DNS Filtering on Guest Network

dvaz

Occasional Visitor
I am trying to push OpenDNS filtering onto the guest network for when my kids' friends come over. I found a post from a couple of years ago that detailed how it was done; however, I can't get it to work with the latest release of Merlin:

http://www.snbforums.com/threads/guest-network-with-dns-filtering.17740/

Firewall script that detaches wl0.1 from br0, creates br1 and adds wl0.1 to it:

Code:
#!/bin/sh
# Log everything this script does (with command tracing) to /tmp/firewall-start.log
exec 1>>/tmp/firewall-start.log 2>&1
date
set -x
# Current WAN address, used for the SNAT rule below
WANIP=$(/sbin/ifconfig eth0|grep 'inet addr'|cut -d':' -f2|awk '{print $1}')
# Move the guest SSID interface out of the LAN bridge into its own bridge with its own subnet
brctl delif br0 wl0.1
brctl addbr br1
brctl addif br1 wl0.1
ifconfig br1 192.168.3.1 netmask 255.255.255.0 broadcast 192.168.3.255
# NAT guest traffic out of the WAN; isolate guests from the main LAN
# (each -I inserts at the top, so the two DROP rules end up above the ACCEPT)
iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to $WANIP
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d 192.168.1.0/24 -m state --state NEW -j DROP
# Guests may talk to the router itself only for DHCP and DNS
iptables -I INPUT -i br1 -p udp --dport bootps --sport bootpc -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport domain -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport domain -j ACCEPT
#Force all guests to use filtered DNS (Norton Children)
iptables -t nat -I PREROUTING -i br1 -p tcp --dport domain -j DNAT --to 199.85.126.30
iptables -t nat -I PREROUTING -i br1 -p udp --dport domain -j DNAT --to 199.85.126.30

dnsmasq.conf.add
Code:
interface=br1
dhcp-range=br1,192.168.3.2,192.168.3.254,255.255.255.0,86400s
dhcp-option=br1,3,192.168.3.1

I can run the firewall script and have created the dnsmasq.conf.add file, but I can't connect to the guest SSID. When I try to connect it just says "connecting" on my phone and then it fails.

Any ideas?
 
It would certainly help if you could name what router you are using. In new routers like the AC87U and in old ones like the AC66U there is a setting called DNS Filter. It's under AiProtection on the 87U and under Parental Controls on the AC66U. It should do the job for you. You can select Global Filter to Router mode to force everyone to use the router's DNS, whether it's fetched from the ISP or you manually specified it under the WAN page. And then you can also force hosts on the guest network to use a particular custom DNS IP. The only issue with this setup is that you have to manually enter the devices like I did and select OpenDNS for them. You can also force every device, including the ones on the Guest network, to use OpenDNS by selecting Global Filter Mode = OpenDNS Family and then specify your devices manually to use other servers if you want; that way all devices except yours will be forced to use OpenDNS even if they configure static DNS. For example:
 

Attachment: Untitled.png

It is the N66U. I ended up using a spare Linksys E2000 with DD-WRT as a guest WAP; it was easy enough to set up, and it puts them on a separate subnet from my main LAN.

The option you mention looks good though, so manual DNS entries take precedence over the global setting, huh? That could work too: put everyone on OpenDNS except my main computer.
 
Yeah. Not sure if the N66U has that option in its firmware. In case it doesn't, then I guess you can only use iptables. For that you can use this script.

Log into the router with PuTTY
cd /jffs/scripts
vi firewall-start
and then paste this script

#!/bin/sh

#block DNS
# Allow forwarded UDP DNS only to the two approved resolvers, then drop all other UDP/53
iptables -I FORWARD 7 -p udp -o eth0 -d 208.67.222.123 --dport 53 -j ACCEPT
iptables -I FORWARD 8 -p udp -o eth0 -d 8.8.8.8 --dport 53 -j ACCEPT
iptables -I FORWARD 9 -p udp -o eth0 --dport 53 -j DROP

hit the <Esc> key
:wq
chmod a+rx /jffs/scripts/firewall-start

restart the router

Specify 208.67.222.123 manually as the DNS server on your WAN port, but don't specify 8.8.8.8 anywhere. Then your router will give out the OpenDNS IP (208.67.222.123) to every computer, whether it is on GUEST or LAN, and if they try to change it manually it will not work, except for the DNS you specify in the 2nd line (8.8.8.8), which you can use on your main computer for unrestricted access. It will drop all packets on port 53 (DNS) for all other IPs. You can use any IP on the 2nd line. The first one is for OpenDNS.

You have to make sure JFFS is enabled: under Administration > System, set Enable JFFS = Yes and Enable JFFS custom scripts and configs = Yes.

http://www.snbforums.com/threads/ip-tables-help.24095/#post-179093

This thread may help. I tried the same way; it didn't work with the script, and I later figured out that I had the wrong DNS configured on my test computer, so it was actually working fine. The GUI is much easier though, if you have that option.
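The two scripts in this thread take different routes to the same goal: the first post rewrites guest DNS queries with DNAT, the reply above only permits forwarded UDP/53 to approved resolvers and drops the rest. The script below is an added example (not code from either poster) that combines both on one guest bridge and also covers TCP/53, which the reply's script leaves open; it adds a check that reads iptables-save output and confirms both DNAT rules are present, so you can verify the redirect without guessing at which test machine is misconfigured. It assumes the guest bridge is br1, the function names are my own, and it uses the OpenDNS FamilyShield address from the reply above as the default resolver. Setting IPT to "echo iptables" prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: force a guest bridge onto one filtering resolver and verify it.
# Assumptions: guest interface is br1; resolver defaults to 208.67.222.123
# (the OpenDNS FamilyShield address given in the thread). Meant to be called
# from /jffs/scripts/firewall-start on an Asuswrt-Merlin router.

# Set IPT="echo iptables" to dry-run: prints the commands instead of applying them.
IPT="${IPT:-iptables}"

# Redirect every DNS query (UDP and TCP) from the guest bridge to the resolver,
# then allow forwarded port-53 traffic only to that resolver and drop the rest.
# Every rule is inserted with -I (top of chain), so the DROPs are inserted
# first and the ACCEPTs afterwards, leaving the ACCEPTs above the DROPs.
apply_guest_dns_rules() {
    guest_if="$1"
    resolver="${2:-208.67.222.123}"
    # Transparent redirect: any destination on port 53 becomes the filtering resolver
    $IPT -t nat -I PREROUTING -i "$guest_if" -p udp --dport 53 -j DNAT --to-destination "$resolver"
    $IPT -t nat -I PREROUTING -i "$guest_if" -p tcp --dport 53 -j DNAT --to-destination "$resolver"
    # Forward-chain backstop: drop port 53 to anything else (inserted first)
    $IPT -I FORWARD -i "$guest_if" -p udp --dport 53 -j DROP
    $IPT -I FORWARD -i "$guest_if" -p tcp --dport 53 -j DROP
    # ...and allow it only to the approved resolver (inserted last, so it sits on top)
    $IPT -I FORWARD -i "$guest_if" -p udp --dport 53 -d "$resolver" -j ACCEPT
    $IPT -I FORWARD -i "$guest_if" -p tcp --dport 53 -d "$resolver" -j ACCEPT
}

# Read iptables-save output on stdin and confirm a DNAT rule exists for both
# UDP and TCP port 53 on the guest interface. Returns 0 if both are present,
# 1 (with a message on stderr) if either is missing.
check_dns_redirect() {
    guest_if="$1"
    resolver="${2:-208.67.222.123}"
    saved="$(cat)"
    for proto in udp tcp; do
        if ! printf '%s\n' "$saved" | grep -q -- "-i $guest_if -p $proto .*--dport 53 -j DNAT --to-destination $resolver"; then
            echo "missing $proto DNAT rule for $guest_if -> $resolver" >&2
            return 1
        fi
    done
    return 0
}

# Command-line entry point: "apply" installs the rules, "check" verifies the live ruleset.
case "${1:-}" in
    apply) apply_guest_dns_rules br1 "${2:-208.67.222.123}" ;;
    check) iptables-save | check_dns_redirect br1 "${2:-208.67.222.123}" ;;
esac
```

On the router, `sh guest-dns.sh apply` installs the rules and `sh guest-dns.sh check` confirms the redirect survived a firewall restart; `IPT="echo iptables" sh guest-dns.sh apply` shows the exact rules before touching the live chains. The check only proves the rules exist, not that clients honour them: a guest using DNS over TLS or HTTPS never sends plain port-53 traffic and is untouched by any of the rules on this page.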
 
