How to block Youtube and facebook Android App in router Mikrotik
Posted: Mon Apr 11, 2016 3:52 pm
by aih007
Hi
I need to block Facebook and YouTube from mobile Android and iPhone.
I did block it from PC and laptop, but through the mobile app anyone can still access Facebook and YouTube.
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Mon Apr 11, 2016 11:12 pm
by ShayanFiroozi
Hi,
So tell us, how did you do that on your PC and laptop?
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Tue Apr 12, 2016 3:13 am
by ZeroByte
Probably people are just typing facebook.com, which defaults to an http request first, which of course the service redirects, but since the initial request is http, the PC is getting "blocked" (if the users use a bookmark or have the homepage set to be facebook, I bet it doesn't get blocked).
The app is probably using SSL by default.
In a word - your only option is to use a DNS-based method to block these services (e.g. OpenDNS) because SSL is not possible to intercept with Layer7 rules.
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Tue Apr 12, 2016 5:18 am
by Van9018
If it's just a few domains you'd wish to block, you can add static entries for the domain in IP > DNS > Static and resolve the host names to 127.0.0.1.
You can go a step further and redirect outbound DNS packets to your LAN interface to prevent clever users from specifying their own DNS servers on their computers.
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Tue Apr 12, 2016 6:16 am
by chechito
Maybe using the MikroTik DNS server, create a static DNS entry for all Facebook DNS names.
I have tested 13k static entries on DNS and 7000 on an address-list on an RB951G and it works OK.
The problem is to obtain the Facebook hosts' DNS names.
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Tue Apr 12, 2016 8:09 am
by SystemErrorMessage
Using MikroTik as DNS server is not enough; many services have hard-coded DNS servers. Google Chrome, for example, will use Google DNS regardless of your settings, so your only option is to hijack DNS requests. Many ISPs do this as a way to block websites, as it is very cheap in resources and admin.
I would not suggest blocking YouTube or Facebook completely. Many tutorials and video lessons are available on YouTube. There are plenty of math tutorials on YouTube, for example, and many other useful and beneficial things. Many use Facebook for organising events, so that's a positive use of Facebook.
If you block these things (whether you are a workplace or school), people will use proxies and such, so that's not the best way to deal with it. I would block Facebook games and apps (not the phone app), but Facebook is also a way for people to get in touch other than email and SMS. Many useless and low-quality browser games use Facebook and are basically free to play, but the game quality is so bad that blocking it would be a help (you would also have to block those sites too).
MikroTik makes it so you can't install any software onto their routers; what some organisations do is just install a Linux server and configure it to be a router so they can install customised filtering software, which makes it easy to deal with things that reduce productivity. You can use multiple hijacking techniques and force use of a web proxy server (you can actually run Squid, SquidGuard and ClamAV on a Ubiquiti EdgeRouter, which I do), but it may not work on apps. I do know that the Facebook app uses web code, so it is actually a web browser only pointing to Facebook (it explains their high resource usage and battery draining).
If you are a parent and just wanting to stop your kids from wasting time with these things, then blocking these things entirely doesn't help; rather, you should just block the unhelpful Facebook features and perhaps put them on the lowest priority in QoS (or put some bandwidth limitations to slow it down to encourage them to do other things).
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Tue Apr 12, 2016 8:10 am
by scampbell
MikroTik offers a scripted method of blocking sites here:
http://wiki.mikrotik.com/wiki/Manual:Sc ... c_websites
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Tue Apr 12, 2016 8:12 am
by SystemErrorMessage
Catching DNS requests and redirecting them is called hijacking.
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Tue Apr 12, 2016 11:52 pm
by aih007
Thank you for your reply.
My firewall setup to block Facebook and YouTube from PC and laptop:
- from L7 create Regexp ^.+(facebook.com).*$
- create Filter Rule chain: forward Src.Address=192.168.1.2/24 layer 7 protocol= facebbok Action=Drop
I need someone who did block the Facebook app from mobile.
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Wed Apr 13, 2016 8:56 am
by ShayanFiroozi
Thank you for your reply.
My firewall setup to block Facebook and YouTube from PC and laptop:
- from L7 create Regexp ^.+(facebook.com).*$
- create Filter Rule chain: forward Src.Address=192.168.1.2/24 layer 7 protocol= facebbok Action=Drop
I need someone who did block the Facebook app from mobile.
If the app is using an encrypted connection you cannot catch it with L7; it seems you have to find all Facebook IPs!!
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Mon Aug 15, 2016 4:18 pm
by maherhaddad
I used this regular expression and it worked to stop the YouTube app on phones and tablets as well as in computer browsers.
Regular Expression to copy:
^.+(youtube.com|www.youtube.com|m.youtube.com|ytimg.com|s.ytimg.com|ytimg.l.google.com|youtube.l.google.com|i.google.com|googlevideo.com|youtu.be).*$
I have also recorded a video showing how to make the config, if you would like to watch it:
https://www.youtube.com/watch?v=6oAiUGAsfEY
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Mon Aug 15, 2016 6:58 pm
by ZeroByte
You should start using the dns-based IP address list feature available in ROSv6.36
block
www.youtube.com, youtube.com, m.youtube.com, etc.
That will block them from any sort of communication, not just http/https.
Furthermore, it will block even SSL communications.
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Tue Aug 16, 2016 1:00 am
by R1CH
If this is for a corporate network, you should be installing a transparent HTTPS proxy with a custom root certificate on the clients so you can inspect actual HTTP traffic and apply internet access policy there. There are many such appliances you can get for this, messing around blocking DNS and IP ranges is not a very reliable solution.
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Tue Aug 16, 2016 8:13 pm
by hgonzale
Yes, for them it is a solution; for us it is a problem.
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Tue Aug 16, 2016 11:53 pm
by doneware
Let's consider we do regular HTTPS over TCP. [Chrome and Android use QUIC to get data securely, which is Google proprietary technology and is based on UDP.]
Although HTTPS as itself is not to be intercepted with layer-7 filters, you can disrupt the connection before SSL is fully negotiated.
Certificate exchange takes place "in cleartext", so you can use layer7 to match the certificate common name or serial, then do your stuff (mark/drop/reject)
on the matched connection. This is not as "surgical" as it would be with URL matching, as multiple sites/services can use the same cert, and if you block it,
you will block connections to all of them.
Theoretically.
"L7 matcher collects the first 10 packets of a connection or the first 2KB of a connection and searches for the pattern in the collected data."
I don't know how to interpret this, but in my case (see screenshot) the certificate is sent in packets 6,7,8,9, which would fit in there, but the 2k limit
is not enough. In this case you can match the certificate serial number and the common name.
Alternatively you could match on the TLS client hello msg (packet #5), where the server name is sent as cleartext, and block it.
Now I am trying to put it together, but have had no success so far.
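As an added example, not code from the thread or from MikroTik: doneware's point is that the TLS ClientHello carries the server name in cleartext, which is also why maherhaddad's L7 regex can "see" an app's HTTPS connection. The Python below constructs a minimal ClientHello with an SNI extension, parses the name back out, and applies that regex to the raw bytes; treating the pattern as a DOTALL regex over the first 2 KB is an assumption about how the L7 matcher applies it.

```python
import re
import struct

# maherhaddad's L7 regex from this thread, used as a Python bytes regex.
# Assumption: the L7 matcher runs it over the raw collected bytes with '.'
# matching any byte (re.DOTALL); the unescaped dots match any byte as well.
YOUTUBE_L7 = re.compile(
    rb"^.+(youtube.com|www.youtube.com|m.youtube.com|ytimg.com|s.ytimg.com|ytimg.l.google.com"
    rb"|youtube.l.google.com|i.google.com|googlevideo.com|youtu.be).*$", re.DOTALL)

L7_WINDOW = 2048   # bytes the L7 matcher inspects per connection (the 2KB quoted in the thread)


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record carrying one SNI extension."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list           # extension server_name(0)
    body = (b"\x03\x03" + b"\x11" * 32                               # version + (fake) random
            + b"\x00"                                                # empty session id
            + b"\x00\x02\xc0\x2f"                                    # one cipher suite
            + b"\x01\x00"                                            # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body    # client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Return the SNI host name from a TLS ClientHello record, or None if absent or not TLS."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:                  # handshake record, client_hello
            return None
        pos = 5 + 4 + 2 + 32                                      # record hdr, hs hdr, version, random
        pos += 1 + data[pos]                                      # session id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]      # cipher suites
        pos += 1 + data[pos]                                      # compression methods
        end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if etype == 0:             # server_name: list len(2), name type(1), name len(2), name
                name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                return data[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def l7_would_match(stream: bytes) -> bool:
    """Apply the thread's regex the way L7 does: only to the first 2 KB of the flow."""
    return YOUTUBE_L7.search(stream[:L7_WINDOW]) is not None
```

The name is plaintext in the ClientHello, so a regex over the first packets matches it; the ciphertext that follows is never inspected.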
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Sat Sep 17, 2016 1:10 pm
by matiaszon
It finally did the job for me!
The goal was to block youtube on my son's iPad. After running that script it blocked youtube site (even on https) but still, the app on iPad was working fine. I changed the line:
:if (([:find $cacheName "rapidshare"] != 0) || ([:find $cacheName "youtube"] != 0)) do={
to:
:if ([:find $cacheName "ytimg"] != 0) do={
and that did the job!
If you want to block the specific device, you only have to remember to point the proper source address or source MAC.
Thank you for your help.
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Sat Sep 17, 2016 8:11 pm
by matiaszon
Unfortunately my happiness didn't last too long... The script works, but once it's started, the CPU usage is 100%... Can anybody see and say something clever?
:foreach i in=[/ip dns cache find] do={
    :local bNew "true";
    :local cacheName [/ip dns cache all get $i name] ;
    # :put $cacheName;
    :if ([:find $cacheName "ytimg"] != 0) do={
        :local tmpAddress [/ip dns cache get $i address] ;
        # :put $tmpAddress;
        # if address list is empty do not check
        :if ( [/ip firewall address-list find list="restricted" ] = "") do={
            :log info ("added entry: $[/ip dns cache get $i name] IP $tmpAddress");
            /ip firewall address-list add address=$tmpAddress list=restricted comment=$cacheName;
        } else={
            :foreach j in=[/ip firewall address-list find list="restricted"] do={
                :if ( [/ip firewall address-list get $j address] = $tmpAddress ) do={
                    :set bNew "false";
                }
            }
            :if ( $bNew = "true" ) do={
                :log info ("added entry: $[/ip dns cache get $i name] IP $tmpAddress");
                /ip firewall address-list add address=$tmpAddress list=restricted comment=$cacheName;
            }
        }
    }
}
EDIT
I have erased the lines starting with "#" and it helped...
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Sat Sep 17, 2016 10:16 pm
by stoser
You should start using the dns-based IP address list feature available in ROSv6.36
block
http://www.youtube.com, youtube.com, m.youtube.com, etc.
That will block them from any sort of communication, not just http/https.
Furthermore, it will block even SSL communications.
ZeroByte: Just wanted to thank you for pointing this out. I hadn't realized that address lists in 6.36 supported DNS-based IPs. It is really going to simplify my design. Hopefully address lists will support regular expressions in a future release. FYI to the other members, adding a CNAME to the address list seems to add dynamic entries for all associated A record IP addresses.
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Mon Sep 19, 2016 6:29 pm
by ZeroByte
Hopefully address lists will support regular expressions in a future release. FYI to the other members, adding a CNAME to the address list seems to add dynamic entries for all associated A record IP addresses.
It doesn't seem likely that there will ever be regex support in this feature because of how it works.
Whenever you define a hostname in an address list, the router immediately performs a DNS lookup on the name you specified, and all IP addresses returned by the DNS server are added as dynamic IP entries in the list, with timeouts set the same as the TTL returned by DNS. In other words, the IPs cannot live in the list for any longer than DNS....
Ok, so far so good, but why can't you use regex here?
It has been best practice for at least as long as I have been in the industry (since the 90s) to deny anyone having access to read your entire zone - in other words, DNS is like that children's card game "go fish" - clients may ask any name they like, and the DNS server will give the answer if it has one, or else say "not found" (i.e. 'go fish'). You can't just say "give me all of your cards."
So you can't say to a DNS server - give me every possible name you have that ends in google.com
So when you specify a regex, that's essentially what you're doing....
Another complication is that reverse DNS doesn't necessarily match forward DNS. Since the packet filter table is dealing in packets and IP addresses (not names), it doesn't know what name may or may not map to a certain IP address. Take the famous 8.8.8.8 public DNS server at Google.... I could go into my own DNS server, and set a host name "silly.dns.server.example.com" and resolve that to 8.8.8.8. How would the firewall know that I had typed "ping silly.dns.server.example.com" to generate ICMP echo requests to 8.8.8.8?
One thing that could be done is to snoop DNS and if any DNS replies contain hostnames which match your definition, then the IP addresses contained in those DNS responses could be added to the address list.... This could be worked around by clever clients though - if they know which hostnames are going to be used and a valid IP to go with them, they could just place these hostnames into their local hosts file and bypass the DNS snooping. Or they could use DNSCrypt, or VPN.....
In the end, blocking outgoing user activity is a never-ending battle. Like Princess Leia told Governor Tarkin: "The more you tighten your grip, the more star systems will slip through your fingers."
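As an added example, not from the thread or from RouterOS: ZeroByte's DNS-snooping idea and stoser's observation that a CNAME entry pulls in the A records behind it, worked out in Python over a constructed DNS reply. The reply, the youtube-ui.l.google.com name and the 192.0.2.x addresses are all constructed for the example; the TTL carried with each address is what a dns-based address-list entry would use as its timeout.

```python
import re
import struct

def encode_name(name: str) -> bytes:
    """Wire-format a DNS name (no compression)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def read_name(msg: bytes, pos: int):
    """Decode a possibly compressed DNS name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                         # compression pointer
            end = pos + 2 if end is None else end
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            return ".".join(labels), (pos if end is None else end)
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length

def snoop_dns_reply(msg: bytes, pattern: re.Pattern) -> dict:
    """{ip: (owner, ttl)} for A records whose owner matches pattern directly or via a
    CNAME chain from a matching name; ttl is what the dynamic address-list entry would get."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):                              # skip the question section
        pos = read_name(msg, pos)[1] + 4
    matched, found = set(), {}
    for _ in range(ancount):
        owner, pos = read_name(msg, pos)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if pattern.search(owner):
            matched.add(owner)
        if rtype == 5 and owner in matched:               # CNAME: its target inherits the match
            matched.add(read_name(msg, pos)[0])
        elif rtype == 1 and owner in matched and rdlen == 4:
            found[".".join(str(b) for b in msg[pos:pos + 4])] = (owner, ttl)
        pos += rdlen
    return found

def build_reply(question: str, answers) -> bytes:
    """Constructed DNS response; answers are (owner, rtype, ttl, rdata), rtype 1=A, 5=CNAME."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(question) + struct.pack("!HH", 1, 1)
    for owner, rtype, ttl, rdata in answers:
        rd = encode_name(rdata) if rtype == 5 else bytes(int(o) for o in rdata.split("."))
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rd)) + rd
    return msg

# Constructed reply: www.youtube.com is a CNAME to a google.com name that holds the A records.
SAMPLE_REPLY = build_reply("www.youtube.com", [
    ("www.youtube.com", 5, 300, "youtube-ui.l.google.com"),
    ("youtube-ui.l.google.com", 1, 60, "192.0.2.10"),
    ("youtube-ui.l.google.com", 1, 60, "192.0.2.11"),
])
YOUTUBE = re.compile(r"(^|\.)youtube\.com$")   # matches the name a user asked for, not the CNAME target
```

Without following the CNAME, neither A record would match the pattern, which is exactly why the address-list feature has to resolve the chain rather than the literal name.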
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Fri Sep 23, 2016 7:14 pm
by migueloty
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Tue Oct 04, 2016 11:00 pm
by aih007
Thank you migueloty. It works for me also.
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Fri May 12, 2017 8:25 pm
by mikronsultiK
Let's consider we do regular HTTPS over TCP. [Chrome and Android use QUIC to get data securely, which is Google proprietary technology and is based on UDP.]
Although HTTPS as itself is not to be intercepted with layer-7 filters, you can disrupt the connection before SSL is fully negotiated.
Certificate exchange takes place "in cleartext", so you can use layer7 to match the certificate common name or serial, then do your stuff (mark/drop/reject)
on the matched connection. This is not as "surgical" as it would be with URL matching, as multiple sites/services can use the same cert, and if you block it,
you will block connections to all of them.
Theoretically.
"L7 matcher collects the first 10 packets of a connection or the first 2KB of a connection and searches for the pattern in the collected data."
I don't know how to interpret this, but in my case (see screenshot) the certificate is sent in packets 6,7,8,9, which would fit in there, but the 2k limit
is not enough. In this case you can match the certificate serial number and the common name.
Alternatively you could match on the TLS client hello msg (packet #5), where the server name is sent as cleartext, and block it.
Now I am trying to put it together, but have had no success so far.
This post was very interesting on my side. Thanks for taking the time to focus on the specific relevant aspects of the topic.
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Sat May 13, 2017 10:12 am
by reinerotto
Instead of messing around with this one:
>...you can disrupt the connection before SSL is fully negotiated.
certificate exchange takes place "in cleartext", <
on MT at a low level, similar can be done in a clean way using Squid's HTTPS interception.
Which also allows blocking Facebook etc.
However, this needs Squid to be set up, which is not possible on MT, AFAIK.
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Mon May 15, 2017 12:35 pm
by tangram
Hi,
Drop any DNS requests using an L7 list.
;;; Drop Blacklist - DNS
chain=forward action=drop layer7-protocol=blacklist protocol=udp dst-port=53
If they don't use an IP instead of a name, you're covered.
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Sun Aug 20, 2017 10:46 pm
by tnrclkr
Calm down.
As he mentioned before, dropping layer7 and adding his pages to the L7 list is enough, and working... BEST SOLUTION. The point is just finding all the pages being reached.
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Tue Aug 22, 2017 10:46 am
by aarango
It finally did the job for me!
The goal was to block youtube on my son's iPad. After running that script it blocked youtube site (even on https) but still, the app on iPad was working fine. I changed the line:
:if (([:find $cacheName "rapidshare"] != 0) || ([:find $cacheName "youtube"] != 0)) do={
to:
:if ([:find $cacheName "ytimg"] != 0) do={
and that did the job!
If you want to block the specific device, you only have to remember to point the proper source address or source MAC.
Thank you for your help.
Why didn't it block YouTube on the iPad, but it did block when you used "ytimg"?
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Thu Aug 31, 2017 1:20 am
by matiaszon
It finally did the job for me!
The goal was to block youtube on my son's iPad. After running that script it blocked youtube site (even on https) but still, the app on iPad was working fine. I changed the line:
:if (([:find $cacheName "rapidshare"] != 0) || ([:find $cacheName "youtube"] != 0)) do={
to:
:if ([:find $cacheName "ytimg"] != 0) do={
and that did the job!
If you want to block the specific device, you only have to remember to point the proper source address or source MAC.
Thank you for your help.
Why didn't it block YouTube on the iPad, but it did block when you used "ytimg"?
Because I want to learn a bit of MikroTik.
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Tue Sep 05, 2017 10:00 am
by SilverNodashi
Hi,
Can someone please tell me, do I add these rules to the bottom, or the top of the Firewall list? Or does it not matter?
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Tue Sep 05, 2017 12:50 pm
by msatter
Maybe it is time for a sticky post on blocking. The DNS now does regex and has become a good tool to block unwanted sites. You then also have to block access to external DNS servers. A user can still create a hosts file to bypass the MikroTik filtering.
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Sat Dec 23, 2017 1:57 pm
by poizzon
I'm still wondering why you're not using OpenDNS to block some sites?
Of course you need a static WAN IP address, but it is a simple solution with some feedback.
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Sat Dec 23, 2017 2:03 pm
by sebastia
The recommended solution has been documented by Mikrotik support: have a look at the video at 3:30
https://www.youtube.com/watch?v=D80_a_O ... cqdP43-B13
Re: How to block Youtube and facebook Android App in router Mikrotik
Posted: Wed Oct 23, 2019 5:21 am
by djarole
Maybe using the MikroTik DNS server, create a static DNS entry for all Facebook DNS names.
I have tested 13k static entries on DNS and 7000 on an address-list on an RB951G and it works OK.
The problem is to obtain the Facebook hosts' DNS names.
Would you share the code or how to configure that?