
This article explains the effect on RouterOS of dropping packets with the l7-filter on MikroTik.

As we know from previous articles here, MikroTik supports regex for pattern matching. One of its purposes is to match traffic based on information at layer 7 (the application layer).

MikroTik has a wiki page that explains how the L7 filter works, and on that page they already warn users that using the l7-filter to drop packets will increase CPU usage and cause router instability.

Well, I just got a client who is really experiencing this on their router. They use an RB1100AHx2 and apply an l7-filter to block YouTube. OK, here is the script:

  1. they created the l7-filter matcher:
    /ip firewall layer7-protocol add name=youtube regexp="^.+(www.youtube.com|googlevideo.com|youtu.be).*\$"
  2. and then created a firewall filter rule that uses it:
    /ip firewall filter add action=drop chain=forward comment=BLOK-YOUTUBE disabled=no layer7-protocol=youtube

What happens after the rule is executed? You can see for yourself in the picture below:

[Picture: high CPU usage because of the L7 filter] The CPU usage soared to more than 50%, and packet processing became slower.

I tried it also on my MikroTik RB750UP, and it just stopped working because the CPU usage went straight to 100%, even with low traffic.

So, what is the best practice for using the l7-filter? Here it is:

  1. create the l7-filter matcher
  2. apply it in the firewall, and put the matched IP addresses on an address list
  3. based on the address list above, create the action (for example, drop)
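The three steps above applied to the YouTube case, as an added example that is not the original post's configuration. The list name "youtube-servers", the 1d timeout and the narrowing to tcp/80,443 are assumptions for illustration; everything else uses standard RouterOS firewall syntax.

```routeros
# Added example, not from the original post: the three-step best practice
# applied to the YouTube case. List name "youtube-servers", the 1d timeout
# and the tcp/80,443 narrowing are assumptions for illustration.

# Step 1: create the L7 matcher (same regex as in the post)
/ip firewall layer7-protocol
add name=youtube regexp="^.+(www.youtube.com|googlevideo.com|youtu.be).*\$"

/ip firewall filter
# Step 3 (placed first on purpose): a cheap address-list check. Traffic to a
# destination already identified as YouTube is dropped here and never reaches
# the regex rule below, so the regex is not re-run for known servers.
add chain=forward action=drop dst-address-list=youtube-servers \
    comment="BLOK-YOUTUBE: drop by address list"

# Step 2: the expensive regex runs only on web traffic whose destination is
# not yet listed; a match records the server IP instead of dropping packets.
add chain=forward protocol=tcp dst-port=80,443 layer7-protocol=youtube \
    action=add-dst-to-address-list address-list=youtube-servers \
    address-list-timeout=1d comment="BLOK-YOUTUBE: learn server IPs"

# Checks: the list should fill as clients browse, and cpu-load should stay
# well below the level seen with the plain L7 drop rule.
/ip firewall address-list print where list=youtube-servers
/system resource print
```

Because the regex rule no longer drops, the first connection to a not-yet-listed server gets through until its address is learned. Shared CDN addresses (googlevideo.com) may also carry other Google traffic, so review the list before trusting the drop rule blindly.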
