We have launched the new version of the DrayTek website, and this content is no longer being maintained.
You will find more information on our new site; however, we will keep this page for a few months.

[Vigor3900] How to block YouTube for some LAN clients only?

This note shows how to stop some LAN clients from watching YouTube while still allowing others. Since Google services (Google Maps, Google Drive…) and YouTube sometimes use the same IP address, using URL/Web Category Filter to block YouTube may block some of the Google services as well. However, we can use LAN DNS and IP Filter to block clients from YouTube and make sure other Google services remain available.

(This article applies to Vigor300B, Vigor2960, and Vigor3900. For blocking YouTube on other models, please refer to the article here.)

1. Set up LAN DNS for LAN clients to use SafeSearch Virtual IP for Google services: Go to LAN >> LAN DNS, click Add to establish a profile:

  1. Check Status
  2. Enter "google.com" in Domain Name
  3. Enter "*google.com*" in Alias Domain Name and save it
  4. Enter the SafeSearch Virtual IP in IP Address (Note: the Google SafeSearch IP can be found by doing an nslookup for "forcesafesearch.google.com")
  5. Click Apply to finish the setting.
a screenshot of LAN DNS profile on Vigor3900    

2. Force LAN DNS Redirection: Go to LAN >> General Setup, click on the LAN profile in use and enable DNS Redirection.

a screenshot of LAN General Setup that has DNS Redirection enabled    

3. Add an IP Filter Group: Go to Firewall >> Filter Setup >> IP Filter, click Add:

  1. Check Enable
  2. Enter Group name
  3. Click Apply
a screenshot of adding a new IP Filter Group    

4. Create an IP Filter to pass all traffic from the group of IP addresses that is allowed to watch YouTube. Click on the group created in step 3, and click Add to add a rule:

  1. Enter Profile name
  2. Select “Accept” for Action
  3. Check Enable
  4. Click Add on the right of Source IP Object. Select Range as Address Type and set Start IP Address and End IP Address to the range of IP addresses allowed to access YouTube
a screenshot of Firewall Rule configuration on Vigor3900    

5. Select the object after it is created, then click Apply to finish the IP filter setting.

a screenshot of Firewall rule that has a source IP object selected    

6. Create an IP Filter to pass all traffic destined for other Google services, similar to step 4. Click Add to establish a rule:

  1. Enter profile name
  2. Select “Accept” for Action
  3. Check Enable
  4. Click Add on the right of Destination IP Object. Select Single as Address Type and enter the Google SafeSearch IP in Start IP Address
  5. Select the object created, then click Apply to finish the IP filter setting
a screenshot of adding Google SafeSearch IP in Firewall Rule of Vigor3900    

7. Add another IP filter rule to block DNS queries for YouTube:

  1. Enter Profile name
  2. Select “Block” for Action
  3. Check Enable
  4. Click Add on the right of Destination DNS Object. Add “youtube.com” in Member Table and click Save
  5. Select the object created, then click Apply to finish the IP filter setting
a screenshot of adding destination DNS object in the firewall rule    

With the above configuration, clients with IP addresses between 10.0.0.1 and 10.0.0.100 are able to access YouTube, but other clients are not, because their DNS queries for YouTube are blocked. However, all clients are still able to access other Google services through the SafeSearch IP.
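To confirm the result from a LAN client, the following Python check is an added example (not DrayTek code): it verifies that the Google names resolve only to the SafeSearch IP configured in step 1 and that "youtube.com" resolves only on clients in the allowed range. The function names and the script name are hypothetical, and the addresses used when testing it (such as 203.0.113.10) are constructed placeholders.

```python
import socket
import sys

GOOGLE_NAMES = ("google.com", "www.google.com")  # covered by the *google.com* alias
YOUTUBE_NAME = "youtube.com"                      # name in the Destination DNS Object


def resolve(name):
    """IPv4 addresses the system resolver returns for name; empty set on failure."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except OSError:  # includes socket.gaierror: query dropped or no answer
        return set()
    return {info[4][0] for info in infos}


def check_client(safesearch_ip, youtube_allowed, resolver=resolve):
    """Return a list of deviations from the expected policy (empty list = OK)."""
    problems = []
    for name in GOOGLE_NAMES:
        got = resolver(name)
        if got != {safesearch_ip}:
            problems.append(
                f"{name}: expected {safesearch_ip}, got {sorted(got) or 'no answer'}")
    yt = resolver(YOUTUBE_NAME)
    if youtube_allowed and not yt:
        problems.append(f"{YOUTUBE_NAME}: no answer, but this client should be allowed")
    elif not youtube_allowed and yt:
        problems.append(
            f"{YOUTUBE_NAME}: still resolves to {sorted(yt)} "
            "(stale DNS cache, or DNS not passing through the router)")
    return problems


if __name__ == "__main__":
    # usage: python check_policy.py <safesearch_ip> allowed|blocked
    ip, mode = sys.argv[1], sys.argv[2]
    issues = check_client(ip, youtube_allowed=(mode == "allowed"))
    print("\n".join(issues) if issues else "policy behaves as configured")
    sys.exit(1 if issues else 0)
```

Run it once on a client inside the allowed range with `allowed` and once on a client outside it with `blocked`, passing the IP address entered in the LAN DNS profile.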

 

Troubleshooting:

If YouTube is not being blocked as expected, please try:

  1. Clear the browser's history.
  2. Clear the DNS cache. For Windows users, this can be done by typing “ipconfig /flushdns” in Command Prompt.
  3. Make sure the client's default gateway is the Vigor Router.