MikroTik Blocking Websites with TLS Host Firewall Matcher

Most of the websites now use https and blocking https websites is so much harder with the MikroTik RouterOS version less than 6.41. But from RouterOS v6.41, MikroTik Firewall introduces a new property named TLS Host that is capable to match https websites so easily. So, blocking https websites like Facebook, YouTube etc. can be easily done with MikroTik Router if RouterOS version is greater than 6.41. In my previous article, I discussed how to block websites with MikroTik Router using layer 7 protocol. In this article, I will discuss how to block https websites with MikroTik Firewall using TLS Host matcher.




How to Block HTTPS Websites with TLS Host Matcher




The TLS Host is a new property of MikroTik Firewall. So, it is only available RouterOS version greater than 6.41. If your RouterOS version is less than 6.41, upgrade RouterOS to the latest bug free version and then do the following steps to block websites with the TLS Host matcher.




  • Go to IP > Firewall menu item and click on Filter Rules tab and then click on PLUS SIGN (+). New Firewall Rule window will appear.
  • Choose forward from Chain dropdown menu.
  • Choose tcp from Protocol dropdown menu.
  • Click on Dst. Port input box and put 443.
  • Click on Advanced tab and click on TLS Host input box and put your desired domain name that you want to block (such as *.facebook.com) in this box.
  • Click on Action tab and choose drop from Action dropdown menu.
  • Click Apply and OK button.




Alternatively, you can apply the following command to create this blocking firewall rule.




/ip firewall filter add chain=forward dst-port=443 protocol=tcp tls-host=*.facebook.com action=drop




Firewall TLS Host Matcher
Firewall TLS Host Matcher




Your desired website will now be blocked with the above blocking rule. I have crated and tested this rule in RouterOS v6.44.3 and its working without any issue. So, try yourself and hope you will get result.




Sometimes you may need to allow blocked website for a specific user. In this case, you have to create another Filter Rule that will accept some specific users IP addresses. In the next section, we will know how to allow users to get access to blocked websites.




How to Allow Users to Get Access to Blocked Website




The above Filter Rule that we have created will block all users in your LAN. But sometimes you may need to allow some specific users to get access to blocked websites. The following steps will show how to create another filter rule that will allow a group of user to get access to blocked websites.




  • Go to IP > Firewall menu item and click on Filter Rules tab and then click on PLUS SIGN (+). New Firewall Rule window will appear.
  • Choose forward from Chain dropdown menu.
  • Choose tcp from Protocol dropdown menu.
  • Click on Dst. Port input box and put 443.
  • Click on Advanced tab and put a group name (such as Facebook Allowed Users) in Src. Address List input box and click on TLS Host input box and put your desired domain name that you want to allow (such as *.facebook.com) in this box.
  • Click on Action tab and choose accept from Action dropdown menu.
  • Click Apply and OK button.




Allowed rule has been created. Now place this allowed rule above the dropped rule. Otherwise, allowed user will go under dropped rule and fail to get access to desired website.




Firewall Filter Rules
Firewall Filter Rules




We have allowed blocked website to a group but don’t specify the user of that group. The following steps will show how to add an IP to the allowed user group.




  • Go to IP > Firewall menu item and click on Address Lists tab and then click on PLUS SIGN (+). New Firewall Address List window will appear.
  • Choose your created group name (Facebook Allowed Users) from Name dropdown menu.
  • Put user IP (such as 10.10.10.2) that you want to add this group in Address input field.
  • Click Apply and OK button.




Firewall Address List
Firewall Address List




Similarly, you can add as many IPs as you want in your allowed group following the above steps.




If you face any confusion to follow above steps properly, watch the following video about Blocking HTTPS Websites with MikroTik TLS Host Matcher. I hope it reduce your any confusion.