Why is blocking websites using the L7 Protocol on MikroTik a bad idea?


As explained in the official MikroTik Wiki page, the Layer7 protocol matcher on MikroTik is one of the options available for blocking access to certain websites.

The Layer7 protocol matcher searches for certain patterns of data in the first 10 packets, or in the first 2KB of data, of the TCP/UDP/ICMP streams of any new connection. The matcher works from the entries added to the ‘Regexp’ (Regular Expression) field of the L7 Protocol. The regexp defines the search pattern, for example a keyword from the URL.

If the pattern is found in the connection, an action is taken on the data stream according to the conditions defined in the filter rules that reference the layer7 protocol. If no pattern is found within that budget, the matcher stops inspecting the connection further.

This pattern matching on incoming data streams is a very resource-intensive task for the MikroTik router. Multiple L7 matchers and many connections significantly increase memory and CPU usage, ultimately leading to router instability and recurring reboots.
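To make the cost model concrete, here is an added Python simulation of the matcher's budget; it is not MikroTik code and not part of the original post. It feeds packets to a connection, re-runs the regexp over the accumulated payload until it either matches or the 10-packet / 2KB limit is reached, and counts how many bytes the regex engine had to scan. The regexp is the page's own pattern with the stray '*' removed; the rescan-on-every-packet behaviour, the DOTALL/IGNORECASE flags and the sample payloads are assumptions constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Limits stated on the page: the matcher looks at the first 10 packets
# or the first 2 KB of a new connection, whichever comes first.
MAX_PACKETS = 10
MAX_BYTES = 2048

# The page's rule with the stray '*' removed. DOTALL and IGNORECASE are
# assumptions so that '.+' can cross CRLF line ends in an HTTP request.
BLOCK_SITES = re.compile(r"^.+(facebook\.com|youtube\.com).*$",
                         re.DOTALL | re.IGNORECASE)


@dataclass
class Connection:
    ident: str
    packets: int = 0          # packets handed to the matcher
    buffer: bytes = b""       # accumulated payload, capped at MAX_BYTES
    decided: bool = False     # True once the matcher stops looking
    matched: bool = False
    scanned_bytes: int = 0    # cumulative bytes pushed through the regex engine


def l7_inspect(conn: Connection, payload: bytes,
               pattern: re.Pattern = BLOCK_SITES) -> bool:
    """Feed one packet to the simulated matcher; return True once it has matched.

    Assumption: the regex is re-run over the whole accumulated buffer on every
    packet until it matches or the budget runs out, which is what makes an
    unmatched connection the expensive case.
    """
    if conn.decided:
        return conn.matched            # inspection already stopped for this connection
    conn.packets += 1
    conn.buffer = (conn.buffer + payload)[:MAX_BYTES]
    text = conn.buffer.decode("latin-1")   # byte-for-byte, never fails
    conn.scanned_bytes += len(text)
    if pattern.search(text):
        conn.matched = True
        conn.decided = True
    elif conn.packets >= MAX_PACKETS or len(conn.buffer) >= MAX_BYTES:
        conn.decided = True            # budget exhausted: passes unmatched from here on
    return conn.matched


# Constructed sample payloads (not captured traffic).
HTTP_GET = b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\nUser-Agent: demo\r\n\r\n"
# A TLS ClientHello carries the server name in clear text; the bytes around it are dummies.
TLS_HELLO = b"\x16\x03\x01" + b"\x00" * 40 + b"www.youtube.com" + b"\x00" * 20
NOISE = b"x" * 200   # opaque data, e.g. an already-encrypted stream


def run_sample() -> dict:
    """Four connections; returns {ident: (matched, packets_inspected, bytes_scanned)}."""
    http = Connection("http-facebook")          # hostname in packet 1: cheap match
    l7_inspect(http, HTTP_GET)

    tls = Connection("tls-youtube")             # SNI in the first packet: cheap match
    l7_inspect(tls, TLS_HELLO)

    noise = Connection("noise")                 # never matches: ten growing rescans
    for _ in range(15):
        l7_inspect(noise, NOISE)

    late = Connection("late-facebook")          # hostname only after packet 10: missed
    for _ in range(11):
        l7_inspect(late, NOISE)
    l7_inspect(late, HTTP_GET)

    return {c.ident: (c.matched, c.packets, c.scanned_bytes)
            for c in (http, tls, noise, late)}


def regex_work(results: dict, n_rules: int) -> int:
    """Bytes the regex engine chews through when n_rules L7 matchers are active."""
    return n_rules * sum(scanned for _, _, scanned in results.values())


if __name__ == "__main__":
    for ident, row in run_sample().items():
        print(ident, row)
```

The two connections that carry the hostname in their first packet are decided after a single scan, while the connection that never matches costs ten scans of an ever-growing buffer before the matcher gives up, and that cost is paid again for every additional L7 rule. The last connection shows the flip side: a hostname that only appears after the budget is exhausted is never seen, so the rule is both expensive and incomplete.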

To demonstrate this, below are two screenshots of the CPU usage statistics before and after the following L7 matcher rules are put in place:

The following terminal commands identify connections carrying facebook.com or youtube.com and reject them, blocking end-user access to those sites.

# Layer7 matcher: the original pattern had a stray '*' after '.+' and a trailing space inside the quotes, which prevented it from ever matching
/ip firewall layer7-protocol add comment="Block Websites" name=block-sites regexp="^.+(facebook.com|youtube.com).*\$"

# Filter rule in the forward chain that rejects any connection the matcher flags
/ip firewall filter add comment="Block Websites" chain=forward layer7-protocol=block-sites action=reject reject-with=icmp-host-unreachable

Before: (screenshot of CPU usage statistics)

After: (screenshot of CPU usage statistics)
In conclusion, we do not recommend using the Layer7 protocol for website blocking. Instead, alternative methods such as content filtering or DNS-based blocking should be used for web filtering:

How to Block Websites through Filter Rules in Mikrotik

How to Block Adult Websites through DNS-Based Filtering in Mikrotik

Note: The Layer7 protocol can, however, be used effectively to drop P2P BitTorrent traffic in order to conserve the network's overall bandwidth.

How to Block BitTorrent Traffic using MikroTik Layer7 Protocol
