If you want to control Facebook or YouTube traffic in your LAN—whether accessed via browser or Android apps—MikroTik can handle it efficiently. This tutorial is step-by-step and user-friendly.
Step 1: Network Overview
- LAN Subnet: 192.168.88.0/24
- WAN Interfaces: ether1, ether2, pppoe-out1
- RouterOS Version: v6.49.18
- Goal: Limit Facebook/YouTube traffic, support both browser and Android apps, CPU-friendly, multi-WAN ready
Step 2: Disable FastTrack
FastTrack hands established connections to a fast path that skips the mangle chains and the queue tree, so fasttracked packets never receive a packet mark and are never shaped. The default configuration installs one such rule in the forward chain; remove it (or disable it) before adding any mangle rules:
/ip firewall filter
remove [find action=fasttrack-connection]
Without FastTrack every packet goes through the full firewall, so expect higher CPU load on small routers; watch cpu-load in /system resource print while clients are streaming.
Step 3: Block QUIC (UDP 443)
Android apps and Chromium-based browsers prefer QUIC/HTTP/3 over UDP 443. The tls-host matcher used in Step 4 only inspects the TLS ClientHello inside a TCP stream, so QUIC flows would never be marked and would bypass the queues. Dropping UDP 443 from the LAN makes clients fall back to TCP 443, where the marks and queues apply. Be aware that this blocks HTTP/3 for every site, not only Facebook and YouTube, and the rule must sit above any rule that accepts all traffic from the LAN (place-before=0 puts it at the top of the chain):
/ip firewall filter
add chain=forward src-address=192.168.88.0/24 protocol=udp dst-port=443 action=drop comment="Block QUIC from LAN" place-before=0
Step 4: Mark TCP 443 Traffic using TLS-host
The tls-host matcher reads the Server Name Indication (SNI) from the TLS ClientHello, and only the one TCP segment that carries the ClientHello matches it. A tls-host rule with action=mark-packet therefore marks a single packet per connection and the queues see almost nothing. Mark the connection instead, then mark every packet of marked connections with a second rule. The connection mark is shared by both directions, so the second rule deliberately has no src-address: the downloaded video gets the mark as well as the upload.
Facebook
/ip firewall mangle
add chain=prerouting src-address=192.168.88.0/24 protocol=tcp dst-port=443 connection-mark=no-mark tls-host=*.facebook.com action=mark-connection new-connection-mark=facebook passthrough=no
add chain=prerouting src-address=192.168.88.0/24 protocol=tcp dst-port=443 connection-mark=no-mark tls-host=*.fbcdn.net action=mark-connection new-connection-mark=facebook passthrough=no
add chain=prerouting connection-mark=facebook action=mark-packet new-packet-mark=facebook passthrough=no
YouTube
/ip firewall mangle
add chain=prerouting src-address=192.168.88.0/24 protocol=tcp dst-port=443 connection-mark=no-mark tls-host=*.youtube.com action=mark-connection new-connection-mark=youtube passthrough=no
add chain=prerouting src-address=192.168.88.0/24 protocol=tcp dst-port=443 connection-mark=no-mark tls-host=*.googlevideo.com action=mark-connection new-connection-mark=youtube passthrough=no
add chain=prerouting connection-mark=youtube action=mark-packet new-packet-mark=youtube passthrough=no
tls-host takes a glob pattern; *.facebook.com does not match the bare facebook.com, so use *facebook.com if that should be caught as well. The matcher cannot see the SNI when the ClientHello is split across TCP segments or when the client uses Encrypted Client Hello (ECH); such connections stay unmarked and unshaped.
Optional Tweaks
Each extra domain is one more mark-connection rule of the same form, with the same new-connection-mark.
- YouTube extra domains: *.ytimg.com, *.googleusercontent.com, *.ggpht.com (googleusercontent.com also serves other Google products such as Drive and Photos, so matching it throttles more than YouTube)
- Facebook extra CDN: *.messenger.com, *.whatsapp.net, *.tfbnw.net (whatsapp.net is WhatsApp rather than the Facebook app itself)
Step 5: Create Parent Queues (One per WAN Interface)
A queue tree attached to an interface shapes only the packets that leave through that interface. Parents on the WAN interfaces therefore shape the upload direction; in a multi-WAN setup create one per WAN so each link gets its own limit.
/queue tree
add name="LAN-Parent-ether1" parent=ether1 max-limit=100M
add name="LAN-Parent-ether2" parent=ether2 max-limit=100M
add name="LAN-Parent-pppoe" parent=pppoe-out1 max-limit=100M
Set max-limit to the real speed of each WAN link. Downloads, which are the bulk of video traffic, leave through the LAN interface: to limit them as well, add a parent on the LAN-side interface (named bridge in the default configuration) with its own children, or use parent=global, which sees packets in both directions regardless of WAN.
Step 6: Create Child Queues for Facebook & YouTube
Each child takes a packet mark from Step 4 and caps it under its parent. max-limit is in bits per second with k/M suffixes, so 4k would be 4 kbit/s and effectively block the service; 4M (4 Mbit/s) is used here, adjust to the rate you want. Priority 8 is the lowest, so video yields to other traffic when the link is full.
Facebook
/queue tree
add name="Facebook-ether1" parent=LAN-Parent-ether1 packet-mark=facebook max-limit=4M priority=8
add name="Facebook-ether2" parent=LAN-Parent-ether2 packet-mark=facebook max-limit=4M priority=8
add name="Facebook-pppoe" parent=LAN-Parent-pppoe packet-mark=facebook max-limit=4M priority=8
YouTube
/queue tree
add name="YouTube-ether1" parent=LAN-Parent-ether1 packet-mark=youtube max-limit=4M priority=8
add name="YouTube-ether2" parent=LAN-Parent-ether2 packet-mark=youtube max-limit=4M priority=8
add name="YouTube-pppoe" parent=LAN-Parent-pppoe packet-mark=youtube max-limit=4M priority=8
Optional: Other Traffic
A catch-all child for unmarked packets (packet-mark=no-mark) gives the rest of the LAN the remaining bandwidth at top priority:
/queue tree
add name="ZZ-Other-ether1" parent=LAN-Parent-ether1 packet-mark=no-mark max-limit=100M priority=1
add name="ZZ-Other-ether2" parent=LAN-Parent-ether2 packet-mark=no-mark max-limit=100M priority=1
add name="ZZ-Other-pppoe" parent=LAN-Parent-pppoe packet-mark=no-mark max-limit=100M priority=1
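The whole procedure (Steps 2 to 6 plus the checks) as one paste-able terminal script, added here as an editor's example and not part of the original tutorial. It assumes RouterOS v6, the LAN 192.168.88.0/24 on the interface named bridge (the default configuration's name), WAN links ether1, ether2 and pppoe-out1 at 100M each, and a 4M cap per service, per direction and per link; it goes beyond the text by also shaping the download direction through a parent on the LAN bridge and by creating the children in a loop.

```routeros
# Editor's example, not the original tutorial's configuration.
# Assumed: LAN = 192.168.88.0/24 on "bridge", WANs ether1/ether2/pppoe-out1 at 100M,
# video capped at 4M per direction per link. Adjust names and rates to your router.

# Step 2: FastTrack must be off or packets skip mangle and the queue tree
/ip firewall filter
remove [find action=fasttrack-connection]
# Step 3: drop QUIC from the LAN so clients fall back to TCP 443 (this blocks HTTP/3 for every site)
add chain=forward src-address=192.168.88.0/24 protocol=udp dst-port=443 action=drop \
    comment="Block QUIC from LAN" place-before=0

# Step 4: tls-host only matches the segment carrying the ClientHello, so mark the
# connection there and mark packets by connection mark afterwards.
# "*facebook.com" (glob) also matches the bare facebook.com, unlike "*.facebook.com".
/ip firewall mangle
add chain=prerouting src-address=192.168.88.0/24 protocol=tcp dst-port=443 connection-mark=no-mark \
    tls-host=*facebook.com action=mark-connection new-connection-mark=facebook passthrough=no
add chain=prerouting src-address=192.168.88.0/24 protocol=tcp dst-port=443 connection-mark=no-mark \
    tls-host=*fbcdn.net action=mark-connection new-connection-mark=facebook passthrough=no
add chain=prerouting src-address=192.168.88.0/24 protocol=tcp dst-port=443 connection-mark=no-mark \
    tls-host=*youtube.com action=mark-connection new-connection-mark=youtube passthrough=no
add chain=prerouting src-address=192.168.88.0/24 protocol=tcp dst-port=443 connection-mark=no-mark \
    tls-host=*googlevideo.com action=mark-connection new-connection-mark=youtube passthrough=no
# No src-address here on purpose: WAN->LAN (download) packets carry the same connection mark
add chain=prerouting connection-mark=facebook action=mark-packet new-packet-mark=facebook passthrough=no
add chain=prerouting connection-mark=youtube action=mark-packet new-packet-mark=youtube passthrough=no

# Step 5: parents. WAN interfaces see upload only; the LAN bridge sees the downloads.
/queue tree
add name="Up-ether1" parent=ether1 max-limit=100M
add name="Up-ether2" parent=ether2 max-limit=100M
add name="Up-pppoe" parent=pppoe-out1 max-limit=100M
add name="Down-LAN" parent=bridge max-limit=300M comment="combined download speed of all WANs"

# Step 6: under every parent one child per mark (4M, lowest priority) and a
# no-mark catch-all at top priority that inherits the parent's limit.
:foreach p in={"Up-ether1";"Up-ether2";"Up-pppoe";"Down-LAN"} do={
    /queue tree add name=("FB-" . $p) parent=$p packet-mark=facebook max-limit=4M priority=8
    /queue tree add name=("YT-" . $p) parent=$p packet-mark=youtube max-limit=4M priority=8
    /queue tree add name=("Other-" . $p) parent=$p packet-mark=no-mark priority=1
}

# Step 7: counters on the mangle rules and the marked connections should grow while a
# client streams; the child's rate in the queue tree should sit at its max-limit.
/ip firewall mangle print stats
/ip firewall connection print where connection-mark=youtube
/queue tree print stats
```

Connections that were already open when the mangle rules were added never pass through a ClientHello again, so they stay unmarked until the client reconnects; test with a freshly started app or a new browser tab.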
Step 7: Verification
- Check that the mangle rules are hit: /ip firewall mangle print stats (packet and byte counters on the tls-host rules should grow while a client starts a video)
- Check that connections carry the mark: /ip firewall connection print where connection-mark=youtube
- Monitor queue tree traffic: /queue tree print stats (the child's rate should sit at its max-limit while a video buffers)
- Run speed tests from a LAN client to confirm that Facebook/YouTube are limited while other sites are not.
Notes & Tips
- Keep FastTrack off; fasttracked packets bypass mangle and the queues.
- The UDP 443 block forces Android apps and browsers back to TCP, at the cost of HTTP/3 for every site.
- TLS-host matching sees the SNI of both browsers and apps, but not a ClientHello that is split across TCP segments or protected by Encrypted Client Hello; those connections stay unshaped.
- Connections that were open before the rules were added are not re-marked until the client reconnects.
- Parent max-limit = WAN speed; child max-limit = desired Facebook/YouTube limit (in bits per second, so use M for megabits).
- Optional: add extra domains (ytimg.com, messenger.com, etc.) for more accuracy.
Conclusion
With connection marks taken from the SNI, QUIC forced back to TCP and queues in both directions, Facebook and YouTube traffic from browsers and Android apps is limited across multiple WANs. Expect higher CPU use without FastTrack, and re-check the setup as clients adopt Encrypted Client Hello, which hides the SNI this method depends on.
