Community discussions

MikroTik App
 
drahit88
just joined
Topic Author
Posts: 1
Joined: Tue Sep 07, 2021 6:15 am

Robust Youtube Block

Tue Sep 07, 2021 7:08 am

I've been trying a bunch of different configs out that I've found in various threads, but still haven't found anything that can robustly block Youtube. I've read that DNS sinkholes are better than firewall filters, but I'd really like to be able to block it on a schedule, something that it appears sinkholes can't do.

And I've read in order to block Youtube successfully, you'd need to hit a number of DNS names including:
googlevideo.com
youtu.be
youtube-nocookie.com
youtube.com
youtube.googleapis.com
youtubei.googleapis.com
ytimg.com
ytimg.l.google.com

And/or, you'd need to go after Youtube's IP address ranges which according to this site, https://www.lifewire.com/ip-address-of-youtube-818157 are:
199.223.232.0 - 199.223.239.255 (199.223.232.0/24)
207.223.160.0 - 207.223.175.255 (207.223.160.0/24)
208.65.152.0 - 208.65.155.255 (208.65.152.0/24)
208.117.224.0 - 208.117.255.255 (208.117.224.0/24)
209.85.128.0 - 209.85.255.255 (209.85.128.0/24)
216.58.192.0 - 216.58.223.255 (216.58.192.0/24)
216.239.32.0 - 216.239.63.255 (216.239.32.0 /24)

I've tried blocking all of these in some form or another so I must not be doing something right. I've followed instructions from here:
viewtopic.php?t=151490
...tried blocking IP ranges like this:
viewtopic.php?t=134315

I've also read that for some of these configs, the rules need to be placed before "defconf: accept established, related" and to also disable "fasttrack connection" but weasely Youtube persists, even after flushing dns and reopening my browser. Additionally, I don't know if this is a recent YT change, but I've noticed it seemingly pulling data from various sites in the *.1e100.net domain as well.

I'm running 6.47.3, BTW. Any help appreciated.
 
ConnyMercier
Forum Veteran
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Robust Youtube Block

Mon Nov 08, 2021 2:19 am

Many different ways to Block Websites....
When Static-Address-List isn't possible i use the following...
viewtopic.php?t=179557

Step 1: Create Block-Rule
Basic-Exemple, needs to be at the top of "Forward" rules
I usually Block only one direction (LAN -> WAN)
But because you want to enable and disable the Rules, you may want both.
/ip firewall filter
add action=drop chain=forward in-interface-list=WAN out-interface-list=LAN src-address-list=YouTube
add action=drop chain=forward in-interface-list=LAN out-interface-list=WAN dst-address-list=YouTube
Step 2: Create Static address-list
This Step is optional, so populate as needed....

Exemple:
ip firewall address-list
add address=www.youtube.com list=YouTube
Step 3: Create Dynamic-List
Basic-Exemple, needs to be at the top of "Forward" (LAN -> WAN) rules
add action=add-dst-to-address-list address-list=YouTube address-list-timeout=none-dynamic chain=forward in-interface-list=LAN out-interface-list=WAN protocol=tcp tls-host=*youtube*
add action=add-dst-to-address-list address-list=YouTube address-list-timeout=none-dynamic chain=forward in-interface-list=LAN out-interface-list=WAN protocol=tcp tls-host=*ytimg*

Who is online

Users browsing this forum: arm920t, ccrsxx and 51 guests