Is there any way I can mark traffic for YouTube?
(so that I can route it to a second gateway)
I saw a few posts on the forum as well, but most guys are saying it's not working. Any working solution for it?
Use a layer 7 protocol to find YouTube connections and mangle to mark them.
Or use the layer 7 name directly in a NAT rule.
Try this:
/ip firewall layer7-protocol add name=youtube regexp="^.+(youtube.com).*$"
/ip firewall filter add chain=forward protocol=tcp dst-port=80,443 layer7-protocol=youtube action=drop comment="Block YouTube"
P.S. You may need to restart your router.
It's giving the following error:
[Attached image: mterror.PNG]
Try
/ip firewall layer7-protocol
add name=VIDEO-L7 regexp="^.*(youtube.com).*\\\$"
I’m not sure if it’s still needed now, in 2017, but this is my solution, which I was developing for several days to make everything work nicely.
First, switch on the IP firewall:
/interface bridge settings
set use-ip-firewall=yes
Then, add some YouTube networks to a new access list (just some you’re sure belong to YouTube):
/ip firewall address-list
add address=208.117.224.0/24 list=youtube
add address=208.117.225.0/24 list=youtube
add address=208.117.228.0/24 list=youtube
add address=208.117.229.0/24 list=youtube
add address=208.117.232.0/24 list=youtube
add address=208.117.233.0/24 list=youtube
add address=208.117.234.0/24 list=youtube
add address=208.117.238.0/24 list=youtube
add address=208.65.152.0/24 list=youtube
add address=208.65.153.0/24 list=youtube
add address=208.65.154.0/24 list=youtube
add address=64.15.112.0/20 list=youtube
add address=208.117.236.0/24 list=youtube
add address=74.125.96.0/19 list=youtube
add address=72.14.221.0/24 list=youtube
Add layer-7 protocol to determine YouTube traffic:
/ip firewall layer7-protocol
add name=youtube regexp="^.*(youtube\\.com|googlevideo\\.com).*\$"
Add mangle rule to add found IP addresses of YouTube to address-list (with timeout of 30 mins):
/ip firewall mangle
add action=add-dst-to-address-list address-list=youtube address-list-timeout=30m chain=prerouting layer7-protocol=youtube protocol=tcp
Add mangle rule to mark YouTube traffic at last. The first rule marks a connection to youtube and then all the packets inside the connection are marked:
/ip firewall mangle
add action=mark-connection chain=forward connection-state=new dst-address-list=youtube dst-port=80 new-connection-mark=youtube passthrough=yes protocol=tcp
add action=mark-connection chain=forward connection-state=new dst-address-list=youtube dst-port=443 new-connection-mark=youtube passthrough=yes protocol=tcp
add action=mark-packet chain=forward connection-mark=youtube new-packet-mark=youtube passthrough=no
Voilà! All the YouTube traffic is now marked.
An addition to my previous post: it appeared that Opera uses UDP for YouTube traffic (I guess any browser which still uses Flash Player does so, or it's due to the QUIC protocol used by Google; read about it on Wikipedia), and you should mark it as well.
Keeping this in mind, your mangle rules for marking YouTube traffic are like this (no changes for the rest):
/ip firewall mangle
add action=mark-connection chain=forward dst-address-list=youtube dst-port=443 new-connection-mark=youtube passthrough=yes protocol=udp
add action=mark-connection chain=forward connection-state=new dst-address-list=youtube dst-port=80 new-connection-mark=youtube passthrough=yes protocol=tcp
add action=mark-connection chain=forward connection-state=new dst-address-list=youtube dst-port=443 new-connection-mark=youtube passthrough=yes protocol=tcp
add action=mark-packet chain=forward connection-mark=youtube new-packet-mark=youtube passthrough=no
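An added example, not part of the original posts: a Python check of what the `youtube` layer7-protocol regexp from the post above can match in a payload. The hostname is readable in an HTTP Host header and in the SNI field of a TLS ClientHello, but not in the encrypted records that follow. Python's `re` with DOTALL stands in for the router's matcher (an assumption), and all payloads are constructed samples.

```python
import re
import struct

# Python rendering of the layer7-protocol regexp from the post above.
# Assumption: DOTALL lets "." span the binary bytes around the hostname.
L7_YOUTUBE = re.compile(rb"^.*(youtube\.com|googlevideo\.com).*$", re.DOTALL)

def http_request(host: str) -> bytes:
    """Constructed plaintext HTTP/1.1 request, as seen on port 80."""
    return (f"GET / HTTP/1.1\r\nHost: {host}\r\n"
            "User-Agent: sample\r\n\r\n").encode()

def tls_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS ClientHello carrying an SNI extension."""
    name = server_name.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name    # name type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext 0 = server_name
    body = (b"\x03\x03" + bytes(32)       # version, random (zeros: constructed)
            + b"\x00"                     # empty session id
            + b"\x00\x02\x13\x01"         # one cipher suite
            + b"\x01\x00"                 # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def tls_app_data(length: int = 64) -> bytes:
    """Constructed encrypted record: header plus opaque ciphertext bytes."""
    ciphertext = bytes((i * 37 + 11) % 256 for i in range(length))
    return b"\x17\x03\x03" + struct.pack("!H", length) + ciphertext

def l7_matches(payload: bytes) -> bool:
    """True if the regexp would flag this payload as YouTube."""
    return L7_YOUTUBE.match(payload) is not None

def classify_samples() -> dict:
    """Run the regexp over each constructed payload."""
    samples = {
        "http Host: www.youtube.com": http_request("www.youtube.com"),
        "tls SNI: r3.googlevideo.com": tls_client_hello("r3.googlevideo.com"),
        "tls SNI: example.org": tls_client_hello("example.org"),
        "tls application data": tls_app_data(),
    }
    return {label: l7_matches(data) for label, data in samples.items()}

if __name__ == "__main__":
    for label, hit in classify_samples().items():
        print(f"{label:32} -> {'match' if hit else 'no match'}")
```
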
NO, nothing gets marked as youtube when accessing youtube.com with the above! (all counters stay on 0)
And as nothing is marked, I cannot process it in the firewall (in any way)
Very good. Thanks, man.