How to configure time-based firewall filter rules on Mikrotik routers

Mikrotik allows the use of time-based firewall filter rules to filter traffics, permit and deny access to network resources like websites, using attributes like time and days of the week. In this demonstration, I want to share with us on how to create firewall filter rules that will deny network users access to YouTube from 8am to 5pm Monday to Friday.

In a production environment, it is necessary to ensure that users are able to access the internet seamlessly. Part of this is making sure that the company’s internet is used for what it is meant for. To do this, all streaming sites, download or p2p sites must be blocked during work hours. Mikrotik router OS has a feature that allows network administrators to fully automate this process. Users can create time-based firewall filter rules in conjunction with layer7 scripts that will work with NTP to ensure that the rules are effectively enforced. To implement this solution, the following conditions must be met:

  • The Mikrotik router must have accurate time configured (router can be configured as NTP client).
  • A layer7 script must be created
  • A firewall filter rule which makes use of the layer7 script must be created


Creating a Miktrotik time-based firewall filter rule

First, configure the Mikrotik router as an NTP client. This can be done using the command line interface via the new terminal menu. See below:

[admin@timigate] > sys ntp client set primary-ntp= enabled=yes


Mikrotik ntp client
Image showing ntp client attributes


Next, we create a layer7 script to block Youtube. This can be done using the command line interface as shown below:

[admin@timigate] > ip firewall layer7-protocol add name=youtube regexp=^*$

Next, we create a time-based firewall filter rule that will make use of the layer7 script created above to deny users access to Youtube during work hours. The rule will be ineffective from 5pm to 8am and on Saturdays and Sundays. See below:

/ip firewall filter add

add chain=forward action=drop layer7-protocol=youtube in-interface=ether5 time=8h-17h,mon,tue,wed,thu,fri log=no log-prefix=””



mikrotik time-based firewall filter rules
image showing a firewall filter rule that denies access to Youtube


Spread the love

Leave a Comment