Нет, зашифрованный трафик вы не отсечёте ни прокси, ни Layer7.
Только бан по IP-адресам.
Я баню вот так (это работает только для нешифрованного HTTP):
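# Layer7 matcher for plaintext HTTP only: the pattern needs a readable "GET"
# followed by one of the host names, so HTTPS payloads never match it.
# Dots are written as [.] so they match a literal "." instead of any character
# (the unescaped form "vk.com" would also match e.g. "vkXcom").
# NOTE(review): the names are still unanchored substrings, so "ok[.]ru" also
# matches inside longer names such as "book.ru" - tighten if that over-blocks.
# NOTE(review): this line only defines the matcher; a firewall rule that
# references layer7-protocol=block_site is needed for it to act and is not
# shown here.
ip firewall layer7-protocol add name=block_site regexp="^.*(get|GET).+(odno(c|k)la(s|ss)niki|vk[.]com|ok[.]ru|vk[.]me).*\$"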
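Для HTTPS всё сложнее: по расписанию собираем IP-адреса нужных сайтов из DNS-кэша роутера в address-list и блокируем по этому списку: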
# Runs the script named script1 every 10 minutes.
# NOTE(review): the policy list grants much more than script1 visibly uses
# (it reads the DNS cache, adds address-list entries and writes a log line);
# ftp, reboot, password, sniff and sensitive look unnecessary. Presumably the
# scheduler must hold at least the policies of the script it starts, so trim
# both together and confirm the job still runs on your RouterOS version.
system scheduler add interval=10m name=schedule on-event=script1 policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive
# script1: walks the router's DNS cache and, for every A record whose name
# matches "odnokl", "vk.com" or "vk.me", adds the cached address to the
# address-list blockSS (timeout 12:00:00, comment = cached name), unless the
# address is already present in an address-list. Each addition is logged, and
# a 10 ms delay per entry keeps the loop from taking all CPU time.
# NOTE(review): name~ is a regex match, so the "." in "vk.com" / "vk.me"
# matches any character; "ok.ru" from the layer7 pattern is not covered here.
# NOTE(review): the existence check has no list= condition, so an address
# already held in any other address-list is skipped and never reaches blockSS.
# NOTE(review): only names resolved through this router's DNS cache are seen;
# clients using another resolver (or DNS over HTTPS/TLS) are not covered, and
# an address shared with unrelated sites (CDN, shared hosting) blocks those too.
# NOTE(review): ftp, reboot, password and sensitive in the policy list look
# unnecessary for what the script does - confirm and reduce.
/system script
add name=script1 policy=ftp,reboot,read,write,policy,test,password,sensitive \
source=":foreach i in=[/ip dns cache all find where (name~\"odnokl\" || na\
me~\"vk.com\" || name~\"vk.me\") && (type=\"A\") ] do={\r\
\n:local tmpAddress [/ip dns cache get \$i address];\r\
\ndelay delay-time=10ms\r\
\n#prevent script from using all cpu time\r\
\n:if ( [/ip firewall address-list find where address=\$tmpAddress] = \"\"\
) do={ \r\
\n:local cacheName [/ip dns cache get \$i name] ;\r\
\n:log info (\"added entry: \$cacheName \$tmpAddress\");\r\
\n/ip firewall address-list add address=\$tmpAddress list=blockSS timeout=\
12:00:00 comment=\$cacheName;\r\
\n}\r\
\n}"
# Rejects with a TCP reset every forwarded TCP connection that arrives on
# interface "eth 1" and whose destination address is in the list blockSS.
# NOTE(review): protocol=tcp leaves UDP untouched, so QUIC/HTTP3 to the same
# addresses would presumably still pass - add a matching UDP rule if needed.
# NOTE(review): no position is given, so the rule is presumably appended to the
# end of the chain; an earlier accept rule in forward would win - verify order.
ip firewall filter add action=reject chain=forward dst-address-list=blockSS in-interface="eth 1" protocol=tcp reject-with=tcp-reset