In this lesson, I will show you how you can limit Facebook traffic on MikroTik Routeros without using Layer7 Protocol Regexp. Why without Layer 7? Because believe it or not, L7 Regexp is very heavy on the MikroTik CPU and using it can cause a lot of drop of packets when the traffic is passing through the router and that's not the best option especially for users who like to play online gaming.

There is also a possible way to make on Mikrotik separate bandwidths for Facebook & browsing in case you have 2 different WAN internet service. Maybe will show that for you in another lesson.

Let's see now what is the scenario that I have:

My computer is connected directly to Eth5 on the MikroTik Router. It has also internet from it as you can see if I ping from the PC:

Pinging [] with 32 bytes of data:
Reply from bytes=32 time=8ms TTL=115
Reply from bytes=32 time=19ms TTL=115
Reply from bytes=32 time=7ms TTL=115
Reply from bytes=32 time=8ms TTL=115
Ping statistics for
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 7ms, Maximum = 19ms, Average = 10ms

Let's open some Facebook page and do some traffic then check what would show the bandwidth utilization on the MikroTik Router

You can see, 22.5 Mbps of bandwidth is being wasted from Facebook traffic. That's a lot of bandwidth that I am sure you would be happy to limit it, thus limiting the Facebook raffic.

To do that, you have to 1st mark the facebook traffic. We have the mark 1st the connection that we are opening with Facebook server and then the packets which belong for this connection will not be checked from the MikroTik Firewall and will pass as part of the connection.

So I have done, I have marked all Connections for Facebook under the Mark name facebook-Connection and i have un-checked the passthrough so as soon as the MikroTik Firewall detect a facebook onnection, it will not go down anymore for the other mange rules created on the firewall.

Let's create a second mange rule to mark the packets that belong for the connection which we name it Facebook-Packet

Let's open a Facebook page and do some traffic to see if the mangle rules that I have created are detecting the connections and packets of Facebook.

Look at the bytes and packets how they have been increased once i have opened Facebook website. Excellent, so the mangle rules are working.

Now let's create a queue to define a maximum bandwidth of 256 Kbps on upload and 768 Kbps on download for the Facebook traffic

Let me explain. I gave the queue a name Limit Facebook and it is going to be applied on the LAN network which I have mentioned its network id on the target, then on max limit I have put the maximum upload 256 bps and maximum download 768 Kbps, then on Advanced I have selected the packet Marks to be Facebook-Packet that I have already created. This means that this queue will be applied on the Facebook traffic only.

I will open Facebook again and check the simple queue statistic:

As you can see, the simple queue is working perfectly and limiting my Facebook traffic.


Limiting Facebook on MikroTik can be a challenge. In this lesson I have showed you how to limit Facebook traffic using TLS host which is much easier on the CPU than Layer 7 protocol. If interested, you can join my MikroTik courses on my website

If you like this post, I will be happy if you buy me a coffee on the following URL:
Thank you in advance :)