Mikrotik

Restricting and Limiting Video Streaming with Mikrotik

If you have a proxy server, you can restrict video streaming access using an access control list or a content filtering program such as squidGuard, DansGuardian, etc. But there are many websites with embedded video that have not been filtered yet. Mikrotik can help you overcome this problem and restrict access to embedded streaming video with ease.

  • Restrict bandwidth usage for embedded video streaming

You can use the following script to limit bandwidth usage for sites that embed video streaming, such as YouTube, Metacafe, Tube8, etc. I have personally tested this script and it works fine.

The scenario uses the Mikrotik built-in Layer7 Protocol matcher to detect embedded video streaming on any website, marks the data packets, then defines a bandwidth limit using a Simple Queue rule.

First, add a video content filter at Layer7 protocol:

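# Backslashes are doubled because the RouterOS console treats "\" as an escape character inside a quoted string.
/ip firewall layer7-protocol add name=http-video regexp="http/(0\\.9|1\\.0|1\\.1)[\\x09-\\x0d ][1-5][0-9][0-9][\\x09-\\x0d -~]*(content-type: video)"

Second, mark the data packets using firewall mangle: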

/ip firewall mangle add action=mark-packet chain=prerouting comment="http-video mark-packet" disabled=no layer7-protocol=http-video new-packet-mark=http-video passthrough=no

Finally, add a new rule in simple queue to limit bandwidth usage for http-video packets (in this example, download for embedded video streaming is capped at 64kbps; you can adjust this to suit your needs).

/queue simple add max-limit=0/64000 name=http-video packet-marks=http-video

  • Blocking embedded video streaming with Mikrotik

We were previously able to apply bandwidth restrictions to embedded streaming video. How about blocking embedded streaming video entirely, so clients will not be able to play it? In this scenario, any website that embeds streaming video can still be accessed and browsed as usual, but when a streaming video is played, it will not load at all.

This is useful when implemented in an office environment, where users can browse the internet but cannot watch video streaming at all :)

The scenario is similar to the one above, but with a little adjustment: all embedded video streaming packets will be dropped.

First, add a video content filter at Layer7 protocol:

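# Backslashes are doubled because the RouterOS console treats "\" as an escape character inside a quoted string.
/ip firewall layer7-protocol add name=http-video regexp="http/(0\\.9|1\\.0|1\\.1)[\\x09-\\x0d ][1-5][0-9][0-9][\\x09-\\x0d -~]*(content-type: video)"

Second, mark the data packets using firewall mangle: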

/ip firewall mangle add action=mark-packet chain=prerouting comment="http-video mark-packet" disabled=no layer7-protocol=http-video new-packet-mark=http-video passthrough=no

Finally, drop all http-video packets :)

/ip firewall filter add action=drop chain=forward comment="http-video blocking" packet-mark=http-video

Just give it a try: open any video on YouTube and see what happens. Videos should not be able to load properly, since the data packets are dropped at the Mikrotik firewall.
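
The check below is an added example, not part of the original post or of RouterOS: it runs the http-video pattern over constructed byte streams with Python's re module, standing in for the RouterOS matcher, to show which traffic the mangle rule would mark. It assumes case-insensitive matching and a 2 KB inspection window (per MikroTik's L7 documentation), and it also runs the pattern with its backslashes lost, which can no longer cross the CRLF between the status line and the Content-Type header.

```python
import re

# The page's pattern with backslashes intact (regex-engine form, single backslashes).
L7_HTTP_VIDEO = rb"http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(content-type: video)"
# Same pattern with the backslashes lost: "[x09-x0d -~]" no longer contains CR or LF.
L7_STRIPPED = rb"http/(0.9|1.0|1.1)[x09-x0d ][1-5][0-9][0-9][x09-x0d -~]*(content-type: video)"

# Assumption: only about the first 2 KB of a connection is inspected.
L7_WINDOW = 2048


def l7_match(pattern: bytes, stream: bytes) -> bool:
    """Return True if the pattern is found in the inspected prefix of the stream."""
    # Assumption: matching is case-insensitive, as in the l7-filter project.
    return re.search(pattern, stream[:L7_WINDOW], re.IGNORECASE) is not None


def http_response(content_type: str, extra_header_bytes: int = 0) -> bytes:
    """Build a constructed HTTP/1.1 response head, optionally padded with a long cookie."""
    head = "HTTP/1.1 200 OK\r\nServer: example\r\n"
    if extra_header_bytes:
        head += "Set-Cookie: id=" + "a" * extra_header_bytes + "\r\n"
    head += f"Content-Type: {content_type}\r\n\r\n"
    return head.encode("ascii")


# Constructed samples (not captured traffic).
SAMPLES = {
    "plain HTTP video": http_response("video/mp4"),
    "plain HTTP page": http_response("text/html"),
    "video, header past window": http_response("video/mp4", extra_header_bytes=3000),
    # Start of a TLS handshake record followed by opaque bytes, as HTTPS looks on the wire.
    "TLS record": bytes([0x16, 0x03, 0x03, 0x00, 0x40]) + bytes(range(128, 192)),
}


def classify(pattern: bytes) -> dict:
    """Map each sample name to whether the pattern would mark it."""
    return {name: l7_match(pattern, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for label, pattern in (("intact", L7_HTTP_VIDEO), ("stripped", L7_STRIPPED)):
        for name, hit in classify(pattern).items():
            print(f"{label:9} {name:28} {'MATCH' if hit else 'no match'}")
```

Only the plaintext response whose Content-Type header falls inside the inspected window is marked; the TLS stream and the late header pass through the drop and queue rules untouched.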



21 Comments

  1. InguX

    15 January 2013 at 01:59

    Doesn't work at all

  2. emmy smith

    3 May 2013 at 06:33

    Pls, I am new here. Can anybody help me? I am running a hotspot internet access, and my users need a time-left alert while browsing. I got this script on the internet, but it does not prompt users until after they have logged out. Pls see if anything is wrong with the code, and correct me.

    Thank you.
    This is the code:

    <!--
    function calculateSecondsLeft(timeLeft) {
        regex = /^(\d+d)?(\d+h)?(\d+m)?(\d+s)?$/;
        result = regex.exec(timeLeft);
        secondsLeft = 0;
        for(index = 1; index <= 4; index++) {
            if(result[index]) {
                regex = /^(\d+)[dhms]$/;
                parts = regex.exec(result[index]);
                numericPart = parts[1];
                switch(index) {
                    case 1:
                        secondsLeft += numericPart * 86400;
                        break;
                    case 2:
                        secondsLeft += numericPart * 3600;
                        break;
                    case 3:
                        secondsLeft += numericPart * 60;
                        break;
                    case 4:
                        secondsLeft += numericPart * 1;
                }
            }
        }
        if(secondsLeft

    Time left: $(session-timeout)

  3. marcelo

    27 May 2013 at 09:25

    Hi, I tried to use this script, but it is not working. Does this script work with NAT masquerade?

    1. fazar

      27 May 2013 at 09:56

      Some blog visitors reported that this method sometimes does not work, especially for HD video.
      try to add this l7 rules :

      /ip firewall layer7-protocol add name=http-video regexp="http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(content-type: video)"
      /ip firewall layer7-protocol add name=http-video regexp="www.youtube.com"

      It should work for NAT too. Good luck! :)

  4. ilonggo

    30 August 2013 at 12:21

    Hi, I'm using an RB1100AH x2. I want to block IM video streaming and calls, like Yahoo Messenger video streaming and Skype video streaming. The users can use those applications, but purely for messaging only.

    1. fazar

      30 August 2013 at 13:39

      You might try to implement connection filtering using Layer 7.
      http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/L7

      Skype video is harder to handle, since it's encrypted. :(

  5. phillip

    15 November 2013 at 16:30

    I don't know how to block Facebook on my Mikrotik router or radio.
    Anybody please help.

  6. Raditya

    4 December 2013 at 14:16

    How about audio streaming? Such as radio streaming. :)

    1. fazar

      4 December 2013 at 15:14

      try this one …

      http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(content-type: audio)

  7. Suili

    10 September 2014 at 18:27

    Is this limited only to HTTP videos? How about HTTPS video?
    Because it's a different port.

    1. fazar

      11 September 2014 at 08:22

      not working with https, since my L7 rule only filtering http.
      regexp="http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(content-type: video)"
      you might change it to https, and do some test.. :)

      1. D

        8 January 2015 at 19:54

        All packets travelling through https are ciphered, aren’t they? Then it is impossible for a layer 7 to apply any regexp comparison ‘cause it sees “garbage” when inspecting the packet

        1. D

          8 January 2015 at 20:00

          and the layer7 rules are used to inspect all packets, label them if matches and after, the mangle uses this label to mark. Then your comment

          “not working with https, since my L7 rule only filtering http.”

          is false, ‘cause the packet is inspected first by L7 and after in the firewall is where you tell “if protocol is http AND the packet is labeled by L7 as video, then mark connection/packet”

          1. fazar

            9 January 2015 at 08:25

            since all traffic is encrypted, there is no way for L7 to filter its packets.

        2. fazar

          9 January 2015 at 08:24

          Yes, indeed. All packets through HTTPS are encrypted/ciphered. As far as I know, when a user is using HTTPS, L7 will not be able to match this traffic. Only unencrypted HTTP can be matched.

  8. Corne

    11 September 2014 at 20:42

    None of the methods work for me. Maybe it's because I have connection and routing marks that push traffic over certain gateways?

  9. P.A

    17 August 2015 at 22:13

    Dear Fazar, did you try the regexps on recent ROS 6+? Unfortunately I did not get any hits on the rules. By the way, the rule under "try to add this l7 rules :" is not working; the syntax in the regexp is not valid through the command line. When you enter it in Winbox there will be additional slashes.

    1. fazar

      18 August 2015 at 14:58

      Most YouTube videos now use HTTPS, and it is not possible to filter this kind of traffic using L7 rules. For the latest L7 rules (YouTube), you can see them on the Mikrotik wiki: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/L7#Youtube_Matcher

      Also see the L7 filter lists here: http://l7-filter.sourceforge.net/protocols

  10. vini

    1 April 2016 at 12:54

    I am an internet service provider …
    On my network, images, videos and text are not being sent via WhatsApp.
    I am using a Netwall server and a 750G Mikrotik router.
