How to block websites through filter rules in Mikrotik


In this method of “Web Filtering”, specific websites can be blocked on MikroTik using the Content Filter Rules. This filter can be found in the ‘Advanced’ tab while adding new firewall filter rules.

This method tries to match packets that contain the specified string in the URL, and then applies the action selected in the rule to those packets.

To block a website, for example “Facebook”, on a MikroTik, the steps are as follows:

  1. Go to IP > Firewall. Click on the ‘Filter Rules’ tab. Click on '+' to add a new rule.

  2. In the General tab, select chain as forward and protocol as tcp.

  3. In the Advanced tab, enter ‘facebook’ in the Content field.

  4. In the Action tab, select Action as reject, then select Reject With as icmp host unreachable.
     Click on Comment to add a label “Block Facebook” to the rule. Click Apply, then OK.

     The MikroTik terminal command for adding the above rule is as follows:

     /ip firewall filter add chain=forward protocol=tcp content="facebook" action=reject reject-with=icmp-host-unreachable comment="Block Facebook"

     In Winbox, click on New Terminal. Copy and paste the above command into the terminal window and hit Enter. The firewall rule will be added instantly.

  5. Drag this rule above the other essential firewall filter rules. This step is very important, as filter rules are evaluated in top-to-bottom order and you need to make sure the rules are ordered accordingly.

If there are multiple local networks created on the MikroTik router, the rule created above will block the website across all networks.

If you want to block any website only on one particular network

To block the website on only one of the multiple networks created on the MikroTik, we specify the network on which the website is to be blocked in the Src. Address field in the General tab while adding the Block Website rule:

  • The MikroTik terminal command for adding the above rule is as follows:

    /ip firewall filter add chain=forward src-address="192.168.88.0/24" protocol=tcp content="facebook" action=reject reject-with=icmp-host-unreachable comment="Block Facebook"

    The rule will thus block the website on all devices connected to the 192.168.88.0/24 network.

    In order to block the website only for a certain IP range, say the DHCP pool range, we specify the IP range in the Src. Address field in the General tab while adding the Block Website rule:


  • The MikroTik terminal command for adding the above rule is as follows:

    /ip firewall filter add chain=forward src-address="192.168.88.10-192.168.88.254" protocol=tcp content="facebook" action=reject reject-with=icmp-host-unreachable comment="Block Facebook"

    The rule will thus block the website on all devices which are dynamically or manually assigned IP addresses in the range 192.168.88.10-192.168.88.254. Devices that are manually assigned IP addresses outside the DHCP pool will be able to access the website.

If you want to block any website only on certain devices

In order to block the website only for a certain device, there are two methods through which this can be done:

  • Method 1: We specify the static IP of the device in the Src. Address field in the General tab while adding the Block Website rule, as seen below:

  • The MikroTik terminal command for adding the above rule is as follows:

    /ip firewall filter add chain=forward src-address="192.168.88.10" protocol=tcp content="facebook" action=reject reject-with=icmp-host-unreachable comment="Block Facebook"

    The rule will block the website on only the device which is manually or dynamically assigned the IP address 192.168.88.10.

  • Method 2: We specify the MAC address of the device in the Src. MAC Address field in the Advanced tab while adding the Block Website rule, as seen below:

  • The MikroTik terminal command for adding the above rule is as follows:

    /ip firewall filter add chain=forward src-mac-address="AA-BB-CC-DD-EE-FF" protocol=tcp content="facebook" action=reject reject-with=icmp-host-unreachable comment="Block Facebook"

    The rule will block the website on only the device which has the MAC address AA-BB-CC-DD-EE-FF.

If you want to whitelist a few devices for particular websites which are otherwise blocked

If a website is blocked across all networks, or on a certain network, but certain specific devices need to be given access to these sites, then we will create another filter rule and place it above the existing Website Blocking rule. We recommend you read the FAQ section below in detail.

    How to Whitelist users (devices) to access blocked websites on Mikrotik
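The rule-ordering requirement from step 5 and the whitelist rule described above, as an added Python model (not from the original page and not RouterOS code) of top-to-bottom, first-match evaluation. The whitelist rule's fields, the device addresses and the sample payloads are constructed assumptions.

```python
import ipaddress

# Simplified model (not RouterOS code): rules are checked top to bottom, first match decides.

def src_matches(spec, src):
    """spec is a single IP, a CIDR network or an 'a-b' range, as on the page."""
    ip = ipaddress.ip_address(src)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-"))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)

def evaluate(rules, pkt):
    """Return the action of the first matching rule; unmatched packets pass."""
    for rule in rules:
        if rule["protocol"] != pkt["protocol"]:
            continue
        if "src-address" in rule and not src_matches(rule["src-address"], pkt["src"]):
            continue
        if rule["content"].encode() not in pkt["payload"]:
            continue
        return rule["action"]
    return "accept"

# The page's block rule, and a hypothetical whitelist rule for one device.
BLOCK = {"protocol": "tcp", "content": "facebook", "action": "reject"}
ALLOW = {"protocol": "tcp", "content": "facebook", "action": "accept",
         "src-address": "192.168.88.10"}

# Constructed sample payloads (plain HTTP requests).
FB = b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
OTHER = b"GET /news HTTP/1.1\r\nHost: example.org\r\n\r\n"
MENTION = b"GET /search?q=facebook HTTP/1.1\r\nHost: example.org\r\n\r\n"

def pkt(src, payload):
    return {"protocol": "tcp", "src": src, "payload": payload}

def demo():
    good, bad = [ALLOW, BLOCK], [BLOCK, ALLOW]  # whitelist above vs. below
    return {
        "whitelisted, allow first": evaluate(good, pkt("192.168.88.10", FB)),
        "whitelisted, block first": evaluate(bad, pkt("192.168.88.10", FB)),
        "other device": evaluate(good, pkt("192.168.88.20", FB)),
        "unrelated site": evaluate(good, pkt("192.168.88.20", OTHER)),
        "string in another URL": evaluate(good, pkt("192.168.88.20", MENTION)),
    }

if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case}: {action}")
```

The last case shows the content match rejecting a request to a different site only because the string appears in its URL, which is worth checking for before deploying a short match string.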

