Restricts and Limiting Video Streaming with Mikrotik

If you have a proxy server, you can restrict video streaming access using access control list or using contents filtering program such as squidGuard, DansGuardian, etc. But there are many websites with embedded video that has not been filtered yet. Mikrotik can help you overcome this problem and restrict access to embedded streaming video with ease.

  • Restrict bandwidth usage for embedded video streaming

You can use the following script to limit bandwidth usage for sites that embedding video streaming such YouTube, Metacafe, Tube8, etc. I’m personally already tested this script and works fine.

The scenario is using mikrotik built-in Layer7 Protocol to detects embedded video streaming on any websites, marking the data packets, then defining bandwidth limit using Simple Queue rule.

First, add a video content filter at Layer7 protocol:

/ip firewall layer7-protocol add name=http-video regexp="http/(0.9|1.0|1.1)[x09-x0d ][1-5][0-9][0-9][x09-x0d -~]*(content-type: video)"

Second, marking data packets using firewall mangle:

/ip firewall mangle add action=mark-packet chain=prerouting comment="http-video mark-packet" disabled=no layer7-protocol=http-video new-packet-mark=http-video passthrough=no

Then finally, add new rule in simple queue to limit bandwidth usage for http-video packets (in this example, download for embedded video streaming was capped at 64kbps, you can define this to suite your needs).

/queue simple add max-limit=0/64000 name=http-video packet-marks=http-video
  •  Blocking embedded video streaming with mikrotik

We previously able to apply bandwidth restrictions for embedded streaming video, how about block any embedded streaming videos so clients will not able to play embedded video streaming. In this scenario, any websites that is embedding streaming video can still be accessed and browsed as usual, but when playing streaming video, it will not be in loaded at all.

This useful when implemented at the office environment, where users can browse internet, but cannot watch video streaming at all :)

The scenario is similar as above, but with a little adjustment : all embedded video streaming packets will be dropped.

First, add a video content filter at Layer7 protocol:

/ip firewall layer7-protocol add name=http-video regexp="http/(0.9|1.0|1.1)[x09-x0d ][1-5][0-9][0-9][x09-x0d -~]*(content-type: video)"

Second, marking data packets using firewall mangle:

/ip firewall mangle add action=mark-packet chain=prerouting comment="http-video mark-packet" disabled=no layer7-protocol=http-video new-packet-mark=http-video passthrough=no

Finally, drop all http-video packets :)

/ip firewall filter add action=drop chain=forward comment="http-video blocking" packet-mark=http-video

 Just give a try : open any video on Youtube, and see what happens. All videos should not able to loaded properly since the data packets is dropped at mikrotik firewall.

About Fajar R. 297 Articles
Seseorang yang antusias terhadap dunia internet, IT, networking dan komputer. Tipikal introvert tapi suka berorganisasi dan adventuring ke tempat-tempat baru.

20 Komentar

  1. i am internet service provider …
    mere network me whtasapp se image video text sand nahi ho rahe hai
    netwall server use kar raha hu or 750g mikrotik router

  2. Dear Fazar. Did You tried regexps on recent ROS 6 +. Unfortunately I did not get any hits to the rules. By the way rule try to add this l7 rules : is not working, syntaxis in regexp is not valid through command line. When You enter it in Winbox where will be additional slashes.

    • not working with https, since my L7 rule only filtering http.
      regexp="http/(0.9|1.0|1.1)[x09-x0d ][1-5][0-9][0-9][x09-x0d -~]*(content-type: video)"
      you might change it to https, and do some test.. :)

      • All packets travelling through https are ciphered, aren’t they? Then it is impossible for a layer 7 to apply any regexp comparison ‘cause it sees “garbage” when inspecting the packet

        • and the layer7 rules are used to inspect all packets, label them if matches and after, the mangle uses this label to mark. Then your comment

          “not working with https, since my L7 rule only filtering http.”

          is false, ‘cause the packet is inspected first by L7 and after in the firewall is where you tell “if protocol is http AND the packet is labeled by L7 as video, then mark connection/packet”

        • yes, indeed. all packets through https encrypted/ciphered. as far as I know, when user using https, meaning that L7 will not be able to much this traffic. Only unencrypted HTTP can be matched.

  3. Hi, I’m using rb1100AH x2 I want to block IM video streaming and call. like yahoo messenger video streaming and skype video streaming the user can used that application but purely messaging only.

    • some blog visitors reported this method sometimes not work, especially for hd video.
      try to add this l7 rules :

      /ip firewall layer7-protocol add name=http-video regexp="http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(content-type: video)"
      /ip firewall layer7-protocol add name=http-video regexp="www.youtube.com"

      it should works for nat too. goodluck! :)

  4. pls am new here . can any body help me. am running a hotspot internet access, and my users need alert time left whiles browsing, but i got this script on internet, but it does not prompt users but after they have logout . pls see if any thing is wrong with the code, and correct me.

    thank u.
    this is the code

    <!–
    function calculateSecondsLeft(timeLeft) {
    regex = /^(\d+d)?(\d+h)?(\d+m)?(\d+s)?$/;
    result = regex.exec(timeLeft);
    secondsLeft = 0;
    for(index = 1; index <= 4; index++) {
    if(result[index]) {
    regex = /^(\d+)[dhms]$/;
    parts = regex.exec(result[index]);
    numericPart = parts[1];
    switch(index) {
    case 1:
    secondsLeft += numericPart * 86400;
    break;
    case 2:
    secondsLeft += numericPart * 3600;
    break;
    case 3:
    secondsLeft += numericPart * 60;
    break;
    case 4:
    secondsLeft += numericPart * 1;
    }
    }
    }
    if(secondsLeft

    Time left: $(session-timeout)

Leave a Reply

Alamat email Anda tidak akan dipublikasikan.


*