Block youtube and not google earth
Posted: Tue Jul 24, 2018 11:18 pm
by Mariosg
Is there any way to block YouTube but keep Google Earth, Gmail and the Google search engine working?
Sorry for my English, I speak Spanish
Thank you
Mario
Re: Block youtube and not google earth
Posted: Tue Jul 24, 2018 11:33 pm
by mkx
No, not when https is used to access those web pages.
Re: Block youtube and not google earth
Posted: Wed Jul 25, 2018 12:57 am
by sindy
Wouldn't an action=reject reject-with=tcp-reset tls-host=youtube.com be a way?
Re: Block youtube and not google earth
Posted: Wed Jul 25, 2018 8:30 am
by vecernik87
No. I was never able to make this work reliably, and there is a reason behind this.
I noticed that, for example, the anonymous mode of Google Chrome will always start with HTTP/2 (which is TCP) and only after that will it switch to HTTP/2+QUIC. After support for QUIC is cached, it will always start with it. TCP is required for tls-host, but QUIC is UDP. In non-anonymous mode, Chrome remembers it from the first visit (unless the cache is cleared).
As this is probably cached in every client (unless it is brand new and has never visited YouTube), you can't use it reliably. Chrome (both desktop and Android) and the YouTube app (Android) will pass it without issue. I tested these personally. I believe Opera and maybe some other browsers today have support for QUIC, but I have not tested it.
Re: Block youtube and not google earth
Posted: Wed Jul 25, 2018 8:34 am
by sindy
I've known about QUIC, but didn't know its availability at server side was cached by the browsers. Thank you for pointing that out.
Re: Block youtube and not google earth
Posted: Wed Jul 25, 2018 9:10 am
by vecernik87
I didn't know either, until I tried to do this a few months ago, failed and started looking into why the hell...
If you ever find some workaround, I believe many people would be very glad of that (including myself).
edit: I couldn't help myself, so I started digging and found that, despite QUIC support being stored in the browser's cache, sometimes a new QUIC Client Hello (CHLO) packet is sent when reaching YouTube. This packet (according to Wireshark) has an easily visible SNI in plain text. This is good enough to be filtered, but I am not quite sure if it is as fast as the native tls-host feature.
I noticed this CHLO packet is sent after some unspecified timeout. Therefore if you have just visited YouTube, any request (even in a newly opened tab or after a browser restart) will not send a CHLO but continue straight on with the already encrypted QUIC session... So we are back at the beginning - not reliable...
(just sharing my thoughts - maybe it is useful for someone)
edit2: While reading more about QUIC, I realized that a CHLO is required every time a UDP connection needs to be (re)opened - which simply must happen every time after the user joins the network. That effectively means we can consider the QUIC CHLO packet a reliable sign of the start of communication. However, I have no idea how to use this knowledge to filter it...
For now, I was able to filter YouTube with the following:
/ip firewall filter
add action=drop chain=forward dst-address-list=youtube
/ip firewall address-list
add address=www.youtube.com list=youtube
add address=i.ytimg.com list=youtube
add address=youtubei.googleapis.com list=youtube
Not reliable, not neat, probably some side effects... but it is the best I can do for now. (And I believe it is better than the hand-written list of many IP addresses which I saw in some other topics.)
Re: Block youtube and not google earth
Posted: Wed Jul 25, 2018 11:36 pm
by msatter
I just don't allow UDP 80,443 to escape to the internet. I do this by blocking that traffic in RAW with any port.
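The three ideas above (msatter's UDP block, sindy's tls-host reject and vecernik87's address list) combined into one RouterOS ruleset, as an added example that is not any poster's configuration. It assumes a LAN of 192.168.88.0/24 behind the router, RouterOS 6.41 or later for tls-host, and glob-style wildcards in the tls-host value; the hostnames are the ones named in this thread and may not cover every host YouTube uses.

```routeros
# Added example, not from the thread. Assumed LAN: 192.168.88.0/24 (adjust to your network).
/ip firewall address-list
# Hostnames are resolved by the router and refreshed; the list is only as complete as the names you add.
add list=youtube address=www.youtube.com comment="YouTube (hostname, resolved by router)"
add list=youtube address=i.ytimg.com comment="YouTube thumbnails"
add list=youtube address=youtubei.googleapis.com comment="YouTube API"

/ip firewall raw
# 1. Drop outbound QUIC (UDP/443 and UDP/80) from the LAN so browsers fall back to TCP,
#    where the TLS ClientHello carries a plain-text SNI that tls-host can match.
add chain=prerouting src-address=192.168.88.0/24 protocol=udp dst-port=80,443 action=drop comment="no QUIC, force TCP fallback"

/ip firewall filter
# 2. Reject TCP/443 connections whose SNI matches a YouTube hostname; tcp-reset lets the client fail fast.
#    These rules must sit ABOVE any "accept established,related" rule: the ClientHello travels inside an
#    already established TCP connection and would otherwise be accepted before tls-host ever sees it.
add chain=forward src-address=192.168.88.0/24 protocol=tcp dst-port=443 tls-host="*youtube.com" action=reject reject-with=tcp-reset comment="youtube SNI"
add chain=forward src-address=192.168.88.0/24 protocol=tcp dst-port=443 tls-host="*ytimg.com" action=reject reject-with=tcp-reset comment="youtube SNI (thumbnails)"
add chain=forward src-address=192.168.88.0/24 protocol=tcp dst-port=443 tls-host="*youtubei.googleapis.com" action=reject reject-with=tcp-reset comment="youtube SNI (api)"
# 3. Fallback for clients that send no SNI: drop by resolved address. This can also hit other Google
#    services sharing those addresses, so keep it last and review its hit counter before relying on it.
add chain=forward src-address=192.168.88.0/24 dst-address-list=youtube action=drop comment="youtube resolved IPs"
# Google Earth, Gmail and Google Search match none of the rules above and stay reachable over TCP.
```

Clients that already hold a QUIC session keep using it until it times out (the point vecernik87 makes above), so test from a client that has rejoined the network after the UDP drop rule is in place.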
Re: Block youtube and not google earth
Posted: Thu Jul 26, 2018 5:48 am
by Leinadmontilla
You can block youtube using layer7 protocol.
Re: Block youtube and not google earth
Posted: Thu Jul 26, 2018 6:55 am
by vecernik87
No, you can't, and it has been described many times, again and again. Layer7 filtering does not work if the website uses HTTPS. The only result will be a slow router with the CPU at 100%, because every connection will be checked again and again... please watch the following:
https://youtu.be/XkKj9rj4quQ?t=25m43s It explains why you can't use Layer7.
Unfortunately even the suggested method (tls-host) is not working properly, because YouTube now uses QUIC (if supported by the browser or app), which is not TCP but UDP; therefore tls-host rules will not match it...
Re: Block youtube and not google earth
Posted: Thu Jul 26, 2018 8:28 am
by Jotne
There are ways to do it, but not with MikroTik.
In our office, we block many sites.
We use "Enabling SSL decryption".
Find out more here:
https://www.websense.com/content/suppor ... nable.aspx
But there are many catches with that.
Some sites do not work.
Some sites should not be inspected (bank/political)++
Some software that uses HTTPS sites needs to be whitelisted to work.
+++
Re: Block youtube and not google earth
Posted: Thu Jul 26, 2018 10:13 am
by vecernik87
"To implement SSL decryption for your end users, you need a root certificate on each client machine that acts as a Certificate Authority for SSL requests to the cloud proxy."
So - you have to manually set up each client to support this, otherwise you will see the famous "your connection is not secure" message. Some apps which simply rely on HTTPS and do not allow modification of SSL (because they have a hard-coded certificate to avoid tampering) will not work. Some sites, as you say, may also not work.
That is not a solution, merely a terrible band-aid approach causing compromised security and many other issues. If you have to do such a thing, fine, but please - never ever promote it or suggest it to people who are unaware of the consequences.
Re: Block youtube and not google earth
Posted: Thu Jul 26, 2018 10:27 am
by pe1chl
Those solutions are at the end of their lifetime anyway, now that more and more initiatives are being made to actually check the certificate authority for certificates (DANE etc.). The browser will alert the user when accessing e.g. YouTube but the certificate is not the one that YouTube indicates.
Re: Block youtube and not google earth
Posted: Thu Jul 26, 2018 1:24 pm
by Jotne
The browser will alert the user when accessing e.g. YouTube but the certificate is not the one that YouTube indicates.
Do you know when this would be implemented?
I do not see any message like this.
PS I do not like the way my workplace has implemented this, but I cannot do anything about it.
Re: Block youtube and not google earth
Posted: Thu Jul 26, 2018 2:05 pm
by pe1chl
The browser will alert the user when accessing e.g. YouTube but the certificate is not the one that YouTube indicates.
Do you know when this would be implemented?
I do not see any message like this.
Google Chrome does this already for some of Google's own sites.
It is only a matter of time until this is extended to other sites and other browsers.
Re: Block youtube and not google earth
Posted: Thu Jul 26, 2018 2:16 pm
by Jotne
Can you give me a site to try from my work PC?
It would be interesting to see if it is detected.
Re: Block youtube and not google earth
Posted: Fri Jul 27, 2018 8:17 pm
by krafg
No, you can't, and it has been described many times, again and again. Layer7 filtering does not work if the website uses HTTPS. The only result will be a slow router with the CPU at 100%, because every connection will be checked again and again... please watch the following:
https://youtu.be/XkKj9rj4quQ?t=25m43s It explains why you can't use Layer7.
Unfortunately even the suggested method (tls-host) is not working properly, because YouTube now uses QUIC (if supported by the browser or app), which is not TCP but UDP; therefore tls-host rules will not match it...
Today you CAN block YouTube using Layer7. It works with HTTP and HTTPS!
Try it!
Regards.
Re: Block youtube and not google earth
Posted: Fri Jul 27, 2018 11:10 pm
by pe1chl
Today you CAN block YouTube using Layer7. It works with HTTP and HTTPS!
Try it!
... but now Google/YouTube has moved on to QUIC, read above!
Re: Block youtube and not google earth
Posted: Fri Jul 27, 2018 11:25 pm
by Jotne
According to Wikipedia, QUIC is an experimental protocol.
Since our workplace inspects HTTPS using Forcepoint to intercept HTTPS, QUIC should cause problems with blocking HTTPS.
As far as I can see, HTTPS/YouTube and HTTPS/Google are logged and tracked by Forcepoint.
They can also be blocked.
I do not see any error in Chrome (v68) saying that there is anything wrong with those sites.
So, as far as I can see, you can block HTTPS sites, but not with MikroTik.
Re: Block youtube and not google earth
Posted: Sat Jul 28, 2018 3:28 am
by kevinds
Could this not be done with DNS?
Simple hosts file or on the DNS server?
Re: Block youtube and not google earth
Posted: Tue Oct 09, 2018 10:14 am
by nitrohydride
Could this not be done with DNS?
Simple hosts file or on the DNS server?
You can do it, but it will affect every DNS user, unless MikroTik can redirect only chosen ones to another DNS server (but I guess it is impossible).
@vecernik87 I've tested the tls-host and Layer7 solution. It works for me after a browser restart; I will do more tests anyway..
Re: Block youtube and not google earth
Posted: Tue Dec 18, 2018 10:04 am
by lil0
My simple solution works for me.
Block only youtube.com without Google Maps, Gmail etc.
# router is the DNS server; redirect all DNS requests to my DNS server
# (redirect is a NAT action, so these rules belong in the nat table, dstnat chain):
/ip firewall nat
add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=tcp to-ports=53
# block forwarded TCP traffic to the resolved YouTube addresses
/ip firewall filter
add action=drop chain=forward comment=youtube dst-address-list=youtube protocol=tcp
/ip firewall address-list
add address=216.58.21x.xxx list=youtube
add address=216.58.20x.xxx list=youtube
add address=172.217.16x.xxx list=youtube
add address=172.217.16x.xxx list=youtube
add address=216.58.20x.xxx list=youtube
add address=172.217.1x.xxx list=youtube
add address=172.217.1x.xxx list=youtube
add address=216.239.3x.xxx list=youtube
add address=216.58.21x.xxx list=youtube
Addresses may depend on your country and ISP.
You can find them by trying:
nslookup
www.youtube.com
Server: 192.168.88.1
Address: 192.168.88.1#53
Answer : XXXXXXXXX
Re: Block youtube and not google earth
Posted: Wed Apr 08, 2020 4:35 pm
by Jotne
/ip firewall address-list
add address=216.58.21x.xxx list=youtube
add address=216.58.20x.xxx list=youtube
add address=172.217.16x.xxx list=youtube
add address=172.217.16x.xxx list=youtube
add address=216.58.20x.xxx list=youtube
add address=172.217.1x.xxx list=youtube
add address=172.217.1x.xxx list=youtube
add address=216.239.3x.xxx list=youtube
add address=216.58.21x.xxx list=youtube
You may get problems with other websites hosted on the same server as YouTube. It's common that many sites share the same IP/platform.