RT-N66U DNS Filter


Drom

New Around Here
I run RT-N66U with the newest 3.68_2 firmware.

Since 3.68 I have had an issue with DNS-based Filtering.
I run my traffic through OpenDNS with the DNS servers set to 208.67.220.220 and 208.67.222.222.
The Global Filter mode is set to "No Filtering", and I have selected "OpenDNS Home" for the devices I want to use the filter. All good so far, it works.

The problem is that all other devices get caught in the same filter. If I don't add these devices to the list, it filters them. And even if I add these devices to the list and select either "No filtering" or "Router", it doesn't matter. They all get caught in the OpenDNS-filter.

In the last couple of weeks it stopped filtering these devices a couple of times, but then, seemingly at random, jumped into filtering again.

I have tried to reboot and upgrade, with no luck.

Please advise me here.

Drom

(screenshot attached: dns.png)
 
Very strange. Do you have any non-standard customisations to the router, user scripts, etc.? It will be quite hard to debug if it works sometimes and doesn't at other times.
 
Thanks for replying!

No, no user scripts or non-standards. And yes, the filtering seems to happen in some random long intervals. It can work for a day or two, and then filter every device for weeks now.

I just can't seem to get past it, even though I let the "Router" setting be applied.
At the moment I'm still filtered, even though I turned DNS-based filtering OFF! (Browser cookies and cache are wiped clean.)

Is there such a thing as a router cache that needs to be wiped as well?
 
Is there such a thing as a router cache that needs to be wiped as well?
Not that would apply to DNS Filtering. The way it works is by intercepting the DNS requests at the packet level and redirecting them on-the-fly to the specified server.

How have you set up the DNS that the router uses itself? Are you using your ISP's DNS servers? (WAN > Internet Connection > WAN DNS Setting)
 
Also double check your settings at LAN > DHCP Server > DNS and WINS Server Setting, which should be left at the defaults (DNS Server 1&2 both blank).
 
WAN DNS Setting
Connect to DNS Server automatically: Yes

LAN > DHCP Server > DNS and WINS Server Setting
DNS Server 1: (empty)
DNS Server 2: (empty)
Advertise router's IP in addition to user-specified DNS: Yes
Forward local domain queries to upstream DNS: No
Enable DNSSEC support: No

When I check devices, they seem to get their manually assigned IP correctly.
Parental Control > DNSFiltering is still turned OFF, and I'm getting filtered on all devices.

Thanks again
 
The only thing I can suggest is that, having enabled Telnet or SSH access to the router, you log into it and issue the following from the command line. If you post the results here we might be able to see what's happening.

iptables-save
 
I have SSHed to the router and have generated two iptables rulesets.

This is when the filter is turned on.

Code:
# Generated by iptables-save v1.3.8 on Tue Sep 19 14:29:05 2017
*nat
:PREROUTING ACCEPT [92:6071]
:POSTROUTING ACCEPT [8:1180]
:OUTPUT ACCEPT [8:1180]
:DNSFILTER - [0:0]
:LOCALSRV - [0:0]
:PCREDIRECT - [0:0]
:PUPNP - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
-A PREROUTING -d XXX.XX.XX.XXX -j VSERVER 
-A PREROUTING -s 192.168.1.0/255.255.255.0 -p udp -m udp --dport 53 -j DNSFILTER 
-A PREROUTING -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 53 -j DNSFILTER 
-A POSTROUTING -o eth0 -j PUPNP 
-A POSTROUTING -s ! XXX.XX.XX.XXX -o eth0 -j MASQUERADE 
-A POSTROUTING -m mark --mark 0x8000/0x8000 -j MASQUERADE 
-A DNSFILTER -m mac --mac-source A4:71:74:F5:F1:8C -j DNAT --to-destination 208.67.222.222 
-A DNSFILTER -m mac --mac-source 00:26:C6:B6:0A:72 -j RETURN 
-A DNSFILTER -m mac --mac-source 78:F8:82:9E:CD:DB -j RETURN 
-A VSERVER -p tcp -m tcp --dport 23222 -j DNAT --to-destination 192.168.1.50:23222 
-A VSERVER -p udp -m udp --dport 23222 -j DNAT --to-destination 192.168.1.50:23222
-A VSERVER -j VUPNP 
COMMIT
# Completed on Tue Sep 19 14:29:05 2017
# Generated by iptables-save v1.3.8 on Tue Sep 19 14:29:05 2017
*mangle
:PREROUTING ACCEPT [106642:10369996]
:INPUT ACCEPT [73791:7725031]
:FORWARD ACCEPT [32491:2593519]
:OUTPUT ACCEPT [70215:224669769]
:POSTROUTING ACCEPT [102735:227270943]
-A PREROUTING -d XXX.XX.XX.XXX -i ! eth0 -j MARK --set-mark 0x8000/0x8000 
-A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o br0 -j MARK --set-mark 0x1/0x7 
COMMIT
# Completed on Tue Sep 19 14:29:05 2017
# Generated by iptables-save v1.3.8 on Tue Sep 19 14:29:05 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [438:808389]
:ACCESS_RESTRICTION - [0:0]
:FUPNP - [0:0]
:INPUT_ICMP - [0:0]
:NSFW - [0:0]
:PControls - [0:0]
:PTCSRVLAN - [0:0]
:PTCSRVWAN - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j logdrop 
-A INPUT -m state --state RELATED,ESTABLISHED -j logaccept 
-A INPUT -m state --state INVALID -j logdrop 
-A INPUT -i ! br0 -j PTCSRVWAN 
-A INPUT -i br0 -j PTCSRVLAN 
-A INPUT -i br0 -m state --state NEW -j ACCEPT 
-A INPUT -i lo -m state --state NEW -j ACCEPT 
-A INPUT -p udp -m udp --sport 67 --dport 68 -j logaccept 
-A INPUT -p icmp -j INPUT_ICMP 
-A INPUT -j logdrop 
-A FORWARD -m state --state RELATED,ESTABLISHED -j logaccept 
-A FORWARD -i ! br0 -o eth0 -j logdrop 
-A FORWARD -i eth0 -m state --state INVALID -j logdrop 
-A FORWARD -i br0 -o br0 -j logaccept 
-A FORWARD -i eth0 -j SECURITY 
-A FORWARD -j NSFW 
-A FORWARD -m conntrack --ctstate DNAT -j logaccept 
-A FORWARD -i br0 -j logaccept 
-A INPUT_ICMP -p icmp -m icmp --icmp-type 8 -j RETURN 
-A INPUT_ICMP -p icmp -m icmp --icmp-type 13 -j RETURN 
-A INPUT_ICMP -p icmp -j logaccept 
-A PControls -j logaccept 
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN 
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j logdrop 
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN 
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j logdrop 
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN 
-A SECURITY -p icmp -m icmp --icmp-type 8 -j logdrop 
-A SECURITY -j RETURN 
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options 
-A logaccept -j ACCEPT 
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options 
-A logdrop -j DROP 
COMMIT
# Completed on Tue Sep 19 14:29:05 2017

I see the related MAC addresses. But all MACs are still filtered.

The below is from when the filter is turned off completely. All devices are still filtered at the moment.

Code:
# Generated by iptables-save v1.3.8 on Tue Sep 19 14:32:26 2017
*nat
:PREROUTING ACCEPT [68:4963]
:POSTROUTING ACCEPT [16:1807]
:OUTPUT ACCEPT [16:1807]
:DNSFILTER - [0:0]
:LOCALSRV - [0:0]
:PCREDIRECT - [0:0]
:PUPNP - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
-A PREROUTING -d XXX.XX.XX.XXX -j VSERVER 
-A POSTROUTING -o eth0 -j PUPNP 
-A POSTROUTING -s ! XXX.XX.XX.XXX -o eth0 -j MASQUERADE 
-A POSTROUTING -m mark --mark 0x8000/0x8000 -j MASQUERADE 
-A VSERVER -p tcp -m tcp --dport 23222 -j DNAT --to-destination 192.168.1.50:23222 
-A VSERVER -p udp -m udp --dport 23222 -j DNAT --to-destination 192.168.1.50:23222
-A VSERVER -j VUPNP 
COMMIT
# Completed on Tue Sep 19 14:32:26 2017
# Generated by iptables-save v1.3.8 on Tue Sep 19 14:32:26 2017
*mangle
:PREROUTING ACCEPT [108334:10532803]
:INPUT ACCEPT [74852:7848696]
:FORWARD ACCEPT [33114:2631577]
:OUTPUT ACCEPT [71311:225710273]
:POSTROUTING ACCEPT [104454:228349505]
-A PREROUTING -d XXX.XX.XX.XXX -i ! eth0 -j MARK --set-mark 0x8000/0x8000 
-A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o br0 -j MARK --set-mark 0x1/0x7 
COMMIT
# Completed on Tue Sep 19 14:32:26 2017
# Generated by iptables-save v1.3.8 on Tue Sep 19 14:32:26 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [551:842794]
:ACCESS_RESTRICTION - [0:0]
:FUPNP - [0:0]
:INPUT_ICMP - [0:0]
:NSFW - [0:0]
:PControls - [0:0]
:PTCSRVLAN - [0:0]
:PTCSRVWAN - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j logdrop 
-A INPUT -m state --state RELATED,ESTABLISHED -j logaccept 
-A INPUT -m state --state INVALID -j logdrop 
-A INPUT -i ! br0 -j PTCSRVWAN 
-A INPUT -i br0 -j PTCSRVLAN 
-A INPUT -i br0 -m state --state NEW -j ACCEPT 
-A INPUT -i lo -m state --state NEW -j ACCEPT 
-A INPUT -p udp -m udp --sport 67 --dport 68 -j logaccept 
-A INPUT -p icmp -j INPUT_ICMP 
-A INPUT -j logdrop 
-A FORWARD -m state --state RELATED,ESTABLISHED -j logaccept 
-A FORWARD -i ! br0 -o eth0 -j logdrop 
-A FORWARD -i eth0 -m state --state INVALID -j logdrop 
-A FORWARD -i br0 -o br0 -j logaccept 
-A FORWARD -i eth0 -j SECURITY 
-A FORWARD -j NSFW 
-A FORWARD -m conntrack --ctstate DNAT -j logaccept 
-A FORWARD -i br0 -j logaccept 
-A INPUT_ICMP -p icmp -m icmp --icmp-type 8 -j RETURN 
-A INPUT_ICMP -p icmp -m icmp --icmp-type 13 -j RETURN 
-A INPUT_ICMP -p icmp -j logaccept 
-A PControls -j logaccept 
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN 
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j logdrop 
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN 
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j logdrop 
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN 
-A SECURITY -p icmp -m icmp --icmp-type 8 -j logdrop 
-A SECURITY -j RETURN 
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options 
-A logaccept -j ACCEPT 
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options 
-A logdrop -j DROP 
COMMIT
# Completed on Tue Sep 19 14:32:26 2017

I'm lost here.
 
Check the DNS configuration on your devices themselves and make sure they are set to DHCP and not with a static DNS.
 
I have SSHed to the router and have generated two iptables rulesets.
I can't see anything wrong there. I see one device (A4:71:74:F5:F1:8C) directed to 208.67.222.222, and two devices (00:26:C6:B6:0A:72 & 78:F8:82:9E:CD:DB) explicitly ignoring DNS Filter. All the other devices will default to ignoring the DNS Filter.

Check what RMerlin said.
 
Check the DNS configuration on your devices themselves and make sure they are set to DHCP and not with a static DNS.
But shouldn't DNS Filter intercept the DNS requests even if this was the case?

One very strange thing: in the first iptables-save that was posted with the filter active, the DNSFILTER chain got no hits (the count was [0:0]). Are you sure you don't have another device on the network with an address conflict with the router?
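The interception RMerlin describes (LAN packets to port 53 jumped from PREROUTING into the DNSFILTER chain and DNATed by source MAC) and the chain check john9527 raises can both be read off an iptables-save dump mechanically. The shell script below is an added example, not code from this thread or from the Asuswrt-Merlin firmware; it assumes the rule shapes seen in the posted dumps, treats a DNAT rule with no MAC match as the Global Filter Mode catch-all, and feeds itself constructed samples trimmed to the nat table.

```shell
#!/bin/sh
# Added example, not from the thread: resolve what the DNSFILTER nat chain in an
# iptables-save dump does with DNS traffic (dport 53) from one client MAC.
# Usage: iptables-save | dnsfilter_policy <mac>
# Output: "DNAT <server>", "NO_FILTER(explicit)", "NO_FILTER(global default)",
#         "DNAT <server> (global default)" or "NOT_HOOKED" (no PREROUTING jump).
dnsfilter_policy() {
  awk -v mac="$1" '
    BEGIN { mac = toupper(mac) }
    /^\*/ { table = substr($1, 2) }                # which table the rules belong to
    table == "nat" && /^-A PREROUTING / && /--dport 53/ && / -j DNSFILTER/ { hooked = 1 }
    table == "nat" && /^-A DNSFILTER / {
      m = ""; dst = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "--mac-source") m = toupper($(i + 1))
        if ($i == "--to-destination") dst = $(i + 1)
      }
      # Assumption: a DNAT rule with no MAC match is the Global Filter Mode catch-all.
      if (m == "" && dst != "") { global = dst; next }
      if (m == mac && !decided) {          # first matching rule wins, as in iptables
        decided = 1
        if (dst != "") print "DNAT " dst; else print "NO_FILTER(explicit)"
      }
    }
    END {
      if (!hooked) print "NOT_HOOKED"
      else if (!decided && global != "") print "DNAT " global " (global default)"
      else if (!decided) print "NO_FILTER(global default)"
    }'
}

# Constructed samples modelled on the dumps posted in the thread, trimmed to the nat table.
SAMPLE_ON='*nat
:PREROUTING ACCEPT [92:6071]
:DNSFILTER - [0:0]
-A PREROUTING -s 192.168.1.0/255.255.255.0 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 53 -j DNSFILTER
-A DNSFILTER -m mac --mac-source A4:71:74:F5:F1:8C -j DNAT --to-destination 208.67.222.222
-A DNSFILTER -m mac --mac-source 00:26:C6:B6:0A:72 -j RETURN
COMMIT'
SAMPLE_OFF='*nat
:PREROUTING ACCEPT [68:4963]
:DNSFILTER - [0:0]
COMMIT'

printf '%s\n' "$SAMPLE_ON"  | dnsfilter_policy A4:71:74:F5:F1:8C   # DNAT 208.67.222.222
printf '%s\n' "$SAMPLE_ON"  | dnsfilter_policy 11:22:33:44:55:66   # NO_FILTER(global default)
printf '%s\n' "$SAMPLE_OFF" | dnsfilter_policy A4:71:74:F5:F1:8C   # NOT_HOOKED
```

For actual hit counts, run `iptables-save -c`, which prefixes each rule with its `[packets:bytes]` counters; the `[0:0]` printed after a user-defined chain such as `:DNSFILTER -` is emitted unconditionally and is not a hit count.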
 
But shouldn't DNS Filter intercept the DNS requests even if this was the case?
Usually, but not in this specific case where he's talking about devices set to "No Filtering", so they are not subject to any interception.
 
Usually, but not in this specific case where he's talking about devices set to "No Filtering", so they are not subject to any interception.
Ahh...yes of course :oops:

Then Merlin's suggestion definitely goes along with my observation on the chain count.
 
I got occupied elsewhere (obviously), but I thought I would finish this thread for future reference.

As Merlin advised, I double-checked the devices' configs, but there were no static DNS settings, only DHCP.

And there are no devices with conflicting addresses, as suggested by john9527.

I could not find the problem, and I haven't changed any settings. But since updating to the new firmware, the error is gone. I haven't read the changelog to know whether that is the reason. But it works, and I try not to fix what isn't broken ;)

Thanks for all your input!
Drom
 
Nice settings, I do the same at home, but I was thinking of the reverse mode of this: maybe selecting only my devices to stay in the NO FILTERING list and leaving all the rest of the devices, or whoever connects to the router, to use the GLOBAL FILTERING mode (NORTON SAFE).

I think it is easier to exclude us from the list than to include each one of the clients that we want to pass through a DNS filter. Using the reverse mode will save a lot of time and effort, because if someone new comes to your home and connects to your wifi router, the MAC and IP will automatically go into the DNS filter / Norton and your devices will always be free of it all. I hope Merlin does something about it in the future.
 
I don't understand what you are wanting Merlin to do. :confused: What you describe can already be done with DNS Filter.

Yah, but you have to manually add each one of the devices that you want to pass through the custom DNS filter. What I want to do is include my desk, laptop and cellphone in the DNS filter / NOTHING and leave the GLOBAL filtering option enabled with the CUSTOM ONE / Norton Safe enabled. This way each one of the devices on my wifi will be passing into the DNS FILTER and my devices will stay out of it using the NO FILTERING option, got it? =]
 
Yah, but you have to manually add each one of the devices that you want to pass through the custom DNS filter. What I want to do is include my desk, laptop and cellphone in the DNS filter / NOTHING and leave the GLOBAL filtering option enabled with the CUSTOM ONE / Norton Safe enabled. This way each one of the devices on my wifi will be passing into the DNS FILTER and my devices will stay out of it using the NO FILTERING option, got it? =]
No, sorry. I'm still not getting it.

You want every device to use Norton Safe, except your desktop, laptop and phone, for which you don't want any filtering.

So...

Global Filter Mode = Norton Safe
Client List has 3 entries for desktop, laptop and phone = No Filtering
 
No, sorry. I'm still not getting it.

You want every device to use Norton Safe, except your desktop, laptop and phone, for which you don't want any filtering.

So...

Global Filter Mode = Norton Safe
Client List has 3 entries for desktop, laptop and phone = No Filtering

Yes, that's it :cool:
 
