As explained in the official MikroTik Wiki page, Layer7 protocol on MikroTik is one of the options used for the purpose of blocking access to certain websites.
The Layer7 protocol matcher searches for certain patterns of data in the first 10 packets, or in the first 2 KB of data, of the TCP/UDP/ICMP streams of any new connection. The matcher works from the entries added to the ‘Regexp’ (Regular Expression) field of the L7 Protocol; this regexp defines the search patterns (for example, keywords in URLs) that are looked for in the stream.
If a predefined pattern is found in the connection, then based on the conditions defined in the filter rules using the layer7 protocol, an action will be taken on the data stream. If no pattern is found in the connection, then the matcher will stop inspecting the connection further.
This process of matching patterns in the incoming data streams is a very resource-intensive task for the MikroTik router. Multiple L7 matchers and many concurrent connections significantly increase memory and CPU usage, which ultimately leads to router instability and, in recurring cases, reboots.
To demonstrate this, below are two screenshots of the CPU usage statistics before and after the following L7 matcher rules are put in place:
The following terminal commands identify traffic to facebook.com or youtube.com and block end-users from accessing those sites.
/ip firewall layer7-protocol add comment="Block Websites" name=block-sites regexp="^.+(facebook.com|youtube.com).*\$"
/ip firewall filter add comment="Block Websites" chain=forward layer7-protocol=block-sites action=reject reject-with=icmp-host-unreachable
Before: [screenshot of CPU usage statistics before the L7 rules were added]
After: [screenshot of CPU usage statistics after the L7 rules were added]
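To make the matching behaviour described above concrete, here is a small Python model of the matcher semantics (an added example, not RouterOS code and not from the original article). It assumes, as a modelling choice, that an undecided connection keeps its payload buffered so the regexp can be re-run over the accumulated data on each new packet, and that the verdict is fixed once reached; the sample traffic is constructed, and the regexp is the page's `block-sites` pattern without the RouterOS `\$` escape.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Limits taken from the text above: the matcher gives up on a connection after
# the first 10 packets or the first 2 KB of payload, whichever comes first.
MAX_PACKETS = 10
MAX_BYTES = 2 * 1024


@dataclass
class ConnState:
    """Per-connection state kept while the verdict is still open."""
    buffered: bytearray = field(default_factory=bytearray)
    packets: int = 0
    verdict: Optional[str] = None  # None = still inspecting, else "match"/"no-match"


class Layer7Matcher:
    """Toy model of the RouterOS layer7 matcher (added example, not RouterOS code).

    Assumption: undecided connections keep their payload buffered and the regexp
    is re-run over the accumulated data on every new packet. That buffering and
    re-scanning is what makes many concurrent connections expensive.
    """

    def __init__(self, name: str, regexp: str) -> None:
        self.name = name
        # DOTALL is an assumption so that '.' spans the CRLFs of an HTTP request.
        self.pattern = re.compile(regexp.encode(), re.DOTALL)
        self.conns: Dict[str, ConnState] = {}

    def packet(self, conn_id: str, payload: bytes) -> Optional[str]:
        """Feed one packet; return the verdict, or None while still undecided."""
        st = self.conns.setdefault(conn_id, ConnState())
        if st.verdict is not None:
            return st.verdict  # decided: no further inspection of this stream
        st.packets += 1
        st.buffered += payload
        if self.pattern.search(bytes(st.buffered)):
            st.verdict = "match"
        elif st.packets >= MAX_PACKETS or len(st.buffered) >= MAX_BYTES:
            st.verdict = "no-match"  # cutoff reached: stop inspecting
        if st.verdict is not None:
            st.buffered = bytearray()  # verdict reached: release the buffer
        return st.verdict

    def buffered_bytes(self) -> int:
        """Bytes currently held for connections that have no verdict yet."""
        return sum(len(s.buffered) for s in self.conns.values())


# The page's regexp, without the '\$' escape that the RouterOS CLI needs.
BLOCK_SITES = r"^.+(facebook.com|youtube.com).*$"

# Constructed sample traffic (not captured data).
FACEBOOK_REQ = b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
FILLER = b"x" * 50  # chatter that never matches the pattern


def run_demo() -> dict:
    """Drive three connections through the matcher and collect the verdicts."""
    m = Layer7Matcher("block-sites", BLOCK_SITES)
    results = {}
    # Connection A: host name appears in the first packet -> matched at once.
    results["A"] = m.packet("A", FACEBOOK_REQ)
    # Connection B: ten small packets without the pattern -> packet cutoff.
    verdicts = [m.packet("B", FILLER) for _ in range(MAX_PACKETS)]
    results["B_first"] = verdicts[0]
    results["B_last"] = verdicts[-1]
    # Connection C: one large packet -> byte cutoff.
    results["C"] = m.packet("C", b"y" * MAX_BYTES)
    # A decided stream keeps its verdict; later packets are not inspected.
    results["A_again"] = m.packet("A", FILLER)
    results["buffered_after"] = m.buffered_bytes()
    return results


def buffered_while_undecided(n_conns: int, packets_each: int) -> int:
    """Bytes held when n_conns streams have each sent packets_each filler packets
    (packets_each < MAX_PACKETS so none of them has reached a verdict)."""
    m = Layer7Matcher("block-sites", BLOCK_SITES)
    for i in range(n_conns):
        for _ in range(packets_each):
            m.packet(f"conn{i}", FILLER)
    return m.buffered_bytes()


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
    print("buffered for 1000 undecided streams:", buffered_while_undecided(1000, 5))
```

The `buffered_while_undecided` figure is the point of the article in numbers: every connection that has not yet matched or hit the cutoff costs buffer space and a fresh regexp scan per packet, so the cost scales with the number of new connections, not with the number of blocked sites.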
In conclusion, we do not recommend that the Layer7 protocol be used for the purpose of website blocking. Instead, alternative methods such as Content Filtering or DNS-based blocking must be used for Web Filtering.
How to Block Websites through Filter Rules in Mikrotik
How to Block Adult Websites through DNS-Based Filtering in Mikrotik
Note: Layer7 Protocol can however be used to effectively drop p2p BitTorrent traffic, in order to conserve overall bandwidth usage of the network.
How to Block BitTorrent Traffic using MikroTik Layer7 Protocol