banIP to block youtube.com domain on ipv4 and ipv6 for certain client

Well, a set that gets dynamically updated rather than a set-and-forget set. Basically the issue with trying to map a domain name to a static set is that DNS is a moving target, especially DNS for large-scale internet services such as YouTube.


dhcp

config ipset
        list name 'youtube'
        list domain 'youtube.com'

firewall

config ipset
        option name 'youtube'
        option family 'ipv4'
        list match 'dest_ip'

Done. Not sure that requires a whole lot of learning on the UCI side of things...
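As an added example (my own, not code from the thread or from OpenWrt), the two snippets above turned into a small shell function that prints the uci commands for the whole setup: the dnsmasq-fed set for one domain, the fw4 ipsets for IPv4 and IPv6, and one REJECT rule per family for a single client identified by MAC. Assumptions: the set names follow the thread's own youtube / youtube6 convention, where the IPv6 set is the IPv4 set name with a trailing 6 (my reading of how the OpenWrt 23.05 dnsmasq init script picks the IPv6 family; treat that as an assumption), the client sits in the lan zone, and the printed commands are run on the router over ssh. The MAC address in the demo call is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread and not OpenWrt code: print the uci
# commands that create a domain-based block for one LAN client.
#
# Assumption: the IPv6 set is named SETNAME followed by "6" (youtube6), as in
# the thread; that trailing 6 is what I believe the dnsmasq init script uses
# to pick the IPv6 family for the nftset option.
#
# Usage: uci_domain_block_cmds SETNAME DOMAIN CLIENT_MAC
#   on the router:   uci_domain_block_cmds youtube youtube.com AA:BB:CC:DD:EE:FF | sh
uci_domain_block_cmds() {
    name="$1" domain="$2" mac="$3"
    cat <<EOF
uci add dhcp ipset
uci add_list dhcp.@ipset[-1].name='$name'
uci add_list dhcp.@ipset[-1].name='${name}6'
uci add_list dhcp.@ipset[-1].domain='$domain'
uci set dhcp.@ipset[-1].table_family='inet'
uci add firewall ipset
uci set firewall.@ipset[-1].name='$name'
uci set firewall.@ipset[-1].family='ipv4'
uci add_list firewall.@ipset[-1].match='dest_ip'
uci add firewall ipset
uci set firewall.@ipset[-1].name='${name}6'
uci set firewall.@ipset[-1].family='ipv6'
uci add_list firewall.@ipset[-1].match='dest_ip'
uci add firewall rule
uci set firewall.@rule[-1].name='Block $domain for $mac (IPv4)'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].family='ipv4'
uci add_list firewall.@rule[-1].src_mac='$mac'
uci set firewall.@rule[-1].ipset='$name'
uci set firewall.@rule[-1].target='REJECT'
uci add firewall rule
uci set firewall.@rule[-1].name='Block $domain for $mac (IPv6)'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].family='ipv6'
uci add_list firewall.@rule[-1].src_mac='$mac'
uci set firewall.@rule[-1].ipset='${name}6'
uci set firewall.@rule[-1].target='REJECT'
uci commit dhcp
uci commit firewall
/etc/init.d/dnsmasq restart
/etc/init.d/firewall restart
EOF
}

# Demo run with a constructed placeholder MAC; prints the commands only.
uci_domain_block_cmds youtube youtube.com 'AA:BB:CC:DD:EE:FF'
```

After running the printed commands on the router, check `nft list ruleset` and confirm the rendered rules read `ip daddr @youtube` and `ip6 daddr @youtube6`, with `ether saddr` set to the client's MAC. Two caveats worth knowing before relying on this: the sets only fill with addresses that the router's dnsmasq has answered for, so a client that uses its own DNS-over-HTTPS or a hard-coded resolver never populates them, and entries added by dnsmasq are lost when the firewall is restarted until the client resolves the name again.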


I'm far from an expert on UCI capabilities. Let's see if this works for the OP.

Which is fine, but let's not start telling other users that the functionality doesn't exist. Alongside the two uci snippets I posted above I created a rule to block traffic using that ipset, which worked as expected. I suspect if the OP is having problems then either they need to ensure they're on the latest version of OpenWrt or their rules are wrong.


You are right, I had incorrect assumptions.

Is this applicable to IPv6 too?

BTW, these are my latest settings:


root@OpenWrt:~# nft list ruleset
table inet fw4 {
        set youtube {
                type ipv4_addr
                flags interval
                auto-merge
                elements = { 172.217.25.206 }
        }

        set youtube6 {
                type ipv6_addr
                flags interval
                auto-merge
                elements = { 2404:6800:4001:80b::200e }
        }
chain forward_lan {
                iifname "br-lan" ether saddr 08:28:02:bf:6e:e4 counter packets 298 bytes 214646 jump reject_to_wan comment "!fw4: TV"
                meta l4proto tcp ether saddr 08:28:02:bf:6e:e4 ip saddr @youtube counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: Block Youtube For TV"
                meta l4proto udp ether saddr 08:28:02:bf:6e:e4 ip saddr @youtube counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: Block Youtube For TV"
                meta l4proto tcp ip6 saddr @youtube6 counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: Block Youtube For TV6"
                meta l4proto udp ip6 saddr @youtube6 counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: Block Youtube For TV6"
                jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
                ct status dnat accept comment "!fw4: Accept port forwards"
                jump accept_to_lan
        }

Please don't post screenshots when trying to provide config details.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.134",
        "hostname": "OpenWrt",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link Archer C6 v2 (US) / A6 v2 (US/TW)",
        "board_name": "tplink,archer-c6-v2-us",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "ath79/generic",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd1:aa05:4357::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0.621'
        option proto 'pppoe'
        option username 'hidden@public.maxis.com.my'
        option password 'hidden'
        option ipv6 'auto'
        option peerdns '0'
        list dns '45.90.28.149'
        list dns '45.90.30.149'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2 3 4 5'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 1t'
        option vid '621'
        option description 'Maxis Fibre PPPoE'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth0.2'
        option reqaddress 'try'
        option reqprefix 'auto'
        option norelease '1'
        option peerdns '0'
        list dns '2a07:a8c0::31:e387'
        list dns '2a07:a8c1::31:e387'

root@OpenWrt:~#

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option country 'MY'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '9M2PJU'
        option encryption 'psk2'
        option key 'hidden'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option channel '13'
        option band '2g'
        option htmode 'HT40'
        option cell_density '0'
        option country 'MY'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'virus.exe'
        option encryption 'psk2'
        option key 'hidden'

root@OpenWrt:~#

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option sequential_ip '1'
        option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ra 'hybrid'
        option dhcpv6 'hybrid'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option ra 'relay'
        option dhcpv6 'relay'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option ip '192.168.0.100'
        option leasetime '12h'
        option name 'raspi-100'
        list mac 'B8:27:EB:04:94:83'
        option duid '000100012d014e5ab827eb049483'

config host
        option ip '192.168.0.200'
        option leasetime '12h'
        option name 'raspi-200'
        list mac 'B8:27:EB:18:B0:9F'
        option duid '000100012d014e9cb827eb18b09f'

config host
        option name 'OutdoorCCTV'
        option ip '192.168.0.104'
        list mac '90:B5:7F:5B:84:52'
        option leasetime '12h'

config host
        option name 'IndoorCCTV'
        option ip '192.168.0.151'
        list mac 'E0:51:D8:3F:44:9C'
        option leasetime '12h'

config host
        option name 'Laptop-Hajar'
        option ip '192.168.0.175'
        option leasetime '12h'
        list mac '64:6C:80:0C:62:25'
        option duid '0001000128f35be0646c800c6225'

config host
        option ip '192.168.0.202'
        option name 'TV'
        list mac '08:28:02:BF:6E:E4'
        option leasetime '12h'

config host
        option name 'Mikrotik-hAP-mini'
        option ip '192.168.0.101'
        list mac 'B8:69:F4:92:9E:5B'
        option leasetime '12h'

config dhcp 'wan6'
        option interface 'wan6'

config host
        option name 'MacWin'
        option ip '192.168.0.213'
        list mac '88:00:A6:9C:22:23'

config ipset
        list name 'youtube'
        list domain 'youtube.com'
        option table_family 'inet'

root@OpenWrt:~#

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'packet-too-big'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'DX Spider'
        option src 'wan'
        option src_dport '7300'
        option dest_ip '192.168.0.100'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HTTP'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.0.100'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HTTPS'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.0.100'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Public SSH to 100'
        option src 'wan'
        option src_dport '4444'
        option dest_ip '192.168.0.100'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Wireguard'
        list proto 'udp'
        option src 'wan'
        option src_dport '8888'
        option dest_ip '10.0.0.1'
        option dest_port '8888'

config rule
        option name 'TV'
        option src 'lan'
        list src_mac '08:28:02:BF:6E:E4'
        option dest 'wan'
        option target 'REJECT'
        option direction 'in'
        option device 'br-lan'
        option enabled '0'
        list proto 'all'

config rule
        option name 'Laptop Hajar'
        list src_mac '64:6C:80:0C:62:25'
        option dest 'wan'
        option target 'REJECT'
        option src 'lan'
        option direction 'in'
        option device 'br-lan'
        option enabled '0'
        list proto 'all'

config ipset
        option name 'youtube'
        option family 'ipv4'
        list match 'dest_ip'

config ipset
        option name 'youtube6'
        option family 'ipv6'
        list match 'dest_ip'

config rule
        option name 'Block Youtube For TV'
        option src 'lan'
        option ipset 'youtube'
        option dest 'wan'
        option target 'REJECT'
        list src_mac '08:28:02:BF:6E:E4'

root@OpenWrt:~#

With the ipset setting on the LuCI firewall page, my router cannot connect to the ISP after reboot.

I just ran into this issue of blocking not working for a similar use case, though actually I'm attempting to block both directions to an ipset.

I created an ipset under Firewall in LuCI, created a Traffic Rule to use it (as @9M2PJU did) and then ran into problems.

Digging into the terminal, it seems LuCI is not doing things right. My initial problem was that it wasn't matching the rule, as it insisted on creating an nft rule that would only match saddr whereas the ipset is intended to be the daddr. No combination of options in LuCI would change this. Unfortunately, as I was trying those configuration changes... somehow things got out of whack in the background and the changes were transparently failing to apply, as I found out the firewall was refusing to restart...

Moral of the story is: LuCI is broken here. Skip it and use nft directly.
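The failure mode described in this post is visible in the ruleset the OP posted earlier in the thread: the youtube and youtube6 sets are declared with `list match 'dest_ip'`, yet the rendered rules read `ip saddr @youtube` and `ip6 saddr @youtube6`. A rule like that compares the client's own source address against YouTube's addresses and can never match, which is consistent with the zero packet counters shown. As an added example (my own, not from the thread or from OpenWrt), here is a small audit that runs over `nft list ruleset` output and flags any rule that references a set in a direction other than the one it was declared for. The sample ruleset embedded below is constructed from the lines posted in the thread, plus one corrected rule for contrast.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenWrt code): audit an
# `nft list ruleset` dump for rules that use a set in the wrong direction.
# The fw4 ipsets in this thread are declared with `list match 'dest_ip'`,
# so every rule referencing them should read `daddr @set`; a rule reading
# `saddr @set` checks the client's own address against the set and never
# matches LAN-to-YouTube traffic.

# Constructed sample: set and rule lines copied from the ruleset posted in
# the thread, plus one corrected (daddr) rule that should pass the audit.
SAMPLE_RULESET='table inet fw4 {
        set youtube {
                type ipv4_addr
                flags interval
                elements = { 172.217.25.206 }
        }
        set youtube6 {
                type ipv6_addr
                flags interval
                elements = { 2404:6800:4001:80b::200e }
        }
        chain forward_lan {
                meta l4proto tcp ether saddr 08:28:02:bf:6e:e4 ip saddr @youtube counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: Block Youtube For TV"
                meta l4proto tcp ip6 saddr @youtube6 counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: Block Youtube For TV6"
                meta l4proto tcp ether saddr 08:28:02:bf:6e:e4 ip daddr @youtube counter packets 12 bytes 720 jump reject_to_wan comment "!fw4: corrected"
        }
}'

# check_set_direction SETNAME saddr|daddr   (ruleset on stdin)
# Prints one MISMATCH line per rule that references @SETNAME with the other
# direction keyword. Exit status 1 if any mismatch was found, else 0.
check_set_direction() {
    awk -v sname="$1" -v want="$2" '
        index($0, "@" sname) {
            for (i = 1; i < NF; i++) {
                # a direction keyword immediately followed by the exact set reference
                if (($i == "saddr" || $i == "daddr") && $(i + 1) == ("@" sname) && $i != want) {
                    line = $0
                    sub(/^[ \t]+/, "", line)
                    print "MISMATCH: set " sname " matched as " $i " but declared for " want ": " line
                    found = 1
                }
            }
        }
        END { exit found ? 1 : 0 }
    '
}

# Stand-alone run against the constructed sample. On the router, replace the
# printf with:   nft list ruleset | check_set_direction youtube daddr
for s in youtube youtube6; do
    printf '%s\n' "$SAMPLE_RULESET" | check_set_direction "$s" daddr \
        || echo "set $s is used in the wrong direction in at least one rule"
done
```

Run it after every firewall reload that touches these rules; a clean run prints nothing and exits 0, so it drops easily into a post-deploy check. The exact-token comparison (`"@" sname`) matters because `@youtube` is a prefix of `@youtube6`, and a plain substring match would report the IPv6 rules against the IPv4 set.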

I'd be more willing to believe this if you'd posted details of what changes you actually made in LuCI, what you got in the config files, and what you expected to get. As it currently stands it's just as likely that the issues you saw were entirely down to user error.

And if you really want to ban IPs, there's the banip package.

Thanks, can you guide me step by step on the commands?

Actually I want to block the youtube.com domain for a selected client.