How to permit only company-allowed websites and block all other websites using Mikrotik routers

 As a network administrator, one of the things that make you a master of your job is your ability to take full control of your network and dictate what can and cannot be done. With organizations paying heavily for internet subscriptions, it is expected that users will judiciously make use of the subscribed bandwidth for the good of the organization. This has been found to be far from the truth as employees are in the habit of using their employers’ internet to search for other jobs, stream videos on YouTube, visit Facebook, p0rn sites and so on. When these happen, there will be little or nothing left for legitimate traffic, causing the company’s operation to surfer. In this post, I will share with us on how to permit company-allowed traffics (legitimate traffics) while blocking all other forms of traffics.

This of course will be done using the layer7 protocols and firewall filter rules but in a highly organized fashion. The first thing to do is to identify your company’s allowed websites. This should include your company’s website, Skype, email provider,,,,, outlook, office365, and other services you may wish to permit.

See code below but do not forget to edit to suite your needs.

Block website with Mikrotik layer7 protocol
Image showing how to block sites with layer7 protocol


Next, create a firewall filter rule for the layer7 protocols created above and set the action to accept. To do that, I will enter the below commands: For https sites:
Ip firewall filter add chain=forward action=accept layer7-protocol=Users Allowed Websites protocol=tcp dst-port=443

For http sites:

Ip firewall filter add chain=forward action=accept layer7-protocol=Users Allowed Websites protocol=tcp dst-port=80.
Next, I will create another layer7 protocol for all other sites that should be blocked.
Mikrotik layer7 protocol
Image showing layer7 protocol
This is the code:
Now, I will create two filter rules (https and http), using the layer7 protocol (block_all_website) above to deny all access to any other website not included in my allowed website list.
Block all port other 443 websites:
Ip firewall filter add chain=forward
action=drop layer7-protocol=block_all_website protocol=tcp 
dst-port=443 log=yes
Block all other port 80 websites:
Ip firewall filter add chain=forward
action=drop layer7-protocol=block_all_website protocol=tcp 
dst-port=80 log=yes
The final task is to create two more rules;one to drop invalid connections and another, to allow established, related and new connections. These rules do not make use of layer7 protocols For invalid connections, see below and set the action to drop.
For related, established and new connections, set the action to allow.
With this setup, the company’s subscribed bandwidth will be put to good use and it will serve its purpose and you, as a network administrator will be respected and appreciated by the organisation for your efforts at improving the quality of service delivery. Please stay with me on YouTube, Facebook and Twitter.
Spread the love

Leave a Comment