tangram
Member Candidate
Topic Author
Posts: 132
Joined: Wed Nov 16, 2016 9:55 pm

Layer7 Protocol filter doesn't work right

Tue Apr 11, 2017 1:37 pm

Hi,

I'm trying to set up access to a bunch of sites and deny all others. I've gone the layer7 route, created the list and it kinda works. What I mean by that is that if in the filter rules I set "drop" traffic, things work, and no sites on that list are allowed. But if I check inverse match (!), nothing works: not allowed, not blocked. My understanding is that by checking that, it should block all others not on that list, thus achieving my goal.

Am I doing something wrong, or does it just not work like that?
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Layer7 Protocol filter doesn't work right

Tue Apr 11, 2017 10:02 pm

The layer 7 firewall won't work for encrypted https connections. You may spend a lot of time on this and not get a satisfactory result. Your best bet would be to find a different device that's designed to do content filtering. Fortinet and Sonicwall maybe.

With Mikrotik, best you may get is applying layer 7 to DNS. Set up firewall to disallow DNS entries to external dns servers like google, opendns, etc. Or you can even use a firewall rule to re-address the dest-IP of the dns query to your own Mikrotik IP. Both Windows and Linux don't seem to care if a DNS response comes from an IP that's different from where the request was sent.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Layer7 Protocol filter doesn't work right

Wed Apr 12, 2017 12:20 am

L7 matcher collects the first 10 packets of a connection or the first 2KB of a connection and searches for the pattern in the collected data. If the pattern is not found in the collected data, the matcher stops inspecting further.
I may be wrong, but my guess is that the L7 matcher probably does not wait for all 10 packets or 2kB of data. So if you're looking for something that's not there, once it's not there in the first packet, it no longer matters if it would be e.g. in the second one. So "not" with L7 is probably useful only for single-packet stuff like DNS. But again, I may be wrong, I didn't test it.
Both Windows and Linux don't seem to care if a DNS response comes from an IP that's different from where the request was sent.
I didn't test this either (it seems wrong, but maybe it's true), but it's not what happens when you redirect DNS queries to the router's own resolver. It's NAT, so it will make sure that the reply packet sent to the client will have the source address used by the client's request as its destination.
 
tangram
Member Candidate
Topic Author
Posts: 132
Joined: Wed Nov 16, 2016 9:55 pm

Re: Layer7 Protocol filter doesn't work right

Wed Apr 12, 2017 10:05 am

I will test this regarding the first packets. It's true I've set the filter on dst port 80/443; I'll try to filter other protocols too and see how that goes. TBH, DNS would work too, because if you can't resolve you can't access by name :)

Thank you guys.
 
tangram
Member Candidate
Topic Author
Posts: 132
Joined: Wed Nov 16, 2016 9:55 pm

Re: Layer7 Protocol filter doesn't work right

Wed Apr 12, 2017 12:59 pm

You guys are great, I got it working by filtering DNS traffic and using the L7 matcher. Requests are blocked, so you can't resolve sites not included in the regexp.
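One way to build a precise L7 regexp for that DNS allowlist, as an added Python example that is not from this thread or from MikroTik: it encodes constructed sample queries in DNS wire format, generates the regexp string for /ip firewall layer7-protocol, and checks it the way the matcher would (case-insensitive, "." matching any byte). Anchoring each label on its length byte and the name on its terminating \x00 avoids the overmatch of the usual "^.+(example.com).*$" pattern; the RouterOS rule that references the protocol (e.g. an inverse-match drop on udp/53) is assumed, not shown.

```python
import re
import struct


def dns_query(name: str, qtype: int = 1) -> bytes:
    """Constructed sample: a minimal DNS query payload for `name` (A record by default)."""
    # id, flags (RD set), qdcount=1, ancount/nscount/arcount=0
    header = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    # Wire-format name: each label prefixed by its length byte, terminated by \x00
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)  # qtype, qclass IN


def allowlist_regexp(domains) -> str:
    """Return the regexp for a layer7-protocol entry that matches queries for the
    listed domains and their subdomains only. Each label is anchored on its DNS
    wire-format length byte and the whole name on its terminating \\x00, so names
    that merely contain the string (notexample.com, example.com.other.test) do not
    match. \\xHH escapes are accepted by the RouterOS L7 matcher (l7-filter syntax)."""
    alternatives = []
    for domain in domains:
        labels = domain.strip(".").lower().split(".")
        alternatives.append("".join(f"\\x{len(label):02x}{label}" for label in labels))
    return "^.+(" + "|".join(alternatives) + ")\\x00"


def l7_matches(regexp: str, payload: bytes) -> bool:
    """Emulate the matcher on one packet: case-insensitive, '.' matches any byte."""
    pattern = re.compile(regexp.encode("latin-1"), re.IGNORECASE | re.DOTALL)
    return pattern.search(payload) is not None


if __name__ == "__main__":
    rx = allowlist_regexp(["example.com", "mikrotik.com"])
    print("regexp for /ip firewall layer7-protocol:", rx)
    for name in ["www.example.com", "forum.mikrotik.com",
                 "notexample.com", "example.com.other.test"]:
        print(f"{name:24} allowed={l7_matches(rx, dns_query(name))}")
```

Paste the printed string into the layer7-protocol entry; a filter rule on udp/53 with the inverse-matched protocol and action=drop then blocks every query that is not for a listed domain.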
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Layer7 Protocol filter doesn't work right

Thu Apr 13, 2017 2:55 am

... dns would work too because if you can't resolve you can't access by name :)
Not entirely true, you can look up addresses elsewhere, put them in hosts file and connect just fine. ;)
 
tangram
Member Candidate
Topic Author
Posts: 132
Joined: Wed Nov 16, 2016 9:55 pm

Re: Layer7 Protocol filter doesn't work right

Fri Apr 14, 2017 10:43 am

As a principle, of course you are right, but my users don't have access to change the hosts file; I doubt they even know about it.
You adapt to your target audience; if you expect "resistance", buy a more advanced or specialized device :)))
