Block YouTube and Facebook for certain PCs, not all

Hello, we bought a cheap router and installed it with OpenWrt 20.01. We are a small company but have several departments.
I would like to block certain PCs (by MAC address) from YouTube and Facebook while the others keep access.

I am lost! I am a newbie with OpenWrt. Is there a tutorial or a step-by-step guide I can use?

Then provide a separate DNS for those who shouldn't be blocked, or the other way around.

1 Like

AdGuard Home. It can block access to certain sites for certain client IPs.

I already have AdGuard installed, but that blocks all the traffic to YouTube and Facebook. How can I apply it only to some MAC addresses?
Thanks in advance

Hi, you can block FB/YT access for certain client IP addresses. For blocking by MAC address, I don't think AdGuard has a feature for that.

Hi,

YouTube and Facebook resolve to many IP addresses, therefore you cannot create firewall rules that block by destination IP address that easily.

But if you use ipset then it is manageable:
replace dnsmasq with dnsmasq-full
add ipset configuration for dnsmasq, i.e. whenever dnsmasq resolves a *.youtube.com domain name, its IP address will be stored in an ipset list.
this ipset list can now be used with the firewall, and you can simply match against the set of IP addresses automatically and the source MAC address.

If you configure static IP addresses for your clients instead of DHCP, then you can even create a firewall rule against those static IP addresses instead of MAC addresses.

2 Likes

I'm lost. How can that be done?

  • add ipset configuration for dnsmasq, i.e. whenever dnsmasq resolves a *.youtube.com domain name, its IP address will be stored in an ipset list
  • this ipset list can now be used with the firewall, and you can simply match against the set of IP addresses automatically and the source MAC address.
1 Like

As mentioned, if you have installed AdGuard anyway, I think the easiest way is to block clients there:

Go to:
Settings / Client settings / Add client -> enter the IP or MAC of the client

Then go to “Block specific services” and untick “Use Global blocked services” and enable all the services you only want to block for that client.

Another option would be to install luci-app-banip and filter via ASN selection.

Google the ASN of Facebook, YouTube etc.

And then enter it in the ASN Selection under the tab Blocklist Sources.

Here is an example blocking Facebook:

Notice! If you are using a snapshot version of OpenWrt with firewall4 and nftables, I think you can't use banIP at the moment because I think it hasn't been adapted yet.

1 Like

In my first attempt I tried to follow this tutorial. I got stuck in the same place as today.

[OpenWrt Wiki] Filtering traffic with IP sets by DNS

When I run the last command to add the domain, I get this:

root@OpenWrt:~# uci add_list dhcp.filter.domain="youtube.com"
root@OpenWrt:~# uci commit dhcp.filter.domain
root@OpenWrt:~#
root@OpenWrt:~# /etc/init.d/dnsmasq restart
udhcpc: started, v1.33.2
udhcpc: sending discover
udhcpc: no lease, failing
udhcpc: started, v1.33.2
udhcpc: sending discover
udhcpc: no lease, failing
udhcpc: started, v1.33.2
udhcpc: sending discover
udhcpc: no lease, failing
root@OpenWrt:~#
root@OpenWrt:~# # Populate IP sets with IP
root@OpenWrt:~# ipset setup
ipset v7.6: No command specified: unknown argument setup
Try `ipset help' for more information.
root@OpenWrt:~#

When I look at what is there:

List domains added to filter

root@OpenWrt:~# uci get dhcp.filter.domain | sed 's/ /\n/g'
youtube.com                             (don't know why it puts a YouTube window here)
youtube.com

List IPs that will be blocked because they resolve to these domains

root@OpenWrt:~# ipset list filter
ipset v7.6: The set with the given name does not exist
root@OpenWrt:~# ipset list filter6
ipset v7.6: The set with the given name does not exist
root@OpenWrt:~#

What am I missing here?

Thank you for explaining it in detail.

There is no "ipset setup" command; enter ipset help to see all possible arguments:

# ipset help
ipset v7.6

Usage: ipset [options] COMMAND

Commands:
create SETNAME TYPENAME [type-specific-options]
        Create a new set
add SETNAME ENTRY
        Add entry to the named set
del SETNAME ENTRY
        Delete entry from the named set
test SETNAME ENTRY
        Test entry in the named set
destroy [SETNAME]
        Destroy a named set or all sets
list [SETNAME]
        List the entries of a named set or all sets
save [SETNAME]
        Save the named set or all sets to stdout
restore
        Restore a saved state
flush [SETNAME]
        Flush a named set or all sets
rename FROM-SETNAME TO-SETNAME
        Rename two sets
swap FROM-SETNAME TO-SETNAME
        Swap the contect of two existing sets
help [TYPENAME]
        Print help, and settype specific help
version
        Print version information
quit
        Quit interactive mode

(/off friendly note: in the IT world, documentation is usually the last thing people care about ... the OpenWrt wiki is on the better end of the range, but there are no paid employees to work on documentation here either, so it can happen that something is not up to date, for example not following OS/application changes. So follow recipes if you can, but sometimes you need to adapt :wink: )

You can directly edit /etc/config/dhcp as an alternative to uci; add something like this:

# lines starting with # are comments
config ipset 'netflix' # <- name of the config item in the uci world, NOT the name of the ipset
        list name 'is_Netflix' # <- the content (below) can go into multiple ipsets; this one is named is_Netflix
        list name 'is_Streaming4' # <- this is another ipset
        list domain 'nflxvideo.net' # <- the results of resolving multiple domains (IP addresses) can be stored in an ipset
        list domain 'netflix.com' # <- another domain to be resolved

and in /etc/config/firewall something like this:

config rule
        option name 'whatever rule'
        option src 'lan'
        option dest 'wan'
        option target 'REJECT'
        option ipset 'is_Netflix' # <- you can simply reference an ipset,
                                  # and the firewall will match against all IP addresses stored in that ipset
        option family 'ipv4'
        list proto 'all'

Hope it helps. Good luck.
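To tie the ipset recipe from the earlier reply and the config fragments just above together, here is an added example (not code from the OpenWrt wiki, from the thread's posters or from the OpenWrt project). It is a POSIX shell script that prints a `uci batch` script doing three things: the dnsmasq-full ipset section in /etc/config/dhcp, the ipset declaration in /etc/config/firewall, and one REJECT rule that applies only to the PCs listed by source MAC address. It assumes an OpenWrt 21.02-style fw3/iptables firewall (not fw4/nftables) and that fw3 creates every set declared with a `config ipset` section in /etc/config/firewall at start-up, which is why the rule's `option ipset` has something to match against; the set name `blocked_sites`, the rule and section names, the domains and the MAC addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example for this thread; not code from the OpenWrt wiki or from any poster.
# Prints a `uci batch` script wiring up the ipset approach described above:
#   1. dnsmasq-full stores every address it resolves for the listed domains in an ipset
#   2. fw3 declares that ipset in /etc/config/firewall and so creates it at start-up
#   3. one rule REJECTs lan->wan traffic to that set, but only from the listed PCs
#      (matched by source MAC); every other client keeps access
# Assumptions: OpenWrt 21.02-style fw3/iptables (not fw4/nftables) and dnsmasq-full.
# Set name, rule name, domains and MAC addresses are constructed placeholders.

SET="blocked_sites"           # ipset name; also used as the uci section name
RULE="${SET}_rule"            # uci section name of the firewall rule

# Return 0 if $1 looks like a colon-separated MAC address (aa:bb:cc:dd:ee:ff).
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# dnsmasq side: one 'config ipset' section in /etc/config/dhcp listing the domains
# whose resolved addresses dnsmasq should add to the set (subdomains are covered too).
# Usage: dhcp_batch DOMAIN...
dhcp_batch() {
    [ "$#" -ge 1 ] || { echo "dhcp_batch: need at least one domain" >&2; return 1; }
    printf 'delete dhcp.%s\n' "$SET"
    printf 'set dhcp.%s=ipset\n' "$SET"
    printf "add_list dhcp.%s.name='%s'\n" "$SET" "$SET"
    for domain in "$@"; do
        printf "add_list dhcp.%s.domain='%s'\n" "$SET" "$domain"
    done
    printf 'commit dhcp\n'
}

# firewall side: declare the set so fw3 creates it, then a REJECT rule matching
# destination-in-set AND source MAC in the given list. It refuses to emit a rule
# with no valid MAC: a rule without src_mac would block every client, not just some.
# Usage: firewall_batch MAC...
firewall_batch() {
    [ "$#" -ge 1 ] || { echo "firewall_batch: need at least one MAC" >&2; return 1; }
    for mac in "$@"; do
        is_mac "$mac" || { echo "firewall_batch: bad MAC '$mac'" >&2; return 1; }
    done
    printf 'delete firewall.%s\n' "$SET"
    printf 'set firewall.%s=ipset\n' "$SET"
    printf "set firewall.%s.name='%s'\n" "$SET" "$SET"
    printf "set firewall.%s.match='dest_net'\n" "$SET"
    printf "set firewall.%s.family='ipv4'\n" "$SET"
    printf 'delete firewall.%s\n' "$RULE"
    printf 'set firewall.%s=rule\n' "$RULE"
    printf "set firewall.%s.name='Block-%s-by-MAC'\n" "$RULE" "$SET"
    printf "set firewall.%s.src='lan'\n" "$RULE"
    printf "set firewall.%s.dest='wan'\n" "$RULE"
    printf "set firewall.%s.proto='all'\n" "$RULE"
    printf "set firewall.%s.family='ipv4'\n" "$RULE"
    printf "set firewall.%s.ipset='%s'\n" "$RULE" "$SET"
    printf "set firewall.%s.target='REJECT'\n" "$RULE"
    for mac in "$@"; do
        printf "add_list firewall.%s.src_mac='%s'\n" "$RULE" "$mac"
    done
    printf 'commit firewall\n'
}

# Stand-alone demo with constructed values. On the router, pipe the output into
# `uci -q batch`, then restart the firewall and dnsmasq (in that order).
dhcp_batch youtube.com facebook.com
firewall_batch 00:11:22:33:44:55 66:77:88:99:aa:bb
```

Run it as `sh block_by_mac.sh | uci -q batch`, then `/etc/init.d/firewall restart` followed by `/etc/init.d/dnsmasq restart`. Once any client (or the router itself, via `nslookup youtube.com 127.0.0.1`) has resolved one of the domains, `ipset list blocked_sites` should show addresses; a "The set with the given name does not exist" answer like the one earlier in this thread means the set was never created, so check that dnsmasq-full is installed and that the firewall ipset declaration was committed and the firewall restarted. Two caveats worth knowing: the set is only filled for clients that actually use the router's dnsmasq, so a PC with a hard-coded external resolver or DNS over HTTPS never populates it (forcing LAN DNS to the router closes that gap), and this example is IPv4-only; if the LAN has IPv6, add a second set with `family 'ipv6'` in both files, as the wiki does with its `filter6` set.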