problem with my attempts to block youtube users

Hello my friends..!
So I am trying to block youtube users on my RB-951ui Ros. I created this filter rule:
chain:forward, src address:my LAN IPs, protocol:tcp, port:443, TLS host:youtube, action: add dst to add list, timeout: 30d 00:00:00
With this rule I am trying to collect most youtube servers in the address list from any clients who are trying to connect to youtube, to apply a drop filter to this address list later, but in my address list nothing happens; even if I open youtube the address list stays empty, so please, any advice..

Don't bother, not practically possible.

Why do you want to block youtube??

For a testing purpose, not anything else.
Well, I saw your reply in different posts in this forum related to the same topic, but I am trying different steps here; maybe it's also not effective,
but for now I just want to see the youtube DNS IPs in my address list and I couldn't yet.

Youtube uses QUIC protocol, not HTTPS.

No one will waste their time to help you flog a dead horse (or should not waste their time).

As I mentioned above, I just want to make the youtube IPs appear in my address list, I don't want to block it, forget the youtube.. how can I make the address list dynamic…?

Beside protocol issues, the important thing to know is that youtube content is delivered using a world wide CDS (content delivery system). Most of it runs on Google’s own infrastructure, part of it is also rented from Akamai and similar. So the list of youtube hosts is a) large and b) constantly changing.
As anav said: It is practically not feasible.

For those interested in technical details, there is a quite recent paper about the behavior of the Google/Youtube CDN.

Some clarification in Italian:
For what?
It depends on how you put them in the list… you did not specify how you create it…

When you add the src/dst IP to an address list with a RAW/filter/NAT/mangle rule, you can choose between
static / dynamic forever till reboot (or removed) / dynamic autodeleted after x time or at reboot

To put the “Youtube IPs” on an address list, find all google/akamai/etc. IP blocks on www.ripe.net www.arin.net www.lacnic.net www.afrinic.net etc. …

Fixed for accuracy "at the cafe"

:laughing:

There are many topics about this in the forum, just search.

Another forum user wrote this, I agree with him:

The mission of the internet app developers over the past years has been to prevent network administrators from fiddling with their applications.
Put everything in https, make DNS encrypted, add additional measures to https to make filtering even more difficult (encrypted SNI), make it more difficult to do state tracking by using UDP (QUIC), move everything to "content delivery" services that you cannot block because you would block more than one app or site, introduce services like "login using twitter" or "login using facebook" that make it impossible to block those services because you would block their login facility as well, etc etc.
So now your position has been reduced to a facilitator of network traffic. Influencing what your users are doing is made impossible for you.
Anyway, there is no reason to block Youtube. If you want a datacap, make that. Do not try blocking sites because they cause too much traffic for you, their role will be replaced by other sites that do the same.

Eh, Jletti42

My Italian is rusty, but still I think I got that one :wink: