Community discussions

MikroTik App
  4. RouterOS
  5. Beginner Basics

Marking Youtube Traffic

Locked
 
cicserver
Member
Member
Topic Author
Posts: 303
Joined: Sun Jul 24, 2011 12:04 pm

Marking Youtube Traffic

Tue Jan 26, 2016 7:59 am

Is there any way I can mark traffic for youtube ?
(so that i can route it to second gateway)

I saw few posts on forum as well but most guys telling that not working. any working solution for it?
Top
 
User avatar
grusu
Member Candidate
Member Candidate
Posts: 140
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

Re: Marking Youtube Traffic

Tue Jan 26, 2016 8:13 am

Use layer 7 protocol to find youtube connections and mangle to mark them.
Or use layer 7 name direct in NAT rule.
Top
 
alxnegrila
just joined
Posts: 14
Joined: Tue Jan 26, 2016 9:14 am

Re: Marking Youtube Traffic

Tue Jan 26, 2016 6:25 pm

Try this:
Code: Select all
/ip firewall layer7-protocol add name=youtube regexp="^.+(youtube.com).*$"
/ip firewall filter add chain=forward protocol=tcp dst-port=80,443 layer7-protocol=youtube action=drop comment="Block YouTube"
P.S. You may need to restart your router.
Top
 
cicserver
Member
Member
Topic Author
Posts: 303
Joined: Sun Jul 24, 2011 12:04 pm

Re: Marking Youtube Traffic

Wed Jan 27, 2016 7:33 am

Try this:
Code: Select all
/ip firewall layer7-protocol add name=youtube regexp="^.+(youtube.com).*$"
/ip firewall filter add chain=forward protocol=tcp dst-port=80,443 layer7-protocol=youtube action=drop comment="Block YouTube"
.
its giving following error
mterror.PNG
You do not have the required permissions to view the files attached to this post.
Top
 
User avatar
aacable
Member
Member
Posts: 435
Joined: Wed Sep 17, 2008 11:58 am
Location: ISLAMIC Republic of PAKISTAN
Contact:
Contact aacable

Re: Marking Youtube Traffic

Wed Jan 27, 2016 7:52 am

Try
Code: Select all
/ip firewall layer7-protocol
add name=VIDEO-L7 regexp="^.*(youtube.com).*\\\$"
Top
 
ZZa
just joined
Posts: 2
Joined: Sat Apr 15, 2017 12:52 pm

Re: Marking Youtube Traffic

Sat Apr 15, 2017 1:05 pm

I'm not sure if it's still needed now, in 2017, but this is my solution, which I was developing for several days to make everything work nicely.

First, switch on the IP firewall:
Code: Select all
/interface bridge settings
set use-ip-firewall=yes
Then, add some YouTube networks to a new access list (just some you're sure belong to YouTube):
Code: Select all
/ip firewall address-list
add address=208.117.224.0/24 list=youtube
add address=208.117.225.0/24 list=youtube
add address=208.117.228.0/24 list=youtube
add address=208.117.229.0/24 list=youtube
add address=208.117.232.0/24 list=youtube
add address=208.117.233.0/24 list=youtube
add address=208.117.234.0/24 list=youtube
add address=208.117.238.0/24 list=youtube
add address=208.65.152.0/24 list=youtube
add address=208.65.153.0/24 list=youtube
add address=208.65.154.0/24 list=youtube
add address=64.15.112.0/20 list=youtube
add address=208.117.236.0/24 list=youtube
add address=74.125.96.0/19 list=youtube
add address=72.14.221.0/24 list=youtube
Add layer-7 protocol to determine YouTube traffic:
Code: Select all
/ip firewall layer7-protocol
add name=youtube regexp="^.*(youtube\\.com|googlevideo\\.com).*\$"
Add mangle rule to add found IP addresses of YouTube to address-list (with timeout of 30 mins):
Code: Select all
/ip firewall mangle
add action=add-dst-to-address-list address-list=youtube address-list-timeout=30m chain=prerouting layer7-protocol=youtube protocol=tcp
Add mangle rule to mark YouTube traffic at last. The first rule marks a connection to youtube and then all the packets inside the connection are marked:
Code: Select all
/ip firewall mangle
add action=mark-connection chain=forward connection-state=new dst-address-list=youtube dst-port=80 new-connection-mark=youtube passthrough=yes protocol=tcp
add action=mark-connection chain=forward connection-state=new dst-address-list=youtube dst-port=443 new-connection-mark=youtube passthrough=yes protocol=tcp
add action=mark-packet chain=forward connection-mark=youtube new-packet-mark=youtube passthrough=no
Viola! All the Youtube traffic is now marked.
Top
 
ZZa
just joined
Posts: 2
Joined: Sat Apr 15, 2017 12:52 pm

Re: Marking Youtube Traffic

Sun Apr 16, 2017 8:57 pm

Some addition to my previous post - it appeared that Opera uses UDP for YouTube traffic (i guess any browser which still uses flash player does so, or it's due to this QUIC protocol usage by google, read about it on wikipedia), and you should mark it as well.
Keeping this in mind, your mangle rules for marking YouTube traffic are like this (no changes for the rest):
Code: Select all
/ip firewall mangle
add action=mark-connection chain=forward dst-address-list=youtube dst-port=443 new-connection-mark=youtube passthrough=yes protocol=udp
add action=mark-connection chain=forward connection-state=new dst-address-list=youtube dst-port=80 new-connection-mark=youtube passthrough=yes protocol=tcp
add action=mark-connection chain=forward connection-state=new dst-address-list=youtube dst-port=443 new-connection-mark=youtube passthrough=yes protocol=tcp
add action=mark-packet chain=forward connection-mark=youtube new-packet-mark=youtube passthrough=no
Top
 
sebus
Frequent Visitor
Frequent Visitor
Posts: 67
Joined: Sun Mar 12, 2017 6:29 pm

Re: Marking Youtube Traffic

Mon May 15, 2017 12:15 am

NO, nothing gets marked as youtube when accessing youtube.com with above! (all counters stay on 0)
And as nothing is marked, I can not process it in firewall (in any way)
Top
 
shujanster
just joined
Posts: 24
Joined: Wed Apr 05, 2017 7:02 pm

Re: Marking Youtube Traffic

Sat Sep 16, 2017 12:23 pm

I'm not sure if it's still needed now, in 2017, but this is my solution, which I was developing for several days to make everything work nicely.

First, switch on the IP firewall:
Code: Select all
/interface bridge settings
set use-ip-firewall=yes
Then, add some YouTube networks to a new access list (just some you're sure belong to YouTube):
Code: Select all
/ip firewall address-list
add address=208.117.224.0/24 list=youtube
add address=208.117.225.0/24 list=youtube
add address=208.117.228.0/24 list=youtube
add address=208.117.229.0/24 list=youtube
add address=208.117.232.0/24 list=youtube
add address=208.117.233.0/24 list=youtube
add address=208.117.234.0/24 list=youtube
add address=208.117.238.0/24 list=youtube
add address=208.65.152.0/24 list=youtube
add address=208.65.153.0/24 list=youtube
add address=208.65.154.0/24 list=youtube
add address=64.15.112.0/20 list=youtube
add address=208.117.236.0/24 list=youtube
add address=74.125.96.0/19 list=youtube
add address=72.14.221.0/24 list=youtube
Add layer-7 protocol to determine YouTube traffic:
Code: Select all
/ip firewall layer7-protocol
add name=youtube regexp="^.*(youtube\\.com|googlevideo\\.com).*\$"
Add mangle rule to add found IP addresses of YouTube to address-list (with timeout of 30 mins):
Code: Select all
/ip firewall mangle
add action=add-dst-to-address-list address-list=youtube address-list-timeout=30m chain=prerouting layer7-protocol=youtube protocol=tcp
Add mangle rule to mark YouTube traffic at last. The first rule marks a connection to youtube and then all the packets inside the connection are marked:
Code: Select all
/ip firewall mangle
add action=mark-connection chain=forward connection-state=new dst-address-list=youtube dst-port=80 new-connection-mark=youtube passthrough=yes protocol=tcp
add action=mark-connection chain=forward connection-state=new dst-address-list=youtube dst-port=443 new-connection-mark=youtube passthrough=yes protocol=tcp
add action=mark-packet chain=forward connection-mark=youtube new-packet-mark=youtube passthrough=no
Viola! All the Youtube traffic is now marked.
Very good. Thanks Man.:-)
Top
Locked

Who is online

Users browsing this forum: rwf and 65 guests
  4. RouterOS
  5. Beginner Basics