How to block sites on the MikroTik Layer 7 protocol

As we know, there are several ways to block a site on MikroTik, one of which uses the Layer 7 Protocol feature. It is a method of searching for patterns in ICMP / TCP / UDP streams. For example, we will try to block the Youtube site from MikroTik with layer 7. But before that you must first know what Layer 7 is.

Read also: How to deal with and overcome NetCut with MikroTik

What is layer 7

Layer 7 is the latest layer in the OSI Layer-7 model on the Internet. It is also known as the “Application Layer”. This is the top layer of data processing that takes place right under the surface or behind the scenes of the software application with which the user interacts.

In MikroTik itself how it works Layer Protocol 7 is to match (mathcer) the first 10 connection packets or the first 2KB connection and look for data models that match the available ones. If this model is not found in the available data, the matcher does not check further. And unknown connections will be considered. Keep in mind that multiple connections will significantly increase memory usage on your RB or PC router.

To avoid this, add regular firewall matches (pattern) to reduce the amount of data sent to the level 7 filter. Layer7 matching should look at both directions of traffic (inbound and outbound). To meet this requirement, Level 7 rules must be set out in the Forward chain. If the rules are in the input / pre-routing chain, the same rules must be set in the output / post-routing chain, otherwise the data may be considered incomplete, so the model is considered incorrect / appropriate.

Block sites in the MikroTik Layer 7 protocol

In this example, we will try to block youtube on MikroTik with layer 7 protocol.

1. First we enter the menu IP> Firewall then go to the tab Layer Protocol 7 then click the icon +.

2. In part Name we can complete anything, but because we want to block youtube here, we only fill it with Youtube. In the Regexp section, make sure you enter this code correctly and carefully: ^. + ( * $ here Regexp is a script that is used in Layer 7 Protocol to block a site.

MikroTik Layer Protocol 7

3. Once done, go to the menu IP> Firewall then go to the tab Filtering rules then click the icon +.

4. On the tab General in the Chain we fill with redirect then in Mr. Approach fill in with the IP client you want to block. If you want to block all clients from a single network in the host ID section, do so 0. E.g

MikroTik regular firewall

5. Then on the tab advanced we fill the Layer 7 Protocol with the one created previously.

Firewall rule MikroTik Layer 7 protocol

6. Continue on the tab Action we fill the action with sudden fall.

MikroTik Action Drop firewall rule

7. Finally, we do the test by opening YouTube in the browser.

Testing the MikroTik Layer 7 protocol


Here’s how to block sites with the Layer 7 MikroTik Protocol. But, in fact, the Layer 7 protocol consumes a lot of the Router’s resources. Therefore, we recommend that you use this feature only for very specific traffic.

In fact, it’s not recommended to use the Layer 7 protocol for general traffic, such as blocking web pages. It will almost never work properly, and your device will consume resources and try to capture all traffic. You can use other features to block web pages, such as usage transparent proxy MikroTik.

So many articles How to block sites on the MikroTik Layer 7 protocol. Looking forward to more interesting articles and don’t forget to share this article with your friends. Thanks…

Leave a Comment

/* */