Youtube Blocking in pfblocker via IP
-
@SteveITS
I need to block website with specific device only. I can't use domain overrides because it's blocking all devices.
-
@antgalla I have excellent news for you. :) In DNS Resolver settings try:
-
@SteveITS
Niceee, I will try it later! Can I put alias instead of IP?
-
@antgalla said in Youtube Blocking in pfblocker via IP:
@SteveITS
Niceee, I will try it later! Can I put alias instead of IP?
It's raw unbound config so I doubt it knows about pfSense aliases.
-
@antgalla said in Youtube Blocking in pfblocker via IP:
Can I put alias instead of IP?
Alias ?
Recall : aliases can't be used by a firewall rule, they have to be resolved first. Aliases are by default re-resolved every 5 minutes.
You still have to put in the host overrides in the DNS config, what @SteveITS showed is a good method, so it points to a non usable IP like 127.0.0.2.
If you don't put the host overrides in place, you'll get back the 'real' IPs - the ones that can change every 300 seconds.
300 seconds ? yes : check for yourself : that list changes all the time !
More details :
[25.03-BETA][root@pfSense.bhf.tld]/root: dig www.youtube.com
.....
;; QUESTION SECTION:
;www.youtube.com. IN A
;; ANSWER SECTION:
www.youtube.com. 237 IN CNAME youtube-ui.l.google.com.
youtube-ui.l.google.com. 237 IN A 172.217.20.206
youtube-ui.l.google.com. 237 IN A 216.58.215.46
youtube-ui.l.google.com. 237 IN A 216.58.213.78
youtube-ui.l.google.com. 237 IN A 142.250.179.78
youtube-ui.l.google.com. 237 IN A 142.250.179.110
youtube-ui.l.google.com. 237 IN A 142.250.178.142
youtube-ui.l.google.com. 237 IN A 142.250.201.174
youtube-ui.l.google.com. 237 IN A 172.217.18.206
youtube-ui.l.google.com. 237 IN A 216.58.214.78
youtube-ui.l.google.com. 237 IN A 142.250.74.238
youtube-ui.l.google.com. 237 IN A 142.250.75.238
youtube-ui.l.google.com. 237 IN A 216.58.214.174
youtube-ui.l.google.com. 237 IN A 172.217.20.174
....
so 237 seconds left before the list changes ...
So chances exist that the firewall, your rule, blocks IPs that aren't used anymore, and new ones will pop up, the ones you don't block (yet) .... to be taken into account 300 seconds later, (and around we go) .... etc ...
Anyway, try things out for yourself.
-
@SteveITS
Appreciate your response on this matter.
But the main problem here is still included our ISP when I'm blocking the youtube or netflix via Pfblocker IP. I do your suggestion to edit the /var/db/aliastables/Netflix or YT comment out the ISP, it works but when I reload the pfblockerNg IP the problem returns.
-
@antgalla said in Youtube Blocking in pfblocker via IP:
But the main problem here is still included our ISP when I'm blocking the youtube or netflix via Pfblocker IP.
I do your suggestion to edit the /var/db/aliastables/Netflix or YT comment out the ISP, it works but when I reload the pfblockerNg IP the problem returns.
pfBlockerng creates these files with the info you (?)'ve entered in the pfBlockerng GUI.
Can you show with image how you've set up these 'YT' and 'Netflix' IP lists so I can reproduce this ?
-
@antgalla said in Youtube Blocking in pfblocker via IP:
But the main problem here is still included our ISP when I'm blocking the youtube or netflix
You can easily whitelist particular IP addresses such as a range within that used by your ISP. Create an alias containing the whitelist and add a rule to allow these addresses which is evaluated prior to the pfblocker rule.
If your ISP sources netflix/youtube data you will need to ensure the white list does not include the addresses your ISP uses for that.
@Gertjan said in Youtube Blocking in pfblocker via IP:
the 'real' IPs - the ones that can change every 300 seconds.
I agree data scraping by the very big USA companies is annoying.
For devices using pfsense DNS, adding host over-rides / DNS blocking is an excellent idea.
Where that does not achieve the desired results IP blocking could still be used, however doing so requires an IP alias which supports persistence (old IP addresses kept in the alias for a configurable time). Doing so exploits the fact google/facebook/amazon can change where new lookups will go, but they have to keep all old addresses active till all normal user applications stop using them (otherwise their application randomly stops working for normal users). By far the majority of relevant transmissions would then be caught as pfsense could then be configured to update the alias more often than most user devices' DNS updates.
Unfortunately pfsense has not yet added this alias option. Doing so would require maintaining an IP list with last DNS lookup time, then deleting only those past the expiry time.
-
-
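The persistent alias described in the post above (each address stored with its last DNS lookup time, only those past the expiry time deleted), as an added example. It is not pfSense or pfBlockerNG code; `PersistentAlias`, `resolve_a`, the 600-second hold time and the `video.example` name are assumptions, and the sample answers are constructed.

```python
import socket
import time

def resolve_a(hostname):
    """Current IPv4 addresses for hostname, via the system resolver."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

class PersistentAlias:
    """Keeps every address for hold_seconds after the last lookup that returned it."""

    def __init__(self, hostnames, hold_seconds, resolver=resolve_a):
        self.hostnames = list(hostnames)
        self.hold = hold_seconds
        self.resolver = resolver
        self.last_seen = {}  # ip -> time of the last lookup that returned it

    def refresh(self, now=None):
        """Run one lookup round, then drop only the entries past the hold time."""
        now = time.time() if now is None else now
        for name in self.hostnames:
            try:
                answers = self.resolver(name)
            except OSError:
                continue  # failed lookup: keep old entries instead of emptying the alias
            for ip in answers:
                self.last_seen[ip] = now
        for ip in [ip for ip, seen in self.last_seen.items() if now - seen > self.hold]:
            del self.last_seen[ip]
        return sorted(self.last_seen)

def demo():
    """Constructed rotation: three lookup rounds using documentation-range addresses."""
    rounds = iter([{"192.0.2.10", "192.0.2.11"},
                   {"192.0.2.11", "192.0.2.12"},
                   {"192.0.2.12"}])
    alias = PersistentAlias(["video.example"], hold_seconds=600,
                            resolver=lambda name: next(rounds))
    # Lookups at t=0, t=300 and t=900 seconds.
    return [alias.refresh(now=t) for t in (0, 300, 900)]

if __name__ == "__main__":
    for table in demo():
        print(table)
```

In the constructed run, 192.0.2.10 stays in the list at t=300 even though DNS no longer returns it, and is dropped only at t=900 once it is older than the hold time.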
@Gertjan
please see imgs below. As you can see in the second img there is no ISP IP(..113.67) included.
-
Above, I thought the YT (Youtube) list introduced your WAN IP.
Now it's the Netflix list ?
Btw :
I'm not sure what this tells me : you get a list with IPv4 to block from netflix itself (
) (and as soon as it is blocked, how could pfBlocker resolve and access https://www.netflix.com/... to get an update of this list ?)
I've an idea :
Knowing that pfBlockerng doesn't do anything when you've installed it.
Knowing that your WAN IP isn't part of any list that you've not created yourself,
I really presume you didn't add manually your WAN IP 'somewhere' in a file yourself to be used by pfSense.
Get a backup (export) of the config of pfSense, open it with a text editor (Notepad++) and look where your WAN IP is mentioned - in a pfBlockerng section. That will give you the place in what part of the GUI it has been set.