Как заблокировать youtube на роутере mikrotik

Hello everyone;

I would like to ask how to block youtube (or facebook) website and apps using Mikrotik RB951Ui-2HnD
Note that I tried using layer7 filtering, I tried what was said in this video:
https://www.youtube.com/watch?v=D80_a_O … 13&index=7, MIN: 3:30

Note that modern web browser uses QUIC, note also that android apps can not be blocked using Layer 7 filtering
Note that blocking all youtube ip addresses would be inefficient to me.

I tried every possible way I saw on the Internet but didn’t work with me, I would really appreciate your help.
Thanks in advance.

block youtube:

layer7 filtering useless with HTTPS.
+
modern web browser uses QUIC
+
android apps can not be blocked using Layer 7 filtering
+
blocking all youtube ip addresses would be inefficient to me
+
I tried every possible way I saw on the Internet but didn’t work with me
+
supposed: no control on user devices
+
supposed: do not want spend $50.000 and more for non-mikrotik deep packet inspection machine or similar
=
IS-NOT-POSSIBLE

And before open useless topic for the same arguments already present dozen of times, at least deign to do a search on the forum.

It is true! Just remove the internet from users!!! Why I didn’t think about it before???

(sorry, I’m stupid)

you unplug the PCs from internet, turn off the routers and turn off mobile data.

One could still use RFC2549 … even under those conditions.

RFC2549 has been outdated few years ago… Why don’t you update?

RFC9200

@Znevna

Is hard to join all «block youtube» topics and concentrate all in one… (with something usable)

¯\_(ツ)_/¯

+
supposed: no control on user devices
+

Unfortunately, not being able to control users’ devices, DoH/DoQ/DoT/VPN are simply enough….

block youtube:

layer7 filtering useless with HTTPS.
+
modern web browser uses QUIC
+
android apps can not be blocked using Layer 7 filtering
+
blocking all youtube ip addresses would be inefficient to me
+
I tried every possible way I saw on the Internet but didn’t work with me
+
supposed: no control on user devices
+
supposed: do not want spend $50.000 and more for non-mikrotik deep packet inspection machine or similar
=
IS-NOT-POSSIBLE

And before open useless topic for the same arguments already present dozen of times, at least deign to do a search on the forum.

I would provide a report to this reply since you verbal abuse for no reason. Hope admins will react in a good way with such a kind of replies.
Since you have no reply with useful information and don’t like this post, you should have skip it instead of acting this rude.

As a new user in the forums I’m totally surprised in the comments that may seam coming from people lack knowledge or lack behaviors.

Hope moderators would take appropriate actions.

Primo: Rextended just suggested to do a «Search» and you can find a lot of info.

Secundo: The youtube film was about «Holy war against >>masquarade<<» what is loosely connected to «how to efficently block using L7 filters» even if it was mentioned there.

Tertio: … you want to block YouTube while learning yourself from YouTube …. kind of technical oxymoron

a8.PNG

modern web browser uses QUIC

/ip firewall raw add action=drop chain=prerouting comment="Ban QUIC" dst-port=443 protocol=udp

And modern browsers have started supporting HTTPS. Voila!

@yahyamemeh

MikroTik Routers and RouterOS cannot do Deep Packet Inspection [DPI] so any site that uses HTTPS:\\ [like YouTube, Facebook, etc.] cannot be inspected and blocked …. to do that you need to have the Router/Hardware capable of doing DPI efficiently without impacting performance greatly … Those type of Router systems are generally defined as Content Management Systems [CMS].

If that interest you then Vendors like DrayTek and their Vigor2962/3910 routers can do it nicely — for those type of devices the CMS portion usually has an licensing cost associated to the CMS modules as addons …

You could capture the IP Addresses that YouTube uses and then creates an YTBlock List that contains those IP’s then in Filter RAW create a block rule and that would be effective for as long as those IP are active … YouTube do change their IP’s from time to time so you have to stay on top of that to keep your block list current.

There are some creative ways of getting YouTube addresses from the following link:
https://stackoverflow.com/questions/934 … dows-firew

Yes,

the solution to this topic is still the post #2…

MikroTik Routers and RouterOS cannot do Deep Packet Inspection [DPI] so any site that uses HTTPS:\\ [like YouTube, Facebook, etc.] cannot be inspected and blocked …. to do that you need to have the Router/Hardware capable of doing DPI efficiently without impacting performance greatly … Those type of Router systems are generally defined as Content Management Systems [CMS].

If that interest you then Vendors like DrayTek and their Vigor2962/3910 routers can do it nicely — for those type of devices the CMS portion usually has an licensing cost associated to the CMS modules as addons …

DPI (Deep Packet Inspection) is currently impossible to perform on standard encrypted payloads which is what almost all traffic is these days, thus you have just IP address and port number to play with. Also, there is no hardware that can crack today’s encryption algorithms and decrypt traffic in real-time. It’s worth noticing that the most current algorithms are also quantum-safe.

There are some very specific solutions targeted at enterprise that disconnect certificates with a “man-in-the-middle” encryption server, but since end-to-end encryption (“aka zero trust”) is more or less standard in modern software, MitM solutions will soon become outdated as well. Moreover, that solution is also extremely expensive and cumbersome to implement because it requires extensive changes on all clients.

Bottom line, there are no standard firewalls or/and CMSs that can perform DPI, dynamic application routing, firewall L7 filtering or whatever you want to call this for the reasons explained above.

Excellent clear and honest advice rextended. Much appreciated.
Also Normis……… why! Concur, sometimes one needs to invoke something called parenting or business employee rules ( as in how to get fired ).

As for yahm……..
https://media.tenor.com/DGlbJWqzeNEAAAA … -truth.gif

Regarding the OP and how to block Youtube, here are my two recommendations where both should be used together for best effect:

1. Firstly and if it’s not for personal use I would subscribe to a service otherwise I’d use a tool like iplist-youtube to get the most current ip addresses for a blocklist. If you don’t want to host and run «iplist-youtube» yourself, the address lists are updates every 5 minutes and are available here

— Ipv4 list raw link => https://raw.githubusercontent.com/touhidurrr/iplist-youtube/main/ipv4_list.txt
— Ipv6 list raw link => https://raw.githubusercontent.com/touhidurrr/iplist-youtube/main/ipv6_list.txt

2. Implement pi-hole or similar.

Many cruise ships and airlines block YouTube and similar streaming services by using specialized providers that offer these as commercial services

NO, still valid post #2:
Until you do not have full control of user device, you can not stop DoH & Co. with pihole (and neither the VPNs).

If someone want go to youtube, go to youtube.

DPI (Deep Packet Inspection) is currently impossible to perform on standard encrypted payloads which is what almost all traffic is these days, thus you have just IP address and port number to play with. Also, there is no hardware that can crack today’s encryption algorithms and decrypt traffic in real-time. It’s worth noticing that the most current algorithms are also quantum-safe.

@Larsa
I happen to disagree with your opinion … I have a number of very successful inexpensive CMS systems in service made by Untangle that are very effective as MY Clients continue tell me …. and recently I have seen the DrayTek models I referred to earlier that are doing well in this area reported by some of my Colleagues that have peeked my interest due to there performance metrics that are also relatively inexpensive when compared to the big boys CMS offerings …

Until you do not have full control of user device, you can not stop DoH & Co. with pihole (and neither the VPNs).

Not absolutely correct. You _can_ stop DoH/DoT, and VPNs as well, at least, many or most of them.
I.e. for WiFi in schools, this is an important feature.
You can _not_ block DoH without DPI, in case the user is running his private DoH-server, or his private VPN-server.

You can stop DoH/DoT, and VPNs as well, at least, many or most of them.

some of them. Since you can not see inside 443 encrypted packets, you have no way to see if it just normal https traffic or any VPN going over port 443.

As rextended writes, you need full control of the client to make sure you now what are going on.

—————————————————————————————-
Use Splunk> to log/monitor your MikroTik Router(s). See link below.

MikroTik->Splunk

As always with technical problems: It is not about who is right. It is about what works.

In summary:
Youtube can be blocked to a certain extend for the average user by forwarding DNS to a commercial DNS service like Cloudflare, Umbrella etc. They have the abilities to track and adapt to the constant changes on youtubes’s CDS host entries and filter them out. You cannot block the youtube CDS IPs in general, as they run many other services beside youtube on the same IPs.
You can block DoHS/HTTPS VPN for the average user by blocking 443 to IPs of the well known public accessible VPN and DoHS servers.

This mostly limits access for the average school student or hotel guest.
But there is no way to block someone with the necessary skills to use HTTPS VPN and/or DoHS to connect to a server IP you do not know about.
Except enterprise HTTPS proxy solutions breaking up the SSH connection, doing DPI and reencrypting towards the internal client using a private root Cert installed as trusted on the internal clients.

Everyone claiming different is invited to provide working solutions instead of just presenting assertions on what they think works or does not.
Because again: It is not about who is right. It is about what works.

BTW: SNI intercept can also help in blocking youtube etc.

TLS 1.3 encrypts SNI. So this method is gone now.

This mostly limits access for the average school student

This is the worst group. I have been working with network for high school student over many years, and they find away around everything. If one finds out all knows how to bypass blockage in just some seconds.

—————————————————————————————-
Use Splunk> to log/monitor your MikroTik Router(s). See link below.

MikroTik->Splunk

«Voilà! shit», but have you tried it?
Browsers will still use https/TLS anyway,
it’s not that QUIC is the only thing that exists.

Yes. In my case I wanted to slow down youtube traffic, so used mangle with tls-host *googlevideo.com* to mark packets for the queues. But specially for you I tried to do:

add action=reject chain=forward protocol=tcp reject-with=tcp-reset tls-host=*googlevideo.com*

and it also works well. Yes, youtube.com still opened, but no one video was loaded.

Yes, using tls-host is in my experience the best result with least effort

add action=reject chain=forward in-interface-list=LAN protocol=tcp reject-with=tcp-reset tls-host=*.googlevideo.com

Plus a rule to block quic. It is resistant to DoHS, but not against VPN. It requires only one simple and easy to maintain filter rule.
Until you realize there are thousands of other video sites and streaming portals still working and requiring rules.
At the end it is a hare and hedgehog race with your users you hardly ever win.

I’m not

I only apply such filters for stupid paying customers wanting it. Because they only know YouTube for video and Facebook for social media. So they think trying to block those two sites helps anything.
What I sometimes do on sites with low bandwidth uplink is using tls-host rules to apply youtube/netflix etc. (whatever their favorite video/streaming sites are) to low priority queues. So they can watch videos without having to fear disrupting ongoing Zoom/Teams/SIP calls.
But even for such use cases, I started to prefer Cake queues. Cake does priorisation automatically with mostly good results without requiring to maintain a set of tls-host rules for individual DNS hosts.

Hi

blocking youtube will cos issues in some google services such as app/gmail/etc. they use same IPs and domains for google global cache and if you block it it will move your ip into next GGC node.
but you can burst queue for video like 2kbps for 5-10sec which make video in downloads loop.

google/Meta/Amazon CDNs they not one IP or range you can block it some videos stored in local GGC and other in another country.

if you need it urgently better talk with your ISP to block your Public IP from getting videos only but I don’t know if google accept to do it.

also Working on L7 filtering its but you on CPU load for mikrotik.

Regards.

I’m not

I only apply such filters for stupid paying customers wanting it. Because they only know YouTube for video and Facebook for social media. So they think trying to block those two sites helps anything.
What I sometimes do on sites with low bandwidth uplink is using tls-host rules to apply youtube/netflix etc. (whatever their favorite video/streaming sites are) to low priority queues. So they can watch videos without having to fear disrupting ongoing Zoom/Teams/SIP calls.
But even for such use cases, I started to prefer Cake queues. Cake does priorisation automatically with mostly good results without requiring to maintain a set of tls-host rules for individual DNS hosts.

Yay! The point here (especially for ipv6 (Always) OR ipv4 on cake located on the nat router) is that it manages flows to hosts better. A host doing voip and one doing netflix and one doing torrent get balanced automatically, each getting 1/3 the bandwidth, and what you dont use gets shared equally, so voip experiences zero queuing delay, because it is lightweight.

I am not big on the word prioritization, what lies underneath is per host/per flow fq. https://arxiv.org/abs/1804.07617

Do you say that you can stop me from browsing where I want without having 100% control of the client? PC/Mobil etc.
How do you block DoH/DoQ/DoT?

You turn it off in the clients.

I tried every possible way I saw on the Internet but didn’t work with me, I would really appreciate your help.
Thanks in advance.

I accompished the goal by having some control on the clients and Pi-Hole..

Disabled DoH (DNS over HTTPS) and set Pi-Hole to block YouTube.

I also have 8.8.8.8 and 8.8.4.4 blocked so that the Application can’t try it’s own lookups.

Do you say that you can stop me from browsing where I want without having 100% control of the client? PC/Mobil etc.
How do you block DoH/DoQ/DoT?

You turn it off in the clients.

And this is what I say, to do that you need to have control of the clients, just as I did write above.
In a company network with company rules ok. As an IPS not.

————————————————————————————————
Use Splunk> to log/monitor your MikroTik Router(s).—> MikroTik->Splunk
Backup config to Gmail —>Backup
Block users that tries too use non open ports —>Block

————————————————————————————————
Use Splunk> to log/monitor your MikroTik Router(s).—> MikroTik->Splunk
Backup config to Gmail —>Backup
Block users that tries too use non open ports —>Block

————————————————————————————————
Use Splunk> to log/monitor your MikroTik Router(s).—> MikroTik->Splunk
Backup config to Gmail —>Backup
Block users that tries too use non open ports —>Block

Please stop adding fake signatures, on the forum they are disabled on purpose, and adding this is spam, because users can’t block your text from being seen.

I will do.

Thank you for your courtesy. Really… thanks…

I will do.

If it was exquisite Italian Art, it may pass the rextended litmus test.
So perhaps next time a naked David with half a prick

All this posts, but still valid what is written on post #2…

Please, stop to spread wrong info. You can not assume, that, in case, you did not succeed in blocking, nobody else can do, as well.
I.e. what does any browser, trying to use QUIC, in case UDP port 443 blocked in router ?
There is an old proverb, in Chinese: Those, who do not know, talk. Those, who know, do not talk.

An old North American Proverb, if you open your mouth any further, will be able to fit both feet in it !!

[ caveat: I know sheite about quic, quiddich etc. but I do like proverbs and the occasional reverb ]

All this posts, but still valid what is written on post #2…
All is useless after that post, no matter what users writes…

What I wrote, does work.

My network, my rules.. Don’t like my rules, you’ll find your MAC address(es) blocked.

My AP already doesn’t allow ‘randomized MACs’ from connecting.

All this posts, but still valid what is written on post #2…

Please, stop to spread wrong info. You can not assume, that, in case, you did not succeed in blocking, nobody else can do, as well.
I.e. what does any browser, trying to use QUIC, in case UDP port 443 blocked in router ?
There is an old proverb, in Chinese: Those, who do not know, talk. Those, who know, do not talk.

Did you forget about the topic?
Please point me to the point where you explain exactly how: «Block Youtube on computers and smartphone apps» and we mean, youtube only, of course.

What I wrote, does work.

Is not correct, on post #2
supposed: no control on user devices

And if some tries to block some, you can always use an external service.

This is not a commercial, since it free, but you get a free Oracle VPS with:
4 strong ARM CPU (aarc64)
24 GB ram
200GB disk
+ much more
Free for life

So I can setup a proxy server/vpn +++ for free and bypass the most.

I can set it up so when I do go to youtube.jotne.it than it opens youtube.com in my url. Cloudflare ZeroTrust (free for home users)

What I wrote, does work.

Is not correct, on post #2
supposed: no control on user devices

You said in Post #2, that it isn’t possible..

It is..

If the client devices want internet access, they follow my rules (no VPNs and no DoH).. Internet traffic without DNS lookups, they get null-routed.

I have TikTok permanently blocked, sometimes YouTube.

The problem with blocking YouTube for students, is that some (many) teachers assign YouTube videos as instruction and/or homework.

And this is with MikroTik Router?
Post your config.

What, you want evidence? Hearsay and opinion are not enough!

And this is with MikroTik Router?
Post your config.

My AP (Cisco Aironet) has a checkbox to disallow ‘randomized’ MACs.

PiHole blocks TikTok and YouTube (when desired).

RouterOS drops 1.1.1.1, 8.8.4.4, and 8.8.8.8 and individual clients as needed. Plus a few other well-known DoH servers.

I look at the PiHole logs manually, if a client isn’t making lookups, I manually add them to the firewall drop rules.

Evidens that some are done that I would say can not be down without control of the client.

Try this:
https://ultrasurf.us/

Its a simple exe file, that your run on your PC (or other), that makes a proxy for your browser. No need to admin rights.
Its made for passing the great wall of china.
And this is just one of many tools that can be used to bypass the most blockage.

puTTY.exe can do this too with an SSH server.

My network, I would notice both (no DNS lookups for the host), and then drop the host’s traffic.

So you block everything, not youtube selectively, and continue to be offtopic.

No one has posted a NON-invasive method on the client device, which selectively blocks youtube ONLY,
no matter if the user use VPN, private DoH (yes… PRIVATE…), ICMP tunnels, etc…

All empty talks…

Still valid post #2, that is the reply of this topic, not about change client device config or block everything if the user do not use that DNS, etc.

So you block everything, not youtube selectively, and continue to be offtopic.

No.

I *only* block everything if the host continues to use DoH and/or VPN/Proxy services.

No one has posted a NON-invasive method on the client device, which selectively blocks youtube ONLY,
no matter if the user use VPN, private DoH (yes… PRIVATE…), ICMP tunnels, etc…

If a LAN IP has internet traffic but no local DNS lookups, they lose internet access.

What does non-invasive mean to you?

What does non-invasive mean to you?

It’s invasive to block everything in retaliation because you are not able to just block youtube…

It is invasive to act on the customer’s device.

The customer must be able to do anything freely, except use youtube, and you must not touch the device config or install some software.
If you alter this premise in anything, is not anymore on topic.
It’s obvious if I break the client device, with that he doesn’t go on youtube anymore… (but not anywhere else either…)

How is this not on topic? That wasn’t a stated requirement in the OP.

Otherwise you are being dumb.. User is allowed whatever proxy and VPN they want, but still ‘required’ to block YouTube? No solution can do that unless internet access overall is white-listed.

My network, my rules. If the user wants internet access, they are not allowed to use VPN/Proxy or DoH. They use those, they lose network access. User can do it themselves or they can ask for help with the settings if they need.

Post #2….

No solution can do that unless internet access overall is white-listed.

they are not allowed to use VPN/Proxy or DoH. They use those, they lose network access

Too bad we are not close, otherwise I would show you how easy it is to get around this thing…
Of course, if you know I’m there and you purposely watch what I do…
But try to catch me with hundreds of other people surfing on the same network…
As long as you don’t blacklist EVERYTHING and only allow certain IPs/sites, there is always a way around the blocks.

As long as you don’t blacklist EVERYTHING and only allow certain IPs/sites, there is always a way around the blocks.

Everything can be gotten around with time and effort.. My primary method is to remove users with traffic that do not have DNS lookups, which would work for the OP and majority of users.

Blocking YouTube for students, is not a good idea because teachers assign/use YouTube for lessons, but it can be done. I will have TikTok blocked for the foreseeable future though.

As long as you don’t blacklist EVERYTHING and only allow certain IPs/sites, there is always a way around the blocks.

Even that can be gotten around, speaking from experience.. haha Time and effort..

…. I will have TikTok blocked for the foreseeable future though.

Haha, really showing your age, family members will use cell data to watch tik tok as the main vector is smartphone… Get with the times Kev!
By the way tik tok also makes large balloons!

They tried that when I blocked YouTube…

I turned off their cellular data in response..

I will encourage both options.. Especially «b».

Already have a longer-term goal of talking to the ISS as it passes over..

Likely less effort to hack the Pi-Hole server and disable the custom domain blacklists..

Quick/dirty solution to «b» would be deauths though..

BOFH, I am well aware, but it works well.. haha