How to dynamically block/unblock access to a set of hosts?


LMeek

New Around Here
Hello all,

I am looking to be able to do the following: At the touch of a button I would like to block clients on my LAN from accessing a set of external hosts and just as easily reverse this when needed. The use case is a teenaged son who is spending time on Snapchat and Instagram rather than doing homework. Ideally the solution would affect only his devices but this is not completely necessary as he is the only one in the house who uses the services to be blocked anyway.

I have an idea of how to do it but would like to hear from others if there may be an easier/better way, or even just a better way to implement my idea.

BTW sorry in advance for the length of this post - I hope some of you stay to the end! :)

Just to get it out of the way: My router (ASUS RT-AC5300 running Asuswrt-Merlin 384.12) offers AiProtection parental controls, but they are too coarse-grained for my needs. It isn't clear what "instant messaging" this tool blocks and I don't want to block all such services since he does occasionally need to use un-hip ones like WhatsApp for getting homework details. So I really just want to block the worst offending ones I mentioned above.

Anyway, a sketch of my idea is as follows:
  1. Create two dnsmasq conf files, one containing my usual conf and a second containing my usual conf plus lines mapping all Instagram and Snapchat hostnames to 0.0.0.0 (say dnsmasq.conf.reg & dnsmasq.conf.noinstagram)
  2. Create a symbolic link /jffs/configs/dnsmasq.conf.add pointing by default to dnsmasq.conf.reg
  3. Implement a little REST API on a Raspberry Pi with one command to block the offending hosts and another to restore them. Under the hood the API will just send ssh commands to the router to switch the symbolic link and restart dnsmasq.
  4. On my Android phone I can use Macrodroid to build a simple "app" with two buttons that trigger the two API calls.
I believe this should do the job. It might sound overly complex but I've done all these steps before in some form or other and could have this up and running in no time. The reason for the REST API is that I want to be able to do it when not at home but don't want to open up ssh or anything on the router to WAN, so I have HTTP port forwarding to the Pi on a nonstandard port to be able to indirectly trigger the ssh commands from inside the LAN. I am not worried about security too much and will implement some minimum protection on the API (e.g. password & API key requirements, maybe even HTTPS with a LetsEncrypt certificate).

My biggest concern is that I want to avoid too many frequent writes to jffs to maximise the lifetime of the flash memory but am not sure how much of a hit switching the symbolic link will be. Is this something I should be concerned about or is this question not worth my time? Is there any filesystem trickery available that I could use to avoid any flash memory writes whatsoever?

Besides the question about flash memory, can anyone spot any other ways this idea could be improved or if there is simply an easier way that I don't know about? I am new to Asuswrt-Merlin (I've only had the router a few days and only flashed Asuswrt-Merlin yesterday) so I think it is entirely possible that there is a better way that I just don't know about.

Thanks in advance and thanks for anyone who read to the end!

LMeek

P.S. You may think the easiest solution is just to take my son's devices away, but 99% of homework kids are given these days is computer-based, so unfortunately he needs his devices and the Internet to do the homework. My goal is to temporarily remove other temptations available to him on the device when he doesn't have the willpower to do it himself :).
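The symlink-switching part of the sketch above (steps 1 to 3), written out as an added example; this is not code from the thread. It assumes the two conf files live under /jffs/configs with the names given in the post, and that dnsmasq is restarted with Asuswrt-Merlin's `service restart_dnsmasq`; the restart is skipped when the script runs somewhere without a /jffs partition.

```shell
#!/bin/sh
# Constructed example: toggle dnsmasq.conf.add between a "regular" and a
# "blocking" config on Asuswrt-Merlin, then restart dnsmasq.
# Assumed paths (override CONF_DIR to test outside the router).
CONF_DIR="${CONF_DIR:-/jffs/configs}"
REG="$CONF_DIR/dnsmasq.conf.reg"
BLOCK="$CONF_DIR/dnsmasq.conf.noinstagram"
LINK="$CONF_DIR/dnsmasq.conf.add"

# Emit dnsmasq "address=" lines that answer 0.0.0.0 for each domain and
# every subdomain under it, e.g.: block_lines instagram.com snapchat.com
block_lines() {
    for d in "$@"; do
        printf 'address=/%s/0.0.0.0\n' "$d"
    done
}

# Report which config the symlink points at: "reg", "block" or "none".
current_mode() {
    case "$(readlink "$LINK" 2>/dev/null)" in
        "$REG")   echo reg ;;
        "$BLOCK") echo block ;;
        *)        echo none ;;
    esac
}

# Point the symlink at the requested config. Replacing a symlink is one
# small metadata write; the conf files themselves are written only once.
set_mode() {
    case "$1" in
        reg)   target="$REG" ;;
        block) target="$BLOCK" ;;
        *) echo "usage: set_mode reg|block" >&2; return 1 ;;
    esac
    ln -sfn "$target" "$LINK" || return 1
    # Only restart dnsmasq on the router itself (it has a /jffs partition).
    [ -d /jffs ] && service restart_dnsmasq >/dev/null 2>&1
    return 0
}
```

A REST endpoint on the Pi only needs to run `set_mode block` or `set_mode reg` over ssh; `current_mode` lets the app show which state is active.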
 
Yes, overly complex and the concerns about the flash are misplaced too. There should not be any issues from writes on a modern router for the life of it. :)

There are easier solutions (with a little more hands on for you to turn it on or off), I'm sure.

I don't know how much help it is to have the willpower for him, in the long run. :)
 
I would do this using the Diversion script with minimal blocking by default, and use a fast switch alternate list with Snapchat blocked. There’s even an IOS shortcut you can switch quickly and easily.
 
How does the Fast switch operation function? I have been trying to figure this out for the longest time. @dave14305
Better to ask the experts in the Diversion thread. I’ve never used it in practice. But it lets you have 2 different block lists to switch between on demand. The idea being a regular one and a smaller less restrictive list when needed.
 
Better to ask the experts in the Diversion thread. I’ve never used it in practice. But it lets you have 2 different block lists to switch between on demand. The idea being a regular one and a smaller less restrictive list when needed.
Does it auto-switch, or do you manually trigger it?
 
That’s slightly different where 2 different lists can be active simultaneously with 2 dnsmasq instances. It leverages the fs list, but the fs list is independent of the alternative blocking file.
So I just set this up @dave14305 using the alternate blocking as well, this is awesome.

My next concern is if I use a client I have set up to use an alternate blocking list: if I connect to the router over VPN server with that same device, does the DNS filter know to send that alternate blocking list to the device, or would I be forced to use FS?
 
Yes, overly complex and the concerns about the flash are misplaced too. There should not be any issues from writes on a modern router for the life of it. :)

There are easier solutions (with a little more hands on for you to turn it on or off), I'm sure.

I don't know how much help it is to have the willpower for him, in the long run. :)

Thanks for the reply. Good to know I shouldn't worry too much about flash memory life with something like this; that was my biggest concern after reading some of the JFFS wiki.

Although it is complex (well, mostly complex to describe actually; it's pretty straightforward when it comes to doing it) I'll use it as my starting point until better solutions come along.

I agree there are definitely easier hands-on solutions, but as-hands-off-as-possible was a key goal since it will need to be used by other people with no technical ability. Besides, there is something satisfying about changing my router in this way at the touch of a button. :)

Anyway, I've got it prototyped and it works perfectly well though it may take a while to learn all the domain name variants I need to block.

Thanks again for taking the time to read my original (long) post and to reply!

Best Regards,
LMeek
 
I would do this using the Diversion script with minimal blocking by default, and use a fast switch alternate list with Snapchat blocked. There’s even an IOS shortcut you can switch quickly and easily.

Hey thanks for the suggestion! I'll start reading up on Diversion and see what it can do for me. It definitely sounds promising.

Thanks again,
LMeek
 
I'm not sure what it can offer, but the Asus router app may be of help too, somehow? (I'm thinking of blocking the phone but letting the laptop connect to the internet)?
 