Dear you dont need any address in and also no need of doing this you do this only Name : Denied Websites Regexp :^.+(facebook.com|youtube).*$

Then i created a Firewall Filter Rule with this configuration : Chain : forward In.Interface : ether1 Layer7 Protocol : Denied Websites Action : Drop except With this configuration the 2 websites are blocked for all the computers.

I then created a Address List with : Name : Forbidden Address : 192.168.1.1-192.168.1.20 (which i the range of the IPs where i want to block this 2 Websites)

I Add this Address List to Src.Address List of the Firewall Rule ,but doing so will let all the computers access Facebook and Youtube.

I believe if you want to filter on src addresses in your lan you'll need to filter on your LAN link/port (ie. ether-2). As your L7 filter stands it's looking at Ether-1. By the time your outbound traffic hits ether-1 it's been masqueraded so the src addrss is that of the router not the machine that sent it.