Hi, I'm a MikroTik user. Sorry for my language, my mother language is Spanish and I'm a little bit bad at English. I have been using MikroTiks for around 10 years as routers for some PYMES in my country, learning from videos and code that some people share, so I will share my own.
Okay, first: I have an RB2011 MikroTik running 6.49.18 at home, and with a lot of time and help I fully configured the security of my MikroTik, etc. So I was looking for a way to stop YouTube, since it's a pain that my clients always ask for, and time after time it fails...
In my firewall config I use fasttrack, because without it the speed goes down...
I use my MikroTik as a DNS server, so it has "allow remote requests" enabled, and for protection I configured the firewall rules to only accept UDP and TCP on port 53 from inside the LAN, and I also redirect (dst-nat) port 53 in NAT.
So, how I finally blocked YouTube: I set 2 rules in the firewall filter that use layer 7 to detect all the YouTube connections. Everything has to be placed before fasttrack.
/ip firewall filter
add action=drop chain=input comment="block youtube" dst-port=53 \
in-interface=bridge protocol=udp src-address-list=RED_LAN layer7-protocol=BLOCKTUBE
add action=drop chain=input comment="block youtube 2" dst-port=53 \
in-interface=bridge protocol=tcp src-address-list=RED_LAN layer7-protocol=BLOCKTUBE
add action=accept chain=input comment="Allow DNS from LAN" dst-port=53 \
in-interface=bridge protocol=udp src-address-list=RED_LAN
add action=accept chain=input comment="Allow DNS from LAN" dst-port=53 \
in-interface=bridge protocol=tcp src-address-list=RED_LAN
# input-chain drop rules live in the filter table, not in nat (nat only has srcnat/dstnat chains)
/ip firewall filter
add action=drop chain=input comment=\
"BLOCK DNS FROM ANY OTHER INTERFACE" dst-port=53 \
in-interface-list=WAN protocol=udp
add action=drop chain=input comment=\
"BLOCK DNS FROM ANY OTHER INTERFACE" dst-port=53 \
in-interface-list=WAN protocol=tcp
/ip firewall raw
add action=drop chain=prerouting dst-port=53 in-interface-list=WAN limit=\
100,5:packet protocol=udp src-address-list="!White List"
The white list is an address list that includes my trusted DNS servers and my local network.
RED_LAN is my local LAN IP range...
Okay, since layer 7 needs data, sometimes it's our fault that it doesn't work, because we don't give it the right addresses to search for... So this is my layer 7; the more specific it is, the easier and smoother it will be.
^.+(ytstatic.l.google.com|youtube-ui.l.google.com|youtubei.googleapis.com|youtube.googleapis.com|youtube.com|www.youtube.com|c.youtube.com|m.youtube.|.m.youtube.|youtu.be|ytimg.com|s.ytimg.com|ytimg.l.google.com|youtube.l.google.com|i.google.com|googlevideo.com|youtu.be|youtube-nocookie.com).*$
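To check offline what that regexp actually catches on a DNS query, here is an added Python example (not from the post, not MikroTik code) that builds DNS queries in wire format and runs the BLOCKTUBE pattern above against them; it assumes RouterOS treats "." as any byte and matches case-insensitively, and the sample names are constructed. It also shows that a loose alternative such as "i.google.com" matches unrelated names, so audit your list before loading it.

```python
import re
import struct

# The BLOCKTUBE pattern from the post, used unchanged (duplicate "youtu.be" included).
BLOCKTUBE = (
    rb"^.+(ytstatic.l.google.com|youtube-ui.l.google.com|youtubei.googleapis.com|"
    rb"youtube.googleapis.com|youtube.com|www.youtube.com|c.youtube.com|m.youtube.|"
    rb".m.youtube.|youtu.be|ytimg.com|s.ytimg.com|ytimg.l.google.com|"
    rb"youtube.l.google.com|i.google.com|googlevideo.com|youtu.be|"
    rb"youtube-nocookie.com).*$"
)

# Assumption: RouterOS matches layer7 regexps case-insensitively and lets '.'
# match any byte (including the DNS label-length bytes), hence these flags.
PATTERN = re.compile(BLOCKTUBE, re.IGNORECASE | re.DOTALL)


def dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query in wire format (RFC 1035): a 12-byte header,
    then the name as length-prefixed labels, then QTYPE=A and QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def blocked(qname: str) -> bool:
    """True if a DNS query for qname would be caught by the BLOCKTUBE pattern."""
    return PATTERN.search(dns_query(qname)) is not None


def audit(names):
    """Run a list of names through the pattern, returning {name: blocked?}.
    Use it to spot over-matching before loading the regexp on the router."""
    return {n: blocked(n) for n in names}


if __name__ == "__main__":
    # Constructed sample names: two that should be blocked, two Google services
    # that must stay reachable, and one that shows how the alternative
    # "i.google.com" (with '.' = any byte) also catches an unrelated name.
    for name, hit in audit(["www.youtube.com", "googlevideo.com",
                            "drive.google.com", "mail.google.com",
                            "api.google.com"]).items():
        print(f"{name:20s} {'BLOCKED' if hit else 'allowed'}")
```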
Now, since nothing is that easy, there is something more that I did: I use the same layer 7 in mangle, in prerouting, so whatever the DNS rule doesn't take down, the prerouting will.
/ip firewall mangle
add action=mark-routing chain=prerouting connection-state=new,related,established layer7-protocol=BLOCKTUBE \
new-routing-mark=BLOCKMEDIA passthrough=yes
/ip route
add dst-address=0.0.0.0/0 type=blackhole routing-mark=BLOCKMEDIA \
comment="Blackhole route for YouTube traffic"
Another way, if you like, is to create a dummy interface like this:
/interface dummy add name=null_interface
/ip route add dst-address=0.0.0.0/0 gateway=null_interface routing-mark=BLOCKMEDIA
I think this will work for anyone. Why don't I use an address list of YouTube sites? Well, YouTube servers are Google servers, and if I create an address list full of YouTube servers and block them, I won't be able to use Maps, Google, Drive, Gmail... So, because I didn't want to go crazy again, I was looking for a better solution...
Why didn't I use layer 7 "directly"? Because fasttrack skips some firewall rules, so it won't work...
Why didn't I use a static DNS entry like youtube.com 0.0.0.0? Well, because it won't work in apps... or it will be easy to bypass using proxies, etc. Using this config that I have been testing, everything works fine on my router and network... I hope it helps you. I will try to block Facebook, so if anyone has a layer 7 list for Facebook, Instagram, etc., it would be cool if they share it...
Have a nice day and God Bless you all
Update: this is my FB regexp for layer 7, enjoy:
^.+(www.facebook.com|facebook.com|login.facebook.com|www.login.facebook.com|www.facebook.net|facebook.net|.facebook.net|fbcdn.net|www.fbcdn.net|fbcdn.com|www.fbcdn.com|static.ak.fbcdn.net|.fbcdn.|static.ak.connect.facebook.com|connect.facebook.net|www.connect.facebook.net|apps.facebook.com|m.facebook.com|m.facebook.com|.facebook.|fbsbx.com|fb.com|fbpigeon.com|facebook-hardware.com|facebooklive.com).*$
P.S.: please reboot your router after you make these changes.
Please leave any comments and try it, so we can make it work better...