Community discussions

 
aih007
just joined
Topic Author
Posts: 12
Joined: Sun Apr 03, 2016 10:18 am

How to block Youtube and facebook Android App in router Mikrotik

Mon Apr 11, 2016 3:52 pm

Hi

i need block facebook and youtube from mobile android and iphone
i did block it from Pc and labtob but by mobile app still any one can access to facebook and youtube
 
User avatar
ShayanFiroozi
Member Candidate
Member Candidate
Posts: 284
Joined: Sat Jun 01, 2013 12:44 pm
Location: Bandar Abbas , Iran

Re: How to block Youtube and facebook Android App in router Mikrotik

Mon Apr 11, 2016 11:12 pm

Hi,
so tell us how did you do that on your PC and laptop ?
The price of your knowledge which you have to pay is to share it with others !!
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: How to block Youtube and facebook Android App in router Mikrotik

Tue Apr 12, 2016 3:13 am

probably people are just typing facebook.com which defaults to an http request first, which of course the service redirects, but since the initial request is http, the PC is getting "blocked" (if the users use a bookmark or have the homepage set to be facebook, I bet it doesn't get blocked).

The app is probably using SSL by default.

In a word - your only option is to use a DNS-based method to block these services (e.g. OpenDNS) because SSL is not possible to intercept with Layer7 rules.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
Van9018
Long time Member
Long time Member
Posts: 505
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: How to block Youtube and facebook Android App in router Mikrotik

Tue Apr 12, 2016 5:18 am

If it's just a few domains you'd wish to block, you can add static entries for the domain in IP > DNS > Static and resolve the host names to 127.0.0.1.

You can go a step further and redirect outbound DNS packets to your LAN interface to prevent clever users from specifying their own DNS servers on their computers.
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 1740
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: How to block Youtube and facebook Android App in router Mikrotik

Tue Apr 12, 2016 6:16 am

maybe using mikrotik dns server, create static dns entry for all facebook dns names

i have tested 13k static entry's on dns and 7000 on adress-list on a rb951g and works ok

the problem is to obtain facebook hosts dns names
 
SystemErrorMessage
Member
Member
Posts: 378
Joined: Sat Dec 22, 2012 9:04 pm

Re: How to block Youtube and facebook Android App in router Mikrotik

Tue Apr 12, 2016 8:09 am

using mikrotik as dns server is not enough, many services have hard coded dns servers. Google chrome for example will use google dns regardless of your settings so your only option is to hijack DNS requests. Many ISPs do this as a way to block websites as it is very cheap in resource and admin.

I would not suggest blocking youtube or facebook completely. Many tutorials and video lessons are available on youtube. There are plenty of math tutorials on youtube for example and many other useful and beneficial things. Many use facebook for organising events so thats a positive use of facebook.

If you block these things (whether you are a workplace or school), people will use proxies and such so thats not the best way to deal with it. I would block facebook games and apps (not the phone app) but facebook is also a way for people to get in touch other than email and sms. Many useless and low quality browser games use facebook and are basically free to play but the game quality is so bad that blocking it would be a help (you would also have to block those sites too).

Mikrotik makes it so you cant install any software onto their routers, what some organisations do is just install a linux server and configure it to be a router so they can install customised filtering software which makes it easy to deal with things that reduce productivity. You can use multiple hijacking techniques and force use of a web proxy server (you can actually run squid, squidguard and clamav on a ubiquiti edgerouter which i do) but it may not work on apps. I do know that the facebook app uses web code so it is actually a web browser only pointing to facebook (it explains their high resource usage and battery draining).

If you are a parent and just wanting to stop your kids from wasting time with these things than blocking these things entirely doesnt help, rather you should just block the unhelpful facebook features and perhaps put them on the lowest priority in QoS (or put some bandwidth limitations to slow it down to encourage them to do other things).
 
scampbell
Trainer
Trainer
Posts: 457
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ
Contact:

Re: How to block Youtube and facebook Android App in router Mikrotik

Tue Apr 12, 2016 8:10 am

Mikrotik offer a scripted method of blocking sites here :- http://wiki.mikrotik.com/wiki/Manual:Sc ... c_websites
MTCNA, MTCWE, MTCRE, MTCTCE, MTCSE, MTCINE, Trainer
___________________
Mikrotik Distributor - New Zealand
http://www.campbell.co.nz
 
SystemErrorMessage
Member
Member
Posts: 378
Joined: Sat Dec 22, 2012 9:04 pm

Re: How to block Youtube and facebook Android App in router Mikrotik

Tue Apr 12, 2016 8:12 am

Catching DNS requests and redirecting them is called hijacking.
 
aih007
just joined
Topic Author
Posts: 12
Joined: Sun Apr 03, 2016 10:18 am

Re: How to block Youtube and facebook Android App in router Mikrotik

Tue Apr 12, 2016 11:52 pm

thank you for your replay

my setup firewall for block Facebook and YouTube from PC and laptop
- from L7 create Regexp ^.+(facebook.com).*$
- create Filter Rule chain: forward Src.Address=192.168.1.2/24 layer 7 protocol= facebbok Action=Drop

i need some one did block Facebook app from mobile
 
User avatar
ShayanFiroozi
Member Candidate
Member Candidate
Posts: 284
Joined: Sat Jun 01, 2013 12:44 pm
Location: Bandar Abbas , Iran

Re: How to block Youtube and facebook Android App in router Mikrotik

Wed Apr 13, 2016 8:56 am

thank you for your replay

my setup firewall for block Facebook and YouTube from PC and laptop
- from L7 create Regexp ^.+(facebook.com).*$
- create Filter Rule chain: forward Src.Address=192.168.1.2/24 layer 7 protocol= facebbok Action=Drop

i need some one did block Facebook app from mobile
If App is using encryption connection you can not catch it with L7 , it's seems you have to find all facebook IP's !!
The price of your knowledge which you have to pay is to share it with others !!
 
maherhaddad
just joined
Posts: 3
Joined: Mon Aug 15, 2016 4:02 pm

Re: How to block Youtube and facebook Android App in router Mikrotik

Mon Aug 15, 2016 4:18 pm

I used this regular expression and worked to stop youtube app on phones, tablets as well as on computer browsers.

Regular Expression to copy:
^.+(youtube.com|www.youtube.com|m.youtube.com|ytimg.com|s.ytimg.com|ytimg.l.google.com|youtube.l.google.com|i.google.com|googlevideo.com|youtu.be).*$

I have also recorded a video showing how to make the config if you like to watch it:
https://www.youtube.com/watch?v=6oAiUGAsfEY
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: How to block Youtube and facebook Android App in router Mikrotik

Mon Aug 15, 2016 6:58 pm

You should start using the dns-based IP address list feature available in ROSv6.36

block www.youtube.com, youtube.com, m.youtube.com, etc.
That will block them from any sort of communication, not just http/https.

Furthermore, it will block even SSL communications.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
R1CH
Forum Veteran
Forum Veteran
Posts: 896
Joined: Sun Oct 01, 2006 11:44 pm

Re: How to block Youtube and facebook Android App in router Mikrotik

Tue Aug 16, 2016 1:00 am

If this is for a corporate network, you should be installing a transparent HTTPS proxy with a custom root certificate on the clients so you can inspect actual HTTP traffic and apply internet access policy there. There are many such appliances you can get for this, messing around blocking DNS and IP ranges is not a very reliable solution.
 
User avatar
hgonzale
Member Candidate
Member Candidate
Posts: 267
Joined: Thu Nov 06, 2014 1:12 pm
Location: Fuengirola, Spain
Contact:

Re: How to block Youtube and facebook Android App in router Mikrotik

Tue Aug 16, 2016 8:13 pm

Yes, for them is a solution, for us is a problem.
 
User avatar
doneware
Trainer
Trainer
Posts: 522
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: How to block Youtube and facebook Android App in router Mikrotik

Tue Aug 16, 2016 11:53 pm

lets consider we do regular HTTPS over TCP. [chrome and android uses QUIC to get data securely, which is google proprietary technology and bases on UDP]

although HTTPS as itself is not to be intercepted with layer-7 filters, you can disrupt the connection before SSL is fully negotiated.
certificate exchange takes place "in cleartext", so you can use layer7 to match the certificate common name or serial, then do your stuff mark/drop/reject
on the matched connection. this is not as "surgical" as it would be with URL matching, as multiple sites/services can use the same cert. and if you block it,
you will block connection to all of them.

theoretically.

"L7 matcher collects the first 10 packets of a connection or the first 2KB of a connection and searches for the pattern in the collected data."
don't know how to interpret this, but in my case (see screenshot) the certificate is sent in packets 6,7,8,9 which would fit in there, but the 2k limit
is not enough. it this case you can match the certificate serial number and the common name.
alternatively you could match on the TLS client hello msg (packet #5), where the server name is sent as cleartext and block it.

now i am trying to put it together, but had no success so far.
You do not have the required permissions to view the files attached to this post.
#TR0359
 
User avatar
matiaszon
Member
Member
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: How to block Youtube and facebook Android App in router Mikrotik

Sat Sep 17, 2016 1:10 pm

Mikrotik offer a scripted method of blocking sites here :- http://wiki.mikrotik.com/wiki/Manual:Sc ... c_websites
It finally did the job for me!

The goal was to block youtube on my son's iPad. After running that script it blocked youtube site (even on https) but still, the app on iPad was working fine. I changed the line:
    :if (([:find $cacheName "rapidshare"] != 0) || ([:find $cacheName "youtube"] != 0)) do={
to:
    :if ([:find $cacheName "ytimg"] != 0) do={
and that did the job!

If you want to block the specific device, you only have to remember to point the proper source address or source MAC.

Thank you for your help.
 
User avatar
matiaszon
Member
Member
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: How to block Youtube and facebook Android App in router Mikrotik

Sat Sep 17, 2016 8:11 pm

Unfortunately my happines didn't last too long... The script works, but once it's started, the CPU usage is 100%... Can anybody see and say something clever? :)
:foreach i in=[/ip dns cache find] do={
    :local bNew "true";
    :local cacheName [/ip dns cache all get $i name] ;
#    :put $cacheName;

    :if ([:find $cacheName "ytimg"] != 0) do={

        :local tmpAddress [/ip dns cache get $i address] ;
#	:put $tmpAddress;

# if address list is empty do not check
        :if ( [/ip firewall address-list find list="restricted" ] = "") do={
            :log info ("added entry: $[/ip dns cache get $i name] IP $tmpAddress");
            /ip firewall address-list add address=$tmpAddress list=restricted comment=$cacheName;
        } else={
            :foreach j in=[/ip firewall address-list find list="restricted"] do={
                :if ( [/ip firewall address-list get $j address] = $tmpAddress ) do={
                    :set bNew "false";
                }
            }
            :if ( $bNew = "true" ) do={
                :log info ("added entry: $[/ip dns cache get $i name] IP $tmpAddress");
                /ip firewall address-list add address=$tmpAddress list=restricted comment=$cacheName;
            }
        }
    }
}
EDIT
I have eraseed lines started with "#" and it helped...
 
stoser
Member Candidate
Member Candidate
Posts: 107
Joined: Sun Aug 21, 2016 12:04 am

Re: How to block Youtube and facebook Android App in router Mikrotik

Sat Sep 17, 2016 10:16 pm

You should start using the dns-based IP address list feature available in ROSv6.36

block http://www.youtube.com, youtube.com, m.youtube.com, etc.
That will block them from any sort of communication, not just http/https.

Furthermore, it will block even SSL communications.
ZeroByte: Just wanted to thank you for pointing this out. I hadn't realized that adress lists in 6.36 supported dns based IP. It is really going to simplify my design. Hopefully address lists will support regular expressions on a future release. FYI to the other members, adding a CNAME to the addess list seems to add dynamic entries for all associated A record IP addresses.
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: How to block Youtube and facebook Android App in router Mikrotik

Mon Sep 19, 2016 6:29 pm

Hopefully address lists will support regular expressions on a future release. FYI to the other members, adding a CNAME to the addess list seems to add dynamic entries for all associated A record IP addresses.
It doesn't seem likely that there will ever be regex support in this feature because of how it works.
Whenever you define a hostname in an address list, the router immediately performs a DNS lookup on the name you specified, and all IP addresses returned by the DNS server are added as dynamic IP entries in the list, with timeouts set the same as the TTL returned by DNS. In other words, the IPs cannot live in the list for any longer than DNS....

Ok, so far so good, but why can't you use regex here?

It has been best practice for at least as long as I have been in the industry (since the 90s) to deny anyone having access to read your entire zone - in other words, DNS is like that children's card game "go fish" - clients may ask any name they like, and the DNS server will give the answer if it has one, or else say "not found" (i.e. 'go fish'). You can't just say "give me all of your cards."
So you can't say to a DNS server - give me every possible name you have that ends in google.com

So when you specify a regex, that's essentially what you're doing....

Another complication is that reverse DNS doesn't necessarily match forward DNS. Since the packet filter table is dealing in packets and IP addresses (not names), it doesn't know what name may or may not map to a certain IP address. Take the famous 8.8.8.8 public DNS server at Google.... I could go into my own DNS server, and set a host name "silly.dns.server.example.com" and resolve that to 8.8.8.8 How would the firewall know that I had typed "ping silly.dns.server.example.com" to generate ICMP echo requests to 8.8.8.8?

One thing that could be done is to snoop DNS and if any DNS replies contain hostnames which match your definition, then the IP addresses contained in those DNS responses could be added to the address list.... This could be worked around by clever clients though - if they know which hostnames are going to be used and a valid IP to go with them, they could just place these hostnames into their local hosts file and bypass the DNS snooping. Or they could use DNScrypt, or VPN.....

In the end, blocking outgoing user activity is a never-ending battle. Like Princess Leah told Governer Tarkin: "The more you tighten your grip, the more star systems will slip through your fingers."
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
migueloty
Trainer
Trainer
Posts: 5
Joined: Sat Nov 29, 2014 7:47 pm
Location: Colombia
Contact:

Re: How to block Youtube and facebook Android App in router Mikrotik

Fri Sep 23, 2016 7:14 pm

 
aih007
just joined
Topic Author
Posts: 12
Joined: Sun Apr 03, 2016 10:18 am

Re: How to block Youtube and facebook Android App in router Mikrotik

Tue Oct 04, 2016 11:00 pm

Thank you migueloty. Is work with me also
 
mikronsultiK
just joined
Posts: 23
Joined: Wed Feb 01, 2017 12:57 am
Location: Italy
Contact:

Re: How to block Youtube and facebook Android App in router Mikrotik

Fri May 12, 2017 8:25 pm

lets consider we do regular HTTPS over TCP. [chrome and android uses QUIC to get data securely, which is google proprietary technology and bases on UDP]

although HTTPS as itself is not to be intercepted with layer-7 filters, you can disrupt the connection before SSL is fully negotiated.
certificate exchange takes place "in cleartext", so you can use layer7 to match the certificate common name or serial, then do your stuff mark/drop/reject
on the matched connection. this is not as "surgical" as it would be with URL matching, as multiple sites/services can use the same cert. and if you block it,
you will block connection to all of them.

theoretically.

"L7 matcher collects the first 10 packets of a connection or the first 2KB of a connection and searches for the pattern in the collected data."
don't know how to interpret this, but in my case (see screenshot) the certificate is sent in packets 6,7,8,9 which would fit in there, but the 2k limit
is not enough. it this case you can match the certificate serial number and the common name.
alternatively you could match on the TLS client hello msg (packet #5), where the server name is sent as cleartext and block it.

now i am trying to put it together, but had no success so far.

this post was very interesing on my side. thanks to take time to focus on the specific relevant aspects of the topic.
IP Networking / Mikrotik Consultant
mikronsultik [at] gmail.com
skype mikronsultik
 
reinerotto
Member
Member
Posts: 437
Joined: Thu Dec 04, 2008 2:35 am

Re: How to block Youtube and facebook Android App in router Mikrotik

Sat May 13, 2017 10:12 am

Instead of messing around with this one
>...you can disrupt the connection before SSL is fully negotiated.
certificate exchange takes place "in cleartext", <
on MT on low level, similar can be done in a clean way using squids https interception.
Which also allows to block facebook etc.
However, this needs squid to be setup, which is not possible on MT, AFAIK.
 
tangram
Member Candidate
Member Candidate
Posts: 132
Joined: Wed Nov 16, 2016 9:55 pm

Re: How to block Youtube and facebook Android App in router Mikrotik

Mon May 15, 2017 12:35 pm

Hi,

Drop any dns requests using l7 list.

;;; Drop Blacklist - DNS
chain=forward action=drop layer7-protocol=blacklist protocol=udp dst-port=53

If they don't use ip instead of name you're covered.
 
tnrclkr
newbie
Posts: 25
Joined: Tue Aug 25, 2015 8:36 am

Re: How to block Youtube and facebook Android App in router Mikrotik

Sun Aug 20, 2017 10:46 pm

Calm down :)

As he mentioned before. Dropping layer7 and adding his pages to L7 list is enough. and woking... BEST SOLLUTION. Point is just finding all pages tried to be reached.
 
aarango
Member Candidate
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: How to block Youtube and facebook Android App in router Mikrotik

Tue Aug 22, 2017 10:46 am

Mikrotik offer a scripted method of blocking sites here :- http://wiki.mikrotik.com/wiki/Manual:Sc ... c_websites
It finally did the job for me!

The goal was to block youtube on my son's iPad. After running that script it blocked youtube site (even on https) but still, the app on iPad was working fine. I changed the line:
    :if (([:find $cacheName "rapidshare"] != 0) || ([:find $cacheName "youtube"] != 0)) do={
to:
    :if ([:find $cacheName "ytimg"] != 0) do={
and that did the job!

If you want to block the specific device, you only have to remember to point the proper source address or source MAC.

Thank you for your help.
Why didn't block you youtube in Ipad but yes it blocked when you used "ytimg"?
 
User avatar
matiaszon
Member
Member
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: How to block Youtube and facebook Android App in router Mikrotik

Thu Aug 31, 2017 1:20 am

Mikrotik offer a scripted method of blocking sites here :- http://wiki.mikrotik.com/wiki/Manual:Sc ... c_websites
It finally did the job for me!

The goal was to block youtube on my son's iPad. After running that script it blocked youtube site (even on https) but still, the app on iPad was working fine. I changed the line:
    :if (([:find $cacheName "rapidshare"] != 0) || ([:find $cacheName "youtube"] != 0)) do={
to:
    :if ([:find $cacheName "ytimg"] != 0) do={
and that did the job!

If you want to block the specific device, you only have to remember to point the proper source address or source MAC.

Thank you for your help.
Why didn't block you youtube in Ipad but yes it blocked when you used "ytimg"?
Because I want to learn a bit of MikroTik.
 
SilverNodashi
Frequent Visitor
Frequent Visitor
Posts: 69
Joined: Mon Sep 04, 2017 4:18 pm
Location: South Africa
Contact:

Re: How to block Youtube and facebook Android App in router Mikrotik

Tue Sep 05, 2017 10:00 am

Hi,
Can someone please tell me, do I add these rules to the bottom, or the top of the Firewall list? Or does it not matter?
 
msatter
Forum Guru
Forum Guru
Posts: 1241
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: How to block Youtube and facebook Android App in router Mikrotik

Tue Sep 05, 2017 12:50 pm

Maybe time that the comes a sticky post on blocking. The DNS does now regex and became a good tool to block unwanted sites. You have then block also acces to external DNS servers. A user can still create a host file to bypass the Mikrotik filtering.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.20 / MikroTik APP 1.3.4
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
poizzon
Member Candidate
Member Candidate
Posts: 113
Joined: Fri Jun 21, 2013 12:53 pm

Re: How to block Youtube and facebook Android App in router Mikrotik

Sat Dec 23, 2017 1:57 pm

I'm still wondering why you're not using an openDNS to block some sites ?

Of course you need static wan up address, but it is simple solution with some feedback .
You do not have the required permissions to view the files attached to this post.
--
poi
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1785
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: How to block Youtube and facebook Android App in router Mikrotik

Sat Dec 23, 2017 2:03 pm

The recommended solution has been documented by Mikrotik support: have a look at the video at 3:30 https://www.youtube.com/watch?v=D80_a_O ... cqdP43-B13

Who is online

Users browsing this forum: Baidu [Spider], MSN [Bot] and 72 guests