Dear All,

I have router mikrotik RB951ui-2hnd ver 6.7, recently, I block the youtube and everything is ok; but, the issue is the google drive is block also. I don't know what the issue.

I want to stop youtube, but I also need to work with google Drive.

so, would you please to guide me to the solve this issue.

many thanks,

I block the youtube

how? we are not telepathists

By IP address I'm guessing... Since YouTube is owned by Google, they share their servers for all of their different sites, so when one blocks the IPs that YouTube is on, they inevitably block most (if not all) GoogleDrive servers.


I have no idea how one could solve this, since both YouTube and GoogleDrive use HTTPS... I mean, it's not like you could use proxy to white/black-list one or the other.

Try to mark youtube and drop it in firewall

Try to mark youtube

Code: Select all

/ip firewall layer7-protocol
add name="youtube.com test" regexp="^.+(www.youtube.com).*\$"

and drop it in firewall

This is worse! It will block not just YouTube, but any web resource that mentions it in any way! Granted that people rarely write out "www.youtube.com" in real content (and instead just say "youtube"), but hell - this very forum page will be blocked, because it contains "www.youtube.com".

And if you're talking about adding this as an additional restriction to the IP address - that won't work, because both GoogleDrive and YouTube use HTTPS. Thus, their content is unreadable. The only packets this could be applied to are the DNS messages, and the initial HTTP request (which would redirect you to the HTTPS page, except that if you go through Google, they'll redirect you to HTTPS instantly).


I guess to block just YouTube, you could block DNS requests to any DNS server other than yours, and make yours redirect to a non-existent IP, which would effectively block YouTube to any non-expert user. I mean, the only way for a user to add it back is if they modify their hosts file to include youtube.com and http://www.youtube.com both resolving to GoogleDrive's IP address... Few users would go to that length. And if you want to make sure that they can't access YouTube either... You MUST sacrifice GoogleDrive. There's no workaround for THAT part.

Dear All,

thanks for your replies, I tried Mr. vitaly777's idea, and your are right mr. boen_robot the solution is not working as i need.
and I found solution on the internet "Limit Youtube Video Stream" and I tried that solution but it didn't work with v6.7
===============================================================================================
/ip firewall layer7-protocol
add comment="" name=streaming regexp="^.*get.+\\.(c.youtube.com|cdn.dailymotion.com|metacafe.com|mccont.com).*\$"

/ip firewall mangle
add action=mark-packet chain=prerouting \
comment="Mark Packet Streaming" disabled=no \
layer7-protocol=streaming new-packet-mark=streaming \
passthrough=no

/queue tree add name="streaming" parent=global-out \
packet-mark=streaming limit-at=0 queue=default \
priority=8 max-limit=128k burst-limit=0 \
burst-threshold=0 burst-time=0s
=================================================================================================
So guys, any idea to try this script on v6.7, and is this script achieved the purpose?

Many thanks,

Don't use L7 rules to block web addresses. This checks all packet content, not just web URL! It will slow down your internet (because router inspects every packet) and will block all resources that mention this URL in the page even.

Use opendns as your dns server and block it there.

try this, its work for me. #ros 6.20
or:

hi,

it tried your solution mr. nat it s open google drive but it s not blocking youtube, and it tried also this:

Firewall Filter
Chain : Forward
Protocol : TCP
Port : 80
Content : youtube
Action : Drop

it's blocking youtube and also google drive.

proxy or dns blocking are your only options. like everyone has said, checking packet content will block all kinds of other websites as well

your are right mr. normis I will do it as you said.

many thanks for your help.

Dear All,

thanks for your replies, I tried Mr. vitaly777's idea, and your are right mr. boen_robot the solution is not working as i need.
and I found solution on the internet "Limit Youtube Video Stream" and I tried that solution but it didn't work with v6.7
===============================================================================================
/ip firewall layer7-protocol
add comment="" name=streaming regexp="^.*get.+\\.(c.youtube.com|cdn.dailymotion.com|metacafe.com|mccont.com).*\$"

/ip firewall mangle
add action=mark-packet chain=prerouting \
comment="Mark Packet Streaming" disabled=no \
layer7-protocol=streaming new-packet-mark=streaming \
passthrough=no

/queue tree add name="streaming" parent=global-out \
packet-mark=streaming limit-at=0 queue=default \
priority=8 max-limit=128k burst-limit=0 \
burst-threshold=0 burst-time=0s
=================================================================================================
So guys, any idea to try this script on v6.7, and is this script achieved the purpose?

Many thanks,

Thank U for this solution. Really help for me.

Remark:
/queue tree add name="streaming" parent=global packet-mark=streaming limit-at=0 queue=default priority=8 max-limit=128k burst-limit=0 burst-threshold=0 burst-time=0s
(delete -out after global).

/ip firewall mangle add action=mark-packet chain=prerouting comment="Mark Packet Streaming" disabled=no layer7-protocol=streaming new-packet-mark=streaming passthrough=no
need add src http://prntscr.com/djcu6h as your local subnet

Thank U very much!

The DNS method is the most suitable way. but going with this method, you must FORCE all users to use your mikrotik dns as there primary dns server, you can make a simple nat rule to redirect dns traffic to your local mikrotik dns service.

One working Example i implemented at some Ghana School & local networks, it worked great : 1- Schedule this script to run every 1 or 5 mnts. so when user will view youtube , dns cache will update, and when the scheduled script will run, It will start adding related ips to address list.
2- Create a filter rule that DROP requests destined (FORWARD CHAIN) to this address list

at least It worked 100% for me. I posted its complete method on blog as well. just in case if any 1 want complete commands

The DNS method is the most suitable way. but going with this method, you must FORCE all users to use your mikrotik dns as there primary dns server, you can make a simple nat rule to redirect dns traffic to your local mikrotik dns service.

One working Example i implemented at some Ghana School & local networks, it worked great :

Code: Select all

# Script to add target web sites DNS IP addresses into list / EXAMPLE YOUTUBE
# Tested with Mikrotik 6.3x.x
# Syed Jahanzaib / xxxxxxxxx
# List name YOUTUBE / script contents taken from mikrotik forum
:local LISTNAME "youtube"
# Check DNS entries and collect matching names
:foreach i in=[/ip dns cache all find where (name~"youtube.com" || name~"googlevideo.com") && (type="A") ] do={
# Get IP Address from the names and hold it in temporary buffer
:local Buffer [/ip dns cache get $i address];
delay delay-time=10ms
# Check if entry is already not exists, then OK, otherwise ignore duplication
:if ( [/ip firewall address-list find where address=$Buffer] = "") do={ 
# Fetch DNS names for the entries
:local sitednsname [/ip dns cache get $i name] ;
# Print name in LOG window
:log info ("added entry: $sitednsname $Buffer");
# Add IP addresses and there names to the address list
/ip firewall address-list add address=$Buffer list=$LISTNAME comment=$sitednsname;
}
}

1- Schedule this script to run every 1 or 5 mnts. so when user will view youtube , dns cache will update, and when the scheduled script will run, It will start adding related ips to address list.
2- Create a filter rule that DROP requests destined (FORWARD CHAIN) to this address list

at least It worked 100% for me. I posted its complete method on blog as well. just in case if any 1 want complete commands

Cool!

System->Scripts ?
And schedule in system->scheduler? What i must write in http://prntscr.com/djruds field?

I posted its complete method on blog as well. just in case if any 1 want complete commands

Im looking forward to se the complete method on the blog

I posted its complete method on blog as well. just in case if any 1 want complete commands

Im looking forward to se the complete method on the blog

Here it is.

https://aacable.wordpress.com/2014/02/1 ... ress-list/

I posted its complete method on blog as well. just in case if any 1 want complete commands

Im looking forward to se the complete method on the blog

Here it is.

https://aacable.wordpress.com/2014/02/1 ... ress-list/

Thank U!
A little bug in your article: http://prntscr.com/dk5xrv - must be group: facebook, not Youtube.

I`m sorry, but script doesen`t work for create youtube list. I try start script manually - no result. In log no errors and succesful messages.

UPD: i found problem: mikrotik DNS not cache YouTube. (not found name in DNS Cache).
How i can find youtube dns?

UPD2:

:resolve "youtube.com";

in start of script is help
Please, update Your manual.

Updated! thx

hmmm.... have a new problem:

YouTube distributes the load and a portion of their addresses on googledrive so collected addresses do not make sense - eventually you block at all services of Google.
I do not know how to solve this problem. I'm tired of fighting with this YouTube .
Does anyone have any ideas?

Yes the IP addressees are shared by various services, so blocking 1, caused 2nd one to blocked too.

[/quote]

The DNS method is the most suitable way. but going with this method, you must FORCE all users to use your mikrotik dns as there primary dns server, you can make a simple nat rule to redirect dns traffic to your local mikrotik dns service.

One working Example i implemented at some Ghana School & local networks, it worked great :

Code: Select all

# Script to add target web sites DNS IP addresses into list / EXAMPLE YOUTUBE
# Tested with Mikrotik 6.3x.x
# Syed Jahanzaib / xxxxxxxxx
# List name YOUTUBE / script contents taken from mikrotik forum
:local LISTNAME "youtube"
# Check DNS entries and collect matching names
:foreach i in=[/ip dns cache all find where (name~"youtube.com" || name~"googlevideo.com") && (type="A") ] do={
# Get IP Address from the names and hold it in temporary buffer
:local Buffer [/ip dns cache get $i address];
delay delay-time=10ms
# Check if entry is already not exists, then OK, otherwise ignore duplication
:if ( [/ip firewall address-list find where address=$Buffer] = "") do={ 
# Fetch DNS names for the entries
:local sitednsname [/ip dns cache get $i name] ;
# Print name in LOG window
:log info ("added entry: $sitednsname $Buffer");
# Add IP addresses and there names to the address list
/ip firewall address-list add address=$Buffer list=$LISTNAME comment=$sitednsname;
}
}

1- Schedule this script to run every 1 or 5 mnts. so when user will view youtube , dns cache will update, and when the scheduled script will run, It will start adding related ips to address list.
2- Create a filter rule that DROP requests destined (FORWARD CHAIN) to this address list

at least It worked 100% for me. I posted its complete method on blog as well. just in case if any 1 want complete commands

GRACIAS POR ESTE CODIGO ME AYUDO MUCHO