Skip to main content

How to Block Youtube on OPNsense?

Over the last decade, networking technologies have steadily improved, allowing organizations and even individuals to have high-speed Internet access on their corporate or home networks. Furthermore, billions of people have mobile devices that use 4G and 5G technology to connect to the Internet wherever they go. As a result, there is a growing demand for media streaming applications for entertainment and education.

YouTube, founded in mid-2005, has grown to become one of the most popular platforms on the internet. YouTube is a very useful and enormous resource that improves people's knowledge, provides a free source of information, and teaches them new skills. However, it can also impair their productivity and cause their mind to wander. It offers not only informative and entertaining videos but also some harmful and inappropriate videos, especially for children. And, it may be the most addictive website on the internet causing people to waste a significant amount of their time. More importantly, according to the researchers, individuals who use it for entertainment are more likely to engage in addictive behavior. The impacts of bandwidth abuse, decrease in employee productivity are also the main reasons to block Youtube in your company.

Therefore, Google released several digital wellbeing tools in 2018, including break reminders, counters, and additional notification management. However, none of those tools are secure enough to keep addicted users away from YouTube.

Nowadays, every business and parent is looking for ways to protect their employees and children from the negative aspects of media streaming platforms, particularly YouTube. One of the most effective and simple methods is to block or restrict media streaming applications.

In this article, we will cover Youtube Blocking Methods on OPNsense Firewall and discuss why people and organizations need to block Youtube. We will also explain how to block Youtube service on your OPNsense node configuring Zenarmor next-generation firewall plugin in different real-world scenarios, such as device/user awareness and time scheduling.

Youtube Blocking Methods on OPNsense?

OPNsense has a variety of features and some of them can help you block or restrict your users to access Youtube or other video streaming services. Depending on your requirements and technical knowledge, you can use one of the following solutions to block Youtube videos on your OPNsense firewall:

  1. Web content filtering and application control with Zenarmor next-generation firewall extension.
  2. Web filtering with Transparent Web Proxy, such as Squid.
  3. Blocking media streaming with the Intrusion Prevention System(IPS), such as Suricata.
  4. Bandwidth limiting with Traffic Shaper.
  5. DNS blocking with Unbound DNS.
Best Practice

The best and easiest way to block or restrict Youtube videos is Zenarmor that is one of the most popular and useful OPNsense plugins. While all of the other solutions listed above have their drawbacks, such as the fact that a cunning user can circumvent DNS blocking in some way or that they are not flexible and easy to manage, Zenarmor provides you with the most effective, flexible, and manageable solution for securing the network traffic with its lightweight and powerful packet inspection technology.

Some of the capabilities are layer-7 application/user aware blocking, granular filtering policies, commercial-grade web filtering utilizing cloud-delivered AI-based Threat Intelligence, parental controls, and the industry's best network analytics and reporting.

Zenarmor Free Edition is available at no cost for all OPNsense users.

info

You may find information on limiting Internet bandwidth with traffic shaper on OPNsense firewall in Captive Portal Configuration tutorial written by Sunny Valley Networks.

How to Block Youtube With Zenarmor?

In this tutorial, we'll explain to you how to prevent or limit media streaming traffic, such as Youtube videos, on your OPNsense firewall using the Zenarmor plugin.

Zenarmor allows you to forbid the following Youtube services entirely:

  • Youtube Video
  • Youtube TV
  • Youtube Kids
  • Youtube Comment
  • Youtube Video Share
  • Youtube Video Upload

You can also filter these Youtube services for the following criteria depending on your needs with your OPNsense firewall powered by Zenarmor:

  • IP based filtering
  • Device (MAC Address) based filtering
  • User-based filtering with Active Directory and Captive Portal integrations
  • Time-based filtering

We assume that you have already installed Zenarmor on your OPNsense firewall. If you don't have it, you can easily install and configure for free by following the instructions on the official documentation.

You can follow this tutorial by logging in to your OPNsense firewall web UI with a root account.

How to Block Youtube for an Entire Network?

To block the Youtube services for the entire network behind the protected interface(s) by Zenarmor on the OPNsense firewall, you may follow the steps given below.

  1. Navigate to the ZenarmorPolicies on OPNsense Web UI.

Managing Zenarmor Policies

Figure 1. Managing Zenarmor Policies

  1. Click the Default policy name, to edit the policy.
  2. Click on the App Control tab.

Editing App Controls for the Default policy

Figure 2. Editing App Controls for the Default policy

  1. Type Youtube in the search bar. This will automatically list the applications containing youtube words.

Searching for Youtube services

Figure 3. Searching for Youtube services

  1. Click on the listed application names to block Youtube services. Be aware that clicking on the category names, such as Media Streaming or Social Network will block not only Youtube applications but also all applications under the category.

 Blocking Youtube services

Figure 4. Blocking Youtube services

  1. Click on the Save Changes to activate the changes and start to block Youtube services.

Now, you have blocked all Youtube services for your entire network. None of the clients behind the OPNsense firewall with Zenarmor can't connect to Youtube anymore.

Verifying the Configuration

If you wish to verify the configuration and see whether Zenarmor blocks Youtube traffic successfully or not, you can accomplish this in two ways:

  • Viewing Live Sessions Explorer Report
  • Viewing Live Blocked Sessions Explorer Report
tip

These reports are also helpful for finding the clients who are trying to access the Youtube services on your network.

Viewing Live Sessions Explorer Report

To view the client requests for Youtube on your network via Live Sessions Explorer Report, you may follow the next steps given below:

  1. Navigate to the ZenarmorReports on OPNsense Web UI. This will open the Connections report view.

Accessing the Connections report view on Zenarmor

Figure 5. Accessing the Connections report view on Zenarmor

  1. Click on the Live Sessions Explorer. This will display the details of the live session.
  2. Select the Application on the Filter by drop-down menu.
  3. Type youtube in the search bar for filtering the live sessions.
  4. Click the Search button. This will display all live Youtube connections on your network. You should see that all Youtube connections are blocked like in figure 6.

Live Connections Report Filtered by Application youtube

Figure 6. Live Connections Report Filtered by Application youtube

tip

Src IP column shows the IP address of the clients who are trying to access the Youtube services on your network.

  1. You may click on the info button with the i icon in the Actions column to view the details of a connection.

Live Session Details for Youtube traffic

Figure 7. Live Session Details for Youtube traffic

Viewing Live Blocked Sessions Explorer Report

To view the blocked Youtube requests on your network, you may follow the next steps given below:

  1. Navigate to the ZenarmorReports on OPNsense Web UI.
  2. Click on the Blocks tab. You may view the blocked Youtube connections on the charts.

Accessing the `Blocks` report view on Zenarmor

Figure 8. Accessing the Blocks report view on Zenarmor

  1. Click on the Live Blocked Sessions Explorer. This will display the details of the live session.
  2. Select the Block Signature on the Filter by drop-down menu.
  3. Type youtube in the search bar for filtering the sessions.
  4. Click the Search button. This will display all blocked Youtube connections on your network. You should see that all Youtube connections are blocked like in figure 9.

 Viewing Blocked Connections Report Filtered by Block Signature youtube

Figure 9. Viewing Blocked Connections Report Filtered by Block Signature youtube

How to Block Media Streaming for an Entire Network?

Sometimes you may need to block not only Youtube videos but also all media streaming services including audio. Zenarmor allows you to filter a large number of media streaming platforms, such as AOL, Amazon, Apple, BBC, CNN, CTV, Dailymotion, Disney, ESPN, FOX, Google Play, MTV, Netflix, Twitch, VLC, Windows Media, Xiami, etc.

To view media streaming applications that can be blocked by Zenarmor, you may follow the next steps listed below:

  1. Navigate to the ZenarmorPolicies on OPNsense Web UI.
  2. Click the Default policy name, to edit the policy.
  3. Click on the App Control tab.
  4. Click on the orange folder icon next to the Media Streaming category. This will expand the application list.

Viewing Media Streaming applications on Zenarmor

Figure 10. Viewing Media Streaming applications on Zenarmor

To prevent your clients from accessing all media streaming services on the Internet, you may follow the next steps listed below:

  1. Navigate to the ZenarmorPoliciesDefaultApp Control on OPNsense Web UI.
  2. Click on the Media Streaming category name. This will disable the category and change the green enabled icon to the red disabled icon next to the category name.

Blocking Media Streaming application category on Zenarmor

Figure 11. Blocking Media Streaming application category on Zenarmor

  1. Click on the Save Changes button at the right bottom corner of the page to activate the Zenarmor policy rule.

Now, you have blocked all media streaming services for your entire network. None of the clients behind the OPNsense firewall with Zenarmor can't connect to any media streaming sites on the Internet anymore.

Verifying the Configuration

If you wish to verify the configuration and see whether Zenarmor blocks all media streaming traffic successfully or not, you can accomplish this via Zenarmor Sessions Explorer Reports as described in the previous section. You may follow the instructions given below for verification:

  1. Try to connect to www.56.com which is one of the largest video sharing platforms on the Internet with your browser. You shouldn't connect to the website.
  2. Navigate to the ZenarmorReports on OPNsense Web UI. This will open the Connections report view.
  3. Click on the Live Sessions Explorer. This will display the details of the live session.
  4. Select the Application Category on the Filter by drop-down menu.
  5. Type streaming in the search bar for filtering the live sessions.
  6. Click the Search button. This will display all live media streaming connections on your network. You should see that all www.56.com requests are blocked like in figure 12.
  7. Try to access other Youtube videos. You shouldn't watch any Youtube videos except Youtube Kids. You can view the blocked Youtube connections as described in the previous section.

 Blocked www.56.com on  Live Connections Report

Figure 12. Blocked www.56.com on Live Connections Report

How to Block Youtube for a Specific IP or Subnet?

Zenarmor allows you to define a policy for a specific IP address or Subnet. But, you need a paid edition to accomplish this. Because you can not add a new policy in Zenarmor Free Edition. You may find more information on Zenarmor Plans and Pricing

After activating your license key on Zenarmor, you can create new policies depending on your requirements.

note

In this scenario, we assume that Youtube services are allowed for your entire network in your Default policy and you will block them for your kids' tablet with IP address 10.10.10.12.

To block Youtube services for a specific IP address or Subnet, you may follow the steps below:

  1. Create a new policy, such as My Kids above your Default policy on the Zenarmor Policies page to block Youtube for the IP address of your kids' device. You can find more information about adding a new policy on Zenormor official documentation.
  2. Navigate to the ZenarmorPoliciesMy KidsPolicy Configuration on OPNsense Web UI.
  3. Type the IP address of your kids' device, such as 10.10.10.12 in the IP/Network Address field. You can also enter many IP addresses by specifying their subnet masks. CIDR format is accepted ( i.e 10.10.10.0/24).
  4. You can also specify a description for the entries in the description field so that you can remember why you've added them later on, such as Boy Tablet.
  5. Click on the + Add button to add the IP address.

Defining a policy for a specific IP address on Zenarmor

Figure 13. Defining a policy for a specific IP address on Zenarmor

  1. Click Save Policy at the bottom of the page.
  2. Click on the App Controls tab.
  3. Disable Youtube services as described in the How to Block Youtube For Entire Network section.

Blocking Youtube services for a specific IP address

Figure 14. Blocking Youtube services for a specific IP address

Now, you have blocked Youtube services for an IP address. While all other devices on your network can connect to Youtube services, the device with this IP address can not connect.

Verifying the Configuration

If you want to verify this configuration and see whether Zenarmor blocks all Youtube services for a specific IP address, such as 10.10.10.12, successfully or not, you may use Zenarmor Sessions Explorer Reports as described in the previous section and follow the instructions given below.

  1. Try to access the Youtube from your kids' device behind the Zenarmor. You should not be able to watch Youtube videos.
  2. Navigate to the ZenarmorReports on OPNsense Web UI. This will open the Connections report view.
  3. Click on the Live Sessions Explorer. This will display the details of the live session.
  4. Select the Application on the Filter by drop-down menu.
  5. Type youtube in the search bar for filtering the live sessions.
  6. Click the Search button. This will display all live Youtube connections on your network. You should see that all Youtube connections are blocked like in figure 15. You can see that Youtube application requests sent by Src IP(10.10.10.12) are blocked according to the My Kids policy in the report.

 Youtube services for 10.10.10.12 is blocked by My Kids policy

Figure 15. Youtube services for 10.10.10.12 is blocked by the My Kids policy

How to Block Youtube for a Specific Device?

In some cases, a policy must be defined for a specific device. For example, your brilliant son may figure out how to change his restricted IP address to an unrestricted one to circumvent your policies. On Zenarmor, you can now define a policy to block Youtube services based on his mobile device's MAC (Hardware) address.

In this scenario, we assume that Youtube services are allowed for your entire network in your Default policy and you will block them for your son' tablet with MAC address 8C:16:45:6D:76:28.

note

To add a policy on your Zenarmor, you need to have a paid edition. Please, refer to the Zenarmor Plans and Pricing for more information.

To block Youtube services for a specific MAC address, you may follow the steps below:

  1. Create a new policy, such as My Kids above your Default policy on the Zenarmor Policies page. You can find more information about adding a new policy on Zenormor official documentation.
  2. Navigate to the ZenarmorPoliciesMy KidsPolicy Configuration on OPNsense Web UI.
  3. Type the MAC address of your son's device, such as 8C:16:45:6D:76:28 in the MAC Address field.
caution

If you already have created the My Kids policy in the previous section, you must remove the IP address first. Because all of the criteria entered in the policy configuration are matched with the AND logical operator. For a flow to match your configured policy, all of these criteria need to be matching the flow information.

In other words, if you specify multiple criteria for a policy, the policy is only applied to network packets that meet all of the criteria specified in the policy.

For example, if you have an IP address, such as 10.10.10.12, and a MAC Address, such as in your policy with a name My Kids then the policy will only match if a device with MAC address 8C:16:45:6D:76:28 is assigned the 10.10.10.12 IP address. When this device connects to the network using a different IP address, the My Kids policy is not applied to its network packets.

  1. You can also specify a description in the description field so that you can remember whom the device belongs to later on, such as Boy Tablet.
  2. Click on the + Add button to add the MAC address.

Defining a policy for a specific MAC address on Zenarmor

Figure 16. Defining a policy for a specific MAC address on Zenarmor

  1. Click Save Policy at the bottom of the page.
  2. Click on the App Controls tab.
  3. Disable Youtube services as described in the How to Block Youtube For Entire Network section.

Blocking Youtube services for a specific IP address

Figure 17. Blocking Youtube services for a specific MAC address

You have now disabled Youtube services for a MAC address. While all other devices on your network can access YouTube services, the device with this MAC address cannot, regardless of its IP address.

Verifying the Configuration

If you want to verify this configuration and see whether Zenarmor blocks all Youtube services for a specific MAC address, such as 8C:16:45:6D:76:28, successfully or not, you may use Zenarmor Sessions Explorer Reports as described in the previous sections and follow the instructions given below.

  1. Try to access the Youtube from your son's device behind the Zenarmor. You should not be able to watch Youtube videos.
  2. Navigate to the ZenarmorReports on OPNsense Web UI. This will open the Connections report view.
  3. Click on the Live Sessions Explorer. This will display the details of the live session.
  4. Select the Application on the Filter by drop-down menu.
  5. Type youtube in the search bar for filtering the live sessions.
  6. Click the Search button. This will display all live Youtube connections on your network. You should see that all Youtube connections are blocked like in figure 19. You can see that Youtube application requests sent by Src MAC (8C:16:45:6D:76:28) are blocked according to the My Kids policy in the report.

Youtube services for MAC address 8C:16:45:6D:76:28 is blocked by the `My Kids` policy

Figure 18. Youtube services for MAC address 8C:16:45:6D:76:28 is blocked by the My Kids policy

tip

If you don't have the Src MAC column in your report, you can view it by following the steps below:

  1. Click on the Show Columns button at the top of the report.
  2. Select Src Mac from the drop-down list.

This will automatically update your report view.

How to Block Youtube for a Specific Time Interval (Time Scheduling)?

In some cases, you may need to apply a policy for a specific time interval in your network. Let's assume that your hardworking son completes his homework on time and is a successful student. So, you don't want to bother him too much with your Youtube policy. You've decided to let him watch YouTube videos over the weekend. Zenarmor provides you with a time scheduling mechanism for your policies.

In this scenario, we assume that Youtube services are enabled for your entire network in your Default policy and you've already created a policy, such as My Kids to block Youtube videos for your son' tablet with MAC address 8C:16:45:6D:76:28 as described in the previous part. Now, you need to define a schedule for this policy for it to be activated during weekdays.

You may create a new schedule for your policy, My Kids, by following the next steps:

  1. Edit the Policy Configuration of the My Kids policy on Zenarmor.

Time Schedule pane in a Zenarmor policy configuration

Figure 19. Time Schedule pane in a Zenarmor policy configuration

  1. Scroll down until you reach the Time Schedule pane.
  2. Click the +Add button shown on Give a name for that schedule. Specifying a definitive name with a time frame and Policy name will be useful to manage it later (For example; Block_Youtube _For_Son_Weekdays)
  3. Select the weekdays to be applied
  4. Leave the Starting & Stopping hours of policy as default.

Creating a time schedule for a Zenarmor policy

Figure 20. Creating a schedule for a Zenarmor policy

  1. Click the Create & Add to Policy button to create the schedule.

Created time schedules for a Zenarmor policy

Figure 21. Created time schedules for Zenarmor policies

  1. Click Save Policy.

Now, your son can watch Youtube videos on the weekends but not during the weekdays.

How to Block Youtube for a Specific User?

Zenarmor allows you to define user-based filtering. It supports both Microsoft Active Directory and OPNsense Captive Portal integration.

For additional information on how to integrate your Active Directory with Zenarmor, visit the Active Directory Integration Guide.

Also, Zenarmor can get username information from your OPNsense Captive portal if it's up and running. You can find more information about Captive Portal configuration on the How to Configure Captive Portal on OPNsense tutorial written by Sunny Valley Networks.

As a result, you can define a policy to block Youtube services for a specific Active Directory and Captive Portal group/user on your Zenarmor. Our User-based Filtering Using OPNsense Captive Portal Guide may help you to forbid Youtube videos for your captive portal users.

note

You must upgrade to one of the premium editions to take advantage of user-based filtering. If you want AD integration, you'll need the Business Edition.

Why Do You Block Youtube?

The main reasons that force you to block or restrict Youtube or other media streaming platforms are explained below:

  • Productivity: Accessing media streaming platforms, like Youtube, may cause productivity problems. They are a kind of digital distraction that is robbing workers of important hours of productivity and focus. Some employees may not keep themselves far from watching videos for several hours during office hours wasting both their time and the company's money. To increase productivity at your company, you may need to provide your users with a distraction-free Internet and eliminate online addictions. So that your employees can concentrate on their jobs.
  • Bandwidth Efficiency: Allowing media streaming also decreases bandwidth efficiency. It exhausts internet bandwidth resources causing critical applications to fail to function effectively, especially in business networks.
  • Keeping Kids Safe: If you are a responsible IT administrator at a school or a concerned parent, you may want to block media streaming sites, such as Youtube, in your school or home network for keeping the children safe against harmful content. Also, although your kids are good and don't watch inappropriate videos on Youtube, they may waste their time in front of a screen by watching gaming videos while their homework is waiting for them on their desks. Furthermore, they may have an internet dependency problem which causes losing physical, psychological, or social well-being because of Youtube videos. According to studies, obsessive internet use and sadness are becoming increasingly common among today's teenagers. Watching Youtube is a method for them to stay socially relevant among their peers, and it's also a way for them to disconnect from their daily lives. In such circumstances, you may need to ban media streaming completely or restrict watching videos by allowing for limited time intervals, such as half an hour on school days or 1 hour at weekends.

Hands on Video

Here is a video that will guide you through the steps of the Zenarmor® configuration to block Youtube videos on OPNsense: