How to block YouTube in PFSense



  • Hi,

    I'd like to ask for some help from you guys on how to block YouTube using pfSense. I tried to use an alias and put in all the IPs of YouTube (I think more or less 20 IPs), then created a rule on LAN pointing to my Block youtube alias, but it didn't work. Any suggestions, please? Thanks in advance.



  • Maybe you want a web filter app such as SquidGuard together with Squid.
    Check: https://doc.pfsense.org/index.php/SquidGuard_package

    Another solution is to use OpenDNS DNS, register for a free account, update your IP via DNSOMATIC, use their Web Content Filtering feature.
    Check: http://www.opendns.com/home-internet-security/

    Depends on your needs. For a basic home user the second one is preferred.



  • @jonfil0130:

    Hi,

    I'd like to ask for some help from you guys on how to block YouTube using pfSense. I tried to use an alias and put in all the IPs of YouTube (I think more or less 20 IPs), then created a rule on LAN pointing to my Block youtube alias, but it didn't work. Any suggestions, please? Thanks in advance.

    If you set up the rule correctly, that should work…

    Another option is to put a DNS override in (on the DNS page)... just resolve youtube.com to some bogus address.



  • Hi All,

    If I block YouTube, the Google page is also not loading. So please help me. How to block YouTube and Facebook?

    Thanks,
    Giridhar


  • No, you do not block YT with firewall rules. Not without causing loads of collateral damage.



  • How to block YouTube and Facebook

    With a URL filter like Squid/squidGuard, or DansGuardian, or the upcoming E2Guardian.



  • Except YouTube access is https and it is a little hard to block with Squid…

    Facebook you can block in firewall - pfblocker:

    http://bgp.he.net/search?search[search]=facebook&commit=Search
    


  • Except YouTube access is https and it is a little hard to block with Squid…

    Since when? Squid has no problem with HTTPS if you configure it properly, e.g. in explicit mode with WPAD instead of transparent mode.



  • @jonfil0130:

    Hi,

    I'd like to ask for some help from you guys on how to block YouTube using pfSense. I tried to use an alias and put in all the IPs of YouTube (I think more or less 20 IPs), then created a rule on LAN pointing to my Block youtube alias, but it didn't work. Any suggestions, please? Thanks in advance.

    Hi!

    I'm able to block YouTube with pfSense and OpenDNS's help, so if it's okay for you to use OpenDNS alongside your pfSense… your problem is solved.

    I can share here the link of the guide if needed



  • I can share here the link of the guide if needed

    Would be nice to hear from you.



  • here https://www.youtube.com/watch?v=lZ6sEWRmvz4 If you guys have a better solution, you can share it too… Thanks



  • Hi,

    Is there any option to block YouTube and Facebook (HTTPS sites) without OpenDNS and third-party applications, with only the pfSense device?

    We are not supposed to use third-party applications…

    Also, is there an option for keyword blocking?

    Thanks,
    Giridhar Daida.


  • @giridhar.daida: Helps to read the thread before posting.



  • Block external DNS and set DNS to resolve youtube.com to 127.0.0.1

    Keyword blocking can't be done without a proxy. pfSense is not a proxy, so you need 3rd-party software.



  • @Harvy66:

    … resolve youtube.com to 127.0.0.1

    Then users start using yt.ca  .fr  .de  .co.uk  … you get the picture.
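
    The DNS override from the two posts above, as an added example that is not part of either post: it builds Unbound `redirect` zones for the pfSense DNS Resolver custom options and checks which hostnames the override actually covers. `youtube.com` and `127.0.0.1` come from the thread; the other zone names and the sample hostnames are constructed for the illustration.

```python
# Zones to override. youtube.com is from the thread; the other two are
# sample values added for this example.
BLOCKED_ZONES = ["youtube.com", "youtu.be", "googlevideo.com"]
SINK = "127.0.0.1"  # sink address used in the thread

# Constructed hostnames, standing in for names seen in a resolver query log.
SAMPLE_NAMES = ["www.youtube.com", "m.youtube.com", "youtube.de",
                "notyoutube.com", "www.youtube-nocookie.com"]


def unbound_options(zones, sink=SINK):
    """Build Unbound 'redirect' zones: the zone and every name under it
    answer with the sink address."""
    lines = ["server:"]
    for zone in zones:
        lines.append(f'local-zone: "{zone}" redirect')
        lines.append(f'local-data: "{zone} A {sink}"')
    return "\n".join(lines)


def covered_by(name, zones):
    """Return the zone that overrides `name`, or None if it still resolves
    normally. Matching is on whole DNS labels, not on substrings."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def audit(names, zones):
    """Map each hostname to the zone that covers it (None = not covered)."""
    return {name: covered_by(name, zones) for name in names}


if __name__ == "__main__":
    print(unbound_options(BLOCKED_ZONES))
    for name, zone in audit(SAMPLE_NAMES, BLOCKED_ZONES).items():
        print(f"{name:28} {'redirected by ' + zone if zone else 'NOT covered'}")
```

    The override only holds for clients that query this resolver, which is why the first post pairs it with blocking external DNS.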



  • You can block any site using the blacklist in the proxy server.

    Path: Services > Proxy server > ACLs > Blacklist

    Enter the website name in the blacklist; then no one will have access to that particular site.



  • @jahonix:

    @Harvy66:

    … resolve youtube.com to 127.0.0.1

    Then users start using yt.ca  .fr  .de  .co.uk  … you get the picture.

    If I go to any of those, it redirects me to youtube.com

    This is the .de version's URL
    https://www.youtube.com/?hl=de&gl=DE



  • Here is another method, using new features in pfsense's dns resolver unbound

    https://forum.pfsense.org/index.php?topic=131833.msg725378#msg725378



  • First of all, thanks to pfSense!
    It's just perfect. Right now we have a pfSense box handing out DHCP to 15 UniFi routers for our company! We just block Facebook & YouTube (Android app + iOS app)!
    I use pfSense 2.2.6-RELEASE (amd64) (I am not sure about other newer versions).

    1 - Firewall > Rules > (the interface you want to block)

    2 - Create a rule to allow the interface to talk to DNS:
        (for those who don't know how to create it:
                  action = pass
                  TCP/IP Version = IPv4
                  Protocol = tcp/udp
                  Source = Staff net {My interface name: Staff, you have your own}
                  Destination = Staff Address
                  Destination port = DNS 53
                  Check => Log packets that are handled by this rule)

    3 - Create a rule for Managers going anywhere:
        (for those who don't know how to do it:
            => Firewall > Aliases > add new alias:
                  Name = Managers
                  Hosts > Add new entry > 10.11.11.253              <= My Staff net = 10.11.11.0/24, and not surprisingly IP 253 is mine
            => Firewall > Rule:
                  action = pass
                  TCP/IP Version = IPv4
                  Protocol = tcp/udp
                  Source = Alias: Managers
                  Destination = Any
                  Destination port = Any
                  Check => Log packets that are handled by this rule)

    4 - Create a rule for blocking Facebook:
            => Firewall > Aliases > add new alias:
                  Name = facebookApp
                  Hosts > Bulk import from Aliases list > facebookApp.txt                    <= File in the attachment
            => Firewall > Rule:
                  action = block
                  TCP/IP Version = IPv4
                  Protocol = tcp/udp
                  Source = Staff net
                  Destination = Alias: facebookApp
                  Destination port = Any
                  Check => Log packets that are handled by this rule

    5 - Create a rule for staff accessing allowed websites

    6 - Create a rule for Managers accessing Google:                          <= this is how the YouTube app got blocked

        My company does not allow Google Search for users; that's why the Managers group is the target.
            => Firewall > Traffic Shaper > Layer7 > Create new l7 rules group
                  Check = Enable/Disable layer7 Container
                  Name = youtubeBlock
                  Add entry = httpvideo > action = block
            => Firewall > Aliases > add new alias:
                  Name = googleApp
                  Hosts > Bulk import from Aliases list > googleApp.txt                    <= File in the attachment
            => Firewall > Rule:
                  action = block
                  TCP/IP Version = IPv4
                  Protocol = tcp/udp
                  Source = Alias: Managers
                  Destination = Alias: googleApp
                  Destination port = Any
                  Check => Log packets that are handled by this rule
                  Advanced features = Layer7: youtubeBlock

    7 - Create a rule to deny anything:
            => Firewall > Rule:
                  action = block
                  TCP/IP Version = IPv4
                  Protocol = tcp/udp
                  Source = any
                  Destination = any
                  Destination port = Any
                  Check => Log packets that are handled by this rule

    8 - Test it on Android and iOS

    Good luck blocking youtube app @@

    facebookApp.txt
    googleApp.txt
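
    A check on the rule set described in the post above, as an added example that is not part of the original post: pfSense evaluates interface rules top-down and the first match wins, so the script models the rules in the order the steps list them (an assumption) and reports which rule decides a packet and which rules are fully covered by an earlier one. The alias contents for facebookApp and googleApp and the Staff address are constructed placeholders, step 5 is left out because the post gives no details for it, and the Layer7 container is not modelled.

```python
import ipaddress as ip

# Constructed stand-ins: the real alias contents are in the post's attachments.
ALIASES = {
    "Staff net": ["10.11.11.0/24"],       # from the post
    "Managers": ["10.11.11.253/32"],      # from the post
    "Staff address": ["10.11.11.1/32"],   # assumed firewall address on Staff
    "facebookApp": ["198.51.100.0/24"],   # placeholder (documentation range)
    "googleApp": ["203.0.113.0/24"],      # placeholder (documentation range)
    "any": ["0.0.0.0/0"],
}
# (label, action, source alias, destination alias, destination port or None = any)
RULES = [
    ("2 allow DNS", "pass", "Staff net", "Staff address", 53),
    ("3 managers anywhere", "pass", "Managers", "any", None),
    ("4 block facebook", "block", "Staff net", "facebookApp", None),
    ("6 block google for managers", "block", "Managers", "googleApp", None),
    ("7 deny anything", "block", "any", "any", None),
]

def nets(alias):
    return [ip.ip_network(n) for n in ALIASES[alias]]

def in_alias(addr, alias):
    return any(ip.ip_address(addr) in n for n in nets(alias))

def first_match(src, dst, port):
    """Return (label, action) of the first rule that matches the packet."""
    for label, action, s, d, p in RULES:
        if in_alias(src, s) and in_alias(dst, d) and p in (None, port):
            return label, action
    return "default deny", "block"

def covers(outer, inner):
    """True if every network in alias `inner` lies inside a network of `outer`."""
    return all(any(i.subnet_of(o) for o in nets(outer)) for i in nets(inner))

def shadowed():
    """Labels of rules fully covered by an earlier rule, so they never match."""
    out = []
    for idx, (label, _, s, d, p) in enumerate(RULES):
        for _, _, es, ed, ep in RULES[:idx]:
            if covers(es, s) and covers(ed, d) and ep in (None, p):
                out.append(label)
                break
    return out

if __name__ == "__main__":
    print(first_match("10.11.11.253", "203.0.113.10", 443), shadowed())
```

    A rule reported by `shadowed()` only takes effect if it is moved above the rule that covers it.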



  • Blocking "youtube" - or any other big organization, just watch http://www.wikihow.com/Access-YouTube-at-School to see the start of what might be an answer.

    Blocking DNS requests won't stand long, as any user can list all the "yahoo" domain names in his own hosts file.

    edit : I didn't try what @ajchhai proposed - I saw his reply after posting …



  • I am going the DNS route. For now, the kids won't be able to change the dns server on their device… yet.

    Thanks for the suggestions though.