Block YouTube App

Started by Tomsauy, November 13, 2020, 11:49:56 PM

Hi all

I am currently trying to test Sensei with some guys inside a kind of association 😊
For our test we are trying to block YouTube using OPNSense + Sensei free edition (many of us want to manage streaming consumption at home... and YouTube is a good example for us)

Under App Control we have disabled anything related to YouTube! And it works great when we want to access YouTube inside Chrome or Firefox 👍
But when I launch YouTube app inside Android mobile phone I am able to start video and play contents... 😞
Did we miss something ?

Can someone try to test and tell us the results ?

Thanks for your help !! 😊

How are you selecting your devices to be managed?
The reason I ask is that Android devices randomise their MAC address so will likely get a new IP regularly.
This may put them outside of your policy.

Hi @Tomsauy,

Yes, please check if it matches correct policy from Reports - Connection - Live Session Explorer.

Hi

I am using the free edition of Sensei, so the policy applies to all devices on the network; there is no rule for a specific device.

Hi @Tomsauy,

Can you share a screenshot of the session detail of the Android device after you used the YouTube app?

Hi @Tomsauy,

I cannot reproduce the same issue in the lab. It seems that there is a specific situation. I have experienced that when the modem's DHCP is also opened, some services use IPv6 which is leased from the modem. So please check whether this matches your issue as well. Otherwise, I would like to look into it. Please send a bug report and let's dive into it.

Hi @Sy

please find attached the screenshot of Sensei Live Session & nTopNG Flows both for ip 10.222.1.219

What do you mean by "modem's DHCP is also opened" ?
I have double-checked my DHCP config; there is no IPv6 available.

Thanks for your help

Hi Tomsauy,

It seems all sessions are blocked. I mean when the modem DHCP service is also on and it has a direct connection with client devices, client devices can lease IPv6 from it and some services work on IPv6. Especially Google services go over IPv6 if it exists. If you are sure that it doesn't exist in your issue, please send a bug report and I'm going to look into the logs.

Thanks for those precisions, but all devices go through OPNSense router.
I have submitted a ticket, hope you can find what is wrong with my configuration.
Thanks

Quote from: Tomsauy on November 17, 2020, 11:06:07 PM
Thanks for those precisions, but all devices go through OPNSense router.
I have submitted a ticket, hope you can find what is wrong with my configuration.
Thanks

Good, as it's no issue from your or my side. If have all setup correctly. Result: only the webpage (access) youtube.com is getting properly blocked, but not when using the real YouTube app using e.g. Android smartphones. So App control seems to lack app awareness at least for YouTube... maybe many other apps are also affected.

Hi,

Unfortunately I tested with both mobile and tablet and Youtube is always blocking. In my configuration only Youtube app is selected to block. And I tried on PC with Firefox, Chrome
On Android Tablet with Youtube Application
On Android Mobile Phone with Youtube Application
On IPhone with Youtube Application.

On mobile devices Application opens but no video is playing. Sometimes only advertisements are playing and then just tries to load videos and nothing can load it.

November 19, 2020, 08:40:47 AM #11 Last Edit: November 19, 2020, 08:43:41 AM by ittk
Quote from: sy on November 18, 2020, 06:14:07 PM
Hi,

Unfortunately I tested with both mobile and tablet and Youtube is always blocking. In my configuration only Youtube app is selected to block. And I tried on PC with Firefox, Chrome
On Android Tablet with Youtube Application
On Android Mobile Phone with Youtube Application
On IPhone with Youtube Application.

On mobile devices Application opens but no video is playing. Sometimes only advertisements are playing and then just tries to load videos and nothing can load it.

Hi,

I will maybe have time tomorrow to test again and also get back to your requested info.

But for your understanding, I have just a single NIC-port firewall:

WAN is VLAN2 (static IPv4 only)
LAN is VLAN3 (static IPv4 only)
and OPT is untagged / no VLAN active (static IPv4 only)

Sensei free is only active on em0_vlan3 interface and NOT on em0.

Configuration:

I have all YouTube categories within App Control on block
AND also in web control (web filter) the pre-defined restrictive profile active.

Maybe you can reproduce the issue with the given info.

And can you give me more in-depth technical insight into how you detect the YouTube app / video streams? I hope not just with the DNS namespace for YouTube or based on just IP network addresses.

Real Layer7-Detection must operate on L7 and detect the application content based information on upper layer 5 to 7 protocols.

Thanks

November 20, 2020, 04:13:45 PM #12 Last Edit: November 20, 2020, 05:26:34 PM by mb
Hi @ittk, @Tomsauy,

It seems Google has been experimenting to avoid ad-blocking mechanisms for some time now - because of ad revenue concerns.

Can you try adding Streaming/QUIC application to your list of blocked applications (from App Controls) and see if this changes anything?

Yeah, seems Youtube has been rolling out changes lately? Last week we had to turn off Ad Tracker (in App Controls) to get YouTube on Safari working on my son's iPad again. Interestingly, an iPhone also using Safari was working fine at the same time the iPad was not.
Now, looking at the reports, YouTube is no longer recognized properly. There is mainly Quic UDP Connection listed now, for the iPad mostly streaming YouTube.

Hi mb,

Even if I add "Quick UDP Streaming" in block app the result is the same I can continue to watch video on my android phone with YouTube app

I can see QUIC UDP flow open in ntopng and Sensei seems not to be able to block it...
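An added illustration of the QUIC flows discussed in this thread (not part of any post, and not how Sensei, ntopng or OPNsense implement detection): a minimal check that recognises a QUIC client Initial packet from the UDP payload itself rather than from the port, DNS name or IP address, using the version-independent long-header layout from RFC 8999 and the QUIC v1 rules from RFC 9000. The sample payloads and all function names are constructed for the example.

```python
import struct

# QUIC v1 long-header packet types (bits 0x30 of the first byte, RFC 9000)
V1_TYPES = {0: "initial", 1: "0-rtt", 2: "handshake", 3: "retry"}

def parse_quic_long_header(payload: bytes):
    """Return long-header fields per RFC 8999, or None if the layout does not fit."""
    if len(payload) < 7 or not payload[0] & 0x80:    # header-form bit must be 1
        return None
    version = struct.unpack_from("!I", payload, 1)[0]
    pos, ids = 5, []
    for _ in range(2):                               # DCID, then SCID
        if pos >= len(payload):
            return None
        n = payload[pos]                             # one-byte length prefix
        if pos + 1 + n > len(payload):
            return None                              # truncated connection ID
        ids.append(payload[pos + 1:pos + 1 + n])
        pos += 1 + n
    if version == 0:
        kind = "version-negotiation"
    elif version == 1:
        kind = V1_TYPES[(payload[0] >> 4) & 0x3]
    else:
        kind = "unknown-version"                     # drafts / vendor versions
    return {"version": version, "kind": kind, "dcid": ids[0], "scid": ids[1]}

def looks_like_client_initial(payload: bytes) -> bool:
    """QUIC v1 client Initial: DCID of at least 8 bytes, datagram padded to >= 1200 bytes."""
    h = parse_quic_long_header(payload)
    return bool(h and h["kind"] == "initial"
                and len(h["dcid"]) >= 8 and len(payload) >= 1200)

# Constructed sample payloads (not captured traffic)
INITIAL = (bytes([0xC3]) + (1).to_bytes(4, "big") + bytes([8]) + bytes(range(8))
           + bytes([0]) + bytes(1200 - 15))
DNS_QUERY = (bytes.fromhex("123401000001000000000000")
             + b"\x07example\x03com\x00\x00\x01\x00\x01")
TRUNCATED = bytes([0xC0, 0, 0, 0, 1, 20, 1, 2])      # claims a 20-byte DCID
VERSION_NEG = bytes([0x80, 0, 0, 0, 0, 0, 0])

if __name__ == "__main__":
    for name, p in [("initial", INITIAL), ("dns", DNS_QUERY),
                    ("truncated", TRUNCATED), ("vneg", VERSION_NEG)]:
        print(name, looks_like_client_initial(p), parse_quic_long_header(p))
```

Everything after the Initial packet is encrypted, so a payload check like this identifies the transport as QUIC but not which service is carried inside it.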