Blocking ports not working in the LuCI GUI

I want to block port 443 (DNS over HTTPS) for certain IPs, and port 853 (DNS over TLS) for everything. Below is the screenshot of what I have tried to implement. Both of my settings don't seem to work.

I have tried using the banIP package as well to block DoH servers using an IP blacklist. While it works well and I cannot ping the IPs from the terminal, DNS over HTTPS on those IPs is still unblocked and Cloudflare's tools can still connect to 1.1.1.1 over HTTPS and TLS.

Since you're blocking IGMP, try pinging 1.1.1.1. Does it work?

You could also try replacing the protocols with Any.

I have tried the commands from the DNS hijacking wiki; they have always crashed my router, I don't know why. And the GUI commands mentioned in DNS hijacking don't work for DNS over HTTPS, which runs on port 443. Simply blocking port 443 should do the trick; it has always worked on my pfSense boxes, TP-Link business series and Cisco commercial firewalls. OpenWrt seems to ignore the blocks made via LuCI; even banIP-blacklisted IP addresses are working over HTTPS, I don't know why. Most probably Cloudflare is using some different UDP port.

Works for me, but you probably want to add the IPv6 IPs to the rule.

root@OpenWrt:~# nslookup one.one.one.one
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:      one.one.one.one
Address 1: 1.0.0.1
Address 2: 1.1.1.1
Address 3: 2606:4700:4700::1001
Address 4: 2606:4700:4700::1111

These rules are not enabled.
For DoH only TCP is needed, and since you are blocking IPv4 addresses there is no need to expand to the IPv6 family.
Same for DoT, only TCP is needed.


Still doesn't work. BTW, not using WARP itself, just using DNS over HTTPS in WARP.

I didn't specify any ports in my rule, but who knows...

If it doesn't work, you'll have to use tcpdump to see what it's actually doing.

Yeah, I have even tried blocking the UDP port WARP uses; I don't know why it is still going through. tcpdump shall help. What is confusing to me is that I am not able to ping 1.1.1.1 from the terminal, nor is Cloudflare DoH working through Firefox.

The WARP client talks with our edge via a standard HTTPS connection outside the tunnel for operations like registration or settings changes. To perform these operations, you must allow zero-trust-client.cloudflareclient.com which will look up the following IP addresses:

WARP utilizes UDP for all of its communications. By default, the UDP Port required for WARP is: UDP 2408. WARP can fallback to: UDP 500, UDP 1701, or UDP 4500.

https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/firewall/

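What the replies so far add up to (the rules must actually be enabled, they should cover 1.1.1.1/1.0.0.1 and the two IPv6 addresses from the nslookup output, port 853 should be blocked for every destination, and the WARP UDP ports from the Cloudflare document should be blocked as well), written as a uci script instead of LuCI clicks. This is an added example, not code from the thread or from OpenWrt. It assumes the default zone names lan and wan and a stock fw3/fw4 firewall. It also goes one step beyond the thread: it blocks UDP as well as TCP on 853 (DNS over QUIC) and uses proto all for the resolver addresses, so DoH over HTTP/3 on UDP 443, plain port 53 and ICMP are all caught, which is what the "put Any in the rule" suggestion amounts to.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt. Generates the
# uci commands for four LuCI-visible traffic rules (lan -> wan, explicitly
# enabled) and optionally applies them.
# Assumptions: zones are named lan and wan (OpenWrt defaults); resolver
# addresses are the ones nslookup returned earlier in the thread; WARP ports
# are the ones from Cloudflare's firewall documentation.

V4_RESOLVERS="1.1.1.1 1.0.0.1"
V6_RESOLVERS="2606:4700:4700::1111 2606:4700:4700::1001"
WARP_UDP_PORTS="2408 500 1701 4500"   # WARP tunnel port and its fallbacks

# Start a new rule section: $1 name, $2 family (ipv4|ipv6|any), $3 target.
# No value contains spaces, so nothing needs quoting inside 'uci batch'.
rule_header() {
    printf 'add firewall rule\n'
    printf 'set firewall.@rule[-1].name=%s\n' "$1"
    printf 'set firewall.@rule[-1].src=lan\n'
    printf 'set firewall.@rule[-1].dest=wan\n'
    printf 'set firewall.@rule[-1].family=%s\n' "$2"
    printf 'set firewall.@rule[-1].target=%s\n' "$3"
    printf 'set firewall.@rule[-1].enabled=1\n'   # a disabled rule matches nothing
}

gen_rules() {
    # 1. Port 853 to any destination: DNS over TLS (TCP) and DNS over QUIC (UDP).
    rule_header Block-DoT-DoQ any REJECT
    printf 'add_list firewall.@rule[-1].proto=tcp\n'
    printf 'add_list firewall.@rule[-1].proto=udp\n'
    printf 'set firewall.@rule[-1].dest_port=853\n'

    # 2./3. Everything to the Cloudflare resolvers: TCP 443 (DoH), UDP 443
    # (DoH over HTTP/3), plain port 53 and ICMP. One rule per address family.
    rule_header Block-Cloudflare-DNS-v4 ipv4 REJECT
    printf 'set firewall.@rule[-1].proto=all\n'
    for ip in $V4_RESOLVERS; do
        printf 'add_list firewall.@rule[-1].dest_ip=%s\n' "$ip"
    done
    rule_header Block-Cloudflare-DNS-v6 ipv6 REJECT
    printf 'set firewall.@rule[-1].proto=all\n'
    for ip in $V6_RESOLVERS; do
        printf 'add_list firewall.@rule[-1].dest_ip=%s\n' "$ip"
    done

    # 4. WARP's UDP ports to any destination. Caveat: 500/4500 are also
    # IPsec IKE/NAT-T and 1701 is L2TP, so LAN clients lose those VPNs too.
    rule_header Block-WARP-UDP any REJECT
    printf 'set firewall.@rule[-1].proto=udp\n'
    for port in $WARP_UDP_PORTS; do
        printf 'add_list firewall.@rule[-1].dest_port=%s\n' "$port"
    done
}

# Apply on the router: commit, then restart (not reload) the firewall so
# existing connections are not kept alive by old conntrack entries.
apply_rules() {
    gen_rules | uci batch && uci commit firewall && /etc/init.d/firewall restart
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     gen_rules ;;      # default: only print the uci commands
esac
```

Run it without arguments to review the generated commands, and as `sh block-dns.sh apply` on the router to install them; they appear under Network > Firewall > Traffic Rules in LuCI afterwards. Because the rules are lan to wan forward rules, the router's own dnsmasq is unaffected. REJECT rather than DROP is used so that clients fall back to the router's resolver immediately instead of waiting for timeouts.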

Did block those, still works :confused: My lil brother is too smart, has used WARP before to bypass.

If you blocked everything in that link, it shouldn't even start.

Is your OpenWrt device acting as router?

Ah, now it is working, I had accidentally kept UDP 500 on accept. What still works is 1.1.1.1, although not through Firefox or through ping in cmd.

Well, you're only blocking TCP; ping is ICMP.
That's why I said you could put Any in the rule.

Yes, it does; it has a PPPoE connection.

Now stuck on connecting.

WARP's dead, but normal 1.1.1.1 over HTTPS and TLS still works, only through the Cloudflare WARP app though, don't know why.

If that's all you've got, you're now missing the old 1.1.1.1/1.0.0.1 + IPv6 rule.

I do have the other rules; Firefox, normal pings etc. are dead to all these, just the WARP app's 1.1.1.1 keeps on running even though I have added Cloudflare's ingress now. WARP+/WARP VPN is officially dead as well. Just 1.1.1.1 is being a PIA.

Did you flush the conntrack table between your tests? You can do that by restarting (not reloading) the firewall service.

I did. Plain DoH only through the WARP app (no Firefox, ping etc.) still works; everything else is dead.
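The tcpdump check suggested earlier in the thread, as an added example that is not part of the original posts. It captures on the LAN side of the router, keeps only packets to the resolver addresses from the nslookup output, to port 853, or to the WARP UDP ports from the Cloudflare document, and labels each one so that a client that "still works" can be tied to a concrete protocol, destination and port (for instance UDP 443, which a TCP-only rule never sees). The interface name br-lan and all sample capture lines are assumptions: the samples are constructed from tcpdump's -n output format, and 162.159.192.1 and 93.184.216.34 are placeholder addresses, not measured data.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies 'tcpdump -n' output so
# that leftover encrypted-DNS / WARP flows from the LAN can be identified.
# Assumptions: LAN bridge is br-lan (OpenWrt default); resolver addresses are
# the ones nslookup returned in the thread; WARP ports are from Cloudflare's
# firewall documentation.

LAN_IF=br-lan
RESOLVERS="1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001"
WARP_UDP_PORTS="2408 500 1701 4500"

# BPF filter for the live capture: only traffic worth looking at.
FILTER='host 1.1.1.1 or host 1.0.0.1 or host 2606:4700:4700::1111 or host 2606:4700:4700::1001 or port 853 or udp port 2408 or udp port 500 or udp port 1701 or udp port 4500'

# classify: reads 'tcpdump -n' lines on stdin, prints one line per matching
# packet as "<category> <proto> <dst-host> <dst-port>", drops the rest.
classify() {
    awk -v resolvers="$RESOLVERS" -v warp="$WARP_UDP_PORTS" '
    BEGIN {
        n = split(resolvers, r, " "); for (i = 1; i <= n; i++) isres[r[i]] = 1
        n = split(warp, w, " ");      for (i = 1; i <= n; i++) iswarp[w[i]] = 1
    }
    # tcpdump -n layout: <time> IP|IP6 <src.port> > <dst.port>: <proto info>
    $2 == "IP" || $2 == "IP6" {
        dst = $5; sub(/:$/, "", dst)
        if ($6 ~ /^ICMP/) {          # "ICMP echo request" / "ICMP6, echo request"
            proto = "ICMP"; host = dst; port = "-"
        } else {
            n = split(dst, p, "."); port = p[n]      # last dotted field is the port
            host = substr(dst, 1, length(dst) - length(port) - 1)
            proto = ($6 == "UDP,") ? "UDP" : "TCP"  # TCP lines start with "Flags"
        }
        if (port == "853")                            cat = "DoT/DoQ"
        else if ((host in isres) && port == "443")    cat = "DoH"
        else if (host in isres)                       cat = "resolver-other"
        else if (proto == "UDP" && (port in iswarp))  cat = "WARP"
        else next
        print cat, proto, host, port
    }'
}

# Constructed sample capture (not real traffic): one ordinary HTTPS flow to a
# placeholder address at the end, which must not be reported.
SAMPLE='12:00:01.000001 IP 192.168.1.50.51234 > 1.1.1.1.443: Flags [S], seq 10, win 64240, length 0
12:00:01.000002 IP 192.168.1.50.51235 > 1.1.1.1.443: UDP, length 1200
12:00:01.000003 IP 192.168.1.50.51236 > 162.159.192.1.2408: UDP, length 148
12:00:01.000004 IP6 fd00::50.51237 > 2606:4700:4700::1111.853: Flags [S], seq 20, win 65535, length 0
12:00:01.000005 IP 192.168.1.50 > 1.0.0.1: ICMP echo request, id 7, seq 1, length 64
12:00:01.000006 IP 192.168.1.50.51238 > 93.184.216.34.443: Flags [S], seq 30, win 64240, length 0'

classify_sample() { printf '%s\n' "$SAMPLE" | classify; }

# Live use on the router: sh dns-leaks.sh live   (Ctrl-C to stop)
live() { tcpdump -nli "$LAN_IF" "$FILTER" | classify; }

case "${1:-sample}" in
    live) live ;;
    *)    classify_sample | sort | uniq -c ;;
esac
```

On the sample, the summary shows two DoH packets to 1.1.1.1 (one TCP, one UDP 443, i.e. HTTP/3), one DoT/DoQ packet to the IPv6 resolver, one WARP packet on UDP 2408 and one ICMP echo to 1.0.0.1; the unrelated HTTPS connection is not listed. Anything that still shows up in live mode after the firewall restart is traffic the rules do not match, and the printed family, protocol and port say which rule is missing.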