Hello, we bought a cheap router and we installed it with OpenWrt 20.01. We are a small company but with several departments.
I would like to block certain PCs (by MAC address) from YouTube and Facebook while others have access.
I am lost! I am a newbie with OpenWrt; is there a tutorial or a step by step I can use?
YouTube and Facebook resolve to many IP addresses, therefore you cannot create firewall rules that block on destination IP address that easily.
But if you use ipset then it is manageable:
replace dnsmasq with dnsmasq-full
add ipset configuration for dnsmasq, i.e. whenever dnsmasq resolves a *.youtube.com domain name, its IP address will be stored in an ipset list.
this ipset list can now be used with the firewall, and you can simply match against the set of IP addresses automatically plus the source MAC address.
if you configure static IP addresses for your clients instead of DHCP, then you can even create fw rules against those static IP addresses instead of MAC addresses.
There is no ipset setup; enter ipset help to see all possible arguments:
# ipset help
Usage: ipset [options] COMMAND

Commands:
create SETNAME TYPENAME [type-specific-options]
        Create a new set
add SETNAME ENTRY
        Add entry to the named set
del SETNAME ENTRY
        Delete entry from the named set
test SETNAME ENTRY
        Test entry in the named set
destroy [SETNAME]
        Destroy a named set or all sets
list [SETNAME]
        List the entries of a named set or all sets
save [SETNAME]
        Save the named set or all sets to stdout
restore
        Restore a saved state
flush [SETNAME]
        Flush a named set or all sets
rename FROM-SETNAME TO-SETNAME
        Rename two sets
swap FROM-SETNAME TO-SETNAME
        Swap the content of two existing sets
help [TYPENAME]
        Print help, and settype specific help
version
        Print version information
quit
        Quit interactive mode
(off-topic friendly note: in the IT world, documentation is usually the last thing people care about ... the owrt wiki is on the better end of the range, but there are no paid employees to work on documentation here either, so it can happen that something is not up to date, for example not following OS/application changes. So follow recipes if you can, but sometimes you need to adapt.)
You can directly edit /etc/config/dhcp as an alternative to uci; add something like this:
# lines starting with # are comments
config ipset 'netflix'          # <- name of the config item in the uci world, NOT the name of the ipset
	list name 'is_Netflix'      # <- the resolved addresses (below) can go into multiple ipsets; this one is named is_Netflix
	list name 'is_Streaming4'   # <- this is another ipset
	list domain 'nflxvideo.net' # <- the IP addresses that multiple domains resolve to can be stored in an ipset
	list domain 'netflix.com'   # <- another domain to be resolved
and in /etc/config/firewall something like this:
config rule
	option name 'whatever rule'
	option src 'lan'
	option dest 'wan'
	option target 'REJECT'
	option ipset 'is_Netflix'   # <- you can simply reference an ipset,
	                            #    and the firewall will match against all ip addresses stored in that ipset
	option family 'ipv4'
	list proto 'all'
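For the original question (block YouTube and Facebook for a few PCs identified by MAC address), the two fragments above can be put together as follows. This is an added, complete example, not the poster's configuration; it targets OpenWrt 19.07/21.02 (fw3 with ipset), and the set names, the MAC addresses and the domain lists are assumptions constructed for the example. Two things the fragments above do not show are handled here: the firewall has to create the sets, because dnsmasq only adds addresses to sets that already exist, and a dual-stack LAN needs a matching IPv6 set and rule, otherwise a restricted client simply reaches the sites over IPv6.

```uci
# ---- /etc/config/dhcp ----
# Requires the dnsmasq-full package. A domain entry also covers all of its
# subdomains, so 'youtube.com' matches www.youtube.com, m.youtube.com, ...
# Set names and domain lists are assumptions (constructed for this example).
config ipset 'blocked_sites'
	list name 'is_Blocked'
	list name 'is_Blocked6'
	list domain 'youtube.com'
	list domain 'googlevideo.com'
	list domain 'ytimg.com'
	list domain 'facebook.com'
	list domain 'fbcdn.net'

# ---- /etc/config/firewall ----
# dnsmasq only fills existing sets; the firewall creates them.
# One set per address family: dnsmasq puts IPv4 answers into the ipv4 set
# and IPv6 answers into the ipv6 set.
config ipset
	option name 'is_Blocked'
	option match 'dest_net'
	option family 'ipv4'

config ipset
	option name 'is_Blocked6'
	option match 'dest_net'
	option family 'ipv6'

# Only the listed MAC addresses (example values) are matched; all other
# clients fall through these rules and keep normal access.
config rule
	option name 'Block-YouTube-Facebook-v4'
	option src 'lan'
	option dest 'wan'
	option proto 'all'
	option family 'ipv4'
	option ipset 'is_Blocked'
	list src_mac 'AA:BB:CC:11:22:33'
	list src_mac 'AA:BB:CC:44:55:66'
	option target 'REJECT'

config rule
	option name 'Block-YouTube-Facebook-v6'
	option src 'lan'
	option dest 'wan'
	option proto 'all'
	option family 'ipv6'
	option ipset 'is_Blocked6'
	list src_mac 'AA:BB:CC:11:22:33'
	list src_mac 'AA:BB:CC:44:55:66'
	option target 'REJECT'
```

Apply with /etc/init.d/dnsmasq restart followed by /etc/init.d/firewall restart. To check that it works, open one of the sites from a restricted PC and run ipset list is_Blocked on the router: it should now contain addresses. An empty set means dnsmasq is not populating it, usually because dnsmasq-full is not the installed package or because the client is not using the router as its DNS resolver. That second point is the main limitation of the approach: a client that talks to a public resolver directly, or a browser using DNS over HTTPS, never asks dnsmasq and is therefore not blocked. Also note that fw3 recreates the sets on every firewall restart, so they start empty and refill only as names are resolved again; a client holding a cached DNS answer may get through until that cache entry expires. On OpenWrt 22.03 and later (firewall4 with nftables) the same UCI sections are used, but the sets are nft sets and are inspected with nft list set inet fw4 is_Blocked instead of ipset list.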