Hi guys,
I've a medium size network here, we've a 20Mbps business class fiber optic connection with 1024 public IP addresses, so we've IP addresses in all our hosts, that works fine, but main problem now is that our fiber connection is very congested due to youtube, we don't want to block it, but we want to use a cheap 40Mbps cable modem connection to forward all youtube traffic using that connection. Main problem is that we're not doing NAT at all. Can we do a youtube "bypass", I guess using NAT, but only for youtube traffic and keep all the other connections transparent using the public IP addresses?

Thanks,

In general this should be possible. You could do NAT between the public IP of your cheap connection and your public subnet.
If you configure your router to use the cheap connection for youtube the packet would be sent out the cheap connection and therefore it will get back over this connection too.
The problem is that youtube/google have several different IP-Subnets which have to be configured in the routing table of your router to make it choose the right path. Alternatively you could use the Layer 7 feature of the firewall to mark these packets. But I never used it, so I can't help with that.

- Mat

Hi SwissISP,
Thank you for reply. Do you know how can I get the list of youtube IP addresses? I googled "Youtube IP address list" but I wasn't able to find it.

Thanks

Thank you for reply. Do you know how can I get the list of youtube IP addresses? I googled "Youtube IP address list" but I wasn't able to find it.

Well... that's the problem. Maybe you can find a list of all Subnets announced by AS15169.

OK, I did some work for you...

This is what Google announces to us:

8.8.4.0/24
8.8.8.0/24
8.34.208.0/21
8.34.216.0/21
8.35.192.0/21
8.35.200.0/21
64.233.160.0/19
64.233.168.0/23
66.102.0.0/20
66.249.64.0/19
70.32.128.0/19
72.14.192.0/18
74.125.0.0/16
89.207.224.0/21
108.59.80.0/20
108.170.192.0/18
108.177.0.0/17
113.197.105.0/24
113.197.106.0/24
142.250.0.0/15
172.217.0.0/16
173.194.0.0/16
173.255.112.0/20
192.178.0.0/15
193.142.125.0/24
199.192.112.0/22
199.223.232.0/21
207.223.160.0/20
209.85.128.0/17
209.85.228.0/23
209.85.238.0/24
216.58.192.0/19
216.239.32.0/19
216.239.44.0/23


Some of these Subnets aren't used for youtube but you need to check which ones. Or you don't care and route all traffic from/to Google over the cheap link...

- Mat

I'd start with routing 173.194.0.0/16 to the cable modem and go from there.

the better is to use layer 7...

the better is to use layer 7...

If it can be filtered correctely, I'm sure this is the best solution, because IP-Subnets can change without notice.
Do you have an example config for the thread starter?

I captured the youtube and others video about 90% by this regexp:

/ip firewall layer7-protocol
add name=Youtube regexp=videoplayback

you can test it...

Great, thanks folks! Do you think it will consume many CPU resources?

Great, thanks folks! Do you think it will consume many CPU resources?

Layer 7 filters use always more CPU than others. I would say try it and you'll see...

Hi guys,
I used this:
/ip firewall layer7-protocol
add name=Youtube regexp=videoplayback

/ip mangle
add action=mark-connection chain=prerouting comment="" disabled=no layer7-protocol="YouTube " new-connection-mark="Youtube Downloads" passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment="" connection-mark="Youtube Downloads" disabled=no new-packet-mark=youtube passthrough=no protocol=tcp

But it didn't work, do you see anything wrong here?

At the moment your config does nothing but mark packets and connections.
You don't need the second mangle (postrouting) btw.

1. You have to set a routing mark -> new-routing-mark=Youtube
2. You need to add a new route for the routing mark

So it's more like: (not tested) You can find more infos if you search for "PBR" or "Policy Based Routing".

- Mat

It will be simpler, and much more reliable, to use a proxy, like squid. Then you can direct all traffic containing youtube.com to a dedicated interface, which must be on the squid box, of course.
Fiddling around with all the different youtube IPs will be a pain, especially, because google plays some tricks with DNS.
These tricks are googles way to mimic a CDN.

When using squid, you have to look at
acl dstdom_regex tube -i youtube\.com
tcp_outgoing_address tube x.x.x.x
(x.x.x.x IP of special interface for youtube)

Hi guys,
I used this:
/ip firewall layer7-protocol
add name=Youtube regexp=videoplayback

be careful to change the name of layer 7 from Youtube to YouTube as you put it in Mangle (layer7-protocol="YouTube ")