Follow: Firewall rule to block a site
If a server runs at a single IP or uses only a small set of IPs, blocking these IPs in fw3 is a very efficient way to block the site. It is the quickest and most efficient way of blocking websites and is well supported even in the web interface. Assuming OpenWrt operates with a LAN and WAN zone, a filter in the FORWARDING chain that rejects the packets is enough. ASN lists can be used to block large numbers of IPs belonging to certain companies: a script fetches all IPs currently assigned to a company and this information is used to update the firewall accordingly.
This method intercepts DNS lookups so that, for example, www.youtube.com does not resolve to the desired IP address.
Adblock can be used to blacklist certain domain names and prevent the DNS server from handing out the right IP.
Alternatively dnsmasq can be configured to return an NXDOMAIN answer when a blacklisted domain name is queried.
Another option is to run Pi-hole in the LAN and divert DNS requests to it.
Follow: DNS-based firewall with IP sets
Since OpenWrt in a typical setup with a LAN and WAN zone does the name resolution and the firewall at the same time, all the information needed is there: domain names, their current IPs as they are handed out to the LAN hosts, and a firewall that can act on them. This is essential if a single domain resolves to several IPs. For instance, websites that operate behind a CDN can be blocked by their name instead of finding out each and every IP the CDN might be using.
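As an added example (not from the wiki page), the configuration that implements this on fw3, assuming a set named `blocked`, the placeholder domain example.com, the `dnsmasq-full` package (the default dnsmasq build lacks ipset support) and an OpenWrt release that still ships fw3 (before 22.03, where nftables sets and the dnsmasq `nftset` option replace ipsets):

```uci
# /etc/config/dhcp (added example, assumed names): add the list entry to the
# EXISTING "config dnsmasq" section. dnsmasq then puts every address it
# answers for example.com and its subdomains into the ipset "blocked".
config dnsmasq
	list ipset '/example.com/blocked'

# /etc/config/firewall: fw3 creates the set at startup so dnsmasq can fill it.
# "match dest_ip" makes the rule below compare the packet's destination
# against the set, and "storage hash" gives a hash:ip set.
config ipset
	option name 'blocked'
	option family 'ipv4'
	option storage 'hash'
	option match 'dest_ip'

# Reject LAN -> WAN packets whose destination was resolved from example.com.
config rule
	option name 'Block sites resolved into blocked'
	option src 'lan'
	option dest 'wan'
	option ipset 'blocked'
	option target 'REJECT'
```

After `/etc/init.d/firewall restart` and `/etc/init.d/dnsmasq restart`, `ipset list blocked` shows the addresses once a LAN client has looked the name up. The set holds only IPv4 addresses, so a dual-stack LAN needs a matching `family 'ipv6'` set as well, otherwise AAAA answers bypass the rule.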
Follow: Proxy Server Overview
A proxy server like Squid can be used to block access to websites. It can inspect HTTP(S)-specific details. The huge benefit of this option is that it offers the finest level of control: it can even distinguish between a blacklisted and a whitelisted domain that are served by a single server on a single IP.
Example: Block internet access for a certain MAC address / IP address on weekdays during 21:30-07:00.
Once the stop time is reached, the default rule order does not close already established connections. Reorder the rules to resolve the issue.
First, make sure that your router has the right time and the right timezone.
More detailed explanations in French: step-by-step explanations with screenshots
NB: If your focus is on authorised timeslots, you can create a rule that always rejects, and add a few rules that accept for the authorised timeslots. Order the rules so as to bring Accept rules before the Reject rule.
NB: The stop time will stop kids from creating a new connection e.g. to browse one more page on Wikipedia. It will not kick out your kids if they have an existing connection e.g. in an Android game app. To enforce the stop time, you need something extra. Consider the script below, starting with cat.
NB: If you have e.g. a Guest network, this rule won't restrict your kid if/when they connect to the Guest network.
Add a new firewall rule. Edit the following example code block to suit your needs and then copy-paste it into the terminal. Check the service restart output for errors!
uci add firewall rule
uci set firewall.@rule[-1].name="Kids weekdays"
uci set firewall.@rule[-1].src="lan"
uci set firewall.@rule[-1].src_mac="00:11:22:33:44:55"
uci set firewall.@rule[-1].dest="wan"
uci set firewall.@rule[-1].start_time="21:30:00"
uci set firewall.@rule[-1].stop_time="07:00:00"
uci set firewall.@rule[-1].weekdays="Mon Tue Wed Thu Fri"
uci set firewall.@rule[-1].target="REJECT"
uci commit firewall
/etc/init.d/firewall restart
This section describes how to restrict access to your WLAN by MAC address.
The primary motivation for this capability: a family member gives out the SSID and passphrase to a friend while in your home, and later you no longer want to allow that person to use your WLAN.
There are several solutions to this problem with decreasing labor and effectiveness.
This section will focus on option 4, using the wireless interface mac-filter property to deny access for a list of MACs. This is a simple solution that can be invalidated by a smart hacker changing the MAC address of their device.
# Use deny-type filter
uci set wireless.@wifi-iface.macfilter="deny"
# Append the MAC address to the list
uci add_list wireless.@wifi-iface.maclist="00:11:22:33:44:55"
# Check settings
uci show wireless.@wifi-iface
# Save and apply
uci commit wireless
wifi reload
You need to do this for all wireless interfaces accessible by the user, such as typically: