
restrict.youtube.com Not Working for Specific Interface

Hello,

I want to restrict my kids from watching inappropriate videos on YouTube and came across restrict.youtube.com. I followed part 1 of the following article. My problem is, when I assign the host definition only to the interface I want (only kids' devices), my whole network is restricted, not just the interface I select. Any help would be appreciated. Thanks!!

https://community.sophos.com/kb/en-us/124329

  • The interface selection doesn't work the way you're trying to use it, it's just telling UTM where that host exists (ie, inside or outside your network). I believe you need to use a NAT rule to accomplish blocking Youtube only on the kid's VLAN.

  • Hello.

    Can you show me your firewall rule?

    Thank you

  • Hi PJ and welcome to the UTM Community!

    Dlabun is right, binding those definitions to an interface is your problem.  See #3 in Rulz.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for the responses!! I understand now that I can't assign a host to a specific interface. How then would I go about using restrict.youtube.com? I don't want to block them completely, I just want to make sure they don't get to inappropriate videos. These are the levels of restrictions:

    • Strict restriction: 216.239.38.120
    • Moderate restriction: 216.239.38.119

    Would I create host definitions and then assign them to DNS Forwarders? I currently have an availability group with Family DNS host definitions in it.

  • When Dlabun and I saw your interface binding, we really didn't read the rest of your post.  To put the kids on strict restrictions but leave yours as no restriction, you can't use the technique suggested in the KB article.  Delete those Host objects.

    If you're using Web Filtering in Transparent mode, you can try a NAT rule like 'DNAT :  Kids (Network) -> Any -> {Group of five DNS Group objects for the FQDNs} : to 216.239.38.120'.  Any luck with that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob. I am using Web Filtering with transparent mode turned on and decrypt and scan turned on so I can use Google SafeSearch.

    I tried as you suggested but got the error in the attached screenshot, so I ended up creating DNS Host objects instead of groups. I created 5 different DNAT rules, one for each domain, going to a DNS Host for restrict.youtube.com = 216.239.38.120. I see my device using the NAT rule I created, but it isn't taking action and pointing it to restrict.youtube.com. Here's the firewall log:

    3:07:26 NAT rule #4 TCP x.x.x.x : 37004 -> 216.58.195.74 : 443 [SYN] len=60 ttl=64 tos=0x00 srcmac=x.x.x.x.x.x dstmac=x.x.x.x.x.x
    23:07:28 NAT rule #4 TCP x.x.x.x : 37005 -> 216.58.195.74 : 443 [SYN] len=60 ttl=64 tos=0x00 srcmac=x.x.x.x.x.x dstmac=x.x.x.x.x.x

  • It works for me, PJ, when I use a Network Group containing DNS Group objects:

    If you don't use DNS Group instead of DNS Host objects, many of the kids' requests will not be directed to the restricted site as these FQDNs have multiple associated IPs.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
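The DNAT rule Bob describes above ('Kids (Network) -> Any -> {Network Group of DNS Group objects} : to 216.239.38.120') and his point about DNS Host versus DNS Group objects, modelled as an added example that is not Sophos UTM code. The five FQDNs are assumed to be the ones Google publishes for YouTube restriction, and all addresses except the two restrict.youtube.com ones are made up; the script computes how many kids' flows the rule actually redirects under each object type.

```python
# Added example (not Sophos code): models the UTM DNAT rule from the thread and shows
# why DNS Host objects (one address each) miss flows that DNS Group objects catch.
import ipaddress
from dataclasses import dataclass

STRICT = "216.239.38.120"    # restrict.youtube.com, strict restriction (from the thread)
MODERATE = "216.239.38.119"  # moderate restriction (from the thread)

# Constructed DNS answers: FQDN names assumed from Google's YouTube restriction
# guidance; the addresses below are made up for this example.
DNS_ANSWERS = {
    "www.youtube.com":          ["216.58.195.74", "142.250.64.78", "172.217.6.46"],
    "m.youtube.com":            ["142.250.64.78", "216.58.195.78"],
    "youtubei.googleapis.com":  ["172.217.6.42", "142.250.64.74"],
    "youtube.googleapis.com":   ["142.250.64.74"],
    "www.youtube-nocookie.com": ["216.58.195.110", "172.217.6.110"],
}

def dns_host_targets(answers):
    """A UTM DNS Host object resolves to a single address per FQDN."""
    return {addrs[0] for addrs in answers.values()}

def dns_group_targets(answers):
    """A UTM DNS Group object keeps every address the FQDN resolves to."""
    return {a for addrs in answers.values() for a in addrs}

@dataclass
class Dnat:
    source_net: str    # "Kids (Network)"
    dest_addrs: set    # the Network Group of DNS objects (service is Any, as in the rule)
    redirect_to: str   # "to 216.239.38.120"

def apply_dnat(rule, src_ip, dst_ip):
    """Return the destination the packet actually reaches after the DNAT rule."""
    in_kids = ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source_net)
    if in_kids and dst_ip in rule.dest_addrs:
        return rule.redirect_to
    return dst_ip

def coverage(rule, flows):
    """Fraction of (src, dst) flows that end up at the restricted address."""
    hits = sum(apply_dnat(rule, s, d) == rule.redirect_to for s, d in flows)
    return hits / len(flows)

# Constructed flows: a kids' device on 192.168.20.0/24 reaching each resolved address.
KIDS_FLOWS = [("192.168.20.10", a) for addrs in DNS_ANSWERS.values() for a in addrs]
HOST_RULE = Dnat("192.168.20.0/24", dns_host_targets(DNS_ANSWERS), STRICT)
GROUP_RULE = Dnat("192.168.20.0/24", dns_group_targets(DNS_ANSWERS), STRICT)

if __name__ == "__main__":
    print("DNS Host coverage :", coverage(HOST_RULE, KIDS_FLOWS))    # 0.7
    print("DNS Group coverage:", coverage(GROUP_RULE, KIDS_FLOWS))   # 1.0
```

Swapping STRICT for MODERATE in the rule gives the moderate level from the same construction; a device outside the kids' network is left untouched either way.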
  • Thanks Bob!

    It worked, but only when I turned off Web Filtering. It looks like Web Filtering takes precedence over my DNAT rule. Is there any way to force the DNAT first?

    And thanks for all your help on this! I feel like we're almost there.

  • Well, that's confusing as the DNAT should apply before the web proxy sees the traffic (see #2 in Rulz).  What do you see when Web Filtering is enabled - what does "not working" mean?  When it's "not working," what relevant line appears in the Web Filtering log?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yeah, I agree, the DNAT should happen first. See my screenshots from yesterday. The timestamps are the same in the Web Filtering log and the firewall log... the same call. I made an inappropriate search (blurred). It passed in the web log, and when you match timestamps in the firewall log, the same call uses NAT rule 1 (see screenshot). Am I missing something?