Block Quic Protocol

Hi.
Please, can someone give me a hand to block the QUIC protocol???
I want to control YouTube bandwidth… I'm using Squid for that, but if I cannot block QUIC, then it does not work…
What would be the syntax??

Thanks!!!

You have to distinguish the traffic first. Then you can block or control it. Have you noticed that YouTube uses SSL encryption like everyone these days?

You need to control YouTube bandwidth from any direction? Like speed, or block the website?

Hi.
Yes, now the YouTube video is limited by Squid… and it is working… I'm doing ssl-bump.
But equally I want to block the QUIC protocol from the MikroTik.

The problem is, it’s not a protocol in the sense of layer 4, it is a layer7 protocol, something that a router is generally not aware of since they are primarily a layer3 device.
https://en.wikipedia.org/wiki/OSI_model#Description_of_OSI_layers

Now the MikroTik does have some layer7 filtering functionality, but it is very limited in what it can do. It is very CPU intensive, and will only match on the first 10 packets or 2 KB of a connection. So anything that you want to match with it needs to be within that framework. It is further complicated by the fact that YouTube by default uses SSL so everything is encrypted, meaning you have random bits of information to work with, instead of something that is consistent that you can match.

All of this to say, if you want to block this layer 7 protocol, the MikroTik is not the tool for the job.
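An added example, not part of the thread: QUIC is carried in UDP datagrams, and the first packet of a connection begins with an unencrypted long header (RFC 8999, RFC 9000), so the "distinguish the traffic first" step can be shown on a UDP payload. The function names and the sample datagrams are constructed for this illustration.

```python
import struct

QUIC_V1 = 0x00000001          # version field value for QUIC v1 (RFC 9000)
MIN_CLIENT_INITIAL = 1200     # RFC 9000 s14.1: client Initial datagrams are padded to >= 1200 bytes

def parse_quic_long_header(payload: bytes):
    """Parse the version-independent long header (RFC 8999); None if it does not fit."""
    if len(payload) < 7 or not payload[0] & 0x80:    # header-form bit must be 1
        return None
    version = struct.unpack_from("!I", payload, 1)[0]
    pos, ids = 5, []
    for _ in range(2):                               # DCID first, then SCID
        if pos >= len(payload):
            return None
        n = payload[pos]                             # one-byte connection ID length
        pos += 1
        if pos + n > len(payload):
            return None
        ids.append(payload[pos:pos + n])
        pos += n
    return {"first_byte": payload[0], "version": version, "dcid": ids[0], "scid": ids[1]}

def looks_like_quic_v1_client_initial(payload: bytes) -> bool:
    """True when a UDP payload has the cleartext shape of a QUIC v1 client Initial."""
    hdr = parse_quic_long_header(payload)
    if hdr is None or hdr["version"] != QUIC_V1:
        return False
    fixed_bit = hdr["first_byte"] & 0x40             # set in v1 packets
    packet_type = (hdr["first_byte"] & 0x30) >> 4    # 0 = Initial in v1
    return bool(fixed_bit) and packet_type == 0 and len(payload) >= MIN_CLIENT_INITIAL

# Constructed sample datagrams (not captured traffic).
SAMPLE_INITIAL = (bytes([0xC3]) + struct.pack("!I", QUIC_V1)
                  + bytes([8]) + bytes(range(8)) + bytes([0])).ljust(1200, b"\x00")
SAMPLE_UNPADDED = SAMPLE_INITIAL[:100]               # same header, too short for a client Initial
SAMPLE_DNS = bytes.fromhex("123401000001000000000000")   # DNS query header, high bit clear
SAMPLE_TRUNCATED = b"\xc3\x00\x00\x00\x01\x14\x00"   # claims a 20-byte DCID it does not carry

if __name__ == "__main__":
    for name in ("SAMPLE_INITIAL", "SAMPLE_UNPADDED", "SAMPLE_DNS", "SAMPLE_TRUNCATED"):
        print(name, looks_like_quic_v1_client_initial(globals()[name]))
```

Only the header is cleartext; everything after it in the datagram is protected, so this identifies the protocol and not the site being visited.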

Hi erdosain9
Do you have Skype or another IM? I would like to know how you managed to get ssl-bump working. Is that a transparent proxy you are using? If so, are your clients receiving the certificate warning in their browser?

Thanks a lot.


ssl-bump is an old feature that has already been replaced twice.
However, this kind of function can only work in a network where you manage all the computers,
e.g. in an office within a company with centralized ICT, or at home where daddy can arrange this.
It is not possible to use this with clients or even random users.

Hi erdosain9
I would like to know how you managed to get ssl-bump working with YouTube.
I am now using ROS 6.49.15 and Squid 4.13 in transparent mode.
I have configured a hotspot on the MikroTik with the proxy on DigitalOcean.

If you could help me with configuring that; I also wish to configure a central hotspot in the cloud (CHR)
and administer every hotspot client from the cloud hotspot (with centralized DHCP, DNS server, CAPsMAN, roaming … etc.)

Thanks a lot.

Stuffing a wet noodle up a straw request.