zsvendo
just joined
Topic Author
Posts: 5
Joined: Tue Mar 19, 2024 8:02 pm

Block 4 websites version 7.14

Mon Jul 15, 2024 11:12 pm

I have version 7.14 and I wanted to block websites by some means other than layer7. I tried tls but it wasn't effective; I need to block YouTube and Facebook.
Do you know of any way?
 
anav
Forum Guru
Posts: 21226
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block 4 websites version 7.14

Tue Jul 16, 2024 2:37 am

Get a router that does DPI, not mikrotik.
 
zsvendo
just joined
Topic Author
Posts: 5
Joined: Tue Mar 19, 2024 8:02 pm

Re: Block 4 websites version 7.14

Tue Jul 16, 2024 4:03 am

I wouldn't say that, because Mikrotik is already thinking about making big blocks. Or don't you know addlist?
 
anav
Forum Guru
Posts: 21226
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block 4 websites version 7.14

Tue Jul 16, 2024 4:52 am

and money grows on trees, and unicorns and rainbows
 
jvanhambelgium
Forum Guru
Posts: 1086
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Block 4 websites version 7.14

Tue Jul 16, 2024 6:42 am

Perhaps the best alternative is that you control the DNS. Then you can also do some serious blocking.
If your Mikrotik is capable of running containers you can look for something like Adblock or Pihole and simply block on that.
Of course you will have a tough time blocking "leaking DNS" clients that will try to bypass your DNS filter (DoH, DoT, etc.).
If your Mikrotik cannot run containers, look for something else to run the above-mentioned software on.

What Mikrotik product? What audience? (Your kids at home? Students? A corporate environment?)

But for serious, scalable content-filtering policies and enforcement across an organisation, go for another product.
 
zsvendo
just joined
Topic Author
Posts: 5
Joined: Tue Mar 19, 2024 8:02 pm

Re: Block 4 websites version 7.14

Tue Jul 16, 2024 2:19 pm

jvanhambelgium wrote:
Perhaps the best alternative is that you control the DNS. Then you can also do some serious blocking.
If your Mikrotik is capable of running containers you can look for something like Adblock or Pihole and simply block on that.
Of course you will have a tough time blocking "leaking DNS" clients that will try to bypass your DNS filter (DoH, DoT, etc.).
If your Mikrotik cannot run containers, look for something else to run the above-mentioned software on.

What Mikrotik product? What audience? (Your kids at home? Students? A corporate environment?)

But for serious, scalable content-filtering policies and enforcement across an organisation, go for another product.

For a small business with 10 employees.
Mikrotik 750Gr3.
 
jvanhambelgium
Forum Guru
Posts: 1086
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Block 4 websites version 7.14

Tue Jul 16, 2024 3:23 pm

I wonder if you would not be better off handling this at the CLIENT/ENDPOINT level. There are various endpoint-security clients available with things like web-filter control policies etc. Is this a 100% Windows 10/11 environment?
Things like Microsoft Defender for Endpoint etc.

...not everything can (or should) be "solved" at network level...
 
llamajaja
Member Candidate
Posts: 275
Joined: Sat Sep 30, 2023 3:11 pm

Re: Block 4 websites version 7.14

Tue Jul 16, 2024 3:39 pm

Fixed it for ya........
...not everything can (or should) be "solved" at network-level via mikrotik products... RoS from 750 to ccr2216 is still RoS.
 
rextended
Forum Guru
Posts: 12438
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block 4 websites version 7.14

Tue Jul 16, 2024 10:34 pm

You could have done a search on this forum before opening the hundredth post about the same old thing.
There are dozens and dozens of posts that all lead to the same conclusion:

IT-CAN'T-BE-DONE

All it takes is a simple FREE "VPN", and you get screwed.

Is it a company?
Have a resolution signed: anyone who uses Facebook or YouTube at work,
with a company device or connection, will be fined 500¤ the first time, 5000¤ the second, and the third time they will be fired.
You don't even have to bother with needlessly configuring things...

I'll explain the gist of the matter:
People block advertising banners.
Some states block social media.
Other states block gambling, tobacco, sex, etc. sites.
So Google, Meta, and the tobacco, gambling and sex industries are interested in people always reaching their sites.
They spend all day taking the piss out of you, saying that HTTPS is for security, that DNS must be hidden and encrypted, etc. etc. etc.,
just to ultimately have control over what you do with the devices, and prevent anyone from filtering unwanted things.

So it's a losing war from the start. Who are we to compete with half the world's wealth?
 
anav
Forum Guru
Posts: 21226
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block 4 websites version 7.14

Wed Jul 17, 2024 12:02 am

<----- what he said, I don't know shit.
Yup, lots of piss, whether you drink vino or cerveza or coffee or, for my friend rextended, Canadian Club Rye Whiskey. ;-)
 
dang21000
newbie
Posts: 46
Joined: Sat Feb 25, 2023 2:30 pm
Location: France

Re: Block 4 websites version 7.14

Thu Jul 18, 2024 3:59 am

Create a static DNS entry that catches all fb/yt DNS names and returns 127.0.0.1.

I block DNS from the LANs to the WAN. The only resolver is the mkt.
The only way to bypass it is for the client to use its own hosts file with the real IP.

So I added forward deny rules with a dst address list that contains the identified DNS names.
I've blocked a few websites for 99% of users during work hours.
 
jvanhambelgium
Forum Guru
Posts: 1086
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Block 4 websites version 7.14

Thu Jul 18, 2024 7:21 am

dang21000 wrote:
Create a static DNS entry that catches all fb/yt DNS names and returns 127.0.0.1.

I block DNS from the LANs to the WAN. The only resolver is the mkt.
The only way to bypass it is for the client to use its own hosts file with the real IP.

So I added forward deny rules with a dst address list that contains the identified DNS names.
I've blocked a few websites for 99% of users during work hours.

I think you can indeed still get some reasonable results with managing DNS (either locally on RouterOS, or on some Adguard/Pihole box or container), but DNS-over-HTTPS and DNS-over-TLS are going to punch through it.
In a corporate environment where you can also manage endpoints/browsers you can control more, disabling any DNS-over-HTTPS/DNS-over-TLS etc. that might leak through.
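
A RouterOS 7 configuration that carries out what dang21000 describes above (static DNS sinkhole, DNS allowed only to the router, a time-limited forward drop on an address list) together with the DoT/DoH caveat from this reply. This is an added example, not configuration from either poster; it assumes interface lists named LAN and WAN already exist and that the match-subdomain option is available on static DNS entries, and the address-list prefixes are constructed placeholders.

```routeros
# Added example, not from the thread. Assumes interface lists "LAN" and "WAN"
# exist. The address-list prefixes below are constructed placeholders, not
# real Facebook/YouTube ranges: replace them with addresses you identify.

# 1. Router answers DNS for LAN clients; static entries sinkhole the names
#    (match-subdomain also catches www., m., etc.) by returning 127.0.0.1.
/ip dns set allow-remote-requests=yes
/ip dns static
add name=facebook.com    match-subdomain=yes address=127.0.0.1 comment="sinkhole"
add name=fbcdn.net       match-subdomain=yes address=127.0.0.1 comment="sinkhole"
add name=youtube.com     match-subdomain=yes address=127.0.0.1 comment="sinkhole"
add name=googlevideo.com match-subdomain=yes address=127.0.0.1 comment="sinkhole"

# 2. Only the router may resolve: accept DNS on the input chain from LAN,
#    drop plain DNS and DNS-over-TLS (tcp/853) heading out towards WAN.
#    DoH shares tcp/443 with ordinary HTTPS and cannot be singled out by
#    port here; that is the hole this reply warns about.
/ip firewall filter
add chain=input in-interface-list=LAN protocol=udp dst-port=53 action=accept \
    comment="LAN -> router DNS"
add chain=input in-interface-list=LAN protocol=tcp dst-port=53 action=accept \
    comment="LAN -> router DNS"
add chain=forward out-interface-list=WAN protocol=udp dst-port=53 action=drop \
    comment="no external DNS"
add chain=forward out-interface-list=WAN protocol=tcp dst-port=53,853 action=drop \
    comment="no external DNS / DoT"

# 3. Backstop for clients that bypass DNS with a hosts file: drop forwarded
#    traffic to the identified addresses, during work hours only.
/ip firewall address-list
add list=blocked-sites address=203.0.113.0/24  comment="placeholder: identified FB range"
add list=blocked-sites address=198.51.100.0/24 comment="placeholder: identified YT range"
/ip firewall filter
add chain=forward in-interface-list=LAN dst-address-list=blocked-sites \
    time=9h-17h,mon,tue,wed,thu,fri action=drop comment="blocked sites, work hours"
```

The forward drop rules must sit above any general forward accept or fasttrack rule (use place-before= when adding them), otherwise they never match.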
