October 2, 2022

It’s easy to get sucked into a great plot on Netflix and lose track of time entirely. I had a play with the firewall on my Mikrotik router; I’ve set it up to help limit the amount of streaming our household can consume in one sitting. We’ve called it ‘anti-binge’.

We use Roku streaming devices. My firewall rules detect new streaming activity from a Roku device and permit it for an hour. The device is then blocked for a further three hours. It helps us consume TV more mindfully.

Plus, it was fun to set up. Here’s how.

Identify streaming devices

The Roku devices needed to be in the same IP range. I run VLANs, so I did consider a separate subnet, but that would have complicated casting.

Instead, I simply gave them all static IPs:

/ip/dhcp-server/lease
add address=10.2.3.122 comment="Living Room Roku" mac-address=20:EF:BD:EE:00:AA server=home-dhcp
add address=10.2.3.123 comment="Upstairs Roku" mac-address=20:EF:BD:EE:00:33 server=home-dhcp

I then added these IP addresses to a new address list (binge_detect_list):

/ip/firewall/address-list
add address=10.2.3.121-10.2.3.124 comment="Anti-Binge TV devices " list=binge_detect_list

Detect streaming

Now I add two firewall filter rules on the forward chain. These rules work as follows:

  1. match a connection from a device on binge_detect_list heading out through the wans interface list;
  2. if that connection has transferred more than 10 MB, add the device's address to binge_restricted_list for four hours and to binge_permitted_list for 57 minutes (the second rule skips connections already carrying the antibinge_permitted mark):
/ip firewall filter
add action=add-src-to-address-list address-list=binge_restricted_list address-list-timeout=4h chain=forward comment=\
    "ANTI_BINGE Match in Binge Device transfers more than X mb in a single connection, add to Binge Restricted Device for 4 hours" connection-bytes=10000000-0 disabled=no \
    log=yes log-prefix=anti_binge out-interface-list=wans src-address-list=binge_detect_list place-before=0
add action=add-src-to-address-list address-list=binge_permitted_list address-list-timeout=57m chain=forward comment=\
    "ANTI_BINGE Match in Binge Device transfers more than X mb in a single connection, add to Binge Permitted Devices for 1 hour" connection-bytes=10000000-0 \
    connection-mark=!antibinge_permitted disabled=no log=yes log-prefix=anti_binge out-interface-list=wans src-address-list=binge_detect_list place-before=0

Permit and block streaming

The final piece of the puzzle is to permit or block streaming.

The rules above mean that the triggering device is added to both binge_permitted_list and binge_restricted_list at the same time. The difference is how long the device stays on each list.

The logic is to reject traffic from devices on binge_restricted_list (which holds them for four hours) unless that device is also still on binge_permitted_list (which holds them for only one hour).
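The permit/block rules themselves are not shown above. Here is one way to implement the stated logic, as an added example of my own rather than the author's configuration. It reuses the three address-list names and the wans interface list from the post, and introduces a hypothetical custom chain named anti_binge so the decision lives in one place:

```routeros
/ip firewall filter
# Hypothetical chain name (not from the post): restricted devices heading out
# through the WAN are diverted here for the permit/block decision.
add chain=forward action=jump jump-target=anti_binge \
    src-address-list=binge_restricted_list out-interface-list=wans \
    comment="ANTI_BINGE Evaluate restricted devices" place-before=0
# Still inside the permitted hour: return and let the rest of the forward
# chain handle the packet as if anti-binge did not exist.
add chain=anti_binge action=return src-address-list=binge_permitted_list \
    comment="ANTI_BINGE Still inside the permitted hour"
# Permitted entry (57m) has expired but the restricted entry (4h) has not:
# reject rather than drop so the Roku fails fast instead of hanging.
add chain=anti_binge action=reject reject-with=icmp-network-unreachable \
    log=yes log-prefix=anti_binge \
    comment="ANTI_BINGE Blocked for the remainder of the four hours"
```

Two points worth checking after adding these. First, place-before=0 matters for the same reason it does on the detection rules: the jump has to sit above any generic accept for established connections, otherwise a stream that was already running when the permitted entry expired would never reach the reject rule and the cutoff would only apply to new connections. Second, both list entries are created by the same trigger packet, so the block actually runs from minute 57 until hour four; if you want a different balance, adjust the two address-list-timeout values in the detection rules rather than anything here.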