
How to dynamically block/unblock access to a set of hosts?

Discussion in 'Asuswrt-Merlin' started by LMeek, Jun 24, 2019.

  1. LMeek

    LMeek New Around Here

    Joined:
    Jun 24, 2019
    Messages:
    3
    Hello all,

    I am looking to be able to do the following: At the touch of a button I would like to block clients on my LAN from accessing a set of external hosts and just as easily reverse this when needed. The use case is a teenaged son who is spending time on Snapchat and Instagram rather than doing homework. Ideally the solution would affect only his devices but this is not completely necessary as he is the only one in the house who uses the services to be blocked anyway.

    I have an idea of how to do it but would like to hear from others if there may be an easier/better way, or even just a better way to implement my idea.

    BTW sorry in advance for the length of this post - I hope some of you stay to the end! :)

    Just to get it out of the way: My router (ASUS RT-AC5300 running Asuswrt-Merlin 384.12) offers AiProtection parental controls, but they are too coarse grained for my needs. It isn't clear what "instant messaging" this tool blocks and I don't want to block all such services since he does occasionally need to use un-hip ones like WhatsApp for getting homework details. So I really just want to block the worst offending ones I mentioned above.

    Anyway, a sketch of my idea is as follows:
    1. Create two dnsmasq conf files, one containing my usual conf and a second containing my usual conf plus lines mapping all Instagram and Snapchat hostnames to 0.0.0.0 (say dnsmasq.conf.reg & dnsmasq.conf.noinstagram)
    2. Create a symbolic link /jffs/configs/dnsmasq.conf.add pointing by default to dnsmasq.conf.reg
    3. Implement a little REST API on a Raspberry Pi with one command to block the offending hosts and another to restore them. Under the hood the API will just send ssh commands to the router to switch the symbolic link and restart dnsmasq.
    4. On my Android phone I can use Macrodroid to build a simple "app" with two buttons that trigger the two API calls.
    I believe this should do the job. It might sound overly complex but I've done all these steps before in some form or other and could have this up and running in no time. The reason for the REST API is that I want to be able to do it when not at home but don't want to open up ssh or anything on the router to WAN, so I have HTTP port forwarding to the Pi on a nonstandard port to be able to indirectly trigger the ssh commands from inside the LAN. I am not worried about security too much and will implement some minimum protection on the API (e.g. password & API key requirements, maybe even HTTPS with a LetsEncrypt certificate).

    My biggest concern is that I want to avoid too many frequent writes to jffs to maximise the lifetime of the flash memory but am not sure how much of a hit switching the symbolic link will be. Is this something I should be concerned about or is this question not worth my time? Is there any filesystem trickery available that I could use to avoid any flash memory writes whatsoever?

    Besides the question about flash memory, can anyone spot any other ways this idea could be improved or if there is simply an easier way that I don't know about? I am new to Asuswrt-Merlin (I've only had the router a few days and only flashed Asuswrt-Merlin yesterday) so I think it is entirely possible that there is a better way that I just don't know about.

    Thanks in advance and thanks for anyone who read to the end!

    LMeek

    P.S. You may think the easiest solution is just to take my son's devices away, but 99% of homework kids are given these days is computer-based, so unfortunately he needs his devices and the Internet to do the homework. My goal is to temporarily remove other temptations available to him on the device when he doesn't have the willpower to do it himself :).
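    The symlink-switching part of the sketch above (steps 1 and 2) as a small router-side script; this is an added example, not code from the original post. It assumes the file names from the post and Asuswrt-Merlin's `service restart_dnsmasq` wrapper; the directory is overridable so it can be tried outside /jffs first.

```sh
#!/bin/sh
# Added example: toggle which dnsmasq fragment /jffs/configs/dnsmasq.conf.add
# points at, then restart dnsmasq. File names follow the post's sketch.
CONF_DIR="${CONF_DIR:-/jffs/configs}"
LINK="$CONF_DIR/dnsmasq.conf.add"
REG="$CONF_DIR/dnsmasq.conf.reg"
BLOCK="$CONF_DIR/dnsmasq.conf.noinstagram"

# Build the blocking fragment: the regular fragment plus one dnsmasq
# address= line per domain, which resolves the domain and all its
# subdomains to 0.0.0.0. Domains are passed as arguments.
make_block_conf() {
  cp "$REG" "$BLOCK"
  for d in "$@"; do
    printf 'address=/%s/0.0.0.0\n' "$d" >> "$BLOCK"
  done
}

# Repoint the symlink at $1 atomically: create a temporary link and rename
# it over the live one, so dnsmasq.conf.add never briefly goes missing.
set_link() {
  ln -sfn "$1" "$LINK.tmp" && mv -f "$LINK.tmp" "$LINK"
}

# Report which fragment is currently live: block, allow or unknown.
current_mode() {
  case "$(readlink "$LINK")" in
    "$BLOCK") echo block ;;
    "$REG")   echo allow ;;
    *)        echo unknown ;;
  esac
}

# Asuswrt-Merlin's service wrapper; only attempted when /jffs exists.
restart_dns() {
  [ -d /jffs ] && command -v service >/dev/null 2>&1 && service restart_dnsmasq
}

case "${1:-}" in
  block)  set_link "$BLOCK" && restart_dns ;;
  allow)  set_link "$REG" && restart_dns ;;
  status) current_mode ;;
esac
```

Run `block.sh block`, `block.sh allow` or `block.sh status` on the router; the REST API from step 3 only needs to invoke the first two over ssh.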
     
  2. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,592
    Yes, overly complex and the concerns about the flash are misplaced too. There should not be any issues from writes on a modern router for the life of it. :)

    There are easier solutions (with a little more hands on for you to turn it on or off), I'm sure.

    I don't know how much help it is to have the willpower for him, in the long run. :)
     
  3. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    872
    I would do this using the Diversion script with minimal blocking by default, and use a fast switch alternate list with Snapchat blocked. There’s even an IOS shortcut you can switch quickly and easily.
     
  4. SomeWhereOverTheRainBow

    SomeWhereOverTheRainBow Regular Contributor

    Joined:
    Jun 4, 2019
    Messages:
    107
    How does the Fast switch operation function? I have been trying to figure this out for the longest time? @dave14305
     
  5. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    872
    Better to ask the experts in the Diversion thread. I’ve never used it in practice. But it lets you have 2 different block lists to switch between on demand. The idea being a regular one and a smaller less restrictive list when needed.
     
  6. SomeWhereOverTheRainBow

    SomeWhereOverTheRainBow Regular Contributor

    Joined:
    Jun 4, 2019
    Messages:
    107
    Does it auto switch, or do you manually trigger it?
     
  7. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    872
    Manual with the fs menu in Diversion. Or via the iOS shortcut.
     
  8. SomeWhereOverTheRainBow

    SomeWhereOverTheRainBow Regular Contributor

    Joined:
    Jun 4, 2019
    Messages:
    107
  9. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    872
    That’s slightly different where 2 different lists can be active simultaneously with 2 dnsmasq instances. It leverages the fs list, but the fs list is independent of the alternative blocking file.
     
  10. SomeWhereOverTheRainBow

    SomeWhereOverTheRainBow Regular Contributor

    Joined:
    Jun 4, 2019
    Messages:
    107
    So I just set this up @dave14305 using the alternate blocking as well, this is awesome.

    My next concern is: if I use a client I have set up to use an alternate blocking list, and I connect to the router over the VPN server with that same device, does the DNS filter know to send that alternate blocking list to the device, or would I be forced to use FS?
     
  11. LMeek

    LMeek New Around Here

    Joined:
    Jun 24, 2019
    Messages:
    3
    Thanks for the reply. Good to know I shouldn't worry too much about flash memory life with something like this; that was my biggest concern after reading some of the JFFS wiki.

    Although it is complex (well, mostly complex to describe actually; it's pretty straightforward when it comes to doing it) I'll use it as my starting point until better solutions come along.

    I agree there are definitely easier hands-on solutions, but as-hands-off-as-possible was a key goal since it will need to be used by other people with no technical ability. Besides, there is something satisfying about changing my router in this way at the touch of a button. :)

    Anyway, I've got it prototyped and it works perfectly well though it may take a while to learn all the domain name variants I need to block.

    Thanks again for taking the time to read my original (long) post and to reply!

    Best Regards,
    LMeek
     
    L&LD likes this.
  12. LMeek

    LMeek New Around Here

    Joined:
    Jun 24, 2019
    Messages:
    3
    Hey thanks for the suggestion! I'll start reading up on Diversion and see what it can do for me. It definitely sounds promising.

    Thanks again,
    LMeek
     
    L&LD likes this.
  13. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,592
    I'm not sure what it can offer, but the Asus router app may be of help too, somehow? (I'm thinking of blocking the phone but letting the laptop connect to the internet.)