Hi friends, I want to mark youtube connection or IPs to make a separate youtube queue and assign bandwidth for the youtube connections for my clients, can any body help? Here in my area few ISP have done it with mikrotik but I don't know how, just saw a DSCP marking for that. Any idea?

Ask that ISP

http://codingtips.itwebsols.com/servers ... l7-layer7/ ?
http://svn.dd-wrt.com/ticket/2801#no1 ?

dynek Man, I think it'll work I'll let you know if it's work or not. Yes L7 is the key. Thanks

Can Any one give the youtube marking code for layer 7?

http://linksysinfo.org/index.php?thread ... ost-204861 says:

GET (\/videoplayback\?|\/crossdomain\.xml)

Now if people use HTTPS you're screwed.

Thanks dynek, I'm gonna try and let you know.

Man, people using https. what to do?!!

Man, people using https. what to do?!!

If they stream through https you can't do anything!
meaning this days pretty much everyone with a google account will open youtube page on https!

as dynek said: you're screwed

It seems impossible to mark youtube connections, but how an ISP of our area have mark youtube connections and assign extra bandwidth for youtube uses! And I can't even ask them because they'll never tell. I have seen a mangle rule for youtube using DSCP 60 that's it but I'm sure there are more. Ya as dynek said: I'm screwed

You should be able to identify CDN type hosts with mangle/firewall rules and connection-byte. If you add those hosts to an address-list you can shape traffic to that dst-address-list however you like. The devil is in the details.

Dear lambert, can you give an example? need that thing badly. Thanks

I cannot afford the time to build it for you. There are consultants who would be happy to do so.

http://lmgtfy.com/?q=mikrotik+qos+cdn

the whole reason of https is its name.... secure... it uses a ssl. the packets are encripted, you won't be able to see what the packet is even with layer 7, that's the whole point.
many have tried but i haven't seen a model working.
i haven't seen yet a layer 7 regex for https of any kind!

but... i might be wrong. if i am... i would like to see it

cheers

check this out http://l7-filter.sourceforge.net/protocols
there's no streaming over https regex

this layer7 identify intial https handshake....

/ip firewall layer7-protocol
add name=validcertssl regexp="^(.\?.\?\\x16\\x03.*\\x16\ \x03|.\?.\?\\x01\\x03\\x01\?.*\\x0b).*(thawte|equifax secure|rsa data security, inc|verisign, inc|gte cybertrust root|entrust\\.net limited)"

yes, but that doesn't identify if the connection has any streaming video packet...

really is a reply for

i haven't seen yet a layer 7 regex for https of any kind!

but... i might be wrong. if i am... i would like to see it

really is a reply for

i haven't seen yet a layer 7 regex for https of any kind!

but... i might be wrong. if i am... i would like to see it

My bad, we were talking about streaming over https, I should have mentioned it!

the whole reason of https is its name.... secure... it uses a ssl. the packets are encripted, you won't be able to see what the packet is even with layer 7, that's the whole point.
many have tried but i haven't seen a model working.
i haven't seen yet a layer 7 regex for https of any kind!

but... i might be wrong. if i am... i would like to see it :)

cheers

That's why I say just identify IPs from which a lot of data is downloaded in individual connections. Add those IPs to an address-list. Shape traffic to those IPs.

The method I have seen shapes the traffic for the first x bytes then lets it run at full speed to allow things like windows updates to come in quickly. It is claimed that Netflix figures out the available data rate in the first thirty seconds or so, then locks that stream to a rate which is less than the available link size. By limiting the first X connection-bytes to say, 1Mbps you get a 512 to 768kbps quality stream. The problem seems to be that Apple TV and anything using silverlight keeps trying to "improve" the quality of the video throughout the playing of the stream so it will go back to using 12Mbps after the first x connection-bytes rule expires.

lambert, in my case identifying youtube IPs is crazy.

If you'd like to target YouTube's IPs (overall; not just video content), you can use something like this utility in PHP (running on Windows) to keep the IPs updated.

Dear boen_robot, thanks for the idea but PHP is not my cup of tea. Searching for a way to do the job.. I'll let you all know if I find something

Here is what I use in my boards and it is working perfect. Just to clarify I found the rules somewhere on the internet or even this forum, but I don't remember exactly where to credit them atm.
The idea is to inspect the header of the packets and see if they contain the keyword we need, in this case youtube, but can be substituted for other streaming site :

/ip firewall mangle add action=add-dst-to-address-list address-list=Youtube address-list-timeout=10m chain=prerouting comment=youtube content=youtube.com dst-port=80,443 protocol=tcp

This puts the ip's in an address list, next we mark the packets :

/ip firewall mangle add action=mark-packet chain=forward comment=youtube new-packet-mark=Youtube passthrough=no src-address-list=Youtube

Now we have marked all the packets. And you can use that for queue's or whatever you need.
This even works for https, because the GET query goes to the server in plain text.

Dear CyberTod, Thanks a lot nice idea man. I think now I'm getting all the youtube ips, Cool. Thanks again. I'll let you know if I can fulfill my purpose with your rules.

Dear CyberTod, is the mark-packet chain would be forward or prerouting?

CyberTod,

/ip firewall mangle add action=add-dst-to-address-list address-list=Youtube address-list-timeout=10m chain=prerouting comment=youtube content=youtube.com dst-port=80,443 protocol=tcp

But how to save the address-list, few addresses happens to gone from the list, how to save the ip list forever

Remove this from the command :
address-list-timeout=10m

But is really not needed. When someone requests again some ip it is again added to the list. Otherwise the list could become quite long, but if this is not a problem for you go ahead with this change.

Dear CyberTod, I have found a problem with your add-dst-to-address-list rules, it grabs other than youtube.com IPs and for that I can't do what I wanna do with that rules. But don't know why it's grabing other ips than youtube!?

You can try changing this part :

content=youtube.com

It's rather generic I know, but it works well enough for me. I havent tried inspecting a tcp session to youtube to see some more specific string to type there. But that is the thing you can play with to fix it for you.

Here is what I use in my boards and it is working perfect. Just to clarify I found the rules somewhere on the internet or even this forum, but I don't remember exactly where to credit them atm.
The idea is to inspect the header of the packets and see if they contain the keyword we need, in this case youtube, but can be substituted for other streaming site :

/ip firewall mangle add action=add-dst-to-address-list address-list=Youtube address-list-timeout=10m chain=prerouting comment=youtube content=youtube.com dst-port=80,443 protocol=tcp

This puts the ip's in an address list, next we mark the packets :

/ip firewall mangle add action=mark-packet chain=forward comment=youtube new-packet-mark=Youtube passthrough=no src-address-list=Youtube

Now we have marked all the packets. And you can use that for queue's or whatever you need.
This even works for https, because the GET query goes to the server in plain text.

with ros 6.25 not work more ?

I see marked packets on a board with v6.25 so it should be working.

this first rule for me not working: marking packet is work because I have list ...

EDIT sory it work my mistake ... im litle modify

this first rule for me not working:

Code: Select all

/ip firewall mangle add action=add-dst-to-address-list address-list=Youtube address-list-timeout=10m chain=prerouting comment=youtube content=youtube.com dst-port=80,443 protocol=tcp

marking packet is work because I have list ...

EDIT sory it work my mistake ... im litle modify

Entered.
Doesnt work.
Im 6.28 OS.

What means "It doesn´t work"?
I say it does. This is a very simple L7 rule, why should it have stopped working?