Blocking Youtube with firewall rules
-
Hi Community Users,
My children have Google Nest Hub 2 devices. I would like to block watching youtube videos with firewall rules, but so that youtube music works. I already have a pre-generated schedule and I would like to activate it for these time intervals. How can I do this? Does anyone have an idea? Unfortunately, I added the known web addresses to an alias and set a block, but for some reason they did not work. My old Asus router had an option to completely block streaming services, and it worked fine then.
Thanks in advance for your help!
-
You really cannot do this because pfSense is not an application layer firewall. And you would still need to set up and configure MITM on all your devices to make it work correctly even if pfSense could reliably perform app layer filtering.
YouTube, Facebook, and all the other social media sites use huge IP networks called CDNs (content delivery networks) with dozens if not even hundreds of IP addresses scattered around the world. Those addresses can also change quite often based on geographic conditions.
And YouTube will use the same block of addresses for both videos and music, so even if you successfully blocked an IP address that might temporarily be used for video distribution to your geographic location, that same IP address would also be where your YouTube music would likely be coming from and so it would be blocked as well. Then 5 minutes later the CDN rearranges itself for your geographic location and the IP subnet changes and suddenly nothing is being blocked because the IP addresses changed.
It's a continual game of whack-a-mole because nearly all web traffic today occurs over encrypted connections on port 443 (the HTTPS port). Your firewall cannot tell what traffic is flowing over the port (443 in this case) because it is all encrypted. That means the firewall has no way to differentiate music from video from Office documents from malware. All it sees are random bits flowing across an interface with source and destination IP addresses and ports in the packets. It has no clue what the packets contain in terms of data.
There are firewalls available for big money that can do this provided you implement their proprietary MITM (man-in-the-middle) solutions. Think Palo Alto, Cisco, and others. Also be prepared to spend thousands and even tens of thousands of dollars per year for the license and the privilege of using their technology. Don't expect that level of performance from free open source software, though.
There are some third-party packages for pfSense that can help with filtering content at a higher level, but not down to the granular level you specified. For example, you can use pfBlockerNG with DNSBL to block all of the YouTube ASN IP ranges. Ditto for Facebook or porn sites, etc. But you can't block YouTube videos while simultaneously allowing YouTube music because those two services will come to you via the same ASN IP ranges.
-
@bmeeks said in Blocking Youtube with firewall rules:
pfBlockerNG
First of all, thank you for this detailed explanation, it's completely understandable. I still have a question: if I don't deal with the separation, but only with the "youtube" blocking itself, is it possible to schedule the blocking somehow using pfBlockerNG? Do I block it during the week and allow it on the weekend? Or can this only be solved manually in pfBlockerNG?
-
@nbk333 said in Blocking Youtube with firewall rules:
@bmeeks said in Blocking Youtube with firewall rules:
pfBlockerNG
First of all, thank you for this detailed explanation, it's completely understandable. I still have a question: if I don't deal with the separation, but only with the "youtube" blocking itself, is it possible to schedule the blocking somehow using pfBlockerNG? Do I block it during the week and allow it on the weekend? Or can this only be solved manually in pfBlockerNG?
Yes, you can schedule when particular firewall rules are active. See the official documentation here: https://docs.netgate.com/pfsense/en/latest/firewall/time-based-rules.html.
Where a tool such as pfBlockerNG comes in handy is that it can be configured to automatically populate and then keep updated firewall aliases containing the ASN IP ranges of chosen networks (controlled by the lists you download and enable within pfBlockerNG itself). You then create your own firewall rules using the alias or aliases you configured pfBlockerNG to maintain. Then after creating your rules containing the pfBlockerNG aliases, place the rules on a schedule.
One last unsolicited piece of advice -- do not depend on technology to "be the parent". There are simple and fail-safe ways to control device time for children that do not involve any technology at all.
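As an added illustration of the approach bmeeks describes (an alias of IP ranges kept up to date by pfBlockerNG, a block rule referencing that alias, and a schedule attached to the rule), the following script is not from the thread or from pfSense/pfBlockerNG; it is a small simulation of what such a rule actually evaluates for each packet. The CIDR ranges are RFC 5737 documentation prefixes standing in for whatever ranges the alias would contain, and the schedule (weekday evenings) is a constructed example. The point it makes concrete is the one in the replies above: the decision depends only on destination address and time of day, so two flows to the same CDN range get the same verdict regardless of whether they carry video or music.

```python
"""
Simulation of a pfSense-style time-based block rule over an IP alias.

Constructed example: the prefixes below are RFC 5737 documentation ranges,
not real YouTube or CDN addresses, and the schedule is invented.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Placeholder for the alias pfBlockerNG would populate from ASN lists.
STREAMING_ALIAS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]

# Schedule: weekday index (0 = Monday) -> list of (start_hour, end_hour)
# during which the rule is active. Constructed: 16:00-21:00 Mon-Fri only.
BLOCK_SCHEDULE = {
    0: [(16, 21)], 1: [(16, 21)], 2: [(16, 21)], 3: [(16, 21)], 4: [(16, 21)],
    5: [], 6: [],
}


def in_alias(dst, alias=STREAMING_ALIAS):
    """True if the destination address falls inside any prefix of the alias."""
    addr = ip_address(dst)
    return any(addr in net for net in alias)


def schedule_active(when, schedule=BLOCK_SCHEDULE):
    """True if the timestamp falls inside one of the schedule's windows."""
    for start, end in schedule.get(when.weekday(), []):
        if start <= when.hour < end:
            return True
    return False


def rule_blocks(dst, when):
    """A packet is dropped only if the alias matches AND the schedule is active.
    Nothing about the application (video vs music) is consulted: a stateful
    packet filter only sees addresses and ports, not the TLS payload."""
    return in_alias(dst) and schedule_active(when)


def evaluate(flows):
    """flows: iterable of (label, dst_ip, datetime). Returns label -> verdict."""
    return {label: ("block" if rule_blocks(dst, when) else "pass")
            for label, dst, when in flows}


# Constructed sample flows: 2024-03-05 is a Tuesday, 2024-03-09 a Saturday.
WEEKDAY_EVENING = datetime(2024, 3, 5, 18, 30)
SATURDAY_EVENING = datetime(2024, 3, 9, 18, 30)
SAMPLE_FLOWS = [
    ("video on weekday", "203.0.113.10", WEEKDAY_EVENING),
    ("music on weekday (same CDN range)", "203.0.113.11", WEEKDAY_EVENING),
    ("video on saturday", "203.0.113.10", SATURDAY_EVENING),
    ("unrelated site on weekday", "192.0.2.5", WEEKDAY_EVENING),
]

if __name__ == "__main__":
    for label, verdict in evaluate(SAMPLE_FLOWS).items():
        print(f"{label}: {verdict}")
```

Running it prints a block verdict for both the "video" and the "music" flow on the weekday, a pass for the same destination on Saturday, and a pass for the address outside the alias, which is exactly the behaviour a scheduled rule on a pfBlockerNG-maintained alias gives you: effective as a time-of-day block for the whole set of ranges, but with no way to carve one service out of another.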