> you unplug the PCs from internet, turn off the routers and turn off mobile data.
One could still use RFC2549 ... even under those conditions.
Unfortunately, not being able to control users' devices, DoH/DoQ/DoT/VPN are simply enough....
+
supposed: no control on user devices
+
block youtube:
layer7 filtering useless with HTTPS.
+
modern web browser uses QUIC
+
android apps can not be blocked using Layer 7 filtering
+
blocking all youtube ip addresses would be inefficient to me
+
I tried every possible way I saw on the Internet but it didn't work for me
+
supposed: no control on user devices
+
supposed: do not want to spend $50.000 or more for a non-mikrotik deep packet inspection machine or similar
=
IS-NOT-POSSIBLE
And before opening a useless topic for the same arguments already present dozens of times, at least deign to do a search on the forum.
> modern web browser uses QUIC
/ip firewall raw add action=drop chain=prerouting comment="Ban QUIC" dst-port=443 protocol=udp
MikroTik Routers and RouterOS cannot do Deep Packet Inspection [DPI], so any site that uses HTTPS:// [like YouTube, Facebook, etc.] cannot be inspected and blocked .... to do that you need to have a Router/Hardware capable of doing DPI efficiently without impacting performance greatly ... Those types of Router systems are generally defined as Content Management Systems [CMS].
If that interests you, then Vendors like DrayTek and their Vigor2962/3910 routers can do it nicely -- for those types of devices the CMS portion usually has a licensing cost associated with the CMS modules as addons ...
@Larsa DPI (Deep Packet Inspection) is currently impossible to perform on standard encrypted payloads, which is what almost all traffic is these days, thus you have just the IP address and port number to play with. Also, there is no hardware that can crack today's encryption algorithms and decrypt traffic in real-time. It's worth noting that the most current algorithms are also quantum-safe.
> Unless you have full control of the user device, you can not stop DoH & Co. with pihole (nor the VPNs).
Not absolutely correct. You _can_ stop DoH/DoT, and VPNs as well, at least, many or most of them.
> You can stop DoH/DoT, and VPNs as well, at least, many or most of them.
Some of them. Since you can not see inside 443 encrypted packets, you have no way to see if it is just normal https traffic or any VPN going over port 443.
> BTW: SNI intercept can also help in blocking youtube etc.
TLS 1.3 encrypts SNI. So this method is gone now.
> This mostly limits access for the average school student
This is the worst group. I have been working with networks for high school students over many years, and they find a way around everything. If one finds out, all know how to bypass the blockage in just some seconds.
> "Voilà! shit", but have you tried it?
Yes. In my case I wanted to slow down youtube traffic, so I used mangle with tls-host *googlevideo.com* to mark packets for the queues. But specially for you I tried to do:
Browsers will still use https/TLS anyway,
it's not that QUIC is the only thing that exists.
add action=reject chain=forward protocol=tcp reject-with=tcp-reset tls-host=*googlevideo.com*
add action=reject chain=forward in-interface-list=LAN protocol=tcp reject-with=tcp-reset tls-host=*.googlevideo.com
> I'm not
Yay! The point here (especially for ipv6 (Always) OR ipv4 on cake located on the nat router) is that it manages flows to hosts better. A host doing voip and one doing netflix and one doing torrent get balanced automatically, each getting 1/3 the bandwidth, and what you don't use gets shared equally, so voip experiences zero queuing delay, because it is lightweight.
I only apply such filters for stupid paying customers wanting it. Because they only know YouTube for video and Facebook for social media. So they think trying to block those two sites helps anything.
What I sometimes do on sites with a low bandwidth uplink is using tls-host rules to assign youtube/netflix etc. (whatever their favorite video/streaming sites are) to low priority queues. So they can watch videos without having to fear disrupting ongoing Zoom/Teams/SIP calls.
But even for such use cases, I started to prefer Cake queues. Cake does prioritisation automatically with mostly good results, without requiring me to maintain a set of tls-host rules for individual DNS hosts.
> Do you say that you can stop me from browsing where I want without having 100% control of the client? PC/Mobil etc.
> How do you block DoH/DoQ/DoT?
You turn it off in the clients.
> I tried every possible way I saw on the Internet but it didn't work for me, I would really appreciate your help.
> Thanks in advance.
I accomplished the goal by having some control on the clients and Pi-Hole..
> > Do you say that you can stop me from browsing where I want without having 100% control of the client? PC/Mobil etc.
> > How do you block DoH/DoQ/DoT?
> You turn it off in the clients.
And this is what I say: to do that you need to have control of the clients, just as I wrote above.
-----------------------------------------------------------------------------------------------
Use Splunk> to log/monitor your MikroTik Router(s).--> MikroTik->Splunk
Backup config to Gmail -->Backup
Block users that try to use non open ports -->Block
-----------------------------------------------------------------------------------------------
> I will do.
Thank you for your courtesy. Really... thanks...
> I will do.
If it was exquisite Italian Art, it may pass the rextended litmus test.
> All these posts, but what is written in post #2 is still valid...
Please, stop spreading wrong info. You can not assume that, in case you did not succeed in blocking, nobody else can do it either.
> All these posts, but what is written in post #2 is still valid...
What I wrote does work.
All is useless after that post, no matter what users write...
> > All these posts, but what is written in post #2 is still valid...
> Please, stop spreading wrong info. You can not assume that, in case you did not succeed in blocking, nobody else can do it either.
Did you forget about the topic?
I.e. what does any browser trying to use QUIC do, in case UDP port 443 is blocked on the router?
There is an old proverb, in Chinese: Those who do not know, talk. Those who know, do not talk.
> What I wrote does work.
It is not correct, in post #2.
> > What I wrote does work.
> It is not correct, in post #2.
You said in Post #2 that it isn't possible..
> supposed: no control on user devices
> And this is with MikroTik Router?
> Post your config.
What, you want evidence? Hearsay and opinion are not enough!
> And this is with MikroTik Router?
> Post your config.
My AP (Cisco Aironet) has a checkbox to disallow 'randomized' MACs.
> So you block everything, not youtube selectively, and continue to be offtopic.
No.
If a LAN IP has internet traffic but no local DNS lookups, they lose internet access.
No one has posted a NON-invasive method on the client device, which selectively blocks youtube ONLY,
no matter if the user use VPN, private DoH (yes... PRIVATE...), ICMP tunnels, etc...
> What does non-invasive mean to you?
It's invasive to block everything in retaliation because you are not able to just block youtube...
No solution can do that unless internet access overall is white-listed.
> they are not allowed to use VPN/Proxy or DoH. They use those, they lose network access
Too bad we are not close, otherwise I would show you how easy it is to get around this thing...
Everything can be gotten around with time and effort.. My primary method is to remove users with traffic that do not have DNS lookups, which would work for the OP and majority of users.
As long as you don't blacklist EVERYTHING and only allow certain IPs/sites, there is always a way around the blocks.
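One way to implement the "internet traffic but no local DNS lookups means no internet" policy described above in RouterOS. This is an added example, not the poster's configuration; the interface lists LAN and WAN, the address-list name dns-users and the timeouts are assumptions.

```routeros
# Added example, not the poster's configuration.
# Assumes: the router is the LAN resolver, LAN ports are in interface list
# "LAN" and the uplink is in interface list "WAN".

/ip dns
set allow-remote-requests=yes

# Force plain-text DNS to the router's resolver. Hosts with a hard-coded
# public resolver still resolve, but through the resolver we control.
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 action=redirect to-ports=53 comment="Force LAN DNS through the router"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 action=redirect to-ports=53 comment="Force LAN DNS through the router (TCP)"

/ip firewall filter
# allow-remote-requests would otherwise make the router an open resolver.
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop comment="No DNS service on WAN"
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop comment="No DNS service on WAN (TCP)"

# Every LAN host that queries the local resolver is listed for 30 minutes.
# add-src-to-address-list is passthrough, so the query itself is still
# handled by the later input rules. The timeout must exceed the usual gap
# between a host's queries, or clients with long TTLs in cache are cut off.
add chain=input in-interface-list=LAN protocol=udp dst-port=53 action=add-src-to-address-list address-list=dns-users address-list-timeout=30m comment="Hosts using the local resolver"
add chain=input in-interface-list=LAN protocol=tcp dst-port=53 action=add-src-to-address-list address-list=dns-users address-list-timeout=30m comment="Hosts using the local resolver (TCP)"

# DoT uses a fixed port, so it can be rejected directly.
add chain=forward in-interface-list=LAN protocol=tcp dst-port=853 action=reject reject-with=tcp-reset comment="Block DNS over TLS"

# Forward traffic from a LAN host that never asked the local resolver is the
# signature of a DoH client or a hard-coded VPN endpoint: log it, then drop.
# Limitation raised in this thread: a host that sends one plain query per
# half hour and uses DoH for everything else stays listed.
add chain=forward in-interface-list=LAN src-address-list=!dns-users action=log log-prefix="no-local-dns" comment="Log hosts bypassing the local resolver"
add chain=forward in-interface-list=LAN src-address-list=!dns-users action=drop comment="Drop hosts bypassing the local resolver"
```

The log entries prefixed no-local-dns give the list of hosts that would be cut off, which is worth reviewing for a few days with the drop rule disabled before enforcing it.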
> As long as you don't blacklist EVERYTHING and only allow certain IPs/sites, there is always a way around the blocks.
Even that can be gotten around, speaking from experience.. haha Time and effort..
> .... I will have TikTok blocked for the foreseeable future though.
Haha, really showing your age, family members will use cell data to watch TikTok as the main vector is the smartphone... Get with the times Kev!
I can block youtube traffic ...
/ip firewall filter
add action=add-dst-to-address-list address-list="Youtube Block" \
address-list-timeout=4d chain=forward dst-port=443 protocol=tcp tls-host=\
*youtube*
add action=drop chain=forward dst-address-list="Youtube Block" src-address=\
192.168.88.0/24
/ip firewall raw
add action=add-dst-to-address-list address-list="Youtube Block" \
address-list-timeout=3d chain=prerouting dst-port=443 protocol=tcp \
tls-host=*youtube*
add action=drop chain=prerouting dst-address-list="Youtube Block"
> It will work until Youtube hosts implement ESNI.
You're right, I read that this kind of traffic can't be analyzed even with a DPI firewall.