How to manage bandwidth youtube with Layer 7?

Good evening everybody.
I would like to know how to manage YouTube bandwidth with Layer 7. Details are below:

  • I got bandwidth from ISP, Internet= 2Mbps, game online = 20Mbps, Youtube = 10Mbps and my PC =60pc
  • So I want to limit bandwidth for all PCs = 256Kbps, game online 20Mbps and Youtube = 10Mbps
  • But when I used a simple queue it limits all: 1pc=256kbps, game online=256kbps and youtube=256kbps
  • So it is very slow.
  • Please help me with this issue!

Thanks
Regards

Hehehe, same problem… does anyone have a solution to this problem?

Have a look at it. It's only for YouTube.

http://radiusm.blogspot.com/2014/08/youtube-limitfull-access-mikrotik.html

Hi,

What speed will clients get for YouTube?
Sorry, I am a beginner in Mikrotik.

thank you,
Ven

/ip firewall layer7-protocol
add name=streaming regexp="videoplayback|video"

/ip firewall mangle
add action=mark-connection chain=prerouting comment="Youtube_ Client" \
    disabled=no layer7-protocol=streaming new-connection-mark=youtube \
    passthrough=no src-address-list=256kbps+
add action=mark-packet chain=output connection-mark=youtube disabled=no \
    new-packet-mark=youtube passthrough=no protocol=tcp

/queue type
add kind=pcq name=PCQ_Upload pcq-burst-rate=0 pcq-burst-threshold=0 \
    pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
    pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=1024k \
    pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000


I have set 1024kbps for Youtube, for limitation set 1024k to 1k or so.

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=Youtube_Up packet-mark=youtube parent=global-out \
    priority=8 queue=PCQ_Upload

Your client will get 1024kbps for youtube. You can change as

add kind=pcq name=PCQ_Upload pcq-burst-rate=0 pcq-burst-threshold=0 \
    pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
    pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=your rate \
    pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000

change your rate above.

Also, you don’t have to set src-address-list=256kbps+ (if you want to provide all users the same bandwidth for youtube)

My Question :
MT = RouterBoard 750UP
Ether1: 200.200.201.100/29 (WAN)
Ether2: 192.168.1.100 (LAN network)

I want PC1 (192.168.1.150/24) to get only 1Mbps of traffic when it is browsing the internet, but PC1 should get 10M speed when it requests YouTube streaming.


I am using this script to achieve this task.

/ip firewall mangle add action=add-dst-to-address-list address-list=Youtube address-list-timeout=10m chain=prerouting comment=youtube content=youtube.com dst-port=80,443 protocol=tcp
/ip firewall mangle add action=mark-packet chain=forward comment=youtube new-packet-mark=Youtube passthrough=no src-address-list=Youtube

But I don’t know how to create a separate parent queue to match.

Thanks
Abbas

You can’t use layer7 for Youtube because Youtube uses SSL.

Period.

You could use an IP list from somewhere, but that wouldn’t be easy to get or easy to maintain because Youtube has content delivery networks all over the world and I’m sure that they change and that other services use the same IP addresses for content delivery as well…

Some people suggest using the regexp videoplayback|video in the Layer-7 protocol feature. This means all types of videos anywhere will be limited/prevented, so you should be careful.

@ZeroByte : I totally agree with you. Mikrotik could only recognize YouTube traffic if having SSL certification by YouTube :frowning:

We use the tls-host matcher for bandwidth management of the eba.gov.tr online education portal.

You can do the same; you just need to rename the rules and the hostname (domain).

/ip firewall mangle
add action=mark-connection chain=forward comment="eba tls host eba.gov.tr" new-connection-mark=eba passthrough=yes port=443 \
    protocol=tcp tls-host=*.eba.gov.tr
add action=mark-connection chain=forward comment="eba tls host eba-video.mncdn.com" new-connection-mark=eba passthrough=yes \
    port=443 protocol=tcp tls-host=eba-video.mncdn.com
add action=mark-packet chain=forward comment="eba packet mark for eba connections" connection-mark=eba new-packet-mark=eba \
    passthrough=yes

/queue simple
add max-limit=1G/1G name=eba packet-marks=eba target=192.168.0.0/16

I currently use following setup

/ip firewall mangle
add action=mark-connection chain=forward comment="youtube tls host youtube.com" new-connection-mark=youtube passthrough=yes \
    port=443 protocol=tcp tls-host=*.youtube.com
add action=mark-connection chain=forward comment="youtube tls host googlevideo.com" new-connection-mark=youtube passthrough=\
    yes port=443 protocol=tcp tls-host=*.googlevideo.com
add action=mark-packet chain=forward comment="youtube packet mark for youtube connections" connection-mark=youtube \
    new-packet-mark=youtube passthrough=yes

/queue simple
add max-limit=10M/10M name=youtube packet-marks=youtube target=192.168.0.0/16

QUIC & HTTP/3 have SNI, too.

I can see www.youtube.com domain with QUIC in wireshark, But mikrotik does not have matcher for that, yet. maybe one can write L7/content matcher

Temporary solution:

/ip firewall filter
add action=reject chain=forward comment="block QUIC & HTTP/3" port=80,443 protocol=udp reject-with=icmp-port-unreachable
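
Added example, not part of any post in this thread: a Python sketch of what a tls-host style matcher depends on, namely the server name sent in clear in the TLS ClientHello on TCP/443, and why a UDP QUIC packet gives it nothing to match. The sample packets are constructed inline, and Python's fnmatch is used as an approximation of the router's glob matching.

```python
import fnmatch
import struct

RULES = [("*.youtube.com", "youtube"), ("*.googlevideo.com", "youtube")]  # patterns from the thread

def build_client_hello(host):
    """Constructed sample: minimal TLS ClientHello carrying only an SNI extension."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name  # list len, type 0 = host_name, name len
    exts = struct.pack("!HH", 0, len(sni)) + sni                   # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"                      # version, random, empty session id
            + b"\x00\x02\x13\x01"                                  # one cipher suite
            + b"\x01\x00"                                          # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs       # record type 22 = handshake

def extract_sni(pkt):
    """Return the SNI host name from a ClientHello record, or None."""
    try:
        if pkt[0] != 0x16 or pkt[5] != 0x01:
            return None
        i = 9 + 2 + 32                                   # record + handshake headers, version, random
        i += 1 + pkt[i]                                  # session id
        i += 2 + int.from_bytes(pkt[i:i + 2], "big")     # cipher suites
        i += 1 + pkt[i]                                  # compression methods
        end = i + 2 + int.from_bytes(pkt[i:i + 2], "big")
        i += 2
        while i + 4 <= min(end, len(pkt)):
            etype, elen = struct.unpack("!HH", pkt[i:i + 4])
            if etype == 0:                               # server_name extension
                nlen = int.from_bytes(pkt[i + 7:i + 9], "big")
                name = pkt[i + 9:i + 9 + nlen]
                return name.decode("ascii").lower() if nlen and len(name) == nlen else None
            i += 4 + elen
    except (IndexError, UnicodeDecodeError):
        pass
    return None

def connection_mark(pkt):
    """Return the mark for the first rule whose glob matches the SNI, else None."""
    host = extract_sni(pkt)
    if host is None:
        return None
    return next((m for pat, m in RULES if fnmatch.fnmatchcase(host, pat)), None)

# Constructed QUIC-like UDP payload: long-header first byte, not a TLS record.
QUIC_LIKE = b"\xc3\x00\x00\x00\x01" + bytes(40)
```

Traffic that returns None here (QUIC over UDP, or a ClientHello without SNI) would fall through the mark rules and escape the queue, which is why the posts pair the tls-host rules with a UDP 80/443 reject rule.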

After two days of unsuccessful tries & searching, I discovered the QUIC/HTTP3 snippet you added. I applied it, and it worked.

But here’s the question... did you have any luck with this, or maybe someone else?


But mikrotik does not have matcher for that, yet. maybe one can write L7/content matcher

Maybe configure the filter rule to only work on youtube.com/googlevideo.com

Thanks!

Unfortunately, most, if not all, firewalls do not currently recognize QUIC traffic as ‘web’ traffic, therefore it is not inspected, logged or reported on, leaving a gaping hole in your network’s security.

it is crypted.

With Google making changes to their protocol, we recommend creating additional security policy to block QUIC UDP traffic (UDP/443 and UDP/80).

just block UDP/443 and UDP/80.