MikroTik

Hi Guys, just wondering if anyone has been able to 100% block streaming video sites like netflix etc., I have tried many times and i have not been successful. I have the proxy enabled and have the site blocked and all the known urls, however the ios apps and rokus still get through...

RB450g, rb2011uas

Any help would be extremely appreciated...

If you want to block those pages completely, setup a transparent dns first: This way, no matter what dns the customer configures, it will always get resolved by your local cache.
Then, just add static entries for the pages you want to block: You may need to restart the PC since it has its own dns cache, or just flush that local dns cache

This will stop the direct url people....but what about people using the apps (netflix, hulu) , and streaming devices...like roku, appletv etc...

I have been successful in blocking the direct url's....just not everything else...

bump^^^

Bump!!

Enviado desde mi Nexus 7 mediante Tapatalk

Disconnect ether1.

Sent from my EVO using Tapatalk

Just open up sites that you want.

Check out Greg Sowell's 2015 US MUM presentation for some guidance. It'll show you how to do some of them without L7.

Disconnect ether1.

LOL - I was going to say the same thing.

I know the thread is old, but just to reply to a point made earlier in the thread -

Apps can be blocked with DNS just as effectively as "direct URL" access because guess what - the apps have to use DNS also. They COULD have hard-wired IP addresses in their code, but this would be troublesome if the servers' IP addresses ever needed to be migrated, so I am pretty sure that it's quite rare to find an app with a hard-wired IP address in its code.
(hotspot detection is a notable exception to this - they have to know what IP address an un-tampered reply would give)

You need to use L7 stuff. But it changes so its difficult to track down the specific signatures. There are plenty of boxes out there that can ID the traffic with a multitude of definitions that if they match enough of them it'll be considered netflix and then you just decide what to do with it (ie drop / throttle)

You need to use L7 stuff. But it changes so its difficult to track down the specific signatures. There are plenty of boxes out there that can ID the traffic with a multitude of definitions that if they match enough of them it'll be considered netflix and then you just decide what to do with it (ie drop / throttle)

Yes they are UTM devices and that kind of aPP ID its a licensed service with a year payment, is not free.

I use opendns to take certain control of navigation its free bot has limited customization and depends of the scenario to be successful.

Don't forget that youtube is all SSL now, so layer7 won't work on YouTube.

The best thing to do would be to simply set up a queueing mechanism on all HTTP(S) traffic which allows a nice big healthy initial burst of a hundred megabytes or so, but after the burst is over, throttles it to something ridiculous like 256Kbps. General web surfing will work just like normal, and even downloads smaller than the burst size will be fast. Extended streaming will go over budget, and get severely throttled so as to make the stream stop working. It will just look like (and actually be the case that) your network performs too poorly for streaming.

This is better than blocking because if you just block traffic, savvy users are going to make it their mission in life to tunnel around your countermeasures, whereas if it's just slow, they're going to think you suck for video streaming and just not do streaming on your network.

Hello, sorry to intrude like this, but I was browsing for some ways to limit streaming videos using Mikrotik and came upon your suggestion of using queue. I am new at this but very interested in implementing your idea. Can you post a guide or point me to one about setting up a http(s) queue? Thanks.

Hello, sorry to intrude like this, but I was browsing for some ways to limit streaming videos using Mikrotik and came upon your suggestion of using queue. I am new at this but very interested in implementing your idea. Can you post a guide or point me to one about setting up a http(s) queue? Thanks.

wiki.mikrotik.com