its pretty easy with adblock or the firewall to block access to the entire internet or certain ports for some or all users with openwrt. you can block certain ips from the wan side to certain devices. but i just want something simple to block certain devices (childrens devices) from certain sites and not have it blocked for all users, not have to use an ip to do it, and not have it blocked for everybody. with the thousands of apps for openwrt i just cant seem to find one for this.
example: i want to block the xbox from youtube and no other site. no other device should be blocked. now if i just block the ip address youtube has other ip's right? wont it just go around. and using ip's is so much hassle. can i just block domain lookups for youtube? would that do it? its the youtube app though so when i block ports 80 and 443 (which would still block all web traffic anyway which isnt what i want) it still gets through. but when i block 79-65535 it cant get through. so its got to be one of those ports.
how can something so simple not have an app on openwrt. or at least have a simple way to do it. am i missing something. my old crap tplink router could do it im pretty sure
Dnsmasq in the dnsmasq-full package can be configured to add the IP addresses for *.youtube.com to IP sets using the following uci commands:
uci set firewall.youtube_ipset4=ipset
uci set firewall.youtube_ipset4.name='youtube_ipset4'
uci set firewall.youtube_ipset4.storage='hash'
uci set firewall.youtube_ipset4.family='ipv4'
uci set firewall.youtube_ipset4.match='dest_ip'
uci set firewall.youtube_ipset6=ipset
uci set firewall.youtube_ipset6.name='youtube_ipset6'
uci set firewall.youtube_ipset6.storage='hash'
uci set firewall.youtube_ipset6.family='ipv6'
uci set firewall.youtube_ipset6.match='dest_ip'
uci add_list dhcp.@dnsmasq.ipset='/youtube.com/youtube_ipset4,youtube_ipset6'
The IP sets can then be used in custom traffic rules in the firewall using -m set --match-set youtube_ipset4 dst or -m set --match-set youtube_ipset6 dst as Extra Arguments.
thanks for the response. i found this. does it look like it would work? its basically the same thing you are saying but they put a bit more time into explaining it (i know you are not here to babysit me). but can you have a look and see if it will work? there are so many threads about things like this and so many apps\scripts for luci. i hope somebody writes one some day.
i would be willing to donate if anybody could do that. it doesnt even have to be a luci app. a shell script that accepted inputs would work. i have putty set up and winscp but i hate going through config files because i always screw something up.
i will look more into dsnmasq-full. and if i can figure something out i might try to write a script or something. i know a little bit of python but im not very familiar with linux\unix shell scripts.
thanks for the help though. i think you are right. dnsmasq-full is the way to go. i hope it doesnt hurt router performance.
thanks. im going to look into what kind of scripts openwrt supports. im assuming bash but i dont know. as you can tell im a bit out of my league. and a shell script isnt exactly user friendly. but its not hard to download putty i guess. im going to try to make it where it asks you for a group of ips and a name for them. then it asks you for a a group of domain names to block. then have an option to enable or disable them. could be neat. but i have to work and itll take a lot of time for something pretty simple.
so the first step will actually be learning how to setup the config files. once i learn how that works i will know how to setup the script. once i get a chance to look into the configs i may contact you. thanks