Hello, we bought a cheap router and we installed it with OpenWrt 20.01. We are a small company but with several departments.
I would like to block certain PCs (by MAC address) from YouTube and Facebook while the others have access.
I am lost! I am a newbie with OpenWrt. Is there a tutorial or a step-by-step guide I can use?
YouTube and Facebook resolve to many IP addresses, therefore you cannot create firewall rules that block the destination IP address that easily.
But if you use ipset then it is manageable:
replace dnsmasq with dnsmasq-full
add ipset configuration for dnsmasq, i.e. whenever dnsmasq resolves a *.youtube.com domain name its IP address will be stored in an ipset list.
This ipset list can be used with the firewall now, and you can simply match against the set of IP addresses automatically and the source MAC address.
If you configure static IP addresses for your clients instead of DHCP then you can even create the fw rule against those static IP addresses instead of MAC addresses.
Notice! If you are using a snapshot version of OpenWrt with firewall4 and nftables I think you can't use banip at the moment, because I think it hasn't been adapted yet.
When I am running the last command to add domain I get this
root@OpenWrt:~# uci add_list dhcp.filter.domain="youtube.com"
root@OpenWrt:~# uci commit dhcp.filter.domain
root@OpenWrt:~#
root@OpenWrt:~# /etc/init.d/dnsmasq restart
udhcpc: started, v1.33.2
udhcpc: sending discover
udhcpc: no lease, failing
udhcpc: started, v1.33.2
udhcpc: sending discover
udhcpc: no lease, failing
udhcpc: started, v1.33.2
udhcpc: sending discover
udhcpc: no lease, failing
root@OpenWrt:~#
root@OpenWrt:~# # Populate IP sets with IP
root@OpenWrt:~# ipset setup
ipset v7.6: No command specified: unknown argument setup
Try `ipset help' for more information.
root@OpenWrt:~#
When I see what is there:
List domains added to filter
root@OpenWrt:~# uci get dhcp.filter.domain | sed 's/ /\n/g'
youtube.com   (don't know why it puts a YouTube window here)
youtube.com
List IPs that will be blocked because they resolve to these domains
root@OpenWrt:~# ipset list filter
ipset v7.6: The set with the given name does not exist
root@OpenWrt:~# ipset list filter6
ipset v7.6: The set with the given name does not exist
root@OpenWrt:~#
There is no "ipset setup" command; enter "ipset help" to see all possible arguments:
# ipset help
ipset v7.6
Usage: ipset [options] COMMAND
Commands:
create SETNAME TYPENAME [type-specific-options]
        Create a new set
add SETNAME ENTRY
        Add entry to the named set
del SETNAME ENTRY
        Delete entry from the named set
test SETNAME ENTRY
        Test entry in the named set
destroy [SETNAME]
        Destroy a named set or all sets
list [SETNAME]
        List the entries of a named set or all sets
save [SETNAME]
        Save the named set or all sets to stdout
restore
        Restore a saved state
flush [SETNAME]
        Flush a named set or all sets
rename FROM-SETNAME TO-SETNAME
        Rename two sets
swap FROM-SETNAME TO-SETNAME
        Swap the contect of two existing sets
help [TYPENAME]
        Print help, and settype specific help
version
        Print version information
quit
        Quit interactive mode
(/off friendly note: in the IT world documentation is usually the last thing people care about ... the owrt wiki is on the better end of the range, but there are no paid employees to work on documentation here either, so it can happen that something is not up to date, for example not following OS/application changes. So follow recipes if you can, but sometimes you need to adapt.)
You can directly edit /etc/config/dhcp as an alternative to uci; add something like this (lines starting with # are comments):

# 'netflix' is the name of the config item in the uci world, NOT the name of the ipset
config ipset 'netflix'
        # the content (below) can go into multiple ipsets; this one is named is_Netflix
        list name 'is_Netflix'
        # this is another ipset
        list name 'is_Streaming4'
        # the results of resolving multiple domains (IP addresses) can be stored in an ipset
        list domain 'nflxvideo.net'
        # another domain to be resolved
        list domain 'netflix.com'

and in /etc/config/firewall something like this:

config rule
        option name 'whatever rule'
        option src 'lan'
        option dest 'wan'
        option target 'REJECT'
        # you can simply reference an ipset, and the firewall will match
        # against all IP addresses stored in that ipset
        option ipset 'is_Netflix'
        option family 'ipv4'
        list proto 'all'
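Putting the steps from the first answer and the config sketch above together for the original question (block YouTube and Facebook only for selected MAC addresses): this is an added example, not one of the posters' own, and it assumes OpenWrt 21.02 with dnsmasq-full and firewall3 (iptables), where a firewall "config ipset" section with "match dest_net" declares a set that dnsmasq fills; the MAC addresses are placeholders.

```text
# /etc/config/dhcp  (needs dnsmasq-full)
# dnsmasq tries to add every resolved address of these domains (and of
# any subdomain) to each listed set; the kernel keeps only the matching
# address family, hence one IPv4 set and one IPv6 set.
config ipset 'social'
	list name 'social_v4'
	list name 'social_v6'
	list domain 'youtube.com'
	# YouTube video streams are served from googlevideo.com
	list domain 'googlevideo.com'
	list domain 'facebook.com'
	# Facebook's static/media CDN
	list domain 'fbcdn.net'

# /etc/config/firewall  (fw3 creates the sets at start, dnsmasq fills them)
config ipset
	option name 'social_v4'
	option family 'ipv4'
	option match 'dest_net'

config ipset
	option name 'social_v6'
	option family 'ipv6'
	option match 'dest_net'

# Only these MACs are rejected; everyone else is unaffected.
# Placeholder addresses: take the real ones from the DHCP lease list.
config rule
	option name 'Block-social-v4'
	option src 'lan'
	option dest 'wan'
	option proto 'all'
	option family 'ipv4'
	option ipset 'social_v4'
	option target 'REJECT'
	list src_mac 'AA:BB:CC:00:00:01'
	list src_mac 'AA:BB:CC:00:00:02'

config rule
	option name 'Block-social-v6'
	option src 'lan'
	option dest 'wan'
	option proto 'all'
	option family 'ipv6'
	option ipset 'social_v6'
	option target 'REJECT'
	list src_mac 'AA:BB:CC:00:00:01'
	list src_mac 'AA:BB:CC:00:00:02'
```

After /etc/init.d/dnsmasq restart and /etc/init.d/firewall restart, resolve a name from a LAN client (or run nslookup youtube.com 127.0.0.1 on the router) and confirm that ipset list social_v4 gains members. The sets only fill for lookups that pass through this dnsmasq, so a client pointed at another resolver is not caught by these rules.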