Enterprise Networking Mikrotik Routers (RouterBoard & RouterOS), User and owner discussion group

kwss
post Oct 3 2025, 10:09 PM

Regular
******
Senior Member
1,207 posts

Joined: Aug 2018
QUOTE(skywardsword @ Oct 3 2025, 10:03 PM)
I am using the Mikrotik "Back to home" app... which does not have the MTU setting from what I could see. When it is connected it shows connected via IPv4 relay. (I turned off the wifi to test the mobile connection.) At this moment, after updating to v7.20 and setting the Mikrotik's setting to max MTU/MRU 1500, the Back to home app seems to work pretty OK already, so I probably do not need to set the mobile phone's Back to home app's MTU.
edit: sorry, I said I used WireGuard. I am actually using the Back to home app by Mikrotik, which uses WireGuard.
I don't use the BTH app, but I am guessing they should have some kind of Path MTU Discovery mechanism inside. They are a networking product maker and cannot be that dumb. Mobile networks are notorious for smaller-than-usual MTU due to all the encapsulation between eNBs.

Upload should work because your MRU allows it.
If you test download and it works too, then you can stop here.
Otherwise you might need to set 1320 inside Mikrotik.

BTH is still WireGuard behind the scenes. They just package it into an easy-to-use app and Mikrotik operates a relay.

This post has been edited by kwss: Oct 3 2025, 10:11 PM
kwss
post Oct 30 2025, 01:06 PM
The latest beta supports Post-Quantum Cryptography for IPsec now:
*) ipsec - support Post-Quantum Pre-shared Key (PPK) with QKD integration (CLI only) (additional fixes);

Just in time after this year's DEFCON warning.
Anyone interested in quantum computing progress in breaking cryptography can watch it here

kwss
post Oct 30 2025, 01:48 PM
QUOTE(tng55 @ Oct 30 2025, 01:30 PM)
Can Mikrotik track website URL HTTP and HTTPS full history for multiple PCs???
A few PCs, each IP I can do, but each PC track URL HTTP and HTTPS full history,
is it possible???

If we find a website, we want to block it too.
You can use the packet matcher but it's very leaky.

My suggestion is just use NextDNS as the DoH resolver in Mikrotik.
In the forward chain rules, block dst port 53 and 853.

You then proceed to add your blocking rules inside NextDNS.
Then you review the log regularly to identify anyone trying to bypass, like using VPN or whatnot.

You still cannot prevent people who bypass by not doing a domain lookup when they connect to their VPN.
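The setup described in the post above (router resolves via NextDNS over DoH, LAN clients are handed the router as DNS, and transit DNS/DoT is dropped and logged in the forward chain), written out as a RouterOS v7 configuration. This is an added example, not kwss's or Mikrotik's own config. Assumptions: the LAN is 192.168.88.0/24 with the router at 192.168.88.1, YOUR_PROFILE_ID is a placeholder for the NextDNS profile ID, and 45.90.28.0 / 45.90.30.0 are the NextDNS anycast addresses (verify them against your own NextDNS setup page before use).

```routeros
# Added example (not from the thread). Assumptions: LAN 192.168.88.0/24, router at
# 192.168.88.1, NextDNS profile ID = YOUR_PROFILE_ID (placeholder), NextDNS anycast
# addresses 45.90.28.0 / 45.90.30.0 (check your NextDNS setup page).

# 1. Static bootstrap entries so the router can resolve the DoH hostname itself;
#    without these it has no resolver to look up dns.nextdns.io with.
/ip dns static
add name=dns.nextdns.io address=45.90.28.0 comment="NextDNS DoH bootstrap"
add name=dns.nextdns.io address=45.90.30.0 comment="NextDNS DoH bootstrap"

# 2. Send the router's own queries to NextDNS over DoH and let LAN clients use it.
#    verify-doh-cert=yes needs the endpoint's root CA imported under /certificate.
/ip dns
set use-doh-server="https://dns.nextdns.io/YOUR_PROFILE_ID" verify-doh-cert=yes \
    allow-remote-requests=yes

# 3. DHCP hands out the router as the only DNS server.
/ip dhcp-server network
set [find] dns-server=192.168.88.1

# 4. Forward chain: drop transit plain DNS (53) and DNS-over-TLS (853) from the LAN so a
#    client that points at 8.8.8.8 or a DoT server simply fails. Queries to the router
#    itself (input chain) and the router's DoH on 443 (output chain) are unaffected.
#    Logging the drops is what lets you spot who is trying to bypass.
/ip firewall filter
add chain=forward protocol=udp dst-port=53 action=drop place-before=0 \
    log=yes log-prefix="dns-bypass" comment="Block outbound plain DNS"
add chain=forward protocol=tcp dst-port=53,853 action=drop place-before=0 \
    log=yes log-prefix="dns-bypass" comment="Block outbound DNS/DoT"
```

Paste into the terminal, then check `/log print where message~"dns-bypass"` after a day to see which hosts are trying to reach other resolvers. Client-side DoH to some other provider on port 443 is not caught by these rules; that is the gap the post's "review the log regularly" step and NextDNS's own blocklists are meant to cover.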
kwss
post Oct 30 2025, 01:58 PM
QUOTE(tng55 @ Oct 30 2025, 01:52 PM)
No worry, the multiple PCs don't have VPN, I am aware.

My office staff always use Google Chrome Incognito;
that's why I want to check the history of what he uses.

NextDNS needs purchase, not free hmmmm
Then NextDNS is the easiest and most robust when combined with Mikrotik forward chain rules.
They have an option to prevent usage of Apple Private Relay and other DNS too, so it's very easy to configure. Basically you don't need to know very in-depth how things work.

Free for 300k queries. Not enough, then RM8 per month. Just pay.
kwss
post Oct 30 2025, 03:01 PM
QUOTE(tng55 @ Oct 30 2025, 02:33 PM)
I'm not sure 300k queries is enough or not, due to the office having multiple PCs.

"packet matcher but it's very leaky"
Why very leaky? Any issue with leaky?
Try first, decide later. Maybe your staff didn't actually do anything, then you don't pay loh.
You can continue using it even if you exceed 300k and don't pay. NextDNS just won't do any filtering.
Unless your staff only do bad shit at the end of the month when you've already exceeded 300k.

RM8 is very expensive for your business meh? Can claim as company expenses.
One burger special at those roadside stalls is how much already?
Mixed rice how much?
Per month bro. Not per day.

Packet matching is stateless and only recognizes headers, options and payload using regex.
If there is fragmentation, it won't work.
If it is QUIC or HTTP/3, it won't work because the SNI is "encrypted".
If any of the keywords appear in any packet due to your filter being too generic, then it will have a lot of false positives.
The packet matcher is a data plane operation, meaning it must punt to the control plane for logging, which is very CPU intensive.
It will definitely fill up your router log.
You won't gain any insight with how the router log is displayed.
You need solid knowledge and lots of testing to even make it work properly.

Finally, I am not gonna offer any support for the packet matcher in your use case. Telling you upfront first.
It is normally used at the edge for the ACL use case, not the URL filtering use case.
kwss
post Oct 30 2025, 03:35 PM
tng55, if you are really stingy then run a PiHole container inside your Mikrotik router.
Then proceed to add the forward chain rule to block dst port 53 and 853.
You will need to recreate all the rulesets that NextDNS already has.

I am not providing free tech support for this setup either. You are on your own.
kwss
post Oct 30 2025, 10:20 PM
QUOTE(tng55 @ Oct 30 2025, 09:43 PM)
How can it exceed 300k, for 300K is URL history? I never tried before.

Many big companies can also trace full HTTP and HTTPS. Let's say a big company with 100 computers, but they easily trace HTTP and HTTPS, hmmm I'm not sure what they use, hmm.

I am not stingy, but I saw NextDNS business is RM790 for 1 year, not lifetime.
Every year RM790, wow expensive, can't claim.
300k is the queries, not history. You can set the log duration separately.
How many computers do you have? Use the free one first and then personal.

There are many types:
1. DLP, which logs at the endpoint
2. SIEM, which logs flows at the network, and can also mirror traffic if you install a tap
3. MITM proxy, where you install a root CA on every computer and decrypt all traffic

You can pick one, or a combination of them. But damn, how big is your business?
If you are the boss and you have to ask this in a forum, no need to consider.
Those solutions require a full tech team to run.
For SIEM, SOAR, EDR, you need a fully staffed Security Operations Center.

EDIT:
You didn't tell me what you are looking for specifically. You suspect he steals your data? Uploads to the cloud? Or just snaking around?
Very different scenarios you know.

This post has been edited by kwss: Oct 30 2025, 10:21 PM
kwss
post Oct 31 2025, 01:32 AM
QUOTE(tng55 @ Oct 31 2025, 01:17 AM)
Not stealing data and not uploading to the cloud.
My office computers: 5 PCs.
I saw staff use Google Chrome Incognito; he uses it to surf too much, so I can't trace website visits, HTTP or HTTPS.
That's why I want to trace his browser internet usage.
Once I find it we will block things like Facebook and WhatsApp etc. and Google search and personal-use websites.

That only, very important.
That's why I'm asking if Mikrotik can trace website history; I will set block.
Look, the stuff you want is simple.
So make it simple.

Just get started in NextDNS and use it as your DNS server now.
No need for Mikrotik.
No need for blocking.
Just see what websites get logged.
See how many requests you used a month from now.

What router are you using in your office?
kwss
post Oct 31 2025, 05:42 AM
QUOTE(tng55 @ Oct 31 2025, 02:31 AM)
My office router is an ASUS AC68U lol, not yet got Mikrotik.

Are you sure NextDNS 300k is enough for 5 PCs???
Can view usage history, then can I set some site block?
I already said go register an account, put it into your Asus and monitor.
Don't waste my time asking the same thing again with zero progress.
kwss
post Oct 31 2025, 03:01 PM
QUOTE(tng55 @ Oct 31 2025, 01:15 PM)
Ohhh I will register at the free site https://nextdns.io/, is it correct?

Okay, so you go to your Asus and configure DoT.
You should see the logs start showing.
You can also start blocking already.
