Layer7 - Shaping youtube videos.



  • Hi everybody.
    I think I got youtube videos shaped.  Youtube uses swf to deliver videos.  From this I created a filter (/usr/local/share/protocols/swf.pat) with the following content:

    
    swf
    swf\x21\x1a\x07
    
    

    I then created a Limiter called "limited":

    I then added a Layer 7 Container called utube:

    I then created a floating rule (for everything) and put the "utube" Layer7 option in.

    This seems to limit youtube videos.

    IS THE ABOVE CORRECT???

    cyber7-out





  • I think it will limit bandwidth on all websites where SWF is used.
    Unless you choose this rule for specific hosts only, for example: youtube.com
    But it has multiple IP addresses.
    Use http://www.kloth.net/services/dig.php to locate them - record A.



  • Hi TooMeek
    Thank you for the answer, BUT google bought youtube, which means when you block youtube, you in effect block google!

    Test: Do a dig on youtube.com, use the (any of them) IPs in your browser and you get to… GOOGLE!!!  ->  This is such a f-up!!!  No effective way of shaping youtube without having an effect on google...

    <very p!ssed-off!>cyber7-out</very>



  • @TooMeeK:

    I think it will limit bandwidth on all websites where SWF is used.
    Unless you choose this rule for specific hosts only, for example: youtube.com
    But it has multiple IP addresses.
    Use http://www.kloth.net/services/dig.php to locate them - record A.

    Also keep in mind that some ISPs cache video content called CDN (content delivery network) but credit to you cyber7 well done!  :P

    http://support.google.com/youtube/bin/answer.py?hl=en&answer=1722171



  • The only alternative I can think of to shape youtube videos effectively would be with a combination of Squid and setting ToS on the matching traffic. Then use that in a matching FW rule (untested).



  • According to squid reports, videos from youtube are streamed from hosts named *.c.youtube.com.  Is it possible to create a wildcard alias, which then traps all these hostnames, and then can be used to create a firewall rule to redirect to a L7 limiter?

    Or another way to do this?
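
Added example, not part of the original thread: a way to measure from squid's native access.log how much traffic goes to hosts under *.c.youtube.com, the hostname pattern reported in the post above, before deciding whether a hostname-based rule is worth building. The log lines, hostnames and byte counts are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict
from urllib.parse import urlsplit

VIDEO_SUFFIX = ".c.youtube.com"  # hostname pattern reported in the post above

# Constructed sample lines in squid's native access.log format (not real traffic):
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1340000000.101 5321 192.168.1.10 TCP_MISS/200 8421337 GET http://r3.lax01.c.youtube.com/videoplayback?id=x - DIRECT/203.0.113.10 video/x-flv
1340000001.202 120 192.168.1.10 TCP_MISS/200 15230 GET http://www.youtube.com/watch?v=x - DIRECT/203.0.113.20 text/html
1340000002.303 9100 192.168.1.11 TCP_MISS/200 2000000 CONNECT r7.lax01.c.youtube.com:443 - DIRECT/203.0.113.11 -
1340000003.404 800 192.168.1.12 TCP_MISS/200 500000 GET http://training.example.com/lesson1.mp4 - DIRECT/198.51.100.5 video/mp4
1340000004.505 60 192.168.1.12 TCP_MISS/200 4000 GET http://notc.youtube.com.example.net/x - DIRECT/198.51.100.6 text/html
1340000005.606 700 192.168.1.10 TCP_MISS/200 1000000 GET http://r3.lax01.c.youtube.com/videoplayback?id=y - DIRECT/203.0.113.10 video/x-flv
"""

def host_of(method, url):
    """Return the lowercase hostname a request was sent to."""
    if method == "CONNECT":  # HTTPS through an explicit proxy: URL field is host:port
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def tally(log_text, suffix=VIDEO_SUFFIX):
    """Sum bytes per host whose name ends with suffix; return (per_host, other_bytes)."""
    per_host, other = defaultdict(int), 0
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[4].isdigit():
            continue  # skip malformed or truncated lines
        size, method, url = int(f[4]), f[5], f[6]
        host = host_of(method, url)
        # The leading dot in the suffix keeps look-alike names from matching.
        if host.endswith(suffix):
            per_host[host] += size
        else:
            other += size
    return dict(per_host), other

if __name__ == "__main__":
    hosts, other = tally(SAMPLE_LOG)
    for name, size in sorted(hosts.items(), key=lambda kv: -kv[1]):
        print(f"{size:>10}  {name}")
    print(f"{other:>10}  (everything else)")
```

The online training video and the look-alike hostname both land in "everything else", and the CONNECT line shows that for HTTPS only the hostname is visible to squid.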



  • This is futile for many reasons. YouTube already streams only at the required bit rate and no longer buffers the whole video.



  • @KurianOfBorg:

    This is futile for many reasons. YouTube already streams only at the required bit rate and no longer buffers the whole video.

    So is there no way to limit such video streams at all in pfsense, short of blocking the stream completely?



  • There is no way to properly tag which connections are YouTube streams in pfSense. Only ISP grade stuff like Sandvine can do this. They use a multitude of analysis methods including DNS, reverse DNS, protocol inspection, pre-probing SSL connections to identify the end point, etc. All of them work together to classify traffic for the firewall.

    This level of integration is simply not present in non-commercial products.


  • As for the originally posted method… Ever heard of http://www.youtube.com/html5?  :P



  • I thought pfsense's L7 filter could recognise/tag streaming_video, then I'd "just" have to overlay with something to distinguish between youtube and other sources (or alternatively, explicitly whitelist authorised sources, and non-authorised fall into a throttled rule).

    But both of you (KurianofBorg and doctornotor) don't believe this can be done in pfsense?  Then the alternative/only solution, to use ISP grade equipment, is like… super expensive!



  • It can be done (inefficiently) but you're wasting your time with methods that are fundamentally flawed. There are so many things to consider such as what happens when a user seeks in a video, changes resolution etc. Different resolutions use different formats. The older low resolution videos may match an SWF filter but the newer ones won't; they're WebM and MP4. Then they're all transferred over HTTP and even HTTPS for some YouTube SSL videos.

    It's better to just use an HFSC queue and allow all connections 10 or 20 second bursts at full speed and then throttle.



  • I understand about the HFSC queue and the traffic shaper, but this means it'll be quite a blunt instrument (i.e. will affect all traffic falling into that queue, with no way to specify that I just want youtube videos to fall into that queue, rather than video from some online training site)  :(



  • Guys I found this link with a good pattern for youtube:

    http://svn.dd-wrt.com/ticket/2801#no1

    I tested on PFsense 2.1 and it works on HTTP. I am posting hoping to get any help to filter HTTPS connections as well.

    youtube-2012.txt



  • Thanks.
    How can I add the youtube pattern to pfsense?