How to block youtube on MikroTik

Overview

There are many ways to block or filter contents on MikroTik such as routing, DNS, Web Proxy and Firewall. But which method is correct to use, It base on what type of content you want to filter.

How about youtube, can you block base on IP address? Maybe not a good choice for you. If you block base on IP, it will effect to other google's services. Some people they use layer 7 and do filtering on firewall filter. But the problem is that all connection, the router try to check the layer 7 parttern. So it will consume alot of resource on your router.



Solution

I will block base on DNS query, so other packet beside DNS query will not check. And I mark the connection and use the connection mark to mark the packet. The result this rule will consume less CPU resource. Here is the rule that I created.

Mark the connection that match protocol UDP and destination port 53 with content=youtube.

/ip firewall mangle 
add action="mark-connection" chain="prerouting" protocol=udp dst-port=53 connection-mark=no-mark content=youtube new-connection-mark=YOUTUBE_CONN passthrough=yes

Then use the connection mark to mark packet

add action=mark-packet chain="prerouting" connection-mark=YOUTUBE_CONN new-packet-mark=YOUTUBE_PACKET

Finally we start block the youtube packet via firewall filter

/ip firewall filter 
add action=drop chain=forward packet-mark=YOUTUBE_PACKET
add action=drop chain=input packet-mark=YOUTUBE_PACKET

After done, you will not able to open youtube anymore. In case you still able to open youtube, you can try to clear history in your browser.


27 thoughts on “How to block youtube on MikroTik

  • May 6, 2017 at 11:35 pm
    Permalink

    you know, dns will be cached by computer, so this method will not work always

    Reply
    • May 8, 2017 at 11:43 pm
      Permalink

      Thanks for your concern, But DNS cache will remove after TTL expire or PC reboot. So after that our rull will effect and no DNS cache for youtube anymore.

      Reply
  • May 26, 2017 at 12:04 am
    Permalink

    I try this sulotion but it is not working. users still access youtube. even after reboot they still can access the youtube 

    Reply
    • June 6, 2017 at 9:15 pm
      Permalink

      If you are window user, you can try to use this command "ipconfig /flushdns".  It maybe problem if you have DNS cache on the same network.

       

       

      Reply
  • July 3, 2017 at 8:48 am
    Permalink

    make layer7 protocol with this regexp with name : Layer7-youtube

    ^.+(youtube.com|www.youtube.com|m.youtube.com|ytimg.com|s.ytimg.com|ytimg.l.google.com|youtube.l.google.com|i.google.com|googlevideo.com|youtu.be).*$

     

    and put in terminal 

    /ip firewall filter add action=drop chain=forward comment=Layer7-youtube layer7-protocol=Layer7-youtube

    Reply
  • July 10, 2017 at 10:59 pm
    Permalink

    Hi,

    As I understanding, with layer 7 it consum alot of resource because it extract every packet and try to match the pattern that go through the router. One more thing if the connection is encrypted like https, it maybe not working well.

     

    Thanks

    Reply
  • September 25, 2017 at 4:54 pm
    Permalink

    Hi. I try open news.google.com and this not work. But if disabled the rule block youtube, it´s work. Why??

    Reply
    • September 25, 2017 at 8:33 pm
      Permalink

      Can you paste your rule here, I'll help to verify.  
      Anyway I'll try to testing with current config too.

      Reply
  • January 12, 2018 at 4:16 am
    Permalink

    Can this rule be used to block youtube via mobile apps.

    Reply
  • May 21, 2018 at 2:47 pm
    Permalink

    It worked…Tripple thumbs up to you

    Thanks a bunch

    Reply
  • June 29, 2018 at 1:29 am
    Permalink

    Have this rule in the layer 7, when I enable it the clients fail to access some of the gmail products like google sheets, documents

    ^..+\.(facebook.com|facebook.net|fbcdn.com|fbsbx.com|fbcdn.net|youtube.com|fb.com|tfbnw.net).*$

    Reply
  • September 3, 2018 at 5:50 am
    Permalink

    Hello,

    Thank you for this great topic, it worked for me perfectly, now how can i allow a specific IP to access youtube?

     

    Thank you

    Reply
  • September 18, 2018 at 10:58 pm
    Permalink

    Hi, thank you for your solution to block youtube.

    but how about user access youtube via proxy or ssh tunnel?

    Reply
  • October 20, 2018 at 1:37 pm
    Permalink

    Hi, 

    Is it possible ta apply this rule only on some simple queues? Suppose I have a building with 8 levels that i devided into 8 simple queues to seperate the internet traffic. What if I want to apply only on "simple queue 01" and let the traffic unfiltered to other levels. Thanks in advance

    Reply
  • October 25, 2018 at 1:46 pm
    Permalink

    The layer7 didn't work for me.

    The DNS solution worked but I was unable to allow specific range to traffic without marking the connection.

    Any tip? This is being hard to solve.

    thanks

    Reply
  • November 17, 2018 at 5:33 am
    Permalink

    HI 

    Thanks for the guide line, I have successfully blocked youtube, 

    But I want to know how doI allows specific users, to access youtube. after implementing the above

     

     

    Reply
    • October 12, 2019 at 4:06 am
      Permalink

      You can add rule accept in firewall filter above the rule drop youtube.

      Reply
  • February 8, 2019 at 12:43 am
    Permalink

    its working thnx 

    Reply
  • April 17, 2019 at 2:39 pm
    Permalink

    Hi, guys, I try this but with Opera browser with VPN turned ON in the settings. And Youtube works without problem. How to block the Opera VPN?

    Reply
    • October 12, 2019 at 4:03 am
      Permalink

      Thanks, I’ll test about it

      Reply
  • May 10, 2019 at 2:39 am
    Permalink

    Can you please give a solution like this for blocking facebook. I have used Layer 7 protocol method for blocking facebook, but that one have some drawbacks. ~ Thanks in Advance!

    Reply
  • August 2, 2019 at 3:49 am
    Permalink

    It’s working. thanks brother

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *