URL is effectively blocked. Try accessing the URL from a device within your network to see if it’s unreachable.

Additional Tips:

  • Regular Expression: Be careful with regular expressions in Layer7 protocols; they need to match the packets precisely as expected. Improper configuration might lead to blocking more than intended or not blocking at all.
  • Debugging: Use MikroTik’s built-in tools like Packet Sniffer and Firewall Logs to debug and verify that the right packets are being matched and marked.
  • Performance Consideration: Layer7 inspection can be resource-intensive. Monitor your router’s performance, especially in networks with high traffic levels.
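The pattern chosen in Step 2 decides what the mangle and filter rules above will actually drop, and the Regular Expression tip warns that a loose pattern blocks more than intended. The following is an added example, not part of the original guide: it dry-runs the page's pattern, and a tightened variant I constructed, against constructed samples of the opening bytes of a connection (an HTTP request with a Host header, a truncated TLS ClientHello carrying the server name). Python's `re` stands in for the RouterOS Layer7 matcher; the assumption is that for patterns this simple both engines agree, and that matching is case-insensitive, as is conventional for l7-style patterns. The `\$` on the page is RouterOS terminal escaping for a literal `$`; the regex itself ends in a plain `$`.

```python
"""Dry-run a MikroTik Layer7-style regexp against constructed connection openings.

Added example, not from the original post. Python's `re` is used as a stand-in
for the RouterOS Layer7 matcher (assumption: the two agree for patterns this
simple). RouterOS inspects only the first packets of a connection, which is
what the samples below represent.
"""
import re

# Pattern exactly as on the page. In the RouterOS terminal the trailing `$`
# is typed as `\$` so it is not treated as a variable; here it is plain regex.
PAGE_PATTERN = r"^.+(example.com).*$"

# Tightened variant (assumption, not from the page): the dot is escaped and a
# non-hostname character is required on both sides, so "notexample.com" and
# "examplexcom" stop matching while "www.example.com" still matches.
TIGHT_PATTERN = r"^.+[^a-z0-9-]example\.com([^a-z0-9-]|$).*$"

# Constructed TLS ClientHello stand-in: headers and lengths are not exact,
# only the plaintext SNI host name matters for the regexp.
TLS_CLIENT_HELLO_SNI = (
    b"\x16\x03\x01\x00\x9a\x01\x00\x00\x96\x03\x03"   # record + handshake headers
    + b"\x11" * 32                                     # client random (stand-in)
    + b"\x00\x00\x02\x13\x01\x01\x00"                  # session id, cipher suite, compression
    + b"\x00\x14\x00\x00\x00\x10\x00\x0e\x00\x00\x0f"  # SNI extension framing (stand-in)
    + b"www.example.com"
    + b"\x00\x17\x00\x00"                              # next extension
)

# Constructed sample payloads: what the matcher sees at the start of a connection.
SAMPLES = {
    "http_example":   b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "http_subdomain": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "http_lookalike": b"GET / HTTP/1.1\r\nHost: notexample.com\r\n\r\n",
    "http_no_dot":    b"GET / HTTP/1.1\r\nHost: examplexcom\r\n\r\n",
    "http_referer":   b"GET / HTTP/1.1\r\nHost: mikrotik.com\r\n"
                      b"Referer: https://example.com/\r\n\r\n",
    "http_other":     b"GET / HTTP/1.1\r\nHost: mikrotik.com\r\n\r\n",
    "tls_sni":        TLS_CLIENT_HELLO_SNI,
}


def would_mark(pattern: str, payload: bytes) -> bool:
    """True if the Layer7-style pattern matches the connection's opening bytes.

    DOTALL lets `.` cross the CRLF line breaks of an HTTP header block, and
    IGNORECASE mirrors the conventional case-insensitive l7 matching (assumption).
    """
    return re.search(pattern.encode(), payload, re.DOTALL | re.IGNORECASE) is not None


def evaluate(pattern: str) -> dict:
    """Map each sample name to whether the pattern would mark (and so drop) it."""
    return {name: would_mark(pattern, payload) for name, payload in SAMPLES.items()}


def differences() -> set:
    """Sample names where the page's pattern and the tightened one disagree."""
    page, tight = evaluate(PAGE_PATTERN), evaluate(TIGHT_PATTERN)
    return {name for name in SAMPLES if page[name] != tight[name]}


if __name__ == "__main__":
    page, tight = evaluate(PAGE_PATTERN), evaluate(TIGHT_PATTERN)
    print(f"{'sample':16} {'page':>6} {'tight':>6}")
    for name in SAMPLES:
        print(f"{name:16} {str(page[name]):>6} {str(tight[name]):>6}")
    print("over-matched only by the page pattern:", sorted(differences()))
```

Running it shows the page's pattern also drops the unrelated host `notexample.com` and the dot-less `examplexcom`, which the tightened pattern does not. Both patterns still match any occurrence of the host string in the opening bytes, so a request to another site that merely carries `example.com` in a Referer header is dropped too; that is the coarseness the Regular Expression tip refers to, and the Packet Sniffer and firewall logs from the Debugging tip are the way to confirm which connections are really being marked on a live router.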

This setup should effectively block the specified URL on your MikroTik router using firewall rules and mangle.

Jan D.