Facebook videos not loading after blocking all web access except facebook



  • Dear all,

    please help me to get out of this problem:

    I am new to pfSense and am using the latest pfSense version.

    I just want to allow only Facebook and block all other web access on my LAN.

    Well, for this, in my firewall rules page on the LAN interface
    I edited the default LAN allow rule into a block rule,
    then I created an alias for Facebook, i.e. www.facebook.com,
    and then created another rule to allow this alias: source is LAN & destination is 'alias' (www.facebook.com).
    I also created two more rules to allow my LAN to reach Google DNS, 8.8.8.8 & 8.8.4.4.

    Well, my task is completed. All web access is blocked except Facebook.

    But when I open the Facebook page, the videos in Facebook try to load but finally do not load at all, showing a running circle continuously.

    And this problem is in all browsers I have (4 browsers tested).

    But when I revert my changes to the default allow rule, everything is fine again with total web access (which I do not want).

    I had faced this same problem in ISA, due to which I switched to pfSense.

    Please help to fix this problem.

    Note: After installation of pfSense I deleted the default IPv6 rule, which I think was on the WAN interface.



  • Doesn't Facebook have more addresses than just the www.facebook.com one? You would need them all to get everything from Facebook in this case.



  • ...and hundreds of external resources referenced, including geographically balanced and cloudflared resources.

    Your best hope is Snort/AppID -> Facebook, but externally linked resources (like a YouTube video in the stream) are not going to be displayed then.

    The road to hell is paved with good intentions.



  • But I have heard that Facebook has its own video server... isn't it? If that is the case, what is its address, so I can add this server as well to get my desired result...



  • I guess your understanding of how to build a network like this is ...somewhat lacking. There is no "one server" even as a concept here. The video was just an example of one of hundreds of things that will fail.

    But good luck, you're going to need it.

    This is an unverified list that is 6 months old. It was surely not complete and has surely changed and will surely change, and I can assure you, FB is not posting updates on how they change and update their infra. And most of it is a dynamic content delivery network based on load anyway.

    So have fun. Oh, the IPs are not resolved here, so I leave it for you as an exercise to create a script for that if needed.

    https://qz.com/1234502/how-to-block-facebook-all-the-urls-you-need-to-block-to-actually-stop-using-facebook/

    (The list as it stands here has 895 domain-names for those of you who don't want to open it).


  • Netgate Administrator

    You could also try creating an alias using their AS number as shown here:
    https://www.netgate.com/docs/pfsense/firewall/blocking-websites.html#blocking-facebook

    You can use pfBlocker to automatically update an AS alias in recent versions.

    It still probably won't include everything though.

    Steve



  • @stephenw10

    Can you tell me the protocol used by FB & YouTube & what ports need to be open to watch FB or YouTube videos?



  • @mudassar said in Facebook videos not loading after blocking all web access except facebook:

    @stephenw10

    Can you tell me the protocol used by FB & YouTube & what ports need to be open to watch FB or YouTube videos?

    @mudassar
    The protocol and ports used are not your real issue. You are trying to fight what is basically a losing battle. Social media sites and places like Netflix and YouTube have thousands of servers scattered around the world to send content to users. There is no single IP address you can open up (or block) for Facebook or any other such social media site. In fact, if you do a manual DNS lookup on something like www.facebook.com, you will potentially get multiple IP addresses returned, and if you do that many days in a row, and several times each day, you will see that list of IP addresses forever changing. You just need to wait long enough for any DNS caching to have been flushed out on your end. These sites all use Content Distribution Networks (CDNs) that consist of those thousands of servers I mentioned scattered around the world on a multitude of different IP networks.

    Your problem with the video not working is that a given Facebook page's HTML text content might come from one of those thousands of servers while the video content might come from another or even several other servers on totally different IP subnets. This is why blocking Facebook is so hard; and as you are seeing, it makes it hard to even whitelist Facebook. You don't know all the required IP addresses, and they change frequently anyway. So trying to craft firewall rules for this is pointless (or at the very least an exercise fraught with extreme frustration).

    Edit: I also have to ask -- why do you want to allow just Facebook and block everything else? Most network admins actually want to do the opposite of that...😉 .
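The behaviour described in this reply (page HTML allowed, video served from another subnet blocked) and Steve's AS-prefix alias suggestion above, modelled as an added example; this is not code from the thread or from pfSense. It assumes top-down first-match rule evaluation and uses constructed documentation-range addresses, not real Facebook or CDN prefixes.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data using RFC 5737 documentation ranges; NOT real Facebook addresses.
DNS_SNAPSHOT = {"www.facebook.com": ["203.0.113.10", "203.0.113.11"]}
FLOWS = {                                       # name: (destination IP, destination port)
    "dns lookup":        ("8.8.8.8", 53),
    "page html":         ("203.0.113.10", 443),
    "video chunk (cdn)": ("198.51.100.20", 443),  # same operator, different subnet
    "embedded yt video": ("192.0.2.30", 443),     # third-party resource on the page
}
ANY = [ip_network("0.0.0.0/0")]

def expand_alias(entries, dns=DNS_SNAPSHOT):
    """A pfSense alias can hold hostnames (resolved periodically) or IPs/CIDR prefixes."""
    nets = []
    for e in entries:
        nets += [ip_network(ip) for ip in dns[e]] if e in dns else [ip_network(e)]
    return nets

def evaluate(rules, flows=FLOWS):
    """Walk the rules top-down, first match wins (pfSense interface rules are 'quick');
    a flow that matches nothing hits the implicit default deny."""
    verdicts = {}
    for name, (dst, port) in flows.items():
        verdicts[name] = "block"
        for action, nets, ports in rules:
            if any(ip_address(dst) in n for n in nets) and (ports is None or port in ports):
                verdicts[name] = action
                break
    return verdicts

def hostname_alias_ruleset():
    """The poster's setup: allow the www.facebook.com alias and Google DNS, block the rest."""
    return [
        ("pass", expand_alias(["8.8.8.8", "8.8.4.4"]), [53]),
        ("pass", expand_alias(["www.facebook.com"]), None),
        ("block", ANY, None),
    ]

def as_prefix_alias_ruleset():
    """Steve's suggestion: an alias of the operator's announced prefixes (constructed here)."""
    return [
        ("pass", expand_alias(["8.8.8.8", "8.8.4.4"]), [53]),
        ("pass", expand_alias(["203.0.113.0/24", "198.51.100.0/24"]), None),
        ("block", ANY, None),
    ]

if __name__ == "__main__":
    for label, rules in (("hostname alias", hostname_alias_ruleset()),
                         ("AS prefix alias", as_prefix_alias_ruleset())):
        print(label, evaluate(rules))
```

With the hostname alias the HTML flow passes while the video chunk and the embedded third-party video are both blocked; the prefix alias recovers the operator's own CDN subnet but, as Steve notes, still not everything.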



  • He doesn't want to hear the facts nor listen to the guidance we are trying to put forward. He does not want an answer to a complex question. He wants an answer to a simple question.

    The answer to the latter is: https and 443.