Netgate Discussion Forum

Youtube Blocking in pfblocker via IP

pfBlockerNG
    antgalla
    last edited by Mar 5, 2025, 3:02 AM

    Hi everyone,

    I'm using pfBlockerNG/IP/IPv4 to block websites and add the website IP to the IPv4 Custom_List to block the website.

    But when I'm blocking YouTube with the rule I created, pfSense automatically includes our ISP (please see attached img), so if the rule is active we can't use our internet.

    Any suggestion? appreciate your help.

    [image]

      Gertjan @antgalla
      last edited by Mar 5, 2025, 7:34 AM

      @antgalla

      The file used, 'pfB_Blocked_YT_v4', can be found (afaik) here /var/db/aliastables/
      Does that file include your WAN IP ?

      Not a real solution, more a workaround : what about a pass rule you create and place just above this pfB block rule so that it your WAN IP ?

      Btw : Youtube uses 2000+ IPv4's. So, this week, the set you've listed is active, it will change (all the time) in a couple of days/weeks/months. Blocking the big players (Microsoft, facebook, apple, google, etc) is close to mission impossible as they have hired all the greatest network administrators to make your life harder. Worse, block those sites and your network guests will just leave your network (and start dealing with SIM cards ^^).
      What will work is blocking all IPs that alphabet owns = block their ASN and then nothing will work anymore. Including www.google.com etc.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??
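An added example for the "does that file include your WAN IP?" check above (not code from the thread, pfSense or pfBlockerNG): a plain text search misses a WAN address that is covered by a CIDR entry, so this tests containment instead. It assumes the table holds one IPv4 address or CIDR per line; the sample table, the WAN address and the function name `covering_entries` are constructed for illustration.

```python
import ipaddress

# Constructed sample in the assumed table format: one address or CIDR per
# line, '#' starts a comment. Documentation ranges only, not real data.
SAMPLE_TABLE = """\
# pfB_Blocked_YT_v4 (constructed sample)
192.0.2.14
198.51.100.0/24
203.0.113.0/25
not-an-address
203.0.113.200
"""


def covering_entries(table_text, address):
    """Return (line_number, entry) for each table entry that contains address."""
    target = ipaddress.ip_address(address)
    hits = []
    for lineno, raw in enumerate(table_text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue  # blank line or comment
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # malformed line, ignore it
        if net.version == target.version and target in net:
            hits.append((lineno, entry))
    return hits


if __name__ == "__main__":
    wan = "203.0.113.67"  # constructed WAN address
    for lineno, entry in covering_entries(SAMPLE_TABLE, wan):
        print(f"line {lineno}: {entry} covers {wan}")
```

To run it against a real table, pass the file's contents as `table_text` and the firewall's WAN address as `address`.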

        SteveITS Galactic Empire @antgalla
        last edited by Mar 5, 2025, 8:10 AM

        @antgalla We tried blocking YouTube for my son via ASN but could not get it to consistently block. We ended up using a View in unbound. To block for everyone you could set a domain override to nowhere. Remember to block DoH/DoT to force devices to use pfSense for DNS.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

          antgalla @antgalla
          last edited by Mar 6, 2025, 3:05 AM

          @Gertjan
          The file used, 'pfB_Blocked_YT_v4', can be found (afaik) here /var/db/aliastables/ - it's working after I edit the file via vi!
          But when I reload the pfblockerNG/IP the problem returns😒

            antgalla @Gertjan
            last edited by Mar 6, 2025, 3:13 AM

            @SteveITS
            I need to block the website on a specific device only. I can't use domain overrides because it's blocking all devices. 😕

              SteveITS Galactic Empire @antgalla
              last edited by Mar 6, 2025, 5:40 AM

              @antgalla I have excellent news for you. :) In DNS Resolver settings try:

              [image]

                antgalla @antgalla
                last edited by Mar 6, 2025, 5:47 AM

                @SteveITS
                Niceee, I will try it later! Can I put alias instead of IP?

                  SteveITS Galactic Empire @antgalla
                  last edited by Mar 6, 2025, 5:56 AM

                  @antgalla said in Youtube Blocking in pfblocker via IP:

                  @SteveITS
                  Niceee, I will try it later! Can I put alias instead of IP?

                  It’s raw unbound config so I doubt it knows about pfSense aliases.

                    Gertjan @antgalla
                    last edited by Gertjan Mar 6, 2025, 7:38 AM Mar 6, 2025, 7:36 AM

                    @antgalla said in Youtube Blocking in pfblocker via IP:

                    Can I put alias instead of IP?

                    Alias ?
                    Recall : aliases can't be used by firewall rule, they have to be resolved first. Aliases are by default re resolved every 5 minutes.
                    You still have to put in the host overrides in the DNS config, what @SteveITS showed is a good method, so it points to a non usable IP like 127.0.0.2.
                    If you don't put the host overrides in place, you'll get back the 'real' IPs - the ones that can change every 300 seconds.
                    300 seconds ? yes : check for yourself :

                    [image]

                    that list changes all the time !
                    More details :

                    [25.03-BETA][root@pfSense.bhf.tld]/root: dig www.youtube.com
                    .....
                    ;; QUESTION SECTION:
                    ;www.youtube.com.               IN      A
                    
                    ;; ANSWER SECTION:
                    www.youtube.com.        237     IN      CNAME   youtube-ui.l.google.com.
                    youtube-ui.l.google.com. 237    IN      A       172.217.20.206
                    youtube-ui.l.google.com. 237    IN      A       216.58.215.46
                    youtube-ui.l.google.com. 237    IN      A       216.58.213.78
                    youtube-ui.l.google.com. 237    IN      A       142.250.179.78
                    youtube-ui.l.google.com. 237    IN      A       142.250.179.110
                    youtube-ui.l.google.com. 237    IN      A       142.250.178.142
                    youtube-ui.l.google.com. 237    IN      A       142.250.201.174
                    youtube-ui.l.google.com. 237    IN      A       172.217.18.206
                    youtube-ui.l.google.com. 237    IN      A       216.58.214.78
                    youtube-ui.l.google.com. 237    IN      A       142.250.74.238
                    youtube-ui.l.google.com. 237    IN      A       142.250.75.238
                    youtube-ui.l.google.com. 237    IN      A       216.58.214.174
                    youtube-ui.l.google.com. 237    IN      A       172.217.20.174
                    ....
                    

                    so 237 seconds left before the list changes ...

                    So chances exist that the firewall, your rule, blocks IPs that aren't used anymore, and new ones will pop up, the ones you don't block (yet) .... to be taken into account 300 seconds later, (and around we go) .... etc ...

                    Anyway, try things out for yourself.

                      antgalla @SteveITS
                      last edited by antgalla Mar 6, 2025, 8:13 AM Mar 6, 2025, 8:10 AM

                      @SteveITS
                      Appreciate your response on this matter.
                      But the main problem here is still included our ISP when I'm blocking the youtube or netflix via Pfblocker IP.

                      I do your suggestion to edit the /var/db/aliastables/Netflix or YT comment out the ISP, it works but when I reload the pfblockerNg IP the problem returns.

                        Gertjan @antgalla
                        last edited by Mar 6, 2025, 8:37 AM

                        @antgalla said in Youtube Blocking in pfblocker via IP:

                        But the main problem here is still included our ISP when I'm blocking the youtube or netflix via Pfblocker IP.

                        I do your suggestion to edit the /var/db/aliastables/Netflix or YT comment out the ISP, it works but when I reload the pfblockerNg IP the problem returns.

                        pfBlockerng creates these files with the info you (?)'ve entered in the pfBlockerng GUI.
                        Can you show with image how you've set up these 'YT' and 'Netflix' IP lists so I can reproduce this ?

                          Patch @antgalla
                          last edited by Patch Mar 6, 2025, 10:04 AM Mar 6, 2025, 10:01 AM

                          @antgalla said in Youtube Blocking in pfblocker via IP:

                          But the main problem here is still included our ISP when I'm blocking the youtube or netflix

                          You can easily white list particular IP addresses, such as a range within that used by your ISP. Create an alias containing the white list and add a rule to allow these addresses which is evaluated prior to the pfblocker rule.

                          If your ISP sources netflix/youtube data you will need to ensure the white list does not include the addresses your ISP uses for that.

                          @Gertjan said in Youtube Blocking in pfblocker via IP:

                          the 'real' IPs - the ones that can change every 300 seconds.

                          I agree data scraping by the very big USA companies is annoying.
                          For devices using pfsense DNS, adding host over-rides / DNS blocking is an excellent idea.

                          Where that does not achieve the desired results, IP blocking could still be used; however, doing so requires an IP alias which supports persistence (old IP addresses kept in the alias for a configurable time). Doing so exploits the fact that google/facebook/amazon can change where new lookups will go, but they have to keep all old addresses active till all normal user applications stop using them (otherwise their application randomly stops working for normal users). By far the majority of relevant transmissions would then be caught, as pfsense could then be configured to update the alias more often than most user devices' DNS updates.

                          Unfortunately pfsense has not yet added this alias option. Doing so would require maintaining an IP list with last DNS lookup time, then deleting only those past the expiry time.
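An added sketch of the persistent alias described in the post above (not code from the thread, pfSense or pfBlockerNG): each address is stored with the time of the last lookup that returned it, and only entries past the expiry are dropped. The class name, `hold_seconds`, `replay` and the lookup data are constructed for illustration; setting `hold_seconds` to 0 reproduces an alias that is simply replaced on every resolve.

```python
import ipaddress


class PersistentAlias:
    """IP set where an address expires hold_seconds after it was last seen."""

    def __init__(self, hold_seconds):
        self.hold_seconds = hold_seconds
        self.last_seen = {}  # ip string -> time of the last lookup returning it

    def update(self, resolved, now):
        """Record one lookup result, then delete only entries past the expiry."""
        for ip in resolved:
            self.last_seen[str(ipaddress.ip_address(ip))] = now
        cutoff = now - self.hold_seconds
        self.last_seen = {ip: t for ip, t in self.last_seen.items() if t >= cutoff}
        return self.entries()

    def entries(self):
        """Current alias contents, sorted by address family and numeric value."""
        def sort_key(ip):
            addr = ipaddress.ip_address(ip)
            return (addr.version, int(addr))
        return sorted(self.last_seen, key=sort_key)


def replay(lookups, hold_seconds):
    """Feed (time, answers) pairs through an alias; return its content per step."""
    alias = PersistentAlias(hold_seconds)
    return [alias.update(answers, t) for t, answers in lookups]


# Constructed lookups (seconds, answer set) using documentation addresses.
LOOKUPS = [
    (0, ["192.0.2.10", "192.0.2.11"]),
    (300, ["192.0.2.11", "192.0.2.12"]),
    (600, ["192.0.2.12", "192.0.2.13"]),
    (1200, ["192.0.2.13"]),
]

if __name__ == "__main__":
    for hold in (0, 600):
        print(f"hold_seconds={hold}")
        for (t, _), content in zip(LOOKUPS, replay(LOOKUPS, hold)):
            print(f"  t={t:>4}: {content}")
```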

                            antgalla @antgalla
                            last edited by Mar 6, 2025, 11:52 PM

                            @Gertjan
                            please see imgs below. As you can see in the second img there is no ISP IP(..113.67) included.

                            [image]

                            [image]

                              Gertjan @antgalla
                              last edited by Mar 7, 2025, 6:37 AM

                              @antgalla

                              Above, I thought the YT (Youtube) list introduced your WAN IP.
                              Now it's the Netflix list ?

                              Btw :

                              [image]

                              I'm not sure what this tells me : you get a list with IPv4 to block from netflix itself ( 😊 ) (and as soon as it is blocked, how could pfBlocker resolve and access https://www.netflix.com/... to get an update of this list ?)

                              I've an idea :
                              Knowing that pfBlockerng doesn't do anything when you've installed it.
                              Knowing that your WAN IP isn't part of any list that you've not created yourself,
                              I really presume you didn't add manually your WAN IP 'somewhere' in a file yourself to be used by pfSense.
                              Get a backup (export) of the config of pfSense, open it with a text editor (Notepad++) and look where your WAN IP is mentioned - in a pfBlockerng section. That will give you the place in what part of the GUI it has been set.
