How to block Youtube on your Mikrotik router
1. Introduction
In an increasingly connected world, Internet access has become a key component of business operations. However, this continuous connection presents significant challenges for companies that must balance the need to provide effective business tools with the need to maintain productivity and cybersecurity. Among the many online platforms available, YouTube represents a resource that is as useful as it is potentially problematic.
YouTube, with its vast array of video content, can be an invaluable source of information and training for employees. However, unlimited access to YouTube can lead to significant distractions, reducing worker productivity. In addition, unsupervised videos can pose a security threat by carrying malware or inappropriate content. Finally, streaming video consumes a large amount of bandwidth, which can slow down the entire corporate network.
Faced with these challenges, many companies decide to implement measures to deploy a Youtube block within their network. This practical guide will explore the various motivations behind this choice and provide a detailed overview of the methods available to implement a YouTube block effectively while ensuring a balance between security, productivity, and employee well-being.
2. Productivity
Unrestricted access to YouTube within a company can negatively affect employee productivity. While some video content may be useful for work, most videos on YouTube are designed to entertain and can easily distract workers. A short break to watch a video can quickly turn into minutes or hours of lost time. Studies have shown that procrastination related to Internet use is a common problem in many workplaces, leading to an overall reduction in productivity. By implementing a YouTube block, companies can help employees focus better on their tasks, improving efficiency and work results.
3. Security
In addition to lost productivity, access to YouTube can pose a significant risk to corporate IT security. YouTube hosts a huge amount of user-generated content, much of which is not verified or monitored for threats. Some videos may contain links to malicious websites or encourage the download of malicious software. In addition, advertisements on YouTube can sometimes carry malware. By implementing a YouTube blocker, companies can reduce the risk of malware infections and other security threats, thereby protecting sensitive information and the integrity of the corporate network.
4. Bandwidth management
Streaming video requires a significant amount of bandwidth. In a business setting, where many essential activities depend on a fast and stable Internet connection, heavy use of YouTube can congest the network, slowing down critical operations. This is especially problematic during peak hours, when many employees may be trying to access video content at the same time. With a YouTube block, companies can ensure that available bandwidth is used efficiently to support important work tasks, thereby improving overall network performance.
Blocking YouTube within the corporate network is not just a matter of control, but a strategic measure to improve productivity, ensure IT security, and optimize bandwidth use. Each company should carefully assess its specific needs and consider the potential benefits of such a decision, while also taking into account the possible need for YouTube access for legitimate business purposes.
5. How can I implement a Youtube block on Mikrotik?
Content filtering on MikroTik allows you to block or restrict access to specific websites or content types on your network. This can be especially useful in corporate or educational environments to prevent access to inappropriate or distracting sites. We will use YouTube as an example of content to filter.
5.1. Step 1: Access MikroTik via Winbox
Start Winbox and connect to your MikroTik device by entering its IP or MAC address, username and password.
5.2. Step 2: Create an Address List
We will use an address list to group the domains we want to block.
Go to IP > Firewall and select the Address Lists tab.
Click on + to add a new entry.
In the window that opens, enter a name for the list, such as blocklist, in the List field.
In the Address field, enter the IP address of YouTube. Finding the exact IP address of a site like YouTube can be complex because it uses several IP addresses. For this example, you can use a known IP address of YouTube, but for a more effective block you may need to add more entries.
You can automate this search using the “content” function within the Advanced tab of the firewall rules.
Click OK to save the entry.
5.3. Step 3: Create a Firewall Rule
Now that we have a list of addresses with sites to block, we can create a firewall rule to actually block the traffic.
Still in IP > Firewall, go to the Filter Rules tab.
Click on + to add a new rule.
On the General tab, select forward from the Chain drop-down menu.
Switch to the Advanced tab and click on the button … next to Src. Address List. Select the blocklist you created earlier.
On the Action tab, select drop from the Action drop-down menu. This will effectively block traffic to the specified addresses.
Click OK to save the rule.
IMPORTANT: Remember that the rule that “feeds” the block list must be placed above the rule that drops traffic for the block list.
5.4. Step 4: Testing Filtering
After setting the rule, test the filtering by trying to access YouTube from a device in your network. If you did everything correctly, you should not be able to reach it.
Additional Considerations
Address List Update: Youtube and other large websites change IP addresses frequently; therefore, you may need to update your address list regularly.
Performance: Keeping track of and filtering network traffic can impact the performance of your MikroTik device, especially on networks with many users or high traffic.
And consider another factor: you will have to replicate these rules for whatever site or platform you want to block or restrict.
It is actually an impractical undertaking to do content filtering on Mikrotik using only its internal resources.
6. This is why I recommend that you “marry” Mikrotik with the Flashstart service
FlashStart analyzes DNS (Domain Name System) requests made by devices on your network and matches them against a large database of URLs and domains classified by category (e.g., adult sites, gambling, malware, etc.). If a request matches a site in the blocked categories, FlashStart prevents access to that site. The service offers flexible configuration, allowing administrators to choose which categories of content to block.
Compared with the previous section, this is a completely different world: a virtual “brain” manages the lists of content to be blocked, so you no longer have to maintain the content filtering rules yourself.
Moreover (something not to be underestimated) Flashstart completely relieves the Mikrotik’s CPU of any burden.
7. How to Set Up FlashStart on MikroTik
To use FlashStart with a MikroTik device, you need to configure your router to use FlashStart’s DNS servers. Here’s how to do it:
7.1 Step 1: Register for FlashStart
Visit the FlashStart website and choose the plan that best suits your needs.
If you are reading this, you have a coupon available to try it out for free for one month; I suggest you start with that!
Complete the registration and configuration process, during which you will receive information about the FlashStart DNS servers to use.
7.2 Step 2: Configure MikroTik to Use FlashStart
Access MikroTik via Winbox: Start Winbox and connect to your MikroTik router.
Set up FlashStart’s DNS servers (I won’t list them here because I want you to access them only after you create the account; there are two IP addresses).
Go to IP > DNS in the list of options.
In the Servers field, enter the IP addresses of the DNS servers provided by FlashStart.
Make sure the Allow Remote Requests option is disabled to prevent unauthorized DNS requests through your router.
Apply Changes: Click Apply and then OK to save the changes.
7.3 Step 3: Additional Configuration and Monitoring
Configuration on FlashStart: Access the FlashStart dashboard to further configure filtering policies, such as selecting categories of sites to block, creating custom whitelists or blacklists, and setting filtering schedules.
Monitoring and Reporting: Use the FlashStart dashboard to monitor browsing activity and receive reports on attempted access to blocked sites or security events.
7.4 Step 4: Prevent DNS Bypass
At this point, for the average person, bypassing Flashstart’s DNS filters is still simple.
It will be sufficient to replace the DNS delivered by DHCP with others (such as Google’s) to bypass the protection.
However, if you set the following NAT rules, you will prevent this problem.
Go to IP > Firewall > NAT.
Create a new rule with the + button.
Set Chain to dstnat, Protocol to tcp, Dst. Port to 53, and on the Action tab set Action to dst-nat.
In the To Addresses field, set the IP address of one of the DNS servers provided by FlashStart, and in the To Ports field, the value 53.
Now replicate this identical rule (you can also use the Copy button), changing the protocol to UDP.
In this way you have created rules that collect all DNS requests passing through the MikroTik and, regardless of their original destination, send them to FlashStart.
At this point, from the FlashStart interface, you can decide to block with simple flags everything you want, including, of course, YouTube. Moreover, you will be able to block both web and mobile app access, so the filtering applies to mobile devices as well.
What I have said here about YouTube can be extended to any platform or website, so you can see how extensively you can customize access to content for each of your customers, even working on groups of users.
The “fusion” between Mikrotik and Flashstart thus represents one of the most powerful content filtering tools you can find on the market.
You can activate the FlashStart® Cloud protection on any sort of Router and Firewall to secure desktop and mobile devices and IoT devices on local networks.