How to block Youtube and facebook Android App in router Mikrotik

aih007 · October 4, 2016, 8:00pm

Thank you migueloty. Is work with me also

mikronsultiK · May 12, 2017, 5:25pm

doneware:

lets consider we do regular HTTPS over TCP. [chrome and android uses QUIC to get data securely, which is google proprietary technology and bases on UDP]

although HTTPS as itself is not to be intercepted with layer-7 filters, you can disrupt the connection before SSL is fully negotiated.
certificate exchange takes place “in cleartext”, so you can use layer7 to match the certificate common name or serial, then do your stuff mark/drop/reject
on the matched connection. this is not as “surgical” as it would be with URL matching, as multiple sites/services can use the same cert. and if you block it,
you will block connection to all of them.

theoretically.

“L7 matcher collects the first 10 packets of a connection or the first 2KB of a connection and searches for the pattern in the collected data.”
don’t know how to interpret this, but in my case (see screenshot) the certificate is sent in packets 6,7,8,9 which would fit in there, but the 2k limit
is not enough. it this case you can match the certificate serial number and the common name.
alternatively you could match on the TLS client hello msg (packet #5), where the server name is sent as cleartext and block it.

now i am trying to put it together, but had no success so far.

this post was very interesing on my side. thanks to take time to focus on the specific relevant aspects of the topic.

reinerotto · May 13, 2017, 7:12am

Instead of messing around with this one

…you can disrupt the connection before SSL is fully negotiated.
certificate exchange takes place “in cleartext”, <
on MT on low level, similar can be done in a clean way using squids https interception.
Which also allows to block facebook etc.
However, this needs squid to be setup, which is not possible on MT, AFAIK.

tangram · May 15, 2017, 9:35am

Hi,

Drop any dns requests using l7 list.

;;; Drop Blacklist - DNS
chain=forward action=drop layer7-protocol=blacklist protocol=udp dst-port=53

If they don’t use ip instead of name you’re covered.

tnrclkr · August 20, 2017, 7:46pm

Calm down

As he mentioned before. Dropping layer7 and adding his pages to L7 list is enough. and woking… BEST SOLLUTION. Point is just finding all pages tried to be reached.

aarango · August 22, 2017, 7:46am

matiaszon:

scampbell:

Mikrotik offer a scripted method of blocking sites here :- http://wiki.mikrotik.com/wiki/Manual:Scripting-examples#Block_access_to_specific_websites

It finally did the job for me!

The goal was to block youtube on my son’s iPad. After running that script it blocked youtube site (even on https) but still, the app on iPad was working fine. I changed the line:
    :if (([:find $cacheName "rapidshare"] != 0) || ([:find $cacheName "youtube"] != 0)) do={
to:
    :if ([:find $cacheName "ytimg"] != 0) do={
and that did the job!

If you want to block the specific device, you only have to remember to point the proper source address or source MAC.

Thank you for your help.

Why didn’t block you youtube in Ipad but yes it blocked when you used “ytimg”?

matiaszon · August 30, 2017, 10:20pm

aarango:

matiaszon:
scampbell:

Mikrotik offer a scripted method of blocking sites here :- http://wiki.mikrotik.com/wiki/Manual:Scripting-examples#Block_access_to_specific_websites

It finally did the job for me!

The goal was to block youtube on my son’s iPad. After running that script it blocked youtube site (even on https) but still, the app on iPad was working fine. I changed the line:
    :if (([:find $cacheName "rapidshare"] != 0) || ([:find $cacheName "youtube"] != 0)) do={
to:
    :if ([:find $cacheName "ytimg"] != 0) do={
and that did the job!

If you want to block the specific device, you only have to remember to point the proper source address or source MAC.

Thank you for your help.
Why didn’t block you youtube in Ipad but yes it blocked when you used “ytimg”?

Because I want to learn a bit of MikroTik.

SilverNodashi · September 5, 2017, 7:00am

Hi,
Can someone please tell me, do I add these rules to the bottom, or the top of the Firewall list? Or does it not matter?

msatter · September 5, 2017, 9:50am

Maybe time that the comes a sticky post on blocking. The DNS does now regex and became a good tool to block unwanted sites. You have then block also acces to external DNS servers. A user can still create a host file to bypass the Mikrotik filtering.

poizzon · December 23, 2017, 11:57am

I’m still wondering why you’re not using an openDNS to block some sites ?

Of course you need static wan up address, but it is simple solution with some feedback .

sebastia · December 23, 2017, 12:03pm

The recommended solution has been documented by Mikrotik support: have a look at the video at 3:30 https://www.youtube.com/watch?v=D80_a_O86jc&index=5&list=PLXr-HoBo2VtU531RaS2ZG-1cqdP43-B13

djarole · October 23, 2019, 2:21am

Would you share the code or how to configure that?