
How to Block Websites and Adult Content on MikroTik RouterOS

If you manage a home network, a school lab, or a small office, you may want to stop people from visiting distracting or harmful websites. You can block websites on MikroTik in several simple ways without buying any extra software or hardware.

MikroTik RouterOS gives you built-in tools to filter DNS, build firewall address lists, and even set time-based rules so websites are only blocked during certain hours.

What You Need Before You Start

Before starting to block websites on MikroTik, make sure you have:

  • A MikroTik router running RouterOS v6.36 or newer. RouterOS v7 is recommended for the best features.
  • Access to WinBox, WebFig, or the SSH Terminal on your router.
  • Admin credentials for your router.
  • A basic idea of your LAN subnet, for example, 192.168.88.0/24.

Method 1: Block Websites on MikroTik Using DNS Static Entries

This is the simplest method, and it works on every MikroTik router. For example, when a client asks your router what the IP address of facebook.com is, the router answers with 127.0.0.1 instead of the real one.

Follow the steps below to see how you can set it up.

Enable the Router as a DNS Server

Open a terminal and run the command below:

/ip dns set allow-remote-requests=yes

This tells the router to answer DNS queries from your LAN clients.

Add a Static DNS Entry to Block a Site

To block a website, add a static DNS record that points the name at 127.0.0.1, a sinkhole address the client cannot reach:

/ip dns static add name=example-site.com address=127.0.0.1 ttl=1h
/ip dns static add name=www.example-site.com address=127.0.0.1 ttl=1h

Always add both the www. version and the root domain. Many sites also use other subdomains (m., cdn., api.), and a static entry only matches the exact name, so you may need to add those too. On RouterOS v7 a single entry with match-subdomain=yes covers the domain and all of its subdomains.

Force All Clients to Use the Router’s DNS

If a user changes their DNS to 8.8.8.8 on their device, the static entry above will be bypassed. To prevent this, you must add a NAT rule that redirects all DNS traffic, port 53, back to the router:

/ip firewall nat
add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53 comment="Force DNS to router"
add action=redirect chain=dstnat dst-port=53 protocol=tcp to-ports=53 comment="Force DNS to router TCP"

Now, even if someone manually sets a different DNS server on their laptop or phone, their requests will be silently redirected back to your MikroTik router. Two caveats: this catches plain DNS on port 53 only, so encrypted DNS (DoH, DoT) needs the extra rules in the Limitations section, and the rule as written matches every interface, so on a router with several networks you may want to restrict it with in-interface-list=LAN.

Flush the DNS Cache

After adding the entries, flush the existing DNS cache so that answers cached before the entries existed are not served to clients:

/ip dns cache flush
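The whole of Method 1 as one configuration, with the hardening a practitioner would normally add: the redirect only touches traffic arriving from the LAN, an exemption list keeps an admin workstation out of the redirect while you test, and a v7 match-subdomain entry replaces the per-hostname entries. This is an added example, not from the original page; the LAN interface list name "LAN", the admin address 192.168.88.10 and the example-site.com domain are assumptions.

```routeros
# Method 1 end to end (added example). Assumes the default "LAN" interface
# list, LAN subnet 192.168.88.0/24, and RouterOS v7 (match-subdomain is v7).

# 1. Let LAN clients use the router as their resolver.
/ip dns set allow-remote-requests=yes

# 2. Sinkhole the domain and every subdomain in one entry.
#    On v6 there is no match-subdomain: add each hostname separately.
/ip dns static
add name=example-site.com match-subdomain=yes address=127.0.0.1 ttl=1h \
    comment="sinkhole example-site.com"

# 3. Hosts that may keep using an outside resolver (assumed admin PC).
/ip firewall address-list
add list=dns-redirect-exempt address=192.168.88.10 comment="admin PC (assumed)"

# 4. Redirect any port-53 query that enters from the LAN to the router,
#    whatever server the client typed in. Restricting to in-interface-list=LAN
#    keeps the rule from touching other networks on a multi-segment router.
/ip firewall nat
add chain=dstnat action=redirect protocol=udp dst-port=53 to-ports=53 \
    in-interface-list=LAN src-address-list=!dns-redirect-exempt \
    comment="Force DNS to router (udp)"
add chain=dstnat action=redirect protocol=tcp dst-port=53 to-ports=53 \
    in-interface-list=LAN src-address-list=!dns-redirect-exempt \
    comment="Force DNS to router (tcp)"

# 5. Drop answers cached before the entry existed, then check what the
#    router itself now returns and what sits in the cache.
/ip dns cache flush
:put [:resolve "www.example-site.com"]
/ip dns cache print where name~"example-site"
```

The :put line should print the sinkhole address rather than the real one; if it still shows a public IP, the static entry name does not match what was queried. From a client, nslookup against 8.8.8.8 should give the same answer, which proves the redirect is working.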

Method 2: Block Websites on MikroTik Using Address Lists plus Firewall

This method works at the IP level rather than the DNS level, so it also catches clients that never touch your DNS: apps with hard-coded IP addresses or devices that do their own resolution. It is best suited to services with a small, stable set of addresses; you build a list of blocked destinations and drop all traffic going to them.

Create an Address List

First, you must create an address list with the commands below:

/ip firewall address-list
add address=social-site.com list=blocked-sites
add address=another-site.com list=blocked-sites

RouterOS will automatically resolve the domain to its IP addresses and keep them in the list, refreshing them when the DNS TTL expires. This requires RouterOS v6.36+ to use domain names directly in address lists. Note that the list only contains the addresses the router's own resolver was given; a CDN may hand a client in your LAN a different address, which the rule will then miss.

Add a Firewall Rule to Drop Traffic

You must place this rule above any existing accept rules in your forward chain, including the default fasttrack rule; otherwise it may never trigger:

/ip firewall filter
add action=drop chain=forward comment="Block websites in list" dst-address-list=blocked-sites

Verify the Block

From a client machine on the network, try visiting the blocked site; it should time out or refuse to connect. You can also check the address list entries in WinBox under IP → Firewall → Address Lists.

Note: Large websites like Google, YouTube, and Facebook use hundreds of IP addresses and CDN nodes. Blocking them by IP alone can be unreliable; DNS-based blocking is more effective for those.
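On RouterOS v7 there is a better way to fill the list: a static DNS entry of type FWD that forwards the query upstream and copies every address the client receives into the address list, so the firewall sees exactly the IPs the client is about to connect to, subdomains included. This is an added example, not from the original page; it assumes a recent RouterOS v7 build, an upstream resolver of 1.1.1.1, and the placeholder domain social-site.com.

```routeros
# Method 2, v7 variant (added example). Assumes RouterOS v7 with the
# address-list parameter on static DNS entries; 1.1.1.1 is the assumed upstream.

# Every answer for social-site.com or any subdomain is forwarded upstream
# and the returned addresses are added to "blocked-sites" as dynamic entries.
/ip dns static
add name=social-site.com type=FWD forward-to=1.1.1.1 match-subdomain=yes \
    address-list=blocked-sites comment="populate blocked-sites"

# place-before=0 puts the drop at the top of the table, above the default
# fasttrack/accept rules, so a new connection is examined before it is
# accepted. Reject with a TCP reset makes browsers fail fast instead of
# hanging until the connection times out.
/ip firewall filter
add chain=forward action=reject reject-with=tcp-reset \
    dst-address-list=blocked-sites in-interface-list=LAN \
    comment="Block websites in list" place-before=0

# The list is empty until a client actually resolves the name. Run
# "nslookup www.social-site.com 192.168.88.1" on a LAN host, then:
/ip firewall address-list print where list=blocked-sites
/ip firewall filter print stats where comment="Block websites in list"
```

The address-list entries appear as dynamic (flag D) and age out with the record's TTL, so the list tracks whatever the CDN is currently returning. The stats print shows the packet counter of the rule, which is the quickest way to confirm the block is hitting.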

Method 3: Block Adult Content Using Cloudflare Family DNS

This is the fastest way to block websites on MikroTik that contain adult content, and it requires almost no maintenance. Cloudflare offers free DNS resolvers that automatically block adult websites and malware at the DNS level.

  • 1.1.1.3: Blocks malware and adult content.
  • 1.0.0.3: Secondary server with the same filtering.

Set Cloudflare Family DNS on the Router

To set the Cloudflare family DNS, you can use the command below:

/ip dns set servers=1.1.1.3,1.0.0.3 allow-remote-requests=yes

Push DNS to All Clients via DHCP

You must navigate to IP → DHCP Server → Networks, open your LAN network entry, and set the DNS field to your router’s IP, for example, 192.168.88.1. This ensures all clients use the router as their DNS, which in turn uses Cloudflare Family DNS upstream.

Or you can use the terminal:

/ip dhcp-server network set [find] dns-server=192.168.88.1

Force DNS Redirect and Test the Block

You can run the same NAT redirect rules shown in Method 1 under "Force All Clients to Use the Router's DNS" to stop users from bypassing this by changing their device DNS settings.

To test it, open a browser and try a known adult domain. Cloudflare answers such queries with 0.0.0.0 instead of the real address, so the browser shows a connection error rather than the site. You can confirm the same thing from a command prompt with nslookup: a blocked name resolving to 0.0.0.0 means your setup is working.

Also, you can use OpenDNS FamilyShield, 208.67.222.123 and 208.67.220.123, as an alternative. It works the same way.

Method 4: Block Websites on MikroTik Using the Built-in AdList

RouterOS 7.15 introduced a native AdList feature, essentially a built-in ad and content blocker similar to Pi-hole. You can point it to community-maintained blocklists that are regularly updated, letting you block websites on MikroTik at scale with thousands of domains at once.

Update RouterOS to v7.15 or Newer

First, you must update your RouterOS. For this purpose, go to System → Packages → Check for Updates and install the latest stable v7 release.

Increase DNS Cache Size

AdLists store their data in the DNS cache. If the cache is too small, you will get max cache size reached errors.

To increase the DNS cache size, you can use:

/ip dns set cache-size=40000

The value is in KiB, so this sets the cache to roughly 40 MB. Adjust based on your router's RAM; a router with 128 MB RAM can handle 30 to 40 MB safely.

Add a Blocklist URL

Go to IP → DNS → Adlist in WinBox and click +. Then, paste a blocklist URL. A popular choice is the StevenBlack unified hosts file:

https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

Note that this base list covers ads and malware only. For adult content you need one of the extended variants in the same repository, for example the "alternates/porn/hosts" file, which adds the adult-site category on top of the base list.

Or use the CLI:

/ip dns adlist add url="https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" ssl-verify=no

With ssl-verify=no the router does not check the certificate of the server it downloads from, so anyone who can intercept the connection could feed you a modified list that blocks, or unblocks, whatever they like. The list is input to your resolver; prefer ssl-verify=yes once you have trusted CA certificates imported on the router (a fresh RouterOS install ships without any).

The router will download and analyze the list. You can monitor progress with:

/ip dns adlist print

In the output, the name-count field shows how many domains are loaded. The match-count shows how many queries have been blocked.

Verify It Works

To verify it works, on a client, flush the DNS cache on Windows:

ipconfig /flushdns

Then, try visiting a known ad or adult domain. It should return 0.0.0.0 instead of the real IP.

Method 5: Schedule-Based Website Blocking

Sometimes you do not want to block something forever; maybe you want to block social media during work hours or restrict gaming sites at night for kids. This lets you block websites on MikroTik only during specific hours.

Make Sure the Router Clock Is Correct

Time-based rules are evaluated against the router's local clock, so both the time and the time zone must be right. Set the zone under System → Clock, then enable NTP (the servers= syntax below is RouterOS v7; v6 uses primary-ntp= with an IP address):

/system ntp client set enabled=yes servers=pool.ntp.org

Add a Time-Based Firewall Rule

The following example blocks all forwarded traffic to a specific address list between 9 PM and 7 AM, every day:

/ip firewall filter
add action=drop chain=forward comment="Block social media at night" \
    dst-address-list=blocked-sites \
    time=21:00:00-07:00:00,sun,mon,tue,wed,thu,fri,sat

The rule becomes active at 9:00 PM and deactivates at 7:00 AM automatically.

Alternative Way: Script with Scheduler

If you want more control, for example toggling a rule that matches a particular device by MAC address, you can use the Scheduler to enable and disable a rule. The find expression matches the comment exactly, so the target rule must carry the comment "Block social media" (not the "Block social media at night" comment used above), should have no time= matcher of its own, and should be created disabled so the first scheduler run turns it on:

/system script add name=enable-block source="/ip firewall filter enable [find comment=\"Block social media\"]"
/system script add name=disable-block source="/ip firewall filter disable [find comment=\"Block social media\"]"

/system scheduler add name=block-at-night on-event=enable-block start-time=21:00:00 interval=1d
/system scheduler add name=unblock-morning on-event=disable-block start-time=07:00:00 interval=1d
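A complete version of the scheduler approach for the MAC-address case mentioned above, as an added example that is not part of the original page: the rule starts disabled, the scripts and scheduler entries carry an explicit minimal policy, and the clock is set up first. The time zone, the MAC address and the address list name are placeholders.

```routeros
# Scheduler-driven per-device block (added example). Assumptions: time zone
# Europe/Berlin, laptop MAC AA:BB:CC:DD:EE:FF, list "blocked-sites" exists.

# Clock first: a wrong zone shifts every schedule by the zone offset.
/system clock set time-zone-name=Europe/Berlin
/system ntp client set enabled=yes servers=pool.ntp.org

# The rule matches the device by MAC, so it follows the laptop whatever IP it
# gets. It is created disabled; only the scheduler turns it on.
/ip firewall filter
add chain=forward action=drop src-mac-address=AA:BB:CC:DD:EE:FF \
    dst-address-list=blocked-sites disabled=yes \
    comment="night-block laptop" place-before=0

# Scripts need only read and write; no policy, ftp or sensitive rights.
/system script
add name=night-block-on policy=read,write \
    source="/ip firewall filter enable [find comment=\"night-block laptop\"]"
add name=night-block-off policy=read,write \
    source="/ip firewall filter disable [find comment=\"night-block laptop\"]"

# The scheduler entry's policy caps what the script may do when it runs it.
/system scheduler
add name=night-block-start start-time=21:00:00 interval=1d \
    policy=read,write on-event=night-block-on
add name=night-block-stop start-time=07:00:00 interval=1d \
    policy=read,write on-event=night-block-off

# Check the state after the next scheduled run.
/ip firewall filter print where comment="night-block laptop"
/system scheduler print
```

If the router reboots between 21:00 and 07:00 the rule stays in whatever state it was saved in, which is the intended behaviour here; if you need the block to be re-asserted on boot, add a third scheduler entry with start-time=startup that compares the current time to the window.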

Why You Should Avoid Layer 7 Protocol Blocking

You may have seen tutorials that use Layer 7 (L7) protocol matching to block websites. While it sounds powerful, MikroTik’s documentation warns against using it for website filtering.

Here is why you should avoid it:

  • It barely works on HTTPS. Almost every website today uses HTTPS; L7 cannot read the URL or page content inside an encrypted connection. The only hostname it can see is the Server Name Indication in the TLS handshake, and Encrypted Client Hello removes even that.
  • It kills router performance. L7 rules inspect every packet using regex. On a busy network, this maxes out your CPU fast.
  • It misses most traffic. L7 only inspects the first 10 packets or 2 KB of a connection. If the pattern is not in that window, the connection is left alone.

For reliable and efficient results, it is recommended to stick to DNS-based blocking.

Limitations: When Users Can Bypass Your Blocks

No single method is perfect. Here is what can defeat your filtering and how to reduce the risk:

1. Changing DNS Manually on a Device: A user sets 8.8.8.8 on their phone, and your DNS blocks stop working. To fix it, use the NAT redirect rules from Method 1 under "Force All Clients to Use the Router's DNS" to force all DNS queries back to the router.

2. DNS over HTTPS (DoH): Modern browsers and apps can use DoH (encrypted DNS over port 443), which completely bypasses a port-53 redirect. You can reduce the risk by blocking known DoH provider addresses in your firewall; the list below is a starting point, not a complete one, and needs maintaining:

/ip firewall address-list
add address=dns.google list=DoH-Block
add address=1.1.1.1 list=DoH-Block
add address=8.8.8.8 list=DoH-Block
add address=9.9.9.9 list=DoH-Block

/ip firewall filter
add action=drop chain=forward dst-address-list=DoH-Block comment="Block DoH bypass"

If you want to take DNS filtering further, you can check this guide on MikroTik DNS over HTTPS setup to encrypt your upstream DNS and boost privacy at the same time.

3. VPN Usage: A VPN tunnels all traffic through an encrypted connection. Your DNS blocks and firewall rules cannot see inside it. To fix this, you can block common VPN ports or use a managed DNS service like NextDNS that includes VPN and proxy detection.

4. Encrypted SNI / ECH: A newer HTTPS feature called Encrypted Client Hello (ECH) hides the domain name even in the TLS handshake. DNS-based blocking still works for the majority of sites since ECH requires special DNS support on the website’s end.
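A tighter version of the DoH and DoT blocking from item 2, as an added example that is not part of the original page. It matches only the encrypted-DNS ports rather than all traffic to the listed addresses, covers DNS over TLS and DNS over QUIC on port 853, and serves the Firefox canary domain as NXDOMAIN so Firefox keeps using the system resolver. The provider addresses are the well-known public resolvers; the NXDOMAIN static type assumes RouterOS v7.

```routeros
# Encrypted-DNS bypass controls (added example). Assumes RouterOS v7 for
# type=NXDOMAIN and the default "LAN" interface list.

# Public DoH endpoints. Hostnames are resolved by the router itself and kept
# current; plain IPs are the resolvers' well-known addresses.
/ip firewall address-list
add list=DoH-Block address=dns.google
add list=DoH-Block address=cloudflare-dns.com
add list=DoH-Block address=mozilla.cloudflare-dns.com comment="Firefox default DoH"
add list=DoH-Block address=dns.quad9.net
add list=DoH-Block address=1.1.1.1
add list=DoH-Block address=1.0.0.1
add list=DoH-Block address=8.8.8.8
add list=DoH-Block address=8.8.4.4
add list=DoH-Block address=9.9.9.9
add list=DoH-Block address=149.112.112.112

/ip firewall filter
# DoH rides on 443 (TCP) and HTTP/3 (UDP). Matching only these ports keeps
# the rule narrow; port-53 traffic to the same addresses is already handled
# by the Method 1 redirect.
add chain=forward action=drop dst-address-list=DoH-Block protocol=tcp \
    dst-port=443 in-interface-list=LAN comment="Block DoH (https)" place-before=0
add chain=forward action=drop dst-address-list=DoH-Block protocol=udp \
    dst-port=443 in-interface-list=LAN comment="Block DoH (http/3)" place-before=0
# DNS over TLS (tcp/853) and DNS over QUIC (udp/853) to any server; Android
# "Private DNS" is DoT and would otherwise bypass the port-53 redirect.
add chain=forward action=drop protocol=tcp dst-port=853 \
    in-interface-list=LAN comment="Block DoT" place-before=0
add chain=forward action=drop protocol=udp dst-port=853 \
    in-interface-list=LAN comment="Block DoQ" place-before=0

# Firefox looks up use-application-dns.net before turning DoH on by default;
# an NXDOMAIN answer tells it the network wants the system resolver used.
/ip dns static
add name=use-application-dns.net type=NXDOMAIN comment="Firefox DoH canary"

# Bypass attempts show up as hits on these counters.
/ip firewall filter print stats where comment~"Block Do"
```

The canary only affects Firefox's automatic DoH mode; a user who has explicitly enabled DoH in the browser settings ignores it, which is why the firewall rules are still needed.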

Which Method Should You Use to Block Websites on MikroTik?

Here is a side-by-side comparison of the methods for blocking websites on MikroTik:

Method                  | Best For                 | Maintenance    | Bypassed By
DNS Static Entries      | Specific site blocks     | Manual updates | DoH, VPN
Address List + Firewall | IP-level blocking        | Moderate       | VPN
Cloudflare Family DNS   | Adult content (families) | Almost none    | DoH, VPN
AdList (v7.15+)         | Large-scale blocking     | Auto-updated   | DoH, VPN
Schedule-Based Rules    | Time-limited access      | Low            | VPN

Conclusion

Blocking websites on MikroTik is not complicated once you understand the right tools. For most families and small offices, combining Cloudflare Family DNS with a DNS redirect NAT rule covers most use cases with minimal setup.

For more control, like blocking specific sites or adding time restrictions, the address list and scheduler methods give you better flexibility. If you are running RouterOS 7.15 or newer, the AdList feature brings Pi-hole-level blocking natively to your router without any extra hardware.

The key thing to remember is that layering DNS filtering, firewall rules, and DNS redirect together gives you a much stronger defense than relying on any single method alone.

If you need more control over DNS and policy routing, you can deploy RouterOS on a MikroTik VPS and manage your entire network filtering stack from the cloud.

FAQs

Does blocking websites on MikroTik work on mobile phones?

Yes, as long as the phone is on your Wi-Fi and using the router's DNS. The NAT redirect rule ensures this even if someone manually changes their phone's DNS server. The exception is Android's Private DNS setting, which uses DNS over TLS on port 853 and skips the port-53 redirect entirely; drop tcp/853 in the forward chain as described under Limitations.

Can I block YouTube on MikroTik but allow other Google services?

It is tricky because YouTube shares Google's IP infrastructure, so IP-level blocking would take other Google services down with it. The most reliable way is to add the YouTube domains to your DNS static block list (youtube.com, youtu.be, and the googlevideo.com domains that serve the video streams) while leaving other Google domains untouched.

How do I block adult content for only some devices, not the whole network?

Static DNS entries are global, so the router cannot give different answers to different devices. Instead, give those devices fixed addresses via DHCP static leases and collect them in an address list. Firewall rules can then be limited to them with src-address-list, and for DNS filtering you can dst-nat only their port-53 traffic to a filtering resolver such as 1.1.1.3 while the rest of the LAN keeps using the router.
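The per-device setup in full, as an added example that is not part of the original page: two devices get static leases, their DNS is rewritten to Cloudflare Family regardless of the server they configured, and the same devices are cut off from encrypted DNS. MAC addresses, IP addresses and the DHCP server name "defconf" are placeholders; the DoH-Block list is the one defined in the Limitations section.

```routeros
# Per-device adult-content filtering (added example). Assumptions: DHCP server
# named "defconf", placeholder MACs/IPs, and the DoH-Block list already exists.

# Fixed addresses so the firewall can name the devices reliably.
/ip dhcp-server lease
add server=defconf mac-address=AA:BB:CC:DD:EE:01 address=192.168.88.50 \
    comment="kids tablet (assumed)"
add server=defconf mac-address=AA:BB:CC:DD:EE:02 address=192.168.88.51 \
    comment="kids laptop (assumed)"

/ip firewall address-list
add list=filtered-devices address=192.168.88.50
add list=filtered-devices address=192.168.88.51

# Rewrite the destination of every port-53 query from these devices to the
# filtering resolver. Must sit above the generic "redirect to router" rule
# from Method 1, hence place-before=0. Replies are un-NATed by conntrack.
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=1.1.1.3 to-ports=53 \
    protocol=udp dst-port=53 src-address-list=filtered-devices \
    comment="filtered devices -> Cloudflare Family (udp)" place-before=0
add chain=dstnat action=dst-nat to-addresses=1.1.1.3 to-ports=53 \
    protocol=tcp dst-port=53 src-address-list=filtered-devices \
    comment="filtered devices -> Cloudflare Family (tcp)" place-before=0

# Close the encrypted-DNS side door for the same devices only.
/ip firewall filter
add chain=forward action=drop src-address-list=filtered-devices \
    protocol=tcp dst-port=853 comment="filtered devices: no DoT" place-before=0
add chain=forward action=drop src-address-list=filtered-devices \
    dst-address-list=DoH-Block protocol=tcp dst-port=443 \
    comment="filtered devices: no DoH" place-before=0

# Check: the NAT counters climb when a filtered device resolves anything.
/ip firewall nat print stats where comment~"filtered devices"
```

Because the rewrite happens in dstnat, it does not matter whether the device asks 192.168.88.1, 8.8.8.8 or anything else; every query leaves through 1.1.1.3. The other devices are untouched and keep using whatever the router's own DNS settings are.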
