Tuesday, June 7, 2016

MikroTik | HTTP Filtering (Layer7 Protocol)

Layer7-protocol is a method of searching for patterns in ICMP/TCP/UDP streams. The L7 matcher is very resource intensive, because it has to buffer and inspect the beginning of every connection a rule is applied to. Use this feature only for very specific traffic. It is not recommended to use the L7 matcher for generic traffic, such as blocking webpages: that will almost never work correctly, and the device will exhaust its resources trying to catch all the traffic. Use other features to block webpages by URL.

In some cases, when a layer 7 regular expression cannot be evaluated, RouterOS logs a warning with topic=firewall whose message states the problem. The layer 7 matcher is case insensitive.

UP Link IP Address: 10.10.10.2/30
Local IP Address: 192.168.0.1/24
Drop sites: Facebook and YouTube
Platform: MikroTik router

Step 1: Connect your PC to the MikroTik router with a UTP cable. Get WinBox (download it from www.mikrotik.com), click Refresh in the Neighbors list to scan for the router's MAC address, select the MAC that appears, and log in as user admin with no password (the factory default). Set an admin password before the router is put on the uplink.



Step 2: Add the WAN-side IP address and subnet mask (10.10.10.2/30) and select the uplink interface (ether1).


Step 3: Then add the LAN-side IP address and subnet mask (192.168.0.1/24) and select the LAN interface (ether3).


Step 4: Add the default route via the uplink gateway 10.10.10.1.



Step 5: Add the DNS server addresses.



Step 6: Go to IP > Firewall > NAT and add a new rule.



Step 7: On the General tab set chain=srcnat and src. address=192.168.0.0/24.



Step 8: On the Action tab set action=masquerade and click OK.

Step 9: Go to IP > Firewall, open the Layer7 Protocols tab and create a layer7 regexp entry (name it "Block Site").


Step 10: Go to the Filter Rules tab and add a new rule for the sites to drop.


Step 11: On the General tab of the drop rule set chain=forward, src. address=192.168.0.0/24, protocol=tcp and dst. port=80,443.



Step 12: On the Advanced tab select the layer7 protocol created in step 9 ("Block Site").



Step 13: On the Action tab set action=drop and click OK. Make sure the rule is enabled (not greyed out in the list) and, while a LAN client browses to one of the blocked sites, check that the rule's packet counter increases (in the Filter Rules list, or with /ip firewall filter print stats). If the counter stays at zero, check /log print where topics~"firewall" for a warning about the regexp. The configuration is now complete.



Explanation: the same configuration as a CLI export, with a comment on what each part does.

/ip address
# LAN side on ether3, uplink on ether1
add address=192.168.0.1/24 comment=Local interface=ether3 network=192.168.0.0
add address=10.10.10.2/30 comment=UP_Link interface=ether1 network=10.10.10.0

/ip route
# default route via the uplink gateway; check-gateway=ping deactivates it while the gateway does not answer
add check-gateway=ping distance=1 gateway=10.10.10.1

/ip dns
# RouterOS lists are comma-separated with no space
set servers=8.8.8.8,4.2.2.2

/ip firewall nat
# hide the LAN behind the uplink address
add action=masquerade chain=srcnat src-address=192.168.0.0/24

Layer7-protocol regexp rule:

/ip firewall layer7-protocol
# matches any connection whose first packets contain "facebook" or "youtube" anywhere:
# the HTTP Host header, the TLS SNI, but also page content that merely mentions either name
add name="Block Site" regexp="^.+(facebook|youtube).*$"

Facebook and YouTube drop rule:

/ip firewall filter
# forward chain, so the matcher sees both directions of the connection, and only
# LAN-originated TCP to ports 80/443, so it inspects web traffic only; the rule must be
# enabled (a rule exported with disabled=yes does nothing)
add action=drop chain=forward dst-port=80,443 layer7-protocol=\
"Block Site" protocol=tcp src-address=192.168.0.0/24
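To see what the "Block Site" regexp actually matches on, and why the warning at the top of the page applies to it, here is an added Python emulation of the L7 matcher run over a few constructed connections. It is not MikroTik code: it assumes what the RouterOS manual states about the matcher (it buffers the first 10 packets or first 2 KiB of a connection, both directions, matches case-insensitively, and `.` matches any byte). The sample streams, the helper names and the TIGHTER_SITE pattern are this example's own assumptions, not part of the original page.

```python
"""Emulate the RouterOS Layer7 matcher on constructed traffic samples.

Added illustration, not MikroTik code. It assumes what the RouterOS manual
states about the L7 matcher: it buffers the first 10 packets or first 2 KiB
of a connection (both directions), matches case-insensitively, and '.'
matches any byte. All sample streams below are constructed.
"""
import re

L7_MAX_PACKETS = 10      # assumption taken from the RouterOS manual
L7_MAX_BYTES = 2048

# The regexp from the "Block Site" layer7-protocol entry above.
BLOCK_SITE = r"^.+(facebook|youtube).*$"

# A tighter variant (an assumption, not from the page): require the name to
# follow an HTTP Host header or a TLS SNI length field, so that a page which
# merely mentions facebook.com in its HTML is not matched.
TIGHTER_SITE = r"(host: [^\r\n]*|\x00.{2})(www\.)?(facebook|youtube)\.com"


def l7_collect(packets):
    """Return the bytes the matcher would buffer for one connection."""
    buf = b""
    for payload in packets[:L7_MAX_PACKETS]:
        buf += payload
        if len(buf) >= L7_MAX_BYTES:
            break
    return buf[:L7_MAX_BYTES]


def l7_match(regexp, packets):
    """True if the L7 pattern would fire on this connection."""
    pattern = re.compile(regexp.encode(), re.IGNORECASE | re.DOTALL)
    return pattern.search(l7_collect(packets)) is not None


def http_get(host, path=b"/"):
    """Constructed plaintext HTTP/1.1 request (what port-80 traffic looks like)."""
    return b"GET " + path + b" HTTP/1.1\r\nHost: " + host + b"\r\n\r\n"


def tls_client_hello(sni):
    """Constructed minimal TLS 1.2 ClientHello whose only extension is SNI.

    The server name travels in clear text, which is why the matcher can see
    the site name on port 443 at all.
    """
    name = sni.encode()
    entry = b"\x00" + len(name).to_bytes(2, "big") + name            # host_name entry
    sni_list = len(entry).to_bytes(2, "big") + entry
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list  # extension type 0 = SNI
    body = (b"\x03\x03" + bytes(32)              # client_version, random
            + b"\x00"                            # empty session id
            + b"\x00\x02\xc0\x2f"                # one cipher suite
            + b"\x01\x00"                        # null compression
            + len(ext).to_bytes(2, "big") + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed connections, given as the payloads of their first packets.
SAMPLE_STREAMS = {
    "http_facebook": [http_get(b"www.FaceBook.com")],        # mixed case on purpose
    "tls_youtube":   [tls_client_hello("www.youtube.com")],
    "http_other":    [http_get(b"example.com")],
    # an unrelated site whose page embeds a Facebook share link
    "share_button":  [http_get(b"news.example"),
                      b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                      b'<html><a href="https://www.facebook.com/share">Share</a></html>'],
    # the name only appears after the 2 KiB window the matcher inspects
    "late_mention":  [http_get(b"news.example"),
                      b"HTTP/1.1 200 OK\r\n\r\n<p>" + b"x" * 2048 + b" facebook</p>"],
}


def evaluate(regexp):
    """Map each sample connection to whether the pattern would drop it."""
    return {name: l7_match(regexp, pkts) for name, pkts in SAMPLE_STREAMS.items()}


if __name__ == "__main__":
    for label, rx in (("page regexp", BLOCK_SITE), ("tighter regexp", TIGHTER_SITE)):
        print(label)
        for name, hit in evaluate(rx).items():
            print(f"  {name:14s} {'DROP' if hit else 'pass'}")
```

Running it shows the page's regexp dropping the Facebook request and the YouTube ClientHello as intended, but also dropping the unrelated news.example connection because its HTML contains a share link, while a mention that sits beyond the first 2 KiB is never seen. The tighter variant keeps the two intended hits and leaves the share-button page alone, but it is still a string search over the start of the stream, so the general advice above (use address lists or URL-based features for generic web blocking) still stands.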

END