I am attempting to get my MR47 to work with the content filtering. I have setup a Layer 7 F/W rule that DENY's all "video and music", however, I am having an issue getting to to work correctly.
on my devices, with the DENY rule in place, i no longer have access to sites like Netflix or Spotify (so behaviour is as expected). BUT I can still access YouTube. both in the YouTube app and through the browser. something I have discovered though, is that I CAN NOT access YouTube on these devices if I use INCOGNITO mode. it seems that the firewalling works when the browser is in incognito, but not when its in normal browsing mode. I have tested this across multiple computers, and multiple devices as well, and the result is the same on them all.
I have even created another separate explicit DENY rule for "youtube.com" and that still does not work.
is there something that I have missed? as it all seems to be working other than this specific issue. I have attached a picture to show what I'm seeing.
I will also add a note that looking through the information i can find on the Meraki dashboard, I cant find ANY mention of quantitative YouTube traffic. I have left a stream running for about 1 hour now, to get the data transferred up, so that I can use that to determine the IP, or URL or something. but I get nothing.
I used my device to watch Netflix, and then activated the rule mid stream, and within 5 min it was cut off, same for Spotify. and the traffic to those locations shows up, but I can not get you tube to show up at all.
yes, this was my first thought. but still not resolved.
I have been at this for a couple of days now. The thing I don't understand, is how I can access YouTube from chrome in normal mode, but not in Incognito mode. It appears to be working as it should if I browse in Incognito.
>The thing I don't understand, is how I can access YouTube from chrome in normal mode, but not in Incognito mode.
My guess is the Meraki block is acting on something your Chrome session has already cached. In Incognito mode the browser has to request it again, and it gets blocked.
This I could understand, however, I am able to start a new different stream every time I go to YouTube. That's not something that would be cached. so my understanding is that it should block it at that level because it will have to make another call out to get the content, and this should then be blocked.
you could also try creating a layer 3 rule and block all traffic to the youtube IP's below.
Longer and messier, but just another way
Thanks for that mate, that idea led me down an investigative path that worked.
Although for the cost of the service, I feel that this isn't something that I should need to implement, especially if they have it (YouTube) specifically listed in their list of sites that can be blocked.
However, none of those addresses ranges worked for me. But after some more investigation, I found that I was constantly getting another IP address range back so I just created a L3 rule to stop it, and so far in my testing, it seems to have worked.
current working L3 rule to block YouTube is as follows
DENY ALL 188.8.131.52/15 YouTube
but for future reference, if anyone needs the other listed above, with appropriate CIDR references, they are as follows.
Issue resolved / Case Closed