RT-N66U filtering

[tigreseis]

Okay, am I right in assuming that you can not run Parental Controls and Network Services Filter at the same time?

That being the case, is there no way to block DNS circumvention through Parental Controls?

I know I can do it through NSF, but I have individual controls set for my kids (at different ages) through PC.

I am using stock firmware. If there is no way, would Tomato allow me to do what I want?

 

[ColinTaylor]

Merlin's firmware (and John's fork of Merlin) both have DNS Filtering that can be used together with NSF and/or parental control.

 

[tigreseis]

Yea, got that, but it is not DNS filtering that I am trying to do. I use OpenDNS and am trying to prevent clients from being able to change the DNS they use locally. I can use NSF to redirect port 53, but NSF doesn't work if Parental Controls is active.

Parental Controls is easy to setup and limit access by the hour. It is much more involved through NSF, but using NSF seems to be the only way to prevent DNS circumvention.

I can't block Youtube through the RT-N66U because it uses HTTPS. So, OpenDNS is the best way to block Youtube access. However, if a local client can change their DNS then it gets around the block.

 

[KevTech]

Perhaps Tomato would do what you are trying to do.

This emulator is older and may not show all options available in Tomato now but perhaps it will show what you are looking for.

http://victek.is-a-geek.com/virtual/tomatok26/status-index.html

 

[ColinTaylor]

Yea, got that, but it is not DNS filtering that I am trying to do. I use OpenDNS and am trying to prevent clients from being able to change the DNS they use locally.

That's exactly what the DNS Filter is designed to do.

I can use NSF to redirect port 53, but NSF doesn't work if Parental Controls is active.

There was a bug in previous releases which meant that NSF and Partental Controls didn't work at the same time. John has fixed this in 374.43_2-19E1j9527. I don't know whether Merlin fixed it in his firmware.

 

[tigreseis]

The DNS filter is designed to filter sites, not prevent someone from circumventing the router defined DNS by changing the DNS on a client device (i.e My router specifies 208.67.222.222 which is OpenDNS. But, I can change the DNS entry on my Macbook Pro to 8.8.8.8 and completely bypass OpenDNS)

I actually found the answer in another post. Parental Controls and NSF will work together, but if Parental Controls are enabled, the NSF entries only work for those devices specified under Parental Controls. So, I can prevent all devices under Parental Controls from circumventing the router specified DNS, but any device not listed there can still circumvent locally.

 

[ColinTaylor]

The DNS filter is designed to filter sites, not prevent someone from circumventing the router defined DNS by changing the DNS on a client device (i.e My router specifies 208.67.222.222 which is OpenDNS. But, I can change the DNS entry on my Macbook Pro to 8.8.8.8 and completely bypass OpenDNS)

You are mistaken, you might be confusing it with the Firewall/URL Filter.

https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Filter

Under Parental Control (or AiProtection on newer router models) there is a section called DNSFilter. On this page you can force the use of a specific nameserver (DNS) that provides security/parental filtering. This can be done globally, or on a per device basis. Each of them can have a nameserver enforced. For example, you can have your LAN use OpenDNS's server to provide basic filtering, but force your children's devices to use Yandex's family DNS server that filters out malicious and adult content.

 

[tigreseis]

There's the rub, and although I thank you for your suggestions, we are coming at it from 2 different directions. You are speaking from a Merlin perspective, but I said in my initial post that I am using stock firmware. Stock does not have that option.

I have used Merlin's in the past, but found it slower than stock for some reason and I seemed to drop connection every day between 3pm and 5. I never could find a reason. Switching back to stock(3.0.0.4.380_3831), I don't seem to have that problem.