RESTRICT FACEBOOK AND YOUTUBE STREAMING BASED ON OFFICE HOUR FROM 8:00 - 4:00 (08:00 - 16:00)

dunga · Tue Mar 29, 2016 5:42 pm

hello Friends,
I am faced with this challenge to setup a network using mikrotik in an office environment, where we have to block and restrict the use of facebook and youtube streaming in the network. This is because the limited available bandwidth will not be enuf for all the staff, assuming the start streaming some online movies and videos expecially from youtube.

Please, your guided help is needed as urgently as possible.
I have tried this but it seems not working, yet some sites like yahoomail is not opening very well.
This is the script I used,
(This will block youtube and other video playback in mikrotik)

/ip firewall layer7-protocol
add comment="" name=streaming regexp="videoplayback|video"

/ip firewall mangle
add action=mark-packet chain=prerouting comment="Mark Packet Streaming" disabled=no \
layer7-protocol=streaming new-packet-mark=streaming passthrough=no

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s comment=\
"Block youtube streaming" disabled=no limit-at=0 max-limit=64k name=\
streaming packet-mark=streaming parent=global-in priority=8 queue=default

This is for version 5, i mean the queue

Version 6
/queue tree
add comment="Block youtube streaming" max-limit=64k name=streaming packet-mark=\
streaming parent=global queue=default

pe1chl · Tue Mar 29, 2016 7:20 pm

This is a lost case!
What you constructed will slow down any connection that has those words in it (including visiting this thread
on the forum), but it will do nothing for youtube because that is all https now so you cannot look in its content.

Tell your boss that it is not going to happen. You need either a directive towards the personnel that it is not
allowed to do these things over the office network (with corresponding sanctions to offenders), or you need
more bandwidth so that it will allow this usage.

Van9018 · Wed Mar 30, 2016 12:16 am

Your layer-7-protocols won't work in many cases because youtube and facebook redirect to HTTPS

Mikrotik isn't geared towards restricting websites by URL.

However maybe you can block DNS requests to facebook.com and youtube.com.

- Add firewall rule to forward chain to block outbound DNS requests (UDP port 53). So now nobody can use any other DNS server other than the Mikrotik.

- Enable DNS server in Mikrotik

- Add firewall rule to input chain to block inbound DNS requests on ether1-gateway (only LAN users should be able to use your DNS server)

- Add static DNS entries to resolve facebook.com to 0.0.0.0

As for the time restrictions, might have to use scripts in the scheduler to add/remove the static DNS entries at 8am/4pm

Wed Mar 30, 2016 11:49 am

i suggest you to use opendns

dunga · Mon Apr 04, 2016 7:25 pm

Using OpenDns will jot work for me because we are not using a public or live ip, rather thru a USB/3G network connection.

Does opendns work with ip not live ip?

Mon Apr 04, 2016 8:10 pm

Using OpenDns will jot work for me because we are not using a public or live ip, rather thru a USB/3G network connection.

Does opendns work with ip not live ip?

you have to try, some times it works

Van9018 · Wed Apr 06, 2016 3:13 am

Using OpenDns will jot work for me because we are not using a public or live ip, rather thru a USB/3G network connection.

Does opendns work with ip not live ip?

OpenDNS will work with USB/3G connection. However I think you have to have a public static IP in order to have an account to filter websites you define.

Sticking websites you wish to block in the static DNS of the Mikrotik with IP resolving to 0.0.0.0 will block them. But to make time restrictions work, you'd need to learn a little Mikrotik scripting.

rextended · Wed Apr 06, 2016 3:48 am

I consider only Facebook, but can be used also for youtube.

1) Identify all the common facebook address using this lists:
http://www.armabloggin.com/facehost.php (but really is not the full list, for example some sites like fbcdn.net are missing)
This list is from one user that try to help other user to BYPASS the block of Facebook, but really we help us to block it....

My method works until the user use one vpn or one external proxy.
Any try to bypass the block changing the DNS or contact directly the IP's are unuseful...

Create one address list on firewall called "allowed_ip_AD" with the IP of the devices you want allow to use facebook, youtube, etc.

Add this to firewall and move the rules at the top (the rule is valid from "monday" to "friday", change if the time is different, or duplicate for saturday if the working time are different):

/ip firewall filter
add action=drop chain=forward src-address-list=lista_ip_AD dst-address-list!=allowed_ip_AD  time=8h-16h,mon,tue,wed,thu,fri
add action=drop chain=forward dst-address-list=lista_ip_AD src-address-list!=allowed_ip_AD  time=8h-16h,mon,tue,wed,thu,fri

Schedule this each 1 min:

:do { add address=[/resolve a.ns.facebook.com] comment=a.ns.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve b.ns.facebook.com] comment=b.ns.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve facebook.com] comment=facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve apps.facebook.com] comment=apps.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve ar-ar.facebook.com] comment=ar-ar.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve blog.facebook.com] comment=blog.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve connect.facebook.com] comment=connect.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve creative.ak.facebook.com] comment=creative.ak.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve cs-cz.facebook.com] comment=cs-cz.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve da-dk.facebook.com] comment=da-dk.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve de-de.facebook.com] comment=de-de.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve developer.facebook.com] comment=developer.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve developers.facebook.com] comment=developers.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve el-gr.facebook.com] comment=el-gr.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve en-gb.facebook.com] comment=en-gb.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve es-es.facebook.com] comment=es-es.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve es-la.facebook.com] comment=es-la.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve fi-fi.facebook.com] comment=fi-fi.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve fr-fr.facebook.com] comment=fr-fr.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve hi-in.facebook.com] comment=hi-in.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve hr-hr.facebook.com] comment=hr-hr.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve hs.facebook.com] comment=hs.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve id-id.facebook.com] comment=id-id.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve iphone.facebook.com] comment=iphone.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve it-it.facebook.com] comment=it-it.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve ja-jp.facebook.com] comment=ja-jp.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve ko-kr.facebook.com] comment=ko-kr.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve login.facebook.com] comment=login.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve m.facebook.com] comment=m.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve ms-my.facebook.com] comment=ms-my.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve nb-no.facebook.com] comment=nb-no.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve new.facebook.com] comment=new.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve nl-nl.facebook.com] comment=nl-nl.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve pl-pl.facebook.com] comment=pl-pl.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve pt-br.facebook.com] comment=pt-br.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve register.facebook.com] comment=register.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve ru-ru.facebook.com] comment=ru-ru.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve s-static.ak.facebook.com] comment=s-static.ak.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve secure.facebook.com] comment=secure.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve sl-si.facebook.com] comment=sl-si.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve sv-se.facebook.com] comment=sv-se.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve tr-tr.facebook.com] comment=tr-tr.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve upload.facebook.com] comment=upload.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve www-college.facebook.com] comment=www-college.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve www.facebook.com] comment=www.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve zh-cn.facebook.com] comment=zh-cn.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve zh-hk.facebook.com] comment=zh-hk.facebook.com list=lista_ip_AD } on-error={ };
:do { add address=[/resolve zh-tw.facebook.com] comment=zh-tw.facebook.com list=lista_ip_AD } on-error={ };

Happy blocking....

pe1chl · Wed Apr 06, 2016 11:28 am

I consider only Facebook, but can be used also for youtube.

1) Identify all the common facebook address using this lists:
http://www.armabloggin.com/facehost.php (but really is not the full list, for example some sites like fbcdn.net are missing)

This really isn't possible anymore, certainly with those big players.
They have more servers than you care to put in a list you have to maintain, and even worse: there is nothing that
prevents them from serving different types of content from the same CDN with the same IP address, so blocking by
IP is going to block unwanted things as well.

Interesting that you add Facebook in the mix, because they have done something very "clever" to avoid blocking:
they try to get all kinds of sites and services to use their authentication mechanism ("login using your Facebook account")
and they run this auth service on the same IP addresses, yes even on the same domain name, as their main site.

So, when you block Facebook on your network, at the same time you block a lot of other services like Prezi etc,
and in no-time you have the users whining that they cannot work because Facebook is blocked.
With Youtube there is less of this particular problem, but you still have the problem that they share the CDN with others.

rextended · Wed Apr 06, 2016 1:45 pm

I understand, but actually I do not see any shared IP used by Facebook with another stand-alone service.

This is different for Youtube, rarely sometime share the ip with some ADvertising from google (ehm... you notice "lista_ip_AD" ? All is started for block many ADvisors on the web as possible***).

If you want use Prezi, use normal login or login with LinkedIn, instead of Facebook login.

*** is like when you call an hydraulic for some reason, when he come to your house he come also with some promoters without ADvertising you before...

Akaii · Thu Apr 07, 2016 1:27 pm

there is one way it can be done setup a ssl proxy and place a redirect rule which activates at working hours and disables after well that is what I use but messing with ssl can be intrusive you might want to check it legally where you live and get written to company policy.well hope it provides an idea where to start

solar77 · Fri Apr 08, 2016 12:06 pm

Have you tried

^.+(facebook.com|youtube|iplayer).*$

I use it to block these sites

pe1chl · Fri Apr 08, 2016 12:11 pm

Have you tried
Code: Select all
^.+(facebook.com|youtube|iplayer).*$
I use it to block these sites

That does not work anymore!! See above.

rextended · Fri Apr 08, 2016 11:00 pm

Have you tried
Code: Select all
^.+(facebook.com|youtube|iplayer).*$
I use it to block these sites

Where you put that string?

Fending · Mon Apr 11, 2016 6:38 am

i suggest you to use opendns

I want a similar set up but want to restrict several sites only on work days. Will opendns also work this?

Mon Apr 11, 2016 6:40 am

i suggest you to use opendns
I want a similar set up but want to restrict several sites only on work days. Will opendns also work this?

yes you can set on mikrotik the hours where you want to send queries to opendns, at the the hours without restriction you can change the rules on mikrotik to send dns queries to another dns without restriction

dunga · Fri Apr 15, 2016 11:00 am

Have you tried
Code: Select all
^.+(facebook.com|youtube|iplayer).*$
I use it to block these sites
Where you put that string?

Hello all,
Thanks for your inputs, Solar77 and others,
The above code, Where do you put it and how do you implement them in mikrotik.

I mean the l7 filter, mangle and other commands that linked to it, so that I can try it and give feed back. This is very important as people are required to concentrate of their work from 8:00 - 16:00, but can do their facebooking and youtube after those working hours.

Thanks all for your help

pe1chl · Fri Apr 15, 2016 11:34 am

The above code, Where do you put it and how do you implement them in mikrotik.

I mean the l7 filter, mangle and other commands that linked to it, so that I can try it and give feed back. This is very important as people are required to concentrate of their work from 8:00 - 16:00, but can do their facebooking and youtube after those working hours.

Thanks all for your help

Please note again: L7 filters DO NOT WORK ANYMORE.
They are a thing of the past, that worked before these services went to https.
You should not keep copying solutions from the past to the situation of today.

dunga · Fri Apr 15, 2016 11:44 am

The above code, Where do you put it and how do you implement them in mikrotik.

I mean the l7 filter, mangle and other commands that linked to it, so that I can try it and give feed back. This is very important as people are required to concentrate of their work from 8:00 - 16:00, but can do their facebooking and youtube after those working hours.

Thanks all for your help
Please note again: L7 filters DO NOT WORK ANYMORE.
They are a thing of the past, that worked before these services went to https.
You should not keep copying solutions from the past to the situation of today.

What is the best solution to achieve this, and the commands/script incase of implementing them

Van9018 · Thu Apr 21, 2016 10:42 am

Actually the L7 rule on DNS may work well enough, and with minimal scripting to enable/disable the firewall rule will get you your time restrictions.

In IP > Firewall > Layer 7 Protocols, create an entry with name BlockedSites and Regexp of:
^.+(facebook|youtube|iplayer).*$

Next go to Filter Rules, create two rules and move them to the top.
Chain=Input, Protocol=17 (UDP), Dst. Port=53, Layer 7 Protocol=BlockedSites, Action=drop

Chain=Forward, Protocol=17 (UDP), Dst. Port=53, Layer 7 Protocol=BlockedSites, Action=drop

The first rule is for PCs that query the router for DNS. The second rule are for those that try and query an outside DNS server.

When testing, your PC may cache DNS so to actually test these rules you have to clear your DNS cache. On windows go to command prompt and type ipconfig /flushdns

Next create a schedule to enable the rules at 8am with script:
/ip firewall filter enable numbers=0
/ip firewall filter enable numbers=1

Then create a schedule to disable the rules at 4pm with script:
/ip firewall filter disable numbers=0
/ip firewall filter disable numbers=1

Note that the "numbers=0" must correspond with the # in firewall filter rules.

Because we're blocking DNS requests, this will block both HTTP and HTTPS. A user can still add entries to his HOSTS file to get around this type of blocking. But most users won't know how to do that and for the purposes of reducing bandwidth during the day, this may work fine enough.

loveman · Thu Apr 21, 2016 12:42 pm

if you can using method to block facebook and youtube ? if you need this reply me and i helping you

shaoranrch · Sun Apr 24, 2016 11:12 pm

Hello,

You can't really filter requests based on L7 due to most of them being HTTPS, you can't use OpenDNS either because you need to register your public IP to your account in order for it to work, and since 3G/4G providers use CGNAT this won't really work at all as it should.

You either use regexp to filter DNS requests to FB and youtube.com, or set the router as a DNS resolver, then catch all the DNS requests and redirect them to 127.0.0.1 (or somewhere else, you could even have a web server put a page here telling users the new rules).

#This should work
#This is highly dependant on the router having always the current time

/ip dns
set allow-remote-requests=yes 
/ip dns static
add address=127.0.0.1 name=.*.facebook.com ttl=5m
add address=127.0.0.1 name=.*.youtube.com  ttl=5m
add address=127.0.0.1 name=.*.vimeo.com  ttl=5m
#and in general any service you want to restrict... 
/ip firewall nat add chain=dstnat action=redirect protocol=udp dst-port=53 time=8h-16h,sun,mon,tue,wed,thu,fri,sat

RESTRICT FACEBOOK AND YOUTUBE STREAMING BASED ON OFFICE HOUR FROM 8:00 - 4:00 (08:00 - 16:00)

RESTRICT FACEBOOK AND YOUTUBE STREAMING BASED ON OFFICE HOUR FROM 8:00 - 4:00 (08:00 - 16:00)

Re: RESTRICT FACEBOOK AND YOUTUBE STREAMING BASED ON OFFICE HOUR FROM 8:00 - 4:00 (08:00 - 16:00)

Re: RESTRICT FACEBOOK AND YOUTUBE STREAMING BASED ON OFFICE HOUR FROM 8:00 - 4:00 (08:00 - 16:00)

Re: RESTRICT FACEBOOK AND YOUTUBE STREAMING BASED ON OFFICE HOUR FROM 8:00 - 4:00 (08:00 - 16:00)

Re: RESTRICT FACEBOOK AND YOUTUBE STREAMING BASED ON OFFICE HOUR FROM 8:00 - 4:00 (08:00 - 16:00)

Re: RESTRICT FACEBOOK AND YOUTUBE STREAMING BASED ON OFFICE HOUR FROM 8:00 - 4:00 (08:00 - 16:00)

Re: RESTRICT FACEBOOK AND YOUTUBE STREAMING BASED ON OFFICE HOUR FROM 8:00 - 4:00 (08:00 - 16:00)

Re: RESTRICT FACEBOOK AND YOUTUBE STREAMING BASED ON OFFICE HOUR FROM 8:00 - 4:00 (08:00 - 16:00)

Re: RESTRICT FACEBOOK AND YOUTUBE STREAMING BASED ON OFFICE HOUR FROM 8:00 - 4:00 (08:00 - 16:00)

Re: RESTRICT FACEBOOK AND YOUTUBE STREAMING BASED ON OFFICE HOUR FROM 8:00 - 4:00 (08:00 - 16:00)

Re: RESTRICT FACEBOOK AND YOUTUBE STREAMING BASED ON OFFICE HOUR FROM 8:00 - 4:00 (08:00 - 16:00)

Re: RESTRICT FACEBOOK AND YOUTUBE STREAMING BASED ON OFFICE HOUR FROM 8:00 - 4:00 (08:00 - 16:00)

Re: RESTRICT FACEBOOK AND YOUTUBE STREAMING BASED ON OFFICE HOUR FROM 8:00 - 4:00 (08:00 - 16:00)

Re: RESTRICT FACEBOOK AND YOUTUBE STREAMING BASED ON OFFICE HOUR FROM 8:00 - 4:00 (08:00 - 16:00)

Re: RESTRICT FACEBOOK AND YOUTUBE STREAMING BASED ON OFFICE HOUR FROM 8:00 - 4:00 (08:00 - 16:00)

Re: RESTRICT FACEBOOK AND YOUTUBE STREAMING BASED ON OFFICE HOUR FROM 8:00 - 4:00 (08:00 - 16:00)

Re: RESTRICT FACEBOOK AND YOUTUBE STREAMING BASED ON OFFICE HOUR FROM 8:00 - 4:00 (08:00 - 16:00)

Re: RESTRICT FACEBOOK AND YOUTUBE STREAMING BASED ON OFFICE HOUR FROM 8:00 - 4:00 (08:00 - 16:00)

Re: RESTRICT FACEBOOK AND YOUTUBE STREAMING BASED ON OFFICE HOUR FROM 8:00 - 4:00 (08:00 - 16:00)

Re: RESTRICT FACEBOOK AND YOUTUBE STREAMING BASED ON OFFICE HOUR FROM 8:00 - 4:00 (08:00 - 16:00)

Re: RESTRICT FACEBOOK AND YOUTUBE STREAMING BASED ON OFFICE HOUR FROM 8:00 - 4:00 (08:00 - 16:00)

Re: RESTRICT FACEBOOK AND YOUTUBE STREAMING BASED ON OFFICE HOUR FROM 8:00 - 4:00 (08:00 - 16:00)