Netgate Discussion Forum

    Restrict bandwidth for youtube

      atul.chauhan @Gertjan

      @Gertjan thanks, but I am looking to block bandwidth for YouTube specifically; traffic shaping applies on the whole interface. I want to block social media sites and YouTube only.

        stephenw10 Netgate Administrator

        Traffic shaping applies only to whatever traffic you are able to match with firewall rules. That can be anything.

        Steve

          atul.chauhan @stephenw10

          @stephenw10 yes, agreed, but here comes my question: how can I ask the firewall to find YouTube and apply a limiter/traffic shaping?

            NogBadTheBad

            @stephenw10 said in Restrict bandwidth for youtube:

            https://docs.netgate.com/pfsense/en/latest/firewall/blocking-websites.html#blocking-facebook

            Use pfBlockerNG to create an alias on YouTube's ASN number and then apply blocking / limiting with a firewall rule.

            If you search the forums, it's been mentioned many times.

            https://www.ultratools.com/tools/asnInfoResult?domainName=Youtube&as_sfid=AAAAAAU-ordid-Ckpvv2VWoXwfjDl7OuMeLwfAhksHblT9g8JOs31Y3AztnEBDhqNKZw0RCvZte6K3_nG6-c7DC3Hg9rtvrMrOXVPirX5f3v5uV3lAEOzG6GItf-JHcbDAx8a4g%3D&as_fid=538b4dfd32cf14874a13c280dd3d17f23ab7c24d

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              Gertjan @atul.chauhan

              @atul-chauhan said in Restrict bandwidth for youtube:

              yes agreed but here is my question comes how can i ask firewall to find youtube and apply limiter/traffic shaping

              You agree, and then you repeat the question that @stephenw10 already answered.
              I guess you didn't understand that reply as an answer?

              To make things more clear: This is an AS. Google owns several ASes. These are the entire sets of IPs (IPv4 and IPv6) they == Google use.
              I don't know if you can 'isolate' YouTube as a service ("YouTube" as a site has hundreds of IPs all over the world) - all these IPs are intermixed with Google (search engine) and all other Google services.

              Edit: thus this https://www.ultratools.com/tools/asnInfoResult?domainName=Youtube&as_sfid=AAAAAAU-ordid-Ckpvv2VWoXwfjDl7OuMeLwfAhksHblT9g8JOs31Y3AztnEBDhqNKZw0RCvZte6K3_nG6-c7DC3Hg9rtvrMrOXVPirX5f3v5uV3lAEOzG6GItf-JHcbDAx8a4g%3D&as_fid=538b4dfd32cf14874a13c280dd3d17f23ab7c24d might be the road to a possible solution, but the two ASes mentioned could contain other Google services.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

                atul.chauhan @Gertjan

                @Gertjan isn't there any way to restrict YouTube by DNS only instead of going with the AS? Like, if any request is trying to hit youtube.com only, the limiter will apply automatically. Because, as you said, the AS may contain other services which I don't want to get impacted.

                  Gertjan @atul.chauhan

                  @atul-chauhan said in Restrict bandwidth for youtube:

                  youtube by dns only instead

                  Replace YouTube with google.com, Facebook, Twitter, etc. and your question stays the same: thousands have asked for this already.

                  These guys do their best so that no one gets a hand on the list with the actual IPs they use.
                  These guys own thousands of IPs, own big parts of the DNS structure, and they activate their services on IPs, to take them down again and bring them up on other IPs all the time. All this so they can control used bandwidth per region, per event, per accident, etc.

                  Simply throwing "youtube.com" in a DNS resolver will bring back some IP addresses, and several seconds later other IP addresses.

                  I'm not saying it can't be done. I'm just missing the "whole picture" so this - at first - simple question can be answered.
                  Be warned: the solution "won't be easy" and it will probably never have a "set it up and forget it" solution: it's moving ground.

                    mcury Rebel Alliance

                    You could enable the Squid proxy and force users to use the proxy when the domain is youtube.com.
                    In Squid, you can set up bandwidth usage limits.

                    Note that I didn't test this feature.

                    To set this up, in theory, you can distribute a PAC file like this:

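                    // Send plain hostnames and youtube.com through the proxy; everything else goes direct.
                    function FindProxyForURL(url, host) {
                        if (isPlainHostName(host) ||
                            // match by shell-style pattern
                            // shExpMatch(host, "*.anyregexyouwant.org") ||
                            // match by domain
                            // dnsDomainIs(host, "example1.org") ||
                            dnsDomainIs(host, "youtube.com"))
                            // PROXY_IP is a placeholder for the proxy address
                            return "PROXY PROXY_IP:3128";
                        else
                            return "DIRECT";
                    }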

                    And in Squid, you only splice, do not bump anything, because if you do, you will need to worry about the certificates, and that is not what we want to achieve here.

                    In the Traffic MGMT tab, you can try to tune the settings accordingly.
                    Remember, I didn't test this, and it may not work; also, disable QUIC in case you are using Chrome.

                    In case you try this, please let me know if it worked.

                    dead on arrival, nowhere to be found.
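
The PAC decision from the post above, run against constructed hostnames in Node.js and compared with a stricter match; this is an added example, not part of mcury's post. The `isPlainHostName`/`dnsDomainIs` stand-ins assume the plain suffix comparison that browsers commonly implement, and `findProxyStrict`, `compare` and the sample hosts are hypothetical names chosen for illustration.

```javascript
// Stand-ins for the PAC helpers a browser normally provides.
// Assumption: dnsDomainIs is a plain string-suffix comparison.
function isPlainHostName(host) { return !host.includes("."); }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }

const PROXY = "PROXY PROXY_IP:3128"; // placeholder kept from the post

// The decision logic from the post, behaviour unchanged.
function findProxyOriginal(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, "youtube.com")) return PROXY;
  return "DIRECT";
}

// Hypothetical stricter variant: only youtube.com itself or a real
// subdomain matches, so the comparison stops at a label boundary.
function findProxyStrict(url, host) {
  if (isPlainHostName(host) ||
      host === "youtube.com" ||
      host.endsWith(".youtube.com")) return PROXY;
  return "DIRECT";
}

// Constructed sample hosts (not taken from the thread).
const SAMPLE_HOSTS = [
  "www.youtube.com",          // intended target
  "youtube.com",              // bare domain
  "notyoutube.com",           // unrelated site sharing the suffix
  "youtube.com.example.net",  // target name used as a prefix only
  "intranet",                 // plain hostname: proxied by both variants
  "docs.netgate.com",         // unrelated site
];

// Evaluate both variants for each host and return the rows.
function compare(hosts) {
  return hosts.map((host) => {
    const url = "https://" + host + "/";
    return {
      host,
      original: findProxyOriginal(url, host),
      strict: findProxyStrict(url, host),
    };
  });
}

console.table(compare(SAMPLE_HOSTS));
```

With the suffix comparison, `notyoutube.com` is sent to the throttled proxy alongside YouTube; the stricter variant leaves it `DIRECT`.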

                      mcury Rebel Alliance

                      Hey, I just tested, and it works.
                      Do not set the proxy as transparent.
                      I have used exactly the PAC file example above, just changed the PROXY_IP value for my LAN interface.

                      And set Overall Bandwidth Throttling, inside the Traffic MGMT tab, to 1.

                      With this, YouTube is really slow and the other sites are not.

                      The problem here is that you need a good GPO in order to not let users remove the PAC file from their browsers.

                      I like this setup because you lock by domain, and you don't need to worry about network IP blocks to use in firewall rules.

                        stephenw10 Netgate Administrator

                        Yeah, in general this will not be easy to achieve.

                        You can't use DNS to match and set bandwidth limits.

                        You can use Squid in splice mode, but that adds significant overhead. Also, when encrypted SNI becomes more prevalent, that will be broken and you will only be able to use bump mode.

                        Steve

                          atul.chauhan @mcury

                          @mcury thanks let me try
