Captive portal logins for granting access to Youtube

[Sunnyb0y]

Hi , there
I'm Jeremy
%u0E2A%u0E39%u0E15%u0E23%u0E41%u0E17%u0E07%u0E1A%u0E2D%u0E25%u0E23%u0E2D%u0E07

Let me ask if Captive portal/logins could be used with granting more access rights to forbidden content, such as Youtube?
I would like to use this in local lan environment (not in guest network) where users do not login normally. But when user needs to access restricted parts of the network, such as Youtube, user could login with voucher on Captive portal and be granted for 30 minutes of YT access.
%u0E41%u0E17%u0E07%u0E1A%u0E2D%u0E25%u0E2A%u0E14UFABET


Typical scenario is in schools (and nowadays home schooling) where kids would spend all their energy with YT and therefore need to restrict during school hours. But in other hand, in some classes, YT is used in teaching. A voucher scheme for approving such temporary accesses would be nice.

Is this possible, or is it just me wondering something that makes no sense? Or is there even better and easier ways to solve this?

All the tips how solve this are highly appreciated!

thanks for help , stay safe!

[Amr]

Sadly captive portal doesn't have this functionality.

is there even better and easier ways to solve this?

There's a couple of solutions (in the context of opnsense) better but not easier:

1-DNS overrides (unbound): to do "user-based" filtering you can use Vlans or make aliases (NoYoutube, yYoutube for example) and force the NoYoutube to use unbound DNS server by redirecting all queries to unbound (NAT port forwarding) while allowing the others to use Google DNS servers or any other DNS server, drawbacks is that VPN can bypass the DNS server.

2-The recommended solution: Filtering proxy (transparent preferred) with this you can do user-based filtering, time-based filtering, category-based filtering ...etc, squid is powerful given you can invest the time to learn how to deploy it and write custom ACLs, VPN can't get through it if you enable SSL inspection but its drawbacks is that if you'll need to configure each client to accept the certificate of the proxy or adding the sites you don't want to inspect in the "SSL no bump sites", if you don't use SSL inspection it'll be easier to deploy but VPN can get through.