abdulnasir
just joined
Topic Author
Posts: 2
Joined: Tue Mar 06, 2018 10:26 am

Block and Allow websites by specific users

Wed Mar 07, 2018 7:23 am

I have created a rule for forward and output.
Our IP range is 192.168.0.0 till 254.
The rules are created as:
Rule = Block
action : output
Src.add : 192.168.0.0/24
Layer7 : youtube&facebook as described in layer 7 protocols : ^.+(youtube.com|facebook.com).*$
Action : drop
and-----------
action : forward
Src.add : 192.168.0.0/24
Layer7 : youtube&facebook as described in layer 7 protocols : ^.+(youtube.com|facebook.com).*$
Action : drop
---
It is running perfectly.
-------------------------------------------------
But now I have created an Allow rule for a few users as:
Rule = Allow
action : output
Src.add : 192.168.0.0/24
Layer7 : youtube&facebook as described in layer 7 protocols : ^.+(youtube.com|facebook.com).*$
Action : accept
and-------
Rule = Allow
action : forward
Src.add : 192.168.0.0/24
Layer7 : youtube&facebook as described in layer 7 protocols : ^.+(youtube.com|facebook.com).*$
Action : accept
---but it doesn't work.
----------------------------------------------------------
Please correct me where I am wrong because I am not very familiar with Firewall.
Your replies are welcome for the above-mentioned youtube & facebook. Also suggest how to block and allow video streaming sites for specific users.
Abdul Nasir
 
sindy
Forum Guru
Posts: 11252
Joined: Mon Dec 04, 2017 9:19 pm

Re: Block and Allow websites by specific users

Wed Mar 07, 2018 3:45 pm

The added "accept" rules contain the same src-address as the "drop" rules, so how do you identify/want to identify those "users" for which these rules should apply?

Other than that, the order of rules matters. So you have to place the exceptional "accept" rules before the "drop" ones, otherwise the packets will be dropped by the "drop" rules and never reach the "accept" rules.
 
erfanurmia
newbie
Posts: 31
Joined: Wed Mar 07, 2018 11:14 am

Re: Block and Allow websites by specific users

Wed Mar 07, 2018 5:08 pm

You should define the users by hand: which users are to access some sites and which are not.
The solution is to create address-lists, one of which manages the block section and the other the access section.
-----------------------------
chain : forward
src-address-list : block-users
layer7 : ....
action : drop
-----------------------------
chain : forward
src-address-list : access-users
layer7 : ....
action : accept

If you want to block a user, you just add the user's IP to the block address-list,
and do the same for the access address-list.
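
The ordering and address-list advice from the replies above, combined into one RouterOS configuration. This is an added example, not part of any post in the thread; the list name `access-users` follows the post above, while the protocol name `social-video` and the address 192.168.0.10 are constructed for illustration.

```routeros
# Layer7 pattern taken from the first post; "$" is escaped for the RouterOS console.
/ip firewall layer7-protocol
add name=social-video regexp="^.+(youtube.com|facebook.com).*\$"

# Hosts exempt from the block (constructed sample address).
/ip firewall address-list
add list=access-users address=192.168.0.10 comment="exempt host (example)"

# Filter rules are evaluated top to bottom and the first match wins,
# so the exception must sit above the general drop.
/ip firewall filter
add chain=forward src-address-list=access-users layer7-protocol=social-video \
    action=accept comment="exempt hosts: allow"
add chain=forward src-address=192.168.0.0/24 layer7-protocol=social-video \
    action=drop comment="everyone else in the LAN: drop"

# Check the resulting order and per-rule hit counters.
/ip firewall filter print stats
```

On a router that already has filter rules, `add` appends to the end of the chain, so both rules have to be moved above any earlier rule that matches the same traffic.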
 
abdulnasir
just joined
Topic Author
Posts: 2
Joined: Tue Mar 06, 2018 10:26 am

Re: Block and Allow websites by specific users

Wed Mar 14, 2018 9:05 am

Dear Friends,

I have created rules the same as suggested by you guys but the result is the same.

Also, I have separately created a rule to block video by specific IP, in which dailymotion and other video streaming sites are mentioned in Layer 7, but all are working at the user side.

There is some different way, I think, that is missing... I don't know what and how...

Can you guys suggest any software or utility that can run on my PC for access control purposes, where MikroTik is running behind?

Is it possible to use any software for control? Please suggest anything; I just have to do a simple block and allow of sites for the users, IP-wise.

Thanks & regards.
Abdul Nasir
 
khurrammcsa
just joined
Posts: 1
Joined: Tue Nov 19, 2019 6:43 am

Re: Block and Allow websites by specific users

Tue Nov 19, 2019 6:54 am

I made the following option 1 rules and configuration and it works for me. You can check option 2 as well.

For Youtube Block (option 1)
-------------------------
/ip firewall mangle
add action="mark-connection" chain="prerouting" protocol=udp dst-port=53 connection-mark=no-mark content=youtube new-connection-mark=YOUTUBE_CONN passthrough=yes
add action=mark-packet chain="prerouting" connection-mark=YOUTUBE_CONN new-packet-mark=YOUTUBE_PACKET

/ip firewall filter
add action=drop chain=forward packet-mark=YOUTUBE_PACKET
add action=drop chain=input packet-mark=YOUTUBE_PACKET

For Youtube block (option 2)
-----------------------------
Make a layer7 protocol with this regexp, with the name:

Layer7-youtube

^.+(youtube.com|www.youtube.com|m.youtube.com|ytimg.com|s.ytimg.com|ytimg.l.google.com|youtube.l.google.com|i.google.com|googlevideo.com|youtu.be).*$

/ip firewall filter add action=drop chain=forward comment=Layer7-youtube layer7-protocol=Layer7-youtube