Since most of the internet now uses https, it has become much harder to filter specific web content. For this
reason, RouterOS 6.41 introduces a new firewall matcher which allows you to block https websites (TLS traffic)
based on the TLS SNI extension, called “TLS-HOST”. The new parameter supports glob-style patterns, which
should be enough for whatever you’re trying to match.
For example, to block example.com, you would use a rule like this:
/ip firewall filter add chain=forward dst-port=443 protocol=tcp tls-host=*.example.com action=reject