I'm trying to set up a fw rule to block YouTube all day except from 20 to 22.
I've tried the following rule but it doesn't work...
Can someone give me a hint?
What's wrong there?
Thanks in advance
config rule
	option src 'lan'
	option dest 'wan'
	option name 'youtube'
	option target 'REJECT'
	option start_time '22:00:00'
	option stop_time '20:00:00'
	list dest_ip '142.251.33.174'
	list dest_ip '142.250.81.110'
	list dest_ip '142.251.32.78'
	list dest_ip '142.251.41.78'
	list dest_ip '172.217.165.14'
	list dest_ip '142.251.33.164'
	option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
	list proto 'tcp'
	list proto 'udp'
Thanks, btw I started to set up the reject without the time limit to test the rule and it doesn't work... so I guess it's just something I can't do easily on owrt
.. and you have IPv4-only internet, right?
and you don't have an IPv6 GUA address that clients might (and likely will) prefer in a dual-stack environment when reaching the YouTube domain?
Good chance, when blocking YT IPs, that other Google-based services will not work anymore. Anyway, you might experiment using the dnsmasq ip/nft set feature. Quite some info about it on the web; not much luck, though.
Yep, you are right. But CLI cmds like "echo 'server=/googlevideo.com/' >> /etc/dnsmasq.conf" should then do the job, finally. Has the advantage of forcing NXDOMAIN, which is processed faster than 0.0.0.0 in /etc/hosts, anyway.
Or, simpler, use "servers-file=/etc/yt_servers", having the lines from above in one separate file. Assuming no servers-file is already configured.
just as an idea:
it could be an option to install adblock in OpenWrt with packages: adblock, luci-app-adblock
and then manifest the YouTube URLs that are to be blocked; all other block lists could be deleted.
After setting up adblock you could specify a cron system command (System -> Scheduled Tasks) via LuCI, for example
45 19 * * * service sysntpd restart # to have the correct time set, after a power outage e.g.
0 20 * * * service adblock stop # stop adblock at 20:00 and as such allow YT
0 22 * * * service adblock start # start adblock at 22:00 and as such block YT
With this you could pause adblock within the wanted time frame to allow access to YT.
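The DNS-side approach from the two posts above (a dnsmasq servers-file forcing NXDOMAIN, switched from cron at 20:00 and 22:00), as an added example that is not from any poster in this thread. It assumes dnsmasq is pointed at /etc/yt_servers via "servers-file=/etc/yt_servers", and the domain list is an illustration, not a complete inventory of YouTube's domains.

```shell
#!/bin/sh
# Time-window YouTube block via dnsmasq NXDOMAIN, driven from cron.
# Assumption: dnsmasq has "servers-file=/etc/yt_servers" configured.
YT_SERVERS_FILE="${YT_SERVERS_FILE:-/etc/yt_servers}"
# Illustrative domain list (assumption); extend as needed.
YT_DOMAINS="youtube.com googlevideo.com"

# Print one "server=/domain/" line per domain: with no upstream given,
# dnsmasq answers NXDOMAIN for names it cannot serve from hosts/DHCP.
yt_block_lines() {
    for d in $YT_DOMAINS; do
        printf 'server=/%s/\n' "$d"
    done
}

# Return 0 when HOUR (0-23) falls inside the allow window 20:00-21:59.
yt_allowed_at() {
    hour=$1
    [ "$hour" -ge 20 ] && [ "$hour" -lt 22 ]
}

# Write the servers-file for the given hour: block lines outside the
# window, an empty file inside it. Prints "block" or "allow" for callers.
yt_apply() {
    hour=$1
    file=${2:-$YT_SERVERS_FILE}
    if yt_allowed_at "$hour"; then
        : > "$file"
        echo allow
    else
        yt_block_lines > "$file"
        echo block
    fi
    # dnsmasq only re-reads servers-file on restart; only do this when
    # writing the real file on a box that actually runs dnsmasq.
    if [ -z "$2" ] && command -v dnsmasq >/dev/null 2>&1; then
        service dnsmasq restart >/dev/null 2>&1
    fi
    return 0
}

# cron (System -> Scheduled Tasks), assuming this script is /etc/yt_policy.sh:
#   0 20 * * * /etc/yt_policy.sh 20
#   0 22 * * * /etc/yt_policy.sh 22
case "${1:-}" in
    [0-9]|[0-9][0-9]) yt_apply "$1" ;;
esac
```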
I like this idea, and it is very close to what I need. I may try that, but I would have preferred a "vanilla" way, without installing anything, to do it; that's why I was trying with firewall rules. And still it's not clear to me why I can't block a number of IPs and have the rule I described work. I mean, I understand it's complex to track all related IPs of YT, but I think there should be a way with FW rules.
Using firewall rules is sub-optimal, performance-wise, because redundant DNS needs to be done before. Quite a few comments hint at why your rule is not working/sufficient. For a start: how about IPv6 IPs of YT? How about a counter, to see whether your rule is hit or not? And are you sure you cover all YT IPs?
Looks like you do not understand quite a few of the posts trying to help you.
For example, using a crippled-down adblock, as mentioned, results in the same solution I gave you before, only with a lot of overhead.
I'm not sure at all that I've covered all YT IPs; btw I'm looking for a solution I'm able to set up. I know IPv6 and all the others.. but I had no detailed examples I can start with.
Looks like your philosophy is "hardest (solution) first". OK, in case you are familiar with nft rules, for very basic testing you can disable the firewall completely and use a script instead, called from /etc/rc.local, which, besides minimum basic rules like masquerade, ALSO contains your nft rule(s) to block the YT IPs. Makes testing much easier. And when you are happy with it, port it to the standard firewall. Good exercise, BTW.