Block DNS resolution or internet access of specific IoT clients

Hello,

I want to block internet access for specific IoT clients.
This means these clients should only be able to reach specific domains, e.g. for firmware upgrades.

Can you please advise how to implement this?

In DNS-blocker terms this would be a whitelist that applies only to specific clients.
I have already installed and enabled Adblock-fast.

Point them at a fake DNS server (or have dnsmasq return 0.0.0.0 for all FQDNs), except for the domain they use for updating. Keep in mind that this only restricts devices that actually use the router's DNS; a device with a hard-coded resolver or hard-coded IP addresses is not stopped by DNS filtering alone.

Could you please specify what must be configured in dnsmasq?


Try something like this:

server=/the.FQDN.your.IoT.devices.need/8.8.8.8
server=0.0.0.0

One approach I use for my IoT network is:

  1. Delete the forwarding from the iot zone to the wan zone, then check that there is no internet access from the iot zone.
  2. Create a traffic rule that allows the ipset 'allow-iot' from the iot zone to the wan zone:
    /etc/config/firewall (traffic rule and ipset)
config rule
	option name 'allow-iot'
	list proto 'all'
	option src 'iot'
	option ipset 'allow-iot'
	option dest 'wan'
	option target 'ACCEPT'
  3. Make an ipset that matches on destination IP:
config ipset
	option name 'allow-iot'
	option family 'ipv4'
	list match 'dest_ip'

  4. Populate the ipset: make sure you have installed dnsmasq-full, then define an ipset in dnsmasq with the domains you want to allow. I use ipchicken.com and ipleak.net as example allowed domains.
    /etc/config/dhcp (DHCP and DNS > Ipsets):
config ipset
	list name 'allow-iot'
	option table_family 'inet'
	list domain 'ipchicken.com'
	list domain 'ipleak.net'

Thanks for sharing this info.
Although this makes sense, I see one issue in my setup:
my IoT clients are devices like
a SmartTV and smart power plugs, but also mobile devices.

This means there are actually two different device groups: restricted IoT devices and unrestricted mobile devices.

You should really set up a separate guest/IoT network, so that the restricted devices are in their own zone and the mobile devices are not affected.


@cmonty14 That's the approach I'd take, and you don't need any additional packages, just dnsmasq.

Did you manage to solve this problem?

Maybe I'm doing it wrong, but it doesn't work.
I set up a host network:

/etc/config/firewall

        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone 'guest'
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'
        list device 'phy0-ap0'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67-68'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-guest'
        option src 'guest'
        option ipset 'Allow-guest'
        option dest 'wan'
        option target 'ACCEPT'
        list proto 'all'

config ipset
        option name 'Allow-guest'
        option family 'ipv4'
        list match 'dest_ip'

/etc/config/dhcp

        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '6h'

config ipset
        list name 'Allow-guest'
        list domain 'google.com'
        list domain 'speedtest.net'
        option table_family 'inet'

Clients connect via the guest Wi-Fi
but don't get online.

If I add a forwarding `config forwarding 'guest_wan'` with
`option src 'guest'`
`option dest 'wan'`,
then the ipset list doesn't work.

Disabling
`config rule 'guest_dhcp'` and
`config rule 'guest_dns'`
makes no difference.

It feels like I made a mistake in the firewall settings.