Block Streaming Video

Hi folks,

I am trying to block all streaming video. I have tried the following scripts which don’t work:

From: http://forum.mikrotik.com/t/how-to-block-streaming-video/67797/1

/ip firewall layer7-protocol 
add name=streaming regexp="\"^.*get.+\\\\.(3gp|mov|mpe|mpeg|mpeg2|mpeg3|mpeg4|mkv|avi|flv|f4v|f4p|f4a|f4b|x-flv|msi|wmv|mp2|mp3|mp4|swf|rm|rmvb|vcd|pdf|dat|iso|nrg|bin|cab|vcd|ogg|wma|divx|d2v|qt|0[0-9][0-9])

/ip firewall mangle
add action=mark-packet chain=prerouting comment="Mark Packet Streaming" disabled=no \
layer7-protocol=streaming new-packet-mark=streaming passthrough=no

/queue tree add name="streaming" parent=global packet-mark=streaming limit-at=0 queue=default \
priority=8 max-limit=48k burst-limit=0 \
burst-threshold=0 burst-time=0s

From: http://mikrotik-scripts.blogspot.com/2011/09/limit-queue-video-streaming.html

/ip firewall layer7-protocol
add comment="" name=http-video regexp="http/(0\\.9|1\\.0|1\\.1)[\\x09-\\x0d ][1-5][0-9][0-9][\\x09-\\x0d-~]*(content-type: video)"

/ip firewall mangle
add action=mark-packet chain=forward comment="Limit Video Streaming" disabled=no \
layer7-protocol=http-video new-packet-mark=Limit-Video passthrough=no \
protocol=tcp

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=256000 \
max-limit=256000 name=Limit-Video packet-mark=Limit-Video parent=global-out \
priority=8 queue=default

From: http://www.fazar.net/restricts-limiting-videos-streaming-mikrotik

/ip firewall layer7-protocol add name=http-video regexp="http/(0.9|1.0|1.1)[x09-x0d ][1-5][0-9][0-9][x09-x0d -~]*(content-type: video)"

/ip firewall mangle add action=mark-packet chain=prerouting comment="http-video mark-packet" disabled=no layer7-protocol=http-video new-packet-mark=http-video passthrough=no

/ip firewall filter add action=drop chain=forward comment="http-video blocking" packet-mark=http-video

Can someone give me a hint as to why none of these scripts work?

Thanks,

donjames

Are those all the rules you put in to block streaming video?
If yes, then there are some inconsistencies.

You made a layer 7 firewall rule called Streaming but did not drop them (as you mention in the title, to block, but instead you limit the bandwidth).

And you also made the mangle rule for “http-vid” twice,
one with the prerouting and one with the forwarding chain.

If I find some free time I will clean up the inconsistencies and send you the correct version.


Hi, Razavim

I don’t completely understand how streaming video blocking works. Yes, I want to block all streaming video – not just limit the bandwidth.

I would appreciate any help that I can get on this.
Thanks,

donjames

MikroTik strongly suggests not filtering any web content with the firewall layer 7 filter and using the web proxy feature instead. Of course it depends very much on what hardware you use, and it is also resource (CPU) intensive, but it is still better to use the web proxy.




Alright,
after looking at your rules I finally managed to correct the rules.
So please follow each step as I have written it here.
Also, please bear in mind that you are not able to block “https” URLs like Facebook and YouTube because of encryption.

First open a new terminal from WinBox and copy and paste the code step by step.

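/ip firewall layer7-protocol
# Matches any of these strings anywhere in the inspected data
add name=streaming regexp="(3gp|mov|mpe|mpeg|mpeg2|mpeg3|mpeg4|mkv|avi|flv|f4v|f4p|f4a|f4b|x-flv|msi|wmv|mp2|mp3|mp4|swf|rm|rmvb|vcd|pdf|dat|iso|nrg|bin|cab|vcd|ogg|wma|divx|d2v|qt|0[0-9][0-9])"
# Matches a plaintext HTTP response whose headers contain "content-type: video".
# Backslashes are doubled for the RouterOS string; the class before "*" is
# whitespace plus printable characters (space through "~").
add name=http-video regexp="http/(0\\.9|1\\.0|1\\.1)[\\x09-\\x0d ][1-5][0-9][0-9][\\x09-\\x0d -~]*(content-type: video)"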




/ip firewall mangle
# Mark connections whose payload matches the "streaming" pattern
add action=mark-connection chain=prerouting comment="Mark Connection for Video and media Extensions" \
    disabled=no layer7-protocol=streaming log=no log-prefix="" new-connection-mark=STConn passthrough=yes
# Mark every packet of a connection marked STConn
add action=mark-packet chain=prerouting comment="Mark packet of previous marked connection(media file extentions)" \
    connection-mark=STConn disabled=no log=no log-prefix="" new-packet-mark=STConn passthrough=no
# Mark connections whose payload matches the "http-video" pattern
add action=mark-connection chain=prerouting comment="Mark Connection for Http video Content" \
    disabled=no layer7-protocol=http-video log=no log-prefix="" new-connection-mark=http-Vid passthrough=yes
# Mark every packet of a connection marked http-Vid
add action=mark-packet chain=prerouting comment="Mark Packet for previous marked connection(http)" \
    connection-mark=http-Vid disabled=no log=no log-prefix="" new-packet-mark=httpVid passthrough=no




Gratitude:
/ip firewall filter
# Drop forwarded packets that carry either packet mark set in mangle
add action=drop chain=forward comment="Drop Packet" packet-mark=STConn
add action=drop chain=forward packet-mark=httpVid




Hope this helps you.
Just to remind you, there is a better way to do content filtering in MikroTik, as suggested earlier, and that is the web proxy.




Sorry, I forgot to take out my nickname “Gratitude” from the code.
Please remove that from your code.


Hi Razavim,

I will install and test your script. I will let you know the result.

Thanks,

donjames

Sorry, but you cannot block any streaming video from https sources.

Actually, the “web” is moving from http to https so as not to be filtered or inspected in any way…
The last line of defence against “ads” is inside the browser, and the ISP cannot do anything to distinguish the type of traffic on an “encrypted” connection…

Also, all forms of virus can no longer be detected inside an anti-virus proxy…
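
The http-video pattern discussed in the thread can be checked offline. The Python sketch below is an added example, not code from any poster: it runs three forms of the pattern (the second script's escapes combined with the third script's space before `-~`, the form without that space, and the form with the backslashes lost) against constructed payloads, including the start of a TLS record as seen on an https connection. It assumes the L7 matcher behaves like a case-insensitive search over the first 2 KB of a connection and uses Python's `re` rather than the router's regex engine; all names and sample bytes are made up for illustration.

```python
import re

# The pattern as the regex engine sees it, i.e. after the RouterOS string
# layer has turned each "\\" into "\".
PATTERNS = {
    # whitespace or printable characters (space through "~") may precede the header
    "with_space": r"http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9]"
                  r"[\x09-\x0d -~]*(content-type: video)",
    # space before "-~" missing: the class is only control chars, "-" and "~"
    "no_space": r"http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9]"
                r"[\x09-\x0d-~]*(content-type: video)",
    # backslashes missing: "x09-x0d" becomes literal characters, CR/LF excluded
    "no_backslash": r"http/(0.9|1.0|1.1)[x09-x0d ][1-5][0-9][0-9]"
                    r"[x09-x0d -~]*(content-type: video)",
}

# Constructed samples: two plaintext HTTP responses and the first bytes of a
# TLS handshake record (opaque to any payload regex).
SAMPLES = {
    "http_video": b"HTTP/1.1 200 OK\r\nServer: demo\r\nContent-Type: video/mp4\r\n\r\n",
    "http_html": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "tls": bytes.fromhex("160303005a020000560303") + bytes(range(0x80, 0xA0)),
}


def l7_match(pattern: str, payload: bytes) -> bool:
    """Approximate an L7 match (assumption: case-insensitive, first 2 KB)."""
    compiled = re.compile(pattern.encode("ascii"), re.IGNORECASE)
    return compiled.search(payload[:2048]) is not None


def evaluate() -> dict:
    """Return {pattern name: {sample name: matched?}} for every combination."""
    return {
        name: {sample: l7_match(pattern, data) for sample, data in SAMPLES.items()}
        for name, pattern in PATTERNS.items()
    }


if __name__ == "__main__":
    for name, row in evaluate().items():
        print(f"{name:13s} {row}")
```

Only the first form matches the plaintext video response, and no form matches the TLS bytes, which is why marking and dropping on this pattern has no effect on https video.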