Block YouTube and not Google Earth

Is there any way to block YouTube and keep Google Earth, Gmail and the Google Search Engine working?
Sorry for my English, I speak Spanish
Thank you
Mario

No, not when https is used to access those web pages.

Wouldn’t an action=reject reject-with=tcp-reset tls-host=youtube.com be a way?

No. I was never able to make this work reliably, and there is a reason behind this.
I noticed that, for example, anonymous mode of Google Chrome will always start with http/2 (which is TCP) and only after that will it switch to http/2+quic. After support for QUIC is cached, it will always start with it. TCP is required for TLS host, but QUIC is UDP. In non-anonymous mode, Chrome remembers it from the first visit (unless the cache is cleared).

As this is probably cached in every client (unless it is brand new and has never visited youtube) you can’t reliably use it. Chrome (both desktop and android) and the youtube app (android) will pass it without issue. I tested these personally. I believe Opera and maybe some other browsers today have support for QUIC, but I have not tested it.

I’ve known about QUIC, but didn’t know its availability at server side was cached by the browsers. Thank you for pointing that out.

I didn’t know either, until I tried to do this a few months ago, failed and started looking why the hell… :laughing:
If you ever find some workaround, I believe many people would be very glad for that (including myself).

edit: I couldn’t help myself so I started digging and found that despite QUIC support being stored in the browser cache, sometimes a new QUIC Client Hello (CHLO) packet is sent when reaching youtube. This packet (according to wireshark) has an easily visible SNI in plain text. This is good enough to be filtered, but I am not quite sure if it is as fast as the native TLS-Host feature.

I noticed this CHLO packet is sent after some unspecified timeout. Therefore if you just visited youtube, any request (even a newly opened tab or after a browser restart) will not send a CHLO but continue straight with the already encrypted QUIC session… So we are back at the beginning - not reliable…
(just sharing my thoughts - maybe it is useful for someone)

edit2: While reading more about QUIC, I realized that a CHLO is required every time a UDP connection needs to be (re)opened - which simply must happen every time after a user joins the network. That effectively means we can consider the QUIC CHLO packet a reliable sign of communication start. However, I have no idea how to use this knowledge to filter it…

For now, I was able to filter youtube with the following:

/ip firewall filter
add action=drop chain=forward dst-address-list=youtube
/ip firewall address-list
add address=www.youtube.com list=youtube
add address=i.ytimg.com list=youtube
add address=youtubei.googleapis.com list=youtube

Not reliable, not neat, probably some side-effects … but it is the best I can do for now. (And I believe it is better than a hand-written list of many IP addresses which I saw in some other topics.)

I just don’t allow UDP 80,443 to escape to the internet. I do this by blocking that traffic in RAW with any port.

You can block youtube using layer7 protocol.

No you can’t, and it has been described many times, again and again. Layer7 filtering does not work if the website uses HTTPS. The only result will be a slow router with the CPU at 100% because every connection will be checked again and again… please watch the following: https://youtu.be/XkKj9rj4quQ?t=25m43s It explains why you can’t use Layer7.
Unfortunately even the suggested method (tls-host) is not working properly because youtube now uses QUIC (if supported by the browser or app), which is not TCP but UDP, therefore TLS-host rules will not match it…
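One way to combine the two approaches raised in this thread (drop QUIC in the raw table so the browser falls back to TLS over TCP, then let the tls-host matcher reject the YouTube SNI), written as an added example rather than configuration posted by anyone in the thread; the interface list name "LAN", the glob patterns and the rule placement are assumptions, and the hostnames are the ones listed earlier in the thread:

```routeros
# Added example, not from the thread. Assumes an interface list named "LAN"
# that holds the client-facing ports and a RouterOS version with tls-host.

# 1. Drop QUIC (UDP 80/443) from LAN clients in the raw table, before
#    connection tracking. Browsers that cannot reach a QUIC endpoint fall
#    back to HTTP/2 over TCP, where the TLS ClientHello (and its SNI) is
#    visible to tls-host. Side effect: every site loses QUIC for these
#    clients, not only YouTube.
/ip firewall raw
add chain=prerouting in-interface-list=LAN protocol=udp dst-port=80,443 \
    action=drop comment="no QUIC: force TLS over TCP so tls-host can match"

# 2. With the session on TCP, reject the ClientHello whose SNI names one of
#    the YouTube hosts from this thread. tcp-reset gives the browser an
#    immediate error instead of a hanging tab. tls-host takes a glob, so the
#    leading * covers www.youtube.com, m.youtube.com and the bare domain.
/ip firewall filter
add chain=forward protocol=tcp dst-port=443 tls-host="*youtube.com" \
    action=reject reject-with=tcp-reset comment="block YouTube by SNI"
add chain=forward protocol=tcp dst-port=443 tls-host="*.ytimg.com" \
    action=reject reject-with=tcp-reset comment="block YouTube thumbnails"
add chain=forward protocol=tcp dst-port=443 tls-host="youtubei.googleapis.com" \
    action=reject reject-with=tcp-reset comment="block YouTube API host"
```

Place the filter rules above any general accept rule in the forward chain, and expect the same caveats as the address-list approach: clients that already hold an established session are not cut off until it ends, and anything YouTube serves from hostnames not listed here still goes through.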

There are ways to do it but not with Mikrotik.

In our office, we do block many sites.
We do use “Enabling SSL decryption”
Find out more here:
https://www.websense.com/content/support/library/web/hosted/admin_guide/ssl_enable.aspx

But there are many catches with that.
Some sites do not work
Some sites should not be inspected (bank/political)++
Some software that uses HTTPS sites needs to be whitelisted to work.
+++

“To implement SSL decryption for your end users, you need a root certificate on each client machine that acts as a Certificate Authority for SSL requests to the cloud proxy.”

So - you have to manually set up each client to support this, otherwise you will see the famous “your connection is not secure” message. Some apps which simply rely on https and do not allow modification of SSL (because they have a hard-coded certificate to avoid tampering) will not work. Some sites, as you say, may also not work.

That is not a solution, merely a terrible band-aid approach causing compromised security and many other issues. If you have to do such a thing, fine, but please - never ever promote it or suggest it to people who are unaware of the consequences.

Those solutions are at the end of their lifetime anyway now that more and more initiatives are made to actually check the certificate authority for certificates (DANE etc). The browser will alert the user when accessing e.g. youtube and the certificate is not the one that youtube indicates.

Do you know when this would be implemented?
I do not see any message like this.
PS: I do not like the way my work has implemented this, but I cannot do anything about it.

Google Chrome does this already for some of Google’s own sites.
It is only a matter of time until this is extended to other sites and other browsers.

Can you give me a site to try from my work PC?
It would be interesting to see if it is detected.

Today you CAN block Youtube using Layer7. It works with HTTP and HTTPS!
Try it!
Regards.

… but now Google/Youtube has moved on to QUIC, read above!

According to wikipedia QUIC is an experimental protocol.

Since our work does inspect HTTPS using Forcepoint to intercept HTTPS, QUIC should give problems with blocking HTTPS.
As far as I can see HTTPS/Youtube and HTTPS/Google are logged and tracked by Forcepoint.
They can also be blocked.
I do not see any error in Chrome (v68) that there is anything wrong with those sites.
So as far as I can see, you can block HTTPS sites, but not with Mikrotik.

Could this not be done with DNS?

Simple hosts file or on the DNS server?

You can do it, but it will affect every DNS user. Unless Mikrotik can redirect only chosen ones to another DNS server (but I guess it is impossible).

@vacernik87 I’ve tested the TLS host and Layer 7 solutions. They work for me after a browser restart; I will do more tests anyway.