Block certain sites in wifi zone using IPSET

Hi everybody,
I am trying to get ipset running according to thencein's howto in Blocking websites on your router.
I replaced the dnsmasq package by dnsmasq-full and installed additional packages (ipset, ipset-dns, kmod-ipt-ipset, libipset13). The goal is to block a lot of websites on the wifi interface (in my configs it is called wlan, with the firewall zone wlan_fw_kn).
Unfortunately it is still possible to reach the below example websites like youtube.com from the wifi zone.

My /etc/config/firewall

config ipset
        option name 'IP-Bereiche'
        option match 'dest_ip'
        option family 'ipv4'
        option storage 'hash'
        option enabled '1'


config rule
        option target 'REJECT'
        list proto 'all'
        option src 'wlan_fw_kn'
        option name 'Sammelregel'
        option ipset 'IP-Bereiche'
        option dest 'wan'

My /etc/config/dnsmasq only contains

cache-size=10000
min-cache-ttl=3600
max-cache-ttl=7200

This is my /etc/config/dhcp

config dnsmasq
        option domainneeded     1
        option boguspriv        1
        option localise_queries 1
        option local            '/lan/'
        option domain           'lan'
        option expandhosts      1
        option authoritative    1
        option readethers       1
        option leasefile        '/tmp/dhcp.leases'
        option resolvfile       '/tmp/resolv.conf.auto'
        option localservice     1
        option rebind_protection 0
#newly added:
        list ipset '/youtube.com/IP-Bereiche'
        list ipset '/googlevideo.com/IP-Bereiche'
        list ipset '/ytimg.com/IP-Bereiche'

config dhcp lan
        option interface lan
        option start     100
        option limit     150
        option leasetime 12h
        option dhcpv6    server
        option ra        server
        option ra_management 1

config dhcp wan
        option interface wan
        option ignore    1

config odhcpd odhcpd
        option maindhcp     0
        option leasefile    /tmp/hosts/odhcpd
        option leasetrigger /usr/sbin/odhcpd-update
        option loglevel     4

config dhcp WLAN
        option leasetime 12h
        option limit     150
        option interface WLAN
        option start     10

config host
        option mac '00:68:EB:68:F4:CC'
        option ip '192.168.200.181'

config dhcp LAN
        option start 100
        option leasetime 12h
        option limit 150
        option interface LAN

config host
        option mac '00:90:4C:C5:12:38'
        option ip '192.168.150.131'

config host
        option mac '16:82:52:E5:2A:33'
        option ip '192.168.150.38'

ipset list IP-Bereiche
gives me no entries and no members (!?):

Name: IP-Bereiche
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 56
References: 1
Number of entries: 0
Members:

The strange thing is when I do iptables -nvL zone_wlan_fw_kn_forward
it gives me

Chain zone_wlan_fw_kn_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    9   476 forwarding_wlan_fw_kn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wlan_fw_kn forwarding rule chain */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set IP-Bereiche dst /* !fw3: Sammelregel */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4444 /* !fw3: KN_SSH_lan2wlan */
    9   476 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone wlan_fw_kn to wan forwarding policy */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wlan_fw_kn_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Isn't it strange to have the negation !fw3: Sammelregel in line 2?

Another thing related to this is that in LuCI there is no option to edit the ipsets as described in https://openwrt.org/docs/guide-user/firewall/fw3_configurations/dns_ipset

Navigate to LuCI → Network → Firewall → Traffic Rules → Filter-IPset-DNS-Forward to manage firewall rules.
Navigate to LuCI → Network → DHCP and DNS → General Settings → DNS forwardings to manage domains.

Anyhow, does any of you have an idea where the problem is or how I can investigate further?
THX a lot!


The how-to on the wiki describes a few more steps:

  • Filter both IPv4 and IPv6
  • Preresolve domains
  • Utilize ipset-dns

Those are missing in your case.


That was a good point, vgaetera!

  • ipv6 is not configured in my network, therefore I didn't configure it here either
  • pre-resolve I didn't configure due to lack of understanding...
  • Regarding ipset-dns I added in my /etc/config/ipset-dns the following:
    option ipset 'IP-Bereiche'
    Then I reduced the number of blocked domains in /etc/config/dhcp to
    list ipset '/youtube.com/IP-Bereiche'

But ipset list gives me

Name: IP-Bereiche
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 216
References: 1
Number of entries: 4
Members:
172.217.16.78
216.58.213.238
216.58.213.246
172.217.19.78

Those IPs are actually not pingable from within the wifi zone.

So I ask myself how OpenWRT is translating youtube.com (mentioned in my dhcp config) into all these IPs ?

When I do nslookup from within the wifi zone I get the following:

Nslookup youtube.com -> 172.217.16.78
Nslookup 172.217.16.78 -> ham11s01-in-f14.1e100.net

nslookup play.google.com -> 216.58.213.238
nslookup 216.58.213.238 -> ham04s01-in-f238.1e100.net

Both IPs are in the above listed members of my ipset....

However, both youtube.com and play.google.com are pingable from the OpenWRT device.
Any idea?

Does the youtube website load in your browser when connecting from a wifi device? I've never really paid attention to whether pings are successful or not as I was satisfied enough simply knowing the website and app were virtually broken/unusable thanks to the ipset firewall rules.

No, both youtube and play.google don't load in the browser from within the wifi zone.
All IPs from ipset list are not pingable from within the wifi zone.

Another observation:
after doing

/etc/init.d/firewall restart
/etc/init.d/ipset-dns restart
/etc/init.d/dnsmasq restart

due to a minimal change in the configs I get more members in my ipset

~# ipset list
Name: IP-Bereiche
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 256
References: 1
Number of entries: 5
Members:
172.217.16.78
216.58.213.238
216.58.213.246
172.217.19.78
216.58.213.206   <---this one is new

This is strange because I still have one single line in my /etc/config/dhcp:
list ipset '/youtube.com/IP-Bereiche'

The configured filtering rule only applies to transit traffic.

This also includes all subdomains resolved with dnsmasq.

Make sure to disable DoH in the client browser.

Yes, DoH is disabled in the client browser.

So blocking of domains is working, but I have to live with the mechanism of dnsmasq which resolves these domains into IPs - maybe it is not dnsmasq's "fault" that youtube.com includes the IP of play.google.com (which I didn't want to block).

Another related question: if I introduce

        option iprange '31.13.64.0/24'
        option iprange '31.13.64.0-31.13.127.255'

in my firewall config I get

~# /etc/init.d/firewall reload
Warning: Section @ipset[0] (IP-Bereiche) iprange ignored

Maybe the notation in the second line is not correct but the same warning comes with only the first option iprange, too.
Unfortunately I didn't find out how to get iprange running.

Correct. This is the possible, negative side effect of blocking IPs. In case of google, there might even be other services concerned.

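To make the side effect concrete, here is an added Python example (not code from the thread, dnsmasq, fw3 or OpenWrt). It mimics what the dnsmasq line `list ipset '/youtube.com/IP-Bereiche'` does: every A record returned for youtube.com or any of its subdomains is dropped into the set, and the `match-set IP-Bereiche dst` REJECT rule then stops any name that happens to resolve to one of those addresses, whether it was listed or not. The DNS answers are constructed sample data (the addresses are copied from the nslookup and `ipset list` output pasted above, not live lookups), and the parser for `ipset list` output is included so the same check can be run against a real set dump.

```python
"""Mimic what dnsmasq does with ipset=/youtube.com/IP-Bereiche and what the
'match-set IP-Bereiche dst' REJECT rule then catches.

Added example for this thread; not code from dnsmasq, fw3 or OpenWrt.
The DNS answers are constructed sample data (addresses copied from the
nslookup and ipset output posted above, not live lookups)."""

import ipaddress

# The single dnsmasq line left in /etc/config/dhcp in the thread.
DNSMASQ_IPSET_OPTIONS = ["/youtube.com/IP-Bereiche"]

# Constructed: what the clients' resolver would hand back.  Google front-ends
# share addresses across services, which is the effect the thread runs into.
SAMPLE_ANSWERS = {
    "youtube.com": ["172.217.16.78"],
    "www.youtube.com": ["216.58.213.238"],
    "play.google.com": ["216.58.213.238"],
    "example.org": ["93.184.216.34"],
}

# Constructed copy of the 'ipset list' output pasted above, for the parser.
IPSET_LIST_OUTPUT = """\
Name: IP-Bereiche
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 256
References: 1
Number of entries: 5
Members:
172.217.16.78
216.58.213.238
216.58.213.246
172.217.19.78
216.58.213.206
"""


def parse_dnsmasq_ipset(option):
    """'/dom1/dom2/set1,set2' -> (['dom1', 'dom2'], ['set1', 'set2'])."""
    parts = option.strip("/").split("/")
    if len(parts) < 2:
        raise ValueError(f"no domain or no set name in {option!r}")
    return parts[:-1], parts[-1].split(",")


def domain_matches(qname, pattern):
    """dnsmasq matches the listed domain itself and every subdomain of it."""
    q = qname.rstrip(".").lower()
    p = pattern.rstrip(".").lower()
    return q == p or q.endswith("." + p)


def populate(options, answers):
    """Feed the A records of every matching name into the named sets."""
    sets = {}
    rules = [parse_dnsmasq_ipset(o) for o in options]
    for qname, addrs in answers.items():
        for domains, setnames in rules:
            if any(domain_matches(qname, d) for d in domains):
                for name in setnames:
                    sets.setdefault(name, set()).update(
                        ipaddress.ip_network(a) for a in addrs)
    return sets


def parse_ipset_list(text):
    """Parse 'ipset list' output into {set name: {network, ...}}.

    Members are stored as networks so hash:ip entries (/32) and hash:net
    entries (prefixes) can be checked the same way."""
    sets, current, in_members = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            current = line.split(":", 1)[1].strip()
            sets[current] = set()
            in_members = False
        elif line == "Members:":
            in_members = True
        elif in_members and line and current is not None:
            # drop per-entry options such as 'timeout 60' or a comment
            sets[current].add(ipaddress.ip_network(line.split()[0], strict=False))
    return sets


def addr_in_set(addr, members):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in members)


def blocked_names(members, answers):
    """Names whose traffic the 'match-set ... dst' REJECT rule would stop."""
    return sorted(q for q, addrs in answers.items()
                  if any(addr_in_set(a, members) for a in addrs))


def collateral(members, answers, options):
    """Blocked names that match none of the configured domains."""
    patterns = [d for o in options for d in parse_dnsmasq_ipset(o)[0]]
    return [q for q in blocked_names(members, answers)
            if not any(domain_matches(q, p) for p in patterns)]


if __name__ == "__main__":
    sets = populate(DNSMASQ_IPSET_OPTIONS, SAMPLE_ANSWERS)
    members = sets["IP-Bereiche"]
    print("set members:", sorted(str(n.network_address) for n in members))
    print("blocked:", blocked_names(members, SAMPLE_ANSWERS))
    print("collateral:", collateral(members, SAMPLE_ANSWERS, DNSMASQ_IPSET_OPTIONS))
    live = parse_ipset_list(IPSET_LIST_OUTPUT)["IP-Bereiche"]
    print("216.58.213.206 in pasted set:", addr_in_set("216.58.213.206", live))
```

With the sample answers, play.google.com ends up in the blocked list although only youtube.com is configured, which is exactly what the nslookup results above show. Against a real router, replace `SAMPLE_ANSWERS` with the addresses the clients actually receive and feed the output of `ipset list IP-Bereiche` to `parse_ipset_list` to see which other names share those addresses.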

You can use CIDR notation.

It looks like the option iprange requires storage=hash:net.

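To show what the two iprange lines from the post above amount to in CIDR terms, here is an added Python example (not code from the thread, fw3 or ipset). It converts both notations, `a.b.c.d/len` and `a.b.c.d-e.f.g.h`, into CIDR blocks with the standard-library ipaddress module, merges overlapping blocks, counts how many individual hash:ip members the same coverage would need, and emits the equivalent ipset(8) commands for a hash:net set. The set name is the one from the thread; the fw3 option names are left alone because the example only deals with the ranges themselves.

```python
"""Turn the 'iprange' forms from the thread into CIDR members for a hash:net set.

Added example for this thread; not code from fw3, ipset or OpenWrt.  The set
name and ranges are the ones posted above; the generated command lines use the
standard ipset(8) syntax."""

import ipaddress


def range_to_cidrs(spec):
    """'a.b.c.d/len' or 'a.b.c.d-e.f.g.h' -> CIDR strings covering exactly that range.

    A range that is not aligned to a prefix boundary needs several blocks."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start after end: {spec!r}")
        return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]
    return [str(ipaddress.ip_network(spec.strip(), strict=False))]


def merge_cidrs(specs):
    """Collapse all ranges into the smallest list of non-overlapping prefixes.

    All specs must be the same address family; ipaddress raises otherwise."""
    nets = [ipaddress.ip_network(c) for s in specs for c in range_to_cidrs(s)]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def hash_ip_entries(specs):
    """Members a hash:ip set needs for the same coverage (one per address)."""
    return sum(ipaddress.ip_network(c).num_addresses for c in merge_cidrs(specs))


def ipset_commands(name, specs, family="inet"):
    """ipset(8) command lines that build a hash:net set holding the ranges."""
    cmds = [f"ipset create {name} hash:net family {family}"]
    cmds += [f"ipset add {name} {c}" for c in merge_cidrs(specs)]
    return cmds


def address_covered(addr, specs):
    """Would a packet to addr hit a 'match-set <name> dst' rule on this set?"""
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(c) for c in merge_cidrs(specs))


if __name__ == "__main__":
    # The two lines from the firewall config in the thread.
    ranges = ["31.13.64.0/24", "31.13.64.0-31.13.127.255"]
    for r in ranges:
        print(f"{r:28} -> {range_to_cidrs(r)}")
    print("merged:", merge_cidrs(ranges))
    print("hash:ip members needed:", hash_ip_entries(ranges))
    print("\n".join(ipset_commands("IP-Bereiche", ranges)))
    print("31.13.100.7 covered:", address_covered("31.13.100.7", ranges))
```

The second range collapses to a single prefix, 31.13.64.0/18, which already contains the /24 from the first line, so a hash:net set needs one member where a hash:ip set would need 16384. An unaligned range such as 10.0.0.1-10.0.0.6 splits into four prefixes; that is the case where the CIDR form is less convenient than the dash form, but it is still one `ipset add` per prefix rather than one per address.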

For reference/information, dnsmasq-full has, for some years now, had full ipset support built in, including the functionality of ipset-dns. (I think it was added around the time of Barrier Breaker .. not sure)

This means that installing ipset-dns is superfluous, i.e. it does nothing.
It should be deprecated as a package I think, and the various Wiki pages updated....

This should not exist and will not be used.
Perhaps you meant /etc/dnsmasq.conf. This is not used either.

The dnsmasq init.d script creates a dnsmasq.conf.cfgxxxxxx file in /tmp/etc/ at startup using the contents of /etc/config/dhcp

The ipset-dns package "provides" a web interface to manage IP set domains, and I believe this is important for many users.
I'm happy to update the docs when the ipset dnsmasq option has web interface support.

Interesting. Do you have any details? Does it use uhttpd or something like libmicrohttpd?

This is not correct. It is used, but usually contains no special options. Unless you modify it.

I got myself a coffee and looked it up :wink:

ipset-dns code was merged into dnsmasq in 2013
see:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=13d86c7372e01392d1e3af7c90312b49e2a5c15d

If you look at the detail of /etc/init.d/dnsmasq it looks like dnsmasq is started using only the generated config file in /tmp/etc
I have done a few quick tests here and anything in /etc/dnsmasq.conf seems to be ignored.
If it does read /etc/dnsmasq.conf, it must be hard coded somewhere and a quick look at the source code did not show it up.
Which special options have you set there?

In my system (without ipset), 'ps' shows:

2327 dnsmasq 1464 S /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid
2329 root 1460 S /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid

And, when checking:
root@...~# cat /var/etc/dnsmasq.conf.cfg01411c
Comment: auto-generated config file from /etc/config/dhcp
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
....
My (customized) /etc/dnsmasq.conf contains a few special config options, e.g.
no-resolv
no-poll
cache-size=1000
.....

Which are effective.

I closed this topic as my initial problem was solved.
Thank you everybody!


Ah! You mean ipset-dns is supported by Luci! This all seems to be a bit of an unfinished and then forgotten work in progress. I wonder if there are any conflicts between dnsmasq-full and ipset-dns?
I might do a few tests....

