How to block Youtube and facebook Android App in router Mikrotik

aih007 · Mon Apr 11, 2016 3:52 pm

Hi

i need block facebook and youtube from mobile android and iphone
i did block it from Pc and labtob but by mobile app still any one can access to facebook and youtube

ShayanFiroozi · Mon Apr 11, 2016 11:12 pm

Hi,
so tell us how did you do that on your PC and laptop ?

Tue Apr 12, 2016 3:13 am

probably people are just typing facebook.com which defaults to an http request first, which of course the service redirects, but since the initial request is http, the PC is getting "blocked" (if the users use a bookmark or have the homepage set to be facebook, I bet it doesn't get blocked).

The app is probably using SSL by default.

In a word - your only option is to use a DNS-based method to block these services (e.g. OpenDNS) because SSL is not possible to intercept with Layer7 rules.

Van9018 · Tue Apr 12, 2016 5:18 am

If it's just a few domains you'd wish to block, you can add static entries for the domain in IP > DNS > Static and resolve the host names to 127.0.0.1.

You can go a step further and redirect outbound DNS packets to your LAN interface to prevent clever users from specifying their own DNS servers on their computers.

Tue Apr 12, 2016 6:16 am

maybe using mikrotik dns server, create static dns entry for all facebook dns names

i have tested 13k static entry's on dns and 7000 on adress-list on a rb951g and works ok

the problem is to obtain facebook hosts dns names

SystemErrorMessage · Tue Apr 12, 2016 8:09 am

using mikrotik as dns server is not enough, many services have hard coded dns servers. Google chrome for example will use google dns regardless of your settings so your only option is to hijack DNS requests. Many ISPs do this as a way to block websites as it is very cheap in resource and admin.

I would not suggest blocking youtube or facebook completely. Many tutorials and video lessons are available on youtube. There are plenty of math tutorials on youtube for example and many other useful and beneficial things. Many use facebook for organising events so thats a positive use of facebook.

If you block these things (whether you are a workplace or school), people will use proxies and such so thats not the best way to deal with it. I would block facebook games and apps (not the phone app) but facebook is also a way for people to get in touch other than email and sms. Many useless and low quality browser games use facebook and are basically free to play but the game quality is so bad that blocking it would be a help (you would also have to block those sites too).

Mikrotik makes it so you cant install any software onto their routers, what some organisations do is just install a linux server and configure it to be a router so they can install customised filtering software which makes it easy to deal with things that reduce productivity. You can use multiple hijacking techniques and force use of a web proxy server (you can actually run squid, squidguard and clamav on a ubiquiti edgerouter which i do) but it may not work on apps. I do know that the facebook app uses web code so it is actually a web browser only pointing to facebook (it explains their high resource usage and battery draining).

If you are a parent and just wanting to stop your kids from wasting time with these things than blocking these things entirely doesnt help, rather you should just block the unhelpful facebook features and perhaps put them on the lowest priority in QoS (or put some bandwidth limitations to slow it down to encourage them to do other things).

scampbell · Tue Apr 12, 2016 8:10 am

Mikrotik offer a scripted method of blocking sites here :- http://wiki.mikrotik.com/wiki/Manual:Sc ... c_websites

SystemErrorMessage · Tue Apr 12, 2016 8:12 am

Catching DNS requests and redirecting them is called hijacking.

aih007 · Tue Apr 12, 2016 11:52 pm

thank you for your replay

my setup firewall for block Facebook and YouTube from PC and laptop
- from L7 create Regexp ^.+(facebook.com).*$
- create Filter Rule chain: forward Src.Address=192.168.1.2/24 layer 7 protocol= facebbok Action=Drop

i need some one did block Facebook app from mobile

ShayanFiroozi · Wed Apr 13, 2016 8:56 am

thank you for your replay

my setup firewall for block Facebook and YouTube from PC and laptop
- from L7 create Regexp ^.+(facebook.com).*$
- create Filter Rule chain: forward Src.Address=192.168.1.2/24 layer 7 protocol= facebbok Action=Drop

i need some one did block Facebook app from mobile

If App is using encryption connection you can not catch it with L7 , it's seems you have to find all facebook IP's !!

maherhaddad · Mon Aug 15, 2016 4:18 pm

I used this regular expression and worked to stop youtube app on phones, tablets as well as on computer browsers.

Regular Expression to copy:
^.+(youtube.com|www.youtube.com|m.youtube.com|ytimg.com|s.ytimg.com|ytimg.l.google.com|youtube.l.google.com|i.google.com|googlevideo.com|youtu.be).*$

I have also recorded a video showing how to make the config if you like to watch it:
https://www.youtube.com/watch?v=6oAiUGAsfEY

Mon Aug 15, 2016 6:58 pm

You should start using the dns-based IP address list feature available in ROSv6.36

block www.youtube.com, youtube.com, m.youtube.com, etc.
That will block them from any sort of communication, not just http/https.

Furthermore, it will block even SSL communications.

R1CH · Tue Aug 16, 2016 1:00 am

If this is for a corporate network, you should be installing a transparent HTTPS proxy with a custom root certificate on the clients so you can inspect actual HTTP traffic and apply internet access policy there. There are many such appliances you can get for this, messing around blocking DNS and IP ranges is not a very reliable solution.

hgonzale · Tue Aug 16, 2016 8:13 pm

Yes, for them is a solution, for us is a problem.

doneware · Tue Aug 16, 2016 11:53 pm

lets consider we do regular HTTPS over TCP. [chrome and android uses QUIC to get data securely, which is google proprietary technology and bases on UDP]

although HTTPS as itself is not to be intercepted with layer-7 filters, you can disrupt the connection before SSL is fully negotiated.
certificate exchange takes place "in cleartext", so you can use layer7 to match the certificate common name or serial, then do your stuff mark/drop/reject
on the matched connection. this is not as "surgical" as it would be with URL matching, as multiple sites/services can use the same cert. and if you block it,
you will block connection to all of them.

theoretically.

"L7 matcher collects the first 10 packets of a connection or the first 2KB of a connection and searches for the pattern in the collected data."
don't know how to interpret this, but in my case (see screenshot) the certificate is sent in packets 6,7,8,9 which would fit in there, but the 2k limit
is not enough. it this case you can match the certificate serial number and the common name.
alternatively you could match on the TLS client hello msg (packet #5), where the server name is sent as cleartext and block it.

now i am trying to put it together, but had no success so far.

matiaszon · Sat Sep 17, 2016 1:10 pm

Mikrotik offer a scripted method of blocking sites here :- http://wiki.mikrotik.com/wiki/Manual:Sc ... c_websites

It finally did the job for me!

The goal was to block youtube on my son's iPad. After running that script it blocked youtube site (even on https) but still, the app on iPad was working fine. I changed the line:

    :if (([:find $cacheName "rapidshare"] != 0) || ([:find $cacheName "youtube"] != 0)) do={

to:

    :if ([:find $cacheName "ytimg"] != 0) do={

and that did the job!

If you want to block the specific device, you only have to remember to point the proper source address or source MAC.

Thank you for your help.

matiaszon · Sat Sep 17, 2016 8:11 pm

Unfortunately my happines didn't last too long... The script works, but once it's started, the CPU usage is 100%... Can anybody see and say something clever?

:foreach i in=[/ip dns cache find] do={
    :local bNew "true";
    :local cacheName [/ip dns cache all get $i name] ;
#    :put $cacheName;

    :if ([:find $cacheName "ytimg"] != 0) do={

        :local tmpAddress [/ip dns cache get $i address] ;
#	:put $tmpAddress;

# if address list is empty do not check
        :if ( [/ip firewall address-list find list="restricted" ] = "") do={
            :log info ("added entry: $[/ip dns cache get $i name] IP $tmpAddress");
            /ip firewall address-list add address=$tmpAddress list=restricted comment=$cacheName;
        } else={
            :foreach j in=[/ip firewall address-list find list="restricted"] do={
                :if ( [/ip firewall address-list get $j address] = $tmpAddress ) do={
                    :set bNew "false";
                }
            }
            :if ( $bNew = "true" ) do={
                :log info ("added entry: $[/ip dns cache get $i name] IP $tmpAddress");
                /ip firewall address-list add address=$tmpAddress list=restricted comment=$cacheName;
            }
        }
    }
}

EDIT
I have eraseed lines started with "#" and it helped...

stoser · Sat Sep 17, 2016 10:16 pm

You should start using the dns-based IP address list feature available in ROSv6.36

block http://www.youtube.com, youtube.com, m.youtube.com, etc.
That will block them from any sort of communication, not just http/https.

Furthermore, it will block even SSL communications.

ZeroByte: Just wanted to thank you for pointing this out. I hadn't realized that adress lists in 6.36 supported dns based IP. It is really going to simplify my design. Hopefully address lists will support regular expressions on a future release. FYI to the other members, adding a CNAME to the addess list seems to add dynamic entries for all associated A record IP addresses.

Mon Sep 19, 2016 6:29 pm

Hopefully address lists will support regular expressions on a future release. FYI to the other members, adding a CNAME to the addess list seems to add dynamic entries for all associated A record IP addresses.

It doesn't seem likely that there will ever be regex support in this feature because of how it works.
Whenever you define a hostname in an address list, the router immediately performs a DNS lookup on the name you specified, and all IP addresses returned by the DNS server are added as dynamic IP entries in the list, with timeouts set the same as the TTL returned by DNS. In other words, the IPs cannot live in the list for any longer than DNS....

Ok, so far so good, but why can't you use regex here?

It has been best practice for at least as long as I have been in the industry (since the 90s) to deny anyone having access to read your entire zone - in other words, DNS is like that children's card game "go fish" - clients may ask any name they like, and the DNS server will give the answer if it has one, or else say "not found" (i.e. 'go fish'). You can't just say "give me all of your cards."
So you can't say to a DNS server - give me every possible name you have that ends in google.com

So when you specify a regex, that's essentially what you're doing....

Another complication is that reverse DNS doesn't necessarily match forward DNS. Since the packet filter table is dealing in packets and IP addresses (not names), it doesn't know what name may or may not map to a certain IP address. Take the famous 8.8.8.8 public DNS server at Google.... I could go into my own DNS server, and set a host name "silly.dns.server.example.com" and resolve that to 8.8.8.8 How would the firewall know that I had typed "ping silly.dns.server.example.com" to generate ICMP echo requests to 8.8.8.8?

One thing that could be done is to snoop DNS and if any DNS replies contain hostnames which match your definition, then the IP addresses contained in those DNS responses could be added to the address list.... This could be worked around by clever clients though - if they know which hostnames are going to be used and a valid IP to go with them, they could just place these hostnames into their local hosts file and bypass the DNS snooping. Or they could use DNScrypt, or VPN.....

In the end, blocking outgoing user activity is a never-ending battle. Like Princess Leah told Governer Tarkin: "The more you tighten your grip, the more star systems will slip through your fingers."

migueloty · Fri Sep 23, 2016 7:14 pm

Works
https://www.youtube.com/watch?v=Sf4XePdJ5Ug

aih007 · Tue Oct 04, 2016 11:00 pm

Works
https://www.youtube.com/watch?v=Sf4XePdJ5Ug

Thank you migueloty. Is work with me also

mikronsultiK · Fri May 12, 2017 8:25 pm

lets consider we do regular HTTPS over TCP. [chrome and android uses QUIC to get data securely, which is google proprietary technology and bases on UDP]

although HTTPS as itself is not to be intercepted with layer-7 filters, you can disrupt the connection before SSL is fully negotiated.
certificate exchange takes place "in cleartext", so you can use layer7 to match the certificate common name or serial, then do your stuff mark/drop/reject
on the matched connection. this is not as "surgical" as it would be with URL matching, as multiple sites/services can use the same cert. and if you block it,
you will block connection to all of them.

theoretically.

"L7 matcher collects the first 10 packets of a connection or the first 2KB of a connection and searches for the pattern in the collected data."
don't know how to interpret this, but in my case (see screenshot) the certificate is sent in packets 6,7,8,9 which would fit in there, but the 2k limit
is not enough. it this case you can match the certificate serial number and the common name.
alternatively you could match on the TLS client hello msg (packet #5), where the server name is sent as cleartext and block it.

now i am trying to put it together, but had no success so far.

this post was very interesing on my side. thanks to take time to focus on the specific relevant aspects of the topic.

reinerotto · Sat May 13, 2017 10:12 am

Instead of messing around with this one
>...you can disrupt the connection before SSL is fully negotiated.
certificate exchange takes place "in cleartext", <
on MT on low level, similar can be done in a clean way using squids https interception.
Which also allows to block facebook etc.
However, this needs squid to be setup, which is not possible on MT, AFAIK.

tangram · Mon May 15, 2017 12:35 pm

Hi,

Drop any dns requests using l7 list.

;;; Drop Blacklist - DNS
chain=forward action=drop layer7-protocol=blacklist protocol=udp dst-port=53

If they don't use ip instead of name you're covered.

tnrclkr · Sun Aug 20, 2017 10:46 pm

Calm down

As he mentioned before. Dropping layer7 and adding his pages to L7 list is enough. and woking... BEST SOLLUTION. Point is just finding all pages tried to be reached.

aarango · Tue Aug 22, 2017 10:46 am

Mikrotik offer a scripted method of blocking sites here :- http://wiki.mikrotik.com/wiki/Manual:Sc ... c_websites
It finally did the job for me!

The goal was to block youtube on my son's iPad. After running that script it blocked youtube site (even on https) but still, the app on iPad was working fine. I changed the line:
Code: Select all
    :if (([:find $cacheName "rapidshare"] != 0) || ([:find $cacheName "youtube"] != 0)) do={
to:
Code: Select all
    :if ([:find $cacheName "ytimg"] != 0) do={
and that did the job!

If you want to block the specific device, you only have to remember to point the proper source address or source MAC.

Thank you for your help.

Why didn't block you youtube in Ipad but yes it blocked when you used "ytimg"?

matiaszon · Thu Aug 31, 2017 1:20 am

Mikrotik offer a scripted method of blocking sites here :- http://wiki.mikrotik.com/wiki/Manual:Sc ... c_websites
It finally did the job for me!

The goal was to block youtube on my son's iPad. After running that script it blocked youtube site (even on https) but still, the app on iPad was working fine. I changed the line:
Code: Select all
    :if (([:find $cacheName "rapidshare"] != 0) || ([:find $cacheName "youtube"] != 0)) do={
to:
Code: Select all
    :if ([:find $cacheName "ytimg"] != 0) do={
and that did the job!

If you want to block the specific device, you only have to remember to point the proper source address or source MAC.

Thank you for your help.
Why didn't block you youtube in Ipad but yes it blocked when you used "ytimg"?

Because I want to learn a bit of MikroTik.

SilverNodashi · Tue Sep 05, 2017 10:00 am

Hi,
Can someone please tell me, do I add these rules to the bottom, or the top of the Firewall list? Or does it not matter?

msatter · Tue Sep 05, 2017 12:50 pm

Maybe time that the comes a sticky post on blocking. The DNS does now regex and became a good tool to block unwanted sites. You have then block also acces to external DNS servers. A user can still create a host file to bypass the Mikrotik filtering.

poizzon · Sat Dec 23, 2017 1:57 pm

I'm still wondering why you're not using an openDNS to block some sites ?

Of course you need static wan up address, but it is simple solution with some feedback .

sebastia · Sat Dec 23, 2017 2:03 pm

The recommended solution has been documented by Mikrotik support: have a look at the video at 3:30 https://www.youtube.com/watch?v=D80_a_O ... cqdP43-B13

djarole · Wed Oct 23, 2019 5:21 am

maybe using mikrotik dns server, create static dns entry for all facebook dns names

i have tested 13k static entry's on dns and 7000 on adress-list on a rb951g and works ok

the problem is to obtain facebook hosts dns names

Would you share the code or how to configure that?

How to block Youtube and facebook Android App in router Mikrotik

How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Re: How to block Youtube and facebook Android App in router Mikrotik

Who is online