You can capture all YouTube and Facebook IPs on any Mikrotik router, store them in two destination address lists to be used for any kind of filtering, be it packet, route or connection filtering. The destination address list can also be used for traffic prioritization in quality of service (Qos).
Because there are many blocks of subnets used by YouTube and Facebook, and the subnets are constantly changing, we must find a means to automate a process that will constantly notify our router about these changes. To achieve this, two simple scripts are required to capture all YouTube and Facebook IPs. These scripts can be modified to capture all IPs associated with any other website. Each script will be assigned a system scheduler that will run at intervals to ensure that the destination address list containing the IPs associated with a particular website is kept up to date.
For the solution to work as intended, users must be forced to use the IP address on the LAN interface of the Mikrotik router as their preferred DNS address. To achieve this, the Mikrotik router must be assigned a DNS address with allow remote request enabled. After that, a firewall destination NAT rule must also be configured to force all DNS requests from the LAN to the Mikrotik router. See how to redirect dns requests fron the LAN to the mikrotik router.
Scripts to capture YouTube and Facebook IPs
Script for Youtube IPs
This script will capture all IPs associated with Youtube. See script below.
# Script to add Youtube IP addresses into address list
# Tested with Mikrotik 6.42.7
:local LISTNAME “youtube”
# Name of website to be added to address list
:local TARGET1 “youtube.com”
:local TARGET2 “googlevideo.com”
# when site is visited for the first time add ip of site to address list if not listed
:if ( [/ip firewall address-list find where list=$LISTNAME] = “”) do={
:log warning “No address list for $TARGET1 and $TARGET2 found ! creating and adding resolved entry for 1st time usage … gate”
:resolve $TARGET1
:resolve $TARGET2
/ip firewall address-list add list=$LISTNAME
} else={
:log warning “Previous List for $LISTNAME found ! moving forward and checking if DNS entries can be added in it …”
}
# Check DNS entries for names matching websites
:foreach i in=[/ip dns cache all find where (name~”$TARGET1″ || name~”$TARGET2″) && (type=”A”) ] do={
# Get IP Address from the names for hold in temporary buffer
:local Buffer [/ip dns cache get $i address];
delay delay-time=10ms
# Check if entry already exists in address list, otherwise add
:if ( [/ip firewall address-list find where address=$Buffer] = “”) do={
# Fetch DNS names for the entries
:local sitednsname [/ip dns cache get $i name] ;
# Print name in LOG window
:log info (“added entry: $sitednsname $Buffer”);
# Add IP addresses and sitename names to the address list
/ip firewall address-list add address=$Buffer list=$LISTNAME comment=$sitednsname;
}
}
Script for Facebook IPs
This script will capture all IPs associated with Facebook. See script below.
# Script to add Facebook IP addresses into address list
# Tested with Mikrotik 6.42.7
:local LISTNAME “facebook”
# Name of website to be added to address list
:local TARGET1 “facebook.com”
:local TARGET2 “fbcd.net”
# when site is visited for the first time add ip of site to address list if not listed
:if ( [/ip firewall address-list find where list=$LISTNAME] = “”) do={
:log warning “No address list for $TARGET1 and $TARGET2 found ! creating and adding resolved entry for 1st time usage … gate”
:resolve $TARGET1
:resolve $TARGET2
/ip firewall address-list add list=$LISTNAME
} else={
:log warning “Previous List for $LISTNAME found ! moving forward and checking if DNS entries can be added in it …”
}
# Check DNS entries for names matching websites
:foreach i in=[/ip dns cache all find where (name~”$TARGET1″ || name~”$TARGET2″) && (type=”A”) ] do={
# Get IP Address from the names for hold in temporary buffer
:local Buffer [/ip dns cache get $i address];
delay delay-time=10ms
# Check if entry already exists in address list, otherwise add
:if ( [/ip firewall address-list find where address=$Buffer] = “”) do={
# Fetch DNS names for the entries
:local sitednsname [/ip dns cache get $i name] ;
# Print name in LOG window
:log info (“added entry: $sitednsname $Buffer”);
# Add IP addresses and sitename names to the address list
/ip firewall address-list add address=$Buffer list=$LISTNAME comment=$sitednsname;
}
}
Configuring system schedulers
The next step is to configure system schedulers to run the scripts at interval; say every 30 seconds. See commands below.
/sys scheduler add
name=facebook on-event=facebook interval=30s start-date=sep/09/2018 start-time=startup
name=youtube on-event=youtube interval=30s start-date=sep/09/2018 start-time=startup
Verification
To verify this, I will have check the DNS cache on the Mikrotik router, to see if it is resolving. Then I will check if my destination address lists for YouTube and Facebook contain any IPs. First, see the DNS cache below.
DNS Cache
Address-lists
At this point, we can simply configure firewall filter rules using the destination address lists. I can decide to route packets destined to these address lists through a separate ISP, give them higher priorities or simply drop the packets if I choose to deny users access to these sites.
If you enjoyed this tutorial, please subscribe to this blog to receive my posts via email. Also subscribe to my YouTube channel, like my Facebook page and follow me on Twitter
Not Working With latest Version 6.47.1
What’s up everyone, it’s my first go to see at this site, and article is
genuinely fruitful in favor of me, keep up posting these types of articles or reviews.
its not working with mikrotik ver 6.48.3