RubberBullet
just joined
Topic Author
Posts: 1
Joined: Thu Sep 24, 2020 5:20 pm

Why not a definitive solution to block Youtube?

Fri Sep 25, 2020 10:56 am

Hello All

I've seen articles and YouTube videos, and I don't find a definitive solution that once and for all allows me to

- Block YouTube for a specific IP or MAC address in a given time frame

I've tried REG and others without success, and I do not want to be using a DNS that is filtering my traffic like OpenDNS.

Why does MikroTik not have a knowledge base with all these FAQs, so people don't have to keep asking the same question?

Thanks for any final HOWTO you can refer me to.

JF
 
krafg
Forum Guru
Posts: 1020
Joined: Sun Jun 28, 2015 7:36 pm

Re: Why not a definitive solution to block Youtube?

Fri Sep 25, 2020 2:41 pm

First establish a separate VLAN or assign static DHCP to the devices that you want to block.

Next create a Layer 7 rule that filters YouTube content and assign it to the VLAN or the specific addresses that you want.

Regards.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Why not a definitive solution to block Youtube?

Fri Sep 25, 2020 2:55 pm

One cannot effectively block anything anymore with a basic SOHO router. You need enterprise-grade equipment or business class with IDS/IPS etc.
Typically that kind of inspection kills throughput.
 
Moba
Member Candidate
Posts: 206
Joined: Sun Sep 27, 2020 6:15 pm

Re: Why not a definitive solution to block Youtube?

Sun Sep 27, 2020 7:21 pm

There is no definitive solution because RouterOS just has too many options. Not knowing what you are trying to achieve, this is one way I tested to block websites using L7.

The idea is to block outbound requests to the site via DNS (traffic you usually control on any router connected to the Web).

So assuming you already made the proper L7 regex named youtube:

Mangle:

add action=mark-connection chain=prerouting comment=youtube-con dst-port=53 \
layer7-protocol=youtube new-connection-mark=youtube-con passthrough=yes \
protocol=udp
add action=mark-packet chain=prerouting comment=youtube-pk connection-mark=\
youtube-con new-packet-mark=youtube-pk passthrough=no

You then add a drop rule for those packets in the firewall for both the input and forward chain. I tested this last night, and it worked on my home router for Youtube, Pornhub, etc. It even blocked web proxies from reaching those sites. I had to use Tor to bypass the block. It might cause unforeseen issues, but I couldn't see any when I tried this method. I didn't test it with Apple/Android connected devices though.

Furthermore, since you don't require a global block, you will need to use DHCP to assign a static address to the clients/schedule you want to block and add that information to one of the mangle rules.

Please note that if you try to filter all inbound traffic by making L7 rules directly in the forward chain, or worse, in the firewall, as suggested in many online tutorials, it will be CPU-intensive with many clients, and any encrypted packets (port 443) will bypass the filter easily, i.e. Chrome will not be blocked. Trying to control that traffic for QoS purposes is also quite futile in my limited experience (it only works with Firefox).

Hope this helps.

Edit: Does not work with Google's DNS.
Last edited by Moba on Tue Sep 29, 2020 3:46 pm, edited 5 times in total.
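A complete form of the DNS-side L7 method from the post above, added here as an example and not Moba's own export: it includes the L7 regex the post assumes, the two drop rules, and a per-client address list plus a time window, which is what the opening post asked for. The list name yt-blocked, the client address, the regex and the 20h-23h window are constructed assumptions.

```routeros
# Added example (not from the post): L7-on-DNS block, limited to listed clients and a time window.
# Assumed names/values: address list "yt-blocked", client 192.168.88.50, hours 20:00-23:00.

# Clients that get the block. Give them static DHCP leases so the address does not change.
/ip firewall address-list
add list=yt-blocked address=192.168.88.50 comment="kid-laptop (constructed example)"

# The L7 regex the post assumes. A DNS question carries the name as length-prefixed labels,
# so a plain substring match on the UDP payload is enough; googlevideo/ytimg serve the media.
/ip firewall layer7-protocol
add name=youtube regexp="^.+(youtube|googlevideo|ytimg).*\$"

# Mangle: Moba's two rules, with src-address-list and time added on the first one.
# passthrough=yes on the connection mark so the packet-mark rule below still runs.
/ip firewall mangle
add chain=prerouting protocol=udp dst-port=53 src-address-list=yt-blocked \
    layer7-protocol=youtube action=mark-connection new-connection-mark=youtube-con \
    passthrough=yes time=20h-23h,sun,mon,tue,wed,thu,fri,sat comment=youtube-con
add chain=prerouting connection-mark=youtube-con action=mark-packet \
    new-packet-mark=youtube-pk passthrough=no comment=youtube-pk

# Filter: drop the marked lookups whether they are aimed at the router's own resolver
# (input) or at an external resolver (forward). Place these above any generic accept rules.
/ip firewall filter
add chain=input packet-mark=youtube-pk action=drop comment="drop youtube DNS (router resolver)"
add chain=forward packet-mark=youtube-pk action=drop comment="drop youtube DNS (external resolver)"
```

As the post's edit and later replies note, this only sees plaintext port-53 lookups; clients that use DoT, DoH or an encrypted resolver such as Google's go around it.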
 
Moba
Member Candidate
Posts: 206
Joined: Sun Sep 27, 2020 6:15 pm

Re: Why not a definitive solution to block Youtube?

Mon Oct 05, 2020 12:29 am

This is another method to block websites using an address list:

In this case, I am building the list for Netflix with an L7 regex named netflix and marking the packets.

Mangle:

add action=add-dst-to-address-list address-list=netflix address-list-timeout=\
none-dynamic chain=prerouting comment=netflix-con layer7-protocol=netflix
add action=mark-packet chain=forward comment=netflix-dw-pk new-packet-mark=\
netflix-dw-pk passthrough=no src-address-list=netflix

I then block those packets in the firewall. This method seems effective to control bandwidth in queues as well (worked for Chrome and my smart TV). YMMV.
 
Spof80
just joined
Posts: 5
Joined: Wed Dec 01, 2021 1:14 pm

Re: Why not a definitive solution to block Youtube?

Wed Dec 01, 2021 11:19 pm

Sorry for stealing this thread, but what is the simplest way if you just wanna block a certain website address for all users on the router at all times?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Why not a definitive solution to block Youtube?

Thu Dec 02, 2021 5:51 am

By removing internet privileges if they break the rules..........
 
ErkDog
just joined
Posts: 23
Joined: Thu Dec 02, 2021 5:51 pm

Re: Why not a definitive solution to block Youtube?

Thu Dec 02, 2021 6:00 pm

Spof, the best way to deal with blocking specific websites at all times for everyone is an override in DNS.

So you can just set, for example, www.netflix.com and netflix.com to resolve to 0.0.0.0 or 127.0.0.1 instead.
 
Moba
Member Candidate
Posts: 206
Joined: Sun Sep 27, 2020 6:15 pm

Re: Why not a definitive solution to block Youtube?

Sat Dec 04, 2021 10:51 pm

Firewall Raw if it's a limited range - you can use the firewall connections tab to get the addresses. Alternatively, L7 and TLS Host methods can work to build an address list, but are easily bypassed. MT doesn't offer simple URL or keyword filtering like that found on consumer routers.

With a DNS server, you can block ads and any site you wish. If it's only a few Windows computers, you can also block sites with the hosts file.
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Why not a definitive solution to block Youtube?

Sat Dec 04, 2021 11:00 pm

YouTube is now also using QUIC
https://www.fastvue.co/fastvue/blog/goo ... lications/
https://groups.google.com/a/chromium.or ... 32KU?pli=1

There is no easy block for that.
As long as you do not have 100% control of the clients on your network, you are out of luck.
On a corporate network, you can use Forcepoint or Palo Alto, which intercept the certificate and examine all HTTPS packets.
Even there QUIC passes through, so you need to block the QUIC protocol (HTTP/3) so that communication goes to HTTP/2.
https://en.wikipedia.org/wiki/QUIC

Make a rule for what IP each user can reach and then block the rest...
 
normis
MikroTik Support
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Why not a definitive solution to block Youtube?

Fri Dec 10, 2021 12:00 pm

This rule works perfectly for me:

add action=reject chain=blocklist comment="block youtube" protocol=tcp reject-with=icmp-network-unreachable tls-host=*youtube*

Please don't use L7 rules for blocking web pages.
 
tangent
Forum Guru
Posts: 1330
Joined: Thu Jul 01, 2021 3:15 pm

Re: Why not a definitive solution to block Youtube?

Sat Dec 11, 2021 1:51 am

what is the simplest way if you just wanna block a certain website adress

The problem is that there isn't a single simple "address" in many cases.

Creating a global-scale video hosting system is non-trivial in the extreme. You can't do that with a single machine, nor even safely so with a single domain name. Thus round robin DNS, the distinctions between youtube.com, yimg.com, gstatic.com, 1e100.net and whatever else Google's got set up these days.

Simple address blocking works for simple services where such measures aren't in place (e.g. this web forum). Blocking a whole cloud service without breaking everything else using the same cloud (e.g. GMail) is nontrivial for the same reason the service itself is nontrivial.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Why not a definitive solution to block Youtube?

Sat Dec 11, 2021 3:09 pm

This rule works perfectly for me:

add action=reject chain=blocklist comment="block youtube" protocol=tcp reject-with=icmp-network-unreachable tls-host=*youtube*

please don't use l7 rules for blocking webpages

How do you upload your videos if that works? Don't worry, Chrome let me watch. :)

And the Filter docs do pretty well at clarifying most of the discussion here – basically they say there are some cases where this method doesn't work...

The MT docs even have a yellow warning box specifically about YouTube filter using the "tls-host" method:
A tls-host matcher is a powerful tool to block HTTPS-based websites, but for example, Youtube is using QUIC (UDP-based protocol) instead of normal HTTP/2 (TCP-based protocol). TLS-host does not work with QUIC as it depends on TCP connection.

On tls-host in Firewall > Filter rules, there are some subtleties here:
Allows matching HTTPS traffic based on TLS SNI hostname. Accepts GLOB syntax for wildcard matching. Note that the matcher will not be able to match hostname if the TLS handshake frame is fragmented into multiple TCP segments (packets).

So if "tls-host=*domainname*" isn't working more generally with other websites, check/fix that the MTU and/or MSS clamping settings/config are right. If you do have fragmentation, you'd likely get a performance increase by fixing it – that might allow you to not worry about some YouTube escaping. ;). On the other hand, using any Layer7/L7 RegEx on your router is certainly a good way to decrease your performance. While this is in fact largely what enterprise/other content filtering solutions do – it takes a large CPU because they use a complex set of match rules that have way more context (e.g. L7 rules can't use the whole packet), typically with some automatic updating as blocking rules need to change with websites' methods to avoid them.

Which is why folks here suggest this + firewall + DNS redirection as the "best you can" approach for MikroTik. But even if you do all that, you still have to consider the IPv6 path, something Google/Apple try to steer folks to, and now enabled by default in v7. The MikroTik IPv6 firewall will protect inbound, but it allows LAN IPv6 without issue by default.

But in the case of YouTube with a Chrome browser... you really are trying to fight a US$1T company whose revenue depends on people seeing content like YouTube with all the tools – they control the client AND server, thus can employ a variety of techniques so it "just works" for the customer – including bypassing most common things a home router could do to block traffic. This isn't necessarily an attack – people do misconfigure routers and some find it a feature that Chrome "fixes it". Or, in the case of QUIC, trying to do something about design problems with TLS+TCP that limit performance.

Not taking sides on approach here, but if your technical need is "stopping YouTube from working" it's just hard and/or a lot of work/money.
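normis' tls-host rule assembled into a chain that can actually match, added here as an example and not any poster's own configuration: a jump from forward into the blocklist chain, the UDP/443 reject that Jotne's post describes so clients fall back from QUIC to TCP, where tls-host can read the SNI, and the MSS clamp Amm0 mentions so the ClientHello is not split across segments. The interface lists LAN/WAN and the address list yt-blocked are assumptions.

```routeros
# Added example (not from the thread): the tls-host reject, with the conditions under which
# it can match at all. Assumed names: interface lists LAN/WAN, address list "yt-blocked".

# Keep the TLS ClientHello in one segment on the WAN path; per the docs quoted above,
# tls-host cannot read the SNI when the handshake is spread over several TCP segments.
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn out-interface-list=WAN action=change-mss \
    new-mss=clamp-to-pmtu passthrough=yes comment="clamp MSS to PMTU"

/ip firewall filter
# Only traffic from the listed clients is sent through the blocklist chain.
add chain=forward in-interface-list=LAN src-address-list=yt-blocked action=jump \
    jump-target=blocklist comment="blocklist for restricted clients"

# QUIC (HTTP/3) runs over UDP, which tls-host does not inspect. Rejecting UDP/443 makes the
# browser retry over TCP, where the next rule can see the hostname.
add chain=blocklist protocol=udp dst-port=443 action=reject \
    reject-with=icmp-network-unreachable comment="no QUIC: fall back to TCP"

# normis' rule: match the SNI in the TCP ClientHello.
add chain=blocklist protocol=tcp tls-host=*youtube* action=reject \
    reject-with=icmp-network-unreachable comment="block youtube"

# Everything else goes back to the forward chain.
add chain=blocklist action=return
```

As later posts report, this still matches nothing once the client encrypts the SNI, and rejecting UDP/443 disables QUIC for every site the listed clients visit, not just YouTube.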
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Why not a definitive solution to block Youtube?

Sat Dec 11, 2021 3:36 pm

There's one simple and reliable solution, but it may not be very convenient. If it's some company network, then don't give users direct internet access at all. Only allow it via a proxy with an ACL, where you allow only hostnames (not numeric addresses). Then if you block connections to www.youtube.com, no simple trick will allow getting around that; QUIC, DoH, ESNI, nothing will help, everything will be reliably blocked. There's still VPN, that's another level, but if you find what people use, you can block its servers the same way. The downside is that it's not commonly used, so not everything may be ready for that.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Why not a definitive solution to block Youtube?

Sat Dec 11, 2021 3:57 pm

Sob can you give an example of what you mean with proxy???
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Why not a definitive solution to block Youtube?

Sat Dec 11, 2021 4:27 pm

I don't have any ready-to-use and fine-tuned solution, but generally for example SOCKS proxy.

As a user you'd have a PC in the LAN, without any connection to the internet. To access the internet, e.g. to browse the web, you'd configure the web browser to use a SOCKS proxy provided by the admin. The proxy would be configured to only accept hostnames, not numeric addresses, so even if you'd write down a blocked server's IP address, you wouldn't be able to connect to it and get around blocking this way.

From the admin perspective, it would be easy to block anything by hostname (any port, any protocol), including subdomains, because the proxy gets that in readable form (it's the hostname the client wants to connect to), no matter if the connection is encrypted or anything. A purposely built solution could easily make statistics for each user (the proxy could require a unique login for each to make sure that it's able to tell them apart), show most accessed domains, amount of transferred data, etc. So if someone would e.g. tunnel traffic through their own VPN server at home, it would show up immediately.

Two main problems are that not all software supports a proxy (so some wouldn't work at all with this), and that there's no simple system-wide config for this (in Windows, some software takes the proxy from IE settings, but probably not many), so it would be annoying for users travelling between different networks.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Why not a definitive solution to block Youtube?

Sat Dec 11, 2021 4:54 pm

you'd configure web browser to use SOCKS proxy provided by admin.
That's all I needed: not transparent to users, not viable at home, just businesses.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Why not a definitive solution to block Youtube?

Sat Dec 11, 2021 5:49 pm

you'd configure web browser to use SOCKS proxy provided by admin.
Thats all I needed, not transparent to users,,,,,,, not viable at home, just businesses
@SoB is right – more pointing out Normis' false hope that it's just one config line. Useful feature, incomplete as a comprehensive web blocking tool.

I really do think trying to effectively block YouTube without affecting things too much is difficult on MikroTik.

Since I don't mind playing devil's advocate... SOCKS5 is designed for this kind of thing – all traffic goes through a single port, if the OS/browser respects it. I wouldn't recommend trying SOCKS on v7.1 yet...

But I'd imagine home devices support auto-proxy configuration via a "PAC file": https://en.wikipedia.org/wiki/Proxy_auto-config. Zscaler had a picture/description of how PAC works. Recall also there being some DHCP things to do to enable SOCKS5 too. If stuff didn't allow a PAC file/an app didn't work, or needed more access, etc – then you could allow direct access to those services in the firewall per device. For really tricky things, allow direct HTTPS for "trusted devices" in the firewall config. Or perhaps device-class via a script in the DHCP server that puts IoT devices in a firewall list based on starting MAC or reservations, etc...

Certainly re-architecting your config/network to enable blocking using this method. I think it's a game of whack-a-mole to try with only a MikroTik in the tool bag. But if that's the case, SOCKS may be worth looking at – something to try – since the DNS approach's days are numbered, and not much to do about QUIC. Again stick to v6 if you do.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Why not a definitive solution to block Youtube?

Sat Dec 11, 2021 7:28 pm

Problem with this solution is that evolution simply went in different direction. It's easier to give devices direct access to internet, and not bother with any proxy server, because that's extra.

In the past, with plaintext everywhere, it wasn't even too difficult to block something. But that's action and reaction: more blocking means more incentive to invent something that will get around it. So now we have encryption everywhere, and when there's direct access, filtering becomes more and more problematic. I don't think that proxies are a magical solution, but if all traffic has to go through a proxy, as admin you definitely have a tighter grip on it.

I don't know if someone will reinvent this, and if it has any chance to become popular. I wouldn't bet on it, but who knows...
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Why not a definitive solution to block Youtube?

Sat Dec 11, 2021 9:40 pm

I don't know if someone will reinvent this, and if it has any chance to become popular. I wouldn't bet on it, but who knows...
I wouldn't recommend SOCKS either. Or even trying to solve this "problem" on a MikroTik – focus on managing the bandwidth. If you need to restrict users in a fine-grained manner, look beyond the MikroTik. But if you're looking for a novel MikroTik approach that does something to block websites (how much, YMMV), MT offers LOTS to do and try, but it will never be a "definitive solution".

So more fodder for trying. At least SOCKS always knows domain names, and if the device/browser did support it, they'd probably respect any policy. DNS tricks are easy, but eventually avoided by clients. SOCKS5 would at least be stable (eventually in v7), has a UI, and either clearly works, or not. Basically turn SOCKS from yet another method to avoid the very same MT content filters discussed here (e.g. the forced-DNS firewall rules discussed here would do nothing if someone DID configure their device to use SOCKS) into SOCKS' more historical form as the defensive gatekeeper. Start with a deny on all IPv4, then whitelist what doesn't work with SOCKS. Since blocking one website is likely not the only thing someone might want to block.

What to do about IPv6 and blocking – here I'm more clueless – that seems even harder (but maybe easier). Sure there are some [likely partial] solutions out there. If you wanted to foist IPv6 usage, another idea along these lines, offering only SOCKS5 access for IPv4, is certainly an approach – allowing you to focus your blocking efforts on securing IPv6. One more thought – since whatever you do in the IPv4 firewall would have to be replicated in the IPv6 firewall to enable it – making any block on an MT literally TWICE as much work. Since if you have IPv6 on the WAN, in most cases, you'd want to use it – outside being able to block websites, it generally offers speed benefits.

Also the other thing to consider is if you only have mobile devices (Apple/Android), there may be easy/cheap ways to restrict websites. There is lots of Apple's MDM approach for iPhone and iPad, including using Profile Manager on a Mac - that lets you block websites (and more). Android has similar stuff, again an expert. Also there are a lot of DHCP options that might be able to control some policy (can't think of one for website blocking, but sometimes there are esoteric DHCP things to implement a network policy). Also I believe there are Made for MikroTik SaaS solutions out there that attack this same problem by applying these MT blocking techniques more automatically.

Basically a MikroTik asking the network device to respect some protocol and blocking if they don't is a different way of skinning this cat. You'd be looking for why something didn't respect it. Or accept you may need to apply large-org techniques at home to more realistically do any website blocking effectively.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Why not a definitive solution to block Youtube?

Sat Dec 11, 2021 11:10 pm

Well, I could recommend SOCKS for some environments (company network, etc), if the whole ecosystem was more ready for it. But it isn't. It's not entirely hopeless, there's old autoconfiguration using WPAD, supposedly supported even by current web browsers (I didn't test it), but it's far from perfect. And it's just web browsers.

But if you want control, the ability to work with hostnames would be a huge advantage. Because that's exactly what you need, to block something by name, but the firewall works with numeric addresses, and even if tls-host may work today, it too will be useless once they get rid of readable SNI.

As for IPv4/IPv6, there's no major difference. If you want some firewall-based filtering (tls-host, L7), it's the same for both (only current RouterOS doesn't support L7 for IPv6). With proxy-based approach, you don't need to care about it at all, because it's proxy actually connecting to outside, so even internal IPv4-only network can have access to external IPv6-only servers.
 
PackElend
Member Candidate
Posts: 268
Joined: Tue Sep 29, 2020 6:05 pm

Re: Why not a definitive solution to block Youtube?

Mon Jan 31, 2022 3:37 pm

add action=reject chain=blocklist comment="block youtube" protocol=tcp reject-with=icmp-network-unreachable tls-host=*youtube*
how can you say it works perfectly, when MikroTik's own manual says it can fail?
 
PackElend
Member Candidate
Posts: 268
Joined: Tue Sep 29, 2020 6:05 pm

Re: Why not a definitive solution to block Youtube?

Mon Jan 31, 2022 3:52 pm

What about doing a frequent DNS lookup to read all IPs of YouTube etc. and blacklisting these IPs? That would require that you block any tunnelling service as well...
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Why not a definitive solution to block Youtube?

Mon Jan 31, 2022 6:56 pm

The problem with that is the resulting lookups for the DNS name will vary all the time, and will also vary depending on where the queries are done.
So when your router does DNS queries for youtube.com and is configured to use your ISP as a resolver, and your user has 8.8.8.8 as a resolver (either configured that way, or uses Google software that always tries that even when you do not configure it), it will get a different list of IP addresses and it will go around your blocklist.
The way to avoid that was (in the past) to make sure that all accesses to port 53 (UDP and TCP) are redirected to your router (dstnat), so users would always use the same DNS resolver as your router does.
But that does not work anymore because now users use DoT and DoH (DNS over HTTPS).

This way, every method previously available to block sites is being taken away from you. Step by step.
It is better to yield and stop wanting to block sites.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Why not a definitive solution to block Youtube?

Mon Jan 31, 2022 7:05 pm

It is better to yield and stop wanting to block sites.
Corporate Policy - Use of company internet for non-business needs constitutes grounds for a warning; second offence is firing.
House Policy - Why block YouTube? The educational aspects are amazing... Other uses of YouTube are up to parental education.
 
PackElend
Member Candidate
Posts: 268
Joined: Tue Sep 29, 2020 6:05 pm

Re: Why not a definitive solution to block Youtube?

Mon Jan 31, 2022 8:57 pm

It is better to yield and stop wanting to block sites.
House Policy - Why block youtube, the educational aspects are amazing.......... Other uses of youtube are up to parental education.
replace youtube by pornhub and having kids ;)
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Why not a definitive solution to block Youtube?

Mon Jan 31, 2022 9:16 pm

These days you can replace Pornhub with Netflix. Same content.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Why not a definitive solution to block Youtube?

Mon Jan 31, 2022 11:38 pm

When you think you can achieve anything by blocking a couple of sites (and still allowing millions of others)...
 
jbl42
Member Candidate
Posts: 214
Joined: Sun Jun 21, 2020 12:58 pm

Re: Why not a definitive solution to block Youtube?

Tue Feb 01, 2022 2:16 pm

replace youtube by pornhub and having kids ;)
That's the point: What do you achieve with blocking pornhub? There is redtube, xvideos, xhamster and many, many more.
They will always find one not on your blocklist, ending in a hare and hedgehog game.
And they have friends with parents not caring or lacking the know-how, where they have access to all they want.

There is no way but preparing kids to live in a world where porn is everywhere. Whether we like it or not.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Why not a definitive solution to block Youtube?

Tue Feb 01, 2022 2:23 pm

The closest you can get to blocking on content basis is to use a DNS service that filters DNS names based on such information.
E.g. OpenDNS, CloudFlare etc.

However that means that you have to set these DNS servers in your router, and make sure access to other DNS services direct from the LAN is blocked.
You can block TCP and UDP port 53 in the forward chain, and only allow it in the input from LAN and established/related on WAN.

However, it is not enough anymore. You need to block TCP port 853 for DNS over TCP, and then there is DNS over HTTPS which you cannot block altogether because it uses port 443.
Only maintaining a list of "well-known DoH servers" in an address list can come close to solving this.

When you have done all that, they can just setup a VPN or Proxy.
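The DNS-side controls from ErkDog's post and the steps above, assembled into one configuration as an added example (not any poster's own export): static overrides on the router's resolver in place of an external filtering DNS, a dstnat redirect so LAN port-53 lookups always hit the router, a reject for port 853, and an address list for known DoH resolvers. The interface list LAN, the list name doh-servers and the 198.51.100.10 placeholder are assumptions; 8.8.8.8 is the resolver named earlier in the thread.

```routeros
# Added example (not from the thread): DNS-side blocking, with the bypass paths the posts
# name (direct resolvers, DoT, DoH) closed as far as a firewall can. Assumes an interface
# list named LAN already exists.

# 1. Answer blocked names with an unroutable address on the router's own resolver
#    (ErkDog's override). The regexp entry catches every subdomain as well.
/ip dns
set allow-remote-requests=yes
/ip dns static
add name=netflix.com address=0.0.0.0 comment="blocked (constructed example)"
add regexp="^(.*\\.)?netflix\\.com\$" address=0.0.0.0 comment="blocked, all subdomains"

# 2. Force plain DNS through the router: any LAN lookup to port 53, whoever it was
#    addressed to, is redirected to the router's resolver (dstnat).
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 action=redirect \
    to-ports=53 comment="LAN DNS -> router resolver"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 action=redirect \
    to-ports=53 comment="LAN DNS (TCP) -> router resolver"

# 3. Close the encrypted side channels the post lists. DoT has its own port (853);
#    DoH shares 443, so only a maintained list of resolver addresses can be rejected.
/ip firewall address-list
add list=doh-servers address=8.8.8.8 comment="dns.google (resolver named in thread)"
add list=doh-servers address=198.51.100.10 comment="PLACEHOLDER: replace with real DoH resolver IPs"
/ip firewall filter
add chain=forward protocol=tcp dst-port=853 action=reject \
    reject-with=icmp-network-unreachable comment="block DNS over TLS"
add chain=forward protocol=tcp dst-port=443 dst-address-list=doh-servers action=reject \
    reject-with=icmp-network-unreachable comment="block known DoH resolvers"
add chain=forward protocol=udp dst-port=443 dst-address-list=doh-servers action=reject \
    reject-with=icmp-network-unreachable comment="block known DoH resolvers (HTTP/3)"
```

As the post says, a VPN or proxy still goes around all of this.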
 
PackElend
Member Candidate
Posts: 268
Joined: Tue Sep 29, 2020 6:05 pm

Re: Why not a definitive solution to block Youtube?

Tue Feb 01, 2022 3:55 pm

When you have done all that, they can just setup a VPN or Proxy.
Thought the same thing, thanks for the clarification / confirmation.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Why not a definitive solution to block Youtube?

Tue Feb 01, 2022 4:30 pm

On plus side, at least they will learn something about network stuff. :)
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Why not a definitive solution to block Youtube?

Tue Feb 01, 2022 7:36 pm

When you have done all that, they can just setup a VPN or Proxy.
Why not just turn off the secure filter on Google or Bing search? Then just search for any porn you like and select pictures.
There is no way to prevent this (it can be controlled somewhat on a company PC with forced policy).
 
dejoebad
just joined
Posts: 16
Joined: Mon Jul 21, 2014 5:05 pm

Re: Why not a definitive solution to block Youtube?

Sat Feb 19, 2022 1:22 am

This rule works perfectly for me:

add action=reject chain=blocklist comment="block youtube" protocol=tcp reject-with=icmp-network-unreachable tls-host=*youtube*

please don't use l7 rules for blocking webpages
Are you sure this rule also works with YouTube app users?
Anyway, I'll try this...
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Why not a definitive solution to block Youtube?

Sat Feb 19, 2022 1:25 am

QUIC uses UDP...
The TLS host is encrypted in new versions, and you cannot read it.
Google & Co. want you to see ads and collect all your data;
anything that possibly prevents ads or data collection must be removed,
like filtering...
 
xbmcgotham
just joined
Posts: 13
Joined: Thu Feb 13, 2020 3:00 pm

Re: Why not a definitive solution to block Youtube?

Sat Nov 12, 2022 7:17 pm

Hi,

I am using the TLS host method (https://know.al/en/blocking-youtube-tra ... -protocol/) for blocking Youtube web site and Youtube App for computers of some users. It is not really working for me.

Not sure of course if something is wrong with my setup, but it's not doing the blocking. It stores the IP address of YouTube, but still opens the YouTube page. Can someone see if I did something wrong in the config? I attached some screenshots.

Thanks for any support.

EDIT: Removed screenshots as TLS is no longer working according to next post
Last edited by xbmcgotham on Sat Nov 12, 2022 7:49 pm, edited 1 time in total.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Why not a definitive solution to block Youtube?

Sat Nov 12, 2022 7:30 pm

Please read all of the above before you post your screenshots. It is not working anymore.
Also, to explain what you did, do not post screenshots but show an export of the router config.
 
xbmcgotham
just joined
Posts: 13
Joined: Thu Feb 13, 2020 3:00 pm

Re: Why not a definitive solution to block Youtube?

Sat Nov 12, 2022 7:48 pm

Hi, thanks for the quick response.

Ok, so I read it incorrectly. How unfortunate that this is not working anymore. Any other techniques that are in the making? Layer7 is not possible, fully blocking is not realistic, removing the apps is often not possible as they are embedded into root permissions on devices.

What is left? Mikrotik working on anything?

A full config export is too much to share here. For this reason I condensed it into a couple of screenshots. I will remove them again.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Why not a definitive solution to block Youtube?

Sat Nov 12, 2022 8:14 pm

Please read this post until you understand what it says.........
viewtopic.php?t=166748#p819025

(PS. I hurl flatulence at the direction of Normis for creating fake news in this thread)
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Why not a definitive solution to block Youtube?

Sat Nov 12, 2022 10:19 pm

How unfortunate that this is not working anymore.
The mission of the internet app developers over the past years has been to prevent network administrators from fiddling with their applications.
Put everything in https, make DNS encrypted, add additional measures to https to make filtering even more difficult (encrypted SNI), make it more difficult to do state tracking by using UDP (QUIC), move everything to "content delivery" services that you cannot block because you would block more than one app or site, introduce services like "login using twitter" or "login using facebook" that make it impossible to block those services because you would block their login facility as well, etc etc.
So now your position has been reduced to a facilitator of network traffic. Influencing what your users are doing is made impossible for you.
Anyway, there is no reason to block Youtube. If you want a datacap, make that. Do not try blocking sites because they cause too much traffic for you, their role will be replaced by other sites that do the same.
When you want to show some config, use export. No need to show everything, but do not show in a screenshot what you can show in 1-3 export lines.
 
xbmcgotham
just joined
Posts: 13
Joined: Thu Feb 13, 2020 3:00 pm

Re: Why not a definitive solution to block Youtube?

Sun Nov 13, 2022 1:36 am

Please read this post until you understand what it says.........
viewtopic.php?t=166748#p819025

(PS. I hurl flatulence at the direction of Normis for creating fake news in this thread)
Thanks, I will check this out.
 
xbmcgotham
just joined
Posts: 13
Joined: Thu Feb 13, 2020 3:00 pm

Re: Why not a definitive solution to block Youtube?

Sun Nov 13, 2022 1:40 am

How unfortunate that this is not working anymore.
The mission of the internet app developers over the past years has been to prevent network administrators from fiddling with their applications.
Put everything in https, make DNS encrypted, add additional measures to https to make filtering even more difficult (encrypted SNI), make it more difficult to do state tracking by using UDP (QUIC), move everything to "content delivery" services that you cannot block because you would block more than one app or site, introduce services like "login using twitter" or "login using facebook" that make it impossible to block those services because you would block their login facility as well, etc etc.
So now your position has been reduced to a facilitator of network traffic. Influencing what your users are doing is made impossible for you.
Anyway, there is no reason to block Youtube. If you want a datacap, make that. Do not try blocking sites because they cause too much traffic for you, their role will be replaced by other sites that do the same.
When you want to show some config, use export. No need to show everything, but do not show in a screenshot what you can show in 1-3 export lines.

Thanks for the detailed explanation.
I am trying to prevent my children going on these sites like youtube. I guess for this time, I will have to close the full connection and only let through specific sites. A lot of work but that's probably the only way instead of totally removing the hardware. :-)
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: Why not a definitive solution to block Youtube?

Sun Nov 13, 2022 3:19 am

The mission of the internet app developers over the past years has been to prevent network administrators from fiddling with their applications.
Put everything in https, make DNS encrypted, add additional measures to https to make filtering even more difficult (encrypted SNI), make it more difficult to do state tracking by using UDP (QUIC), move everything to "content delivery" services that you cannot block because you would block more than one app or site, introduce services like "login using twitter" or "login using facebook" that make it impossible to block those services because you would block their login facility as well, etc etc.
excellent explanation 8)
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Why not a definitive solution to block Youtube?

Sun Nov 13, 2022 9:11 am

My post above describe how it can be done:
viewtopic.php?p=895182#p895182
But you need 100% control of each clients.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Why not a definitive solution to block Youtube?

Sun Nov 13, 2022 11:56 am

I am trying to prevent my children going on these sites like youtube. I guess for this time, I will have to close the full connection and only let through specific sites.
That isn't possible (anymore) either! See, there is no way you can let through "a site". You may think that to make www.somesite.domain working, the only thing you need to do is to lookup its address and allow access to that address.
However:
- sites usually do not have a constant address anymore (see above to know what trouble that causes)
- what you see on screen as "a site" in fact consists of a collection of many different sources. text comes from one domain, images come from another, scripts come from many other domains, adverts are loaded, etc.
So it will be a lot of work to investigate what "a site" needs to be working, as it changes all the time as the site is being maintained.

And then, what is wrong with your children going to sites like Youtube? There is A LOT to learn on Youtube!
It is your task to teach them what they can watch and what not.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Why not a definitive solution to block Youtube?

Sun Nov 13, 2022 6:04 pm

Kids need very little computer time anyway. It's not supposed to take the place of parenting.
They should be involved in activities that stimulate the mind, make them think. Often the computer, just like TV, is one-way and wasted time.
Thank god I had books when young and not a computer; I am far more literate and have an active, healthy imagination.
If one isn't able to create characters' appearances and voices and associated images and places, for example by reading the Harry Potter books, and your life is just watching the movies............... I feel sorry for kids stuck in that scenario by deadbeat parents.
 
eenpahlefi
just joined
Posts: 4
Joined: Wed Mar 19, 2014 12:40 pm
Location: Banjarmasin
Contact:

Re: Why not a definitive solution to block Youtube?

Sun Apr 09, 2023 11:23 pm

Solved. First:
1. block the QUIC protocol,
2. then block googlevideo.com.
/ip firewall raw
add action=drop chain=prerouting dst-port=443 protocol=udp
add action=drop chain=prerouting dst-address-list=googlevideo

/ip firewall filter
add action=add-dst-to-address-list address-list=googlevideo address-list-timeout=none-dynamic chain=forward content=googlevideo.com dst-port=443 protocol=tcp
add action=add-dst-to-address-list address-list=googlevideo address-list-timeout=none-dynamic chain=forward content=googlevideo.com dst-port=443 protocol=udp

Regards
Een Pahlefi Al Banjari
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Why not a definitive solution to block Youtube?

Mon Apr 10, 2023 12:42 am

Are you sure that unconditional blocking port 443/UDP is a good step?
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Why not a definitive solution to block Youtube?

Mon Apr 10, 2023 2:54 am

Are you sure that unconditional blocking port 443/UDP is a good step?
Don't pay attention, they are those of the "TLS 1.2-" solution: "as long as it works, I don't give a damn about blocking the other services on the same IP too"...

What do you expect from one who first does
/ip firewall raw
add action=drop chain=prerouting dst-port=443 protocol=udp
and later
/ip firewall filter
add action=add-dst-to-address-list address-list=googlevideo address-list-timeout=none-dynamic chain=forward content=googlevideo.com dst-port=443 protocol=udp
???

(Translated for others: if you block all UDP traffic on port 443 regardless, why is it then checked uselessly in another firewall section???...)
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Why not a definitive solution to block Youtube?

Mon Apr 10, 2023 1:01 pm

Another reason why this does not work properly is that the addresses returned for "googlevideo.com" will vary depending on who is making the query.
So when your router gets the DNS resolvers from the ISP and makes the DNS query via that, and your users have 8.8.8.8 as DNS resolver (either configured it themselves or because Google devices often do that even when you do not configure it) they will have different addresses for googlevideo.com than your router blocklist, and it will still work.
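Added example, not from any poster in this thread: one way to act on the point above. The mismatch exists because the router's address list and the clients' browsers resolve googlevideo.com through different resolvers. If the children's devices are forced to use the router for plain DNS, and the router fills the address list from the answers it actually hands them, both sides see the same addresses. This assumes RouterOS 7.x (the `address-list` parameter on `/ip dns static` entries), a source address list named `kids` that already holds the children's devices, 9.9.9.9 as the upstream forwarder and a 16:00-22:00 daily block window; all of those names and values are assumptions, not config from the thread.

```routeros
# Added example, not from the thread. Assumes RouterOS 7.x, an address list
# "kids" (e.g. filled from static DHCP leases), 9.9.9.9 as upstream resolver
# and a 16:00-22:00 block window. Adjust list name, resolver and window.

# 1. Let the router answer DNS and redirect the kids' plain DNS (UDP/TCP 53)
#    to it, so the list below is built from the answers they really receive.
/ip dns
set allow-remote-requests=yes servers=9.9.9.9

/ip firewall nat
add chain=dstnat src-address-list=kids protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="kids: plain DNS via router"
add chain=dstnat src-address-list=kids protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="kids: plain DNS via router"

/ip firewall filter
add chain=input src-address-list=kids protocol=udp dst-port=53 action=accept \
    comment="kids: allow DNS to router"
add chain=input src-address-list=kids protocol=tcp dst-port=53 action=accept \
    comment="kids: allow DNS to router"

# 2. Every name under youtube.com / googlevideo.com / ytimg.com that the
#    router resolves for a client is forwarded upstream and the returned
#    addresses are added to address list "yt" (entries expire with the TTL).
/ip dns static
add regexp=".*youtube\\.com" type=FWD forward-to=9.9.9.9 address-list=yt \
    comment="populate yt list"
add regexp=".*googlevideo\\.com" type=FWD forward-to=9.9.9.9 address-list=yt \
    comment="populate yt list"
add regexp=".*ytimg\\.com" type=FWD forward-to=9.9.9.9 address-list=yt \
    comment="populate yt list"

# 3. Reject the kids' traffic (any protocol, so QUIC too) to those addresses
#    inside the window. place-before=0 puts the rule above the usual
#    fasttrack/established accept so new connections hit it first.
/ip firewall filter
add chain=forward src-address-list=kids dst-address-list=yt \
    time=16h-22h,sun,mon,tue,wed,thu,fri,sat \
    action=reject reject-with=icmp-network-unreachable place-before=0 \
    comment="kids: block youtube 16-22"
```

Verify with `/ip firewall address-list print where list=yt` while a child device loads the site; the list should fill with the same addresses the device is connecting to. Two caveats follow from the thread itself: a client that resolves over DoH/DoT (encrypted DNS) bypasses the port-53 redirect entirely, and Google serves many services from shared ranges, so anything else hosted on an address that lands in `yt` is blocked with it.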
 
brg3466
Member Candidate
Member Candidate
Posts: 177
Joined: Sat Aug 01, 2015 7:29 am

Re: Why not a definitive solution to block Youtube?

Tue May 23, 2023 9:33 pm

This rule works perfectly for me:

add action=reject chain=blocklist comment="block youtube" protocol=tcp reject-with=icmp-network-unreachable tls-host=*youtube*

please don't use l7 rules for blocking webpages
Can anyone tell me if above Normis way to block youtube works ? And what is exactly the "chain=blocklist" ? I would like to give it a try but don't know what is the chain he chose.
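Added example, not the thread's own config, to answer the `chain=blocklist` question concretely. `blocklist` is a user-defined chain: nothing enters it unless a rule in `forward` jumps to it, so the quoted rule does nothing on its own. The jump also has to sit above the usual fasttrack/established accept, because the TLS ClientHello that carries the SNI arrives after the TCP handshake, in a connection conntrack already counts as established. Assumed here: a source address list `kids`, a 16:00-22:00 window and the chain name from the quote; the surrounding rules are this example's, not Normis's.

```routeros
# Added example, not from the thread. Assumes an address list "kids" holding
# the devices to restrict and a 16:00-22:00 daily window.
/ip firewall filter
# User-defined chain; the jump must be above fasttrack / accept established,
# otherwise the ClientHello (an "established" packet) never reaches tls-host.
add chain=forward src-address-list=kids \
    time=16h-22h,sun,mon,tue,wed,thu,fri,sat \
    action=jump jump-target=blocklist place-before=0 \
    comment="kids -> blocklist (keep above fasttrack)"
# Drop QUIC only for these clients, so the browser falls back to TCP+TLS
# where the SNI is visible to tls-host.
add chain=blocklist protocol=udp dst-port=443 action=drop \
    comment="no QUIC for kids"
# The quoted rule and its CDN counterpart; tls-host is a glob on the SNI.
add chain=blocklist protocol=tcp dst-port=443 tls-host=*youtube* \
    action=reject reject-with=icmp-network-unreachable comment="block youtube"
add chain=blocklist protocol=tcp dst-port=443 tls-host=*googlevideo* \
    action=reject reject-with=icmp-network-unreachable \
    comment="block youtube video CDN"
# Plain HTTP, should anything still use it.
add chain=blocklist protocol=tcp dst-port=80 content=youtube.com \
    action=reject reject-with=icmp-network-unreachable comment="block youtube http"
# Everything else continues in forward.
add chain=blocklist action=return
```

Check that the rules fire with `/ip firewall filter print stats where chain=blocklist`; zero counters on the tls-host lines almost always mean the jump is placed below the established accept. The limit rextended alludes to with "TLS 1.2-" applies: tls-host reads the cleartext SNI, so a client using Encrypted Client Hello shows nothing to match, and the rule silently stops working for it.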
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Why not a definitive solution to block Youtube?

Tue May 23, 2023 10:01 pm

Please read all of the above before you post your useless addition!
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Why not a definitive solution to block Youtube?

Wed May 24, 2023 3:30 am

@brg For Real??

You believe an MT marketer but not all the actual people who a. use this for real at home or b. provide support for MT devices for a living.
You sir, need a reality check.
 
elico
Member Candidate
Member Candidate
Posts: 143
Joined: Mon Nov 07, 2016 3:23 am

Re: Why not a definitive solution to block Youtube?

Wed May 24, 2023 9:13 am

What about a proxy?
The main issue is that you might try to be as transparent as possible.
With a good proxy software you will be able to do whatever you want.
Also, with containers you can have any proxy of your choice.
You will still need to block QUIC and ports 80 and 443, and maybe other parts of the network, but... it works.
Also you don't really need to look into a layer 7 things.
You might also be able to use proxy autoconfiguration script file that will be hosted in another container on the same MT device.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Why not a definitive solution to block Youtube?

Wed May 24, 2023 9:51 am

This whole topic is like a dog chasing its own tail.

On one side you have admin, who wants to block youtube
On other side you have people who want to avoid government control

You can't have both
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Why not a definitive solution to block Youtube?

Wed May 24, 2023 10:11 am

Good morning everyone,
the problem is not the administrators or the government,
but the ignorant people who don't know how things work.
They wouldn't even make certain assumptions if they knew how things work (or at least read previous posts).
