I maintain a school's IT infrastructure and I'm using OpenWrt 23.05 on our router.
We already use Cloudflare to prevent access to pornographic websites.
I'd like to have some more fine-grained control within the school. I'd like to have two lists:
List 1) Websites to which I would like to block access.
List 2) Staff computers
Then, I would like to allow the staff computers list to access all websites and I would like to block all the websites in list 1 to any other connected devices.
I know a little about OpenWrt but I'm far from an expert. What would be the best way of achieving this? ipsets?
Given the stakes here, I'd personally recommend that you consider a commercially available solution. I say this for a few reasons:
make sure it's done with the best available methods/knowledge/lists
kids are enterprising and may know or learn about circumvention methods that could catch you off guard and/or will cause you to be engaged in a cat-and-mouse game
CYA - you don't want to be on the hook for this if/when things go wrong.
That said, if you do still want to roll your own, I think the most practical option (although not foolproof) is DNS based. As @brada4 mentioned, adblock and banIP can do this.
You can also use Pi-hole (another DNS filter), and you can also use upstream resolvers like Cloudflare and others that nominally filter adult and other inappropriate sites.
Finally, be sure to hijack DNS requests to ensure that users don't attempt to bypass your local DNS. And if you are running your own DNS, make sure you've got redundancy so that you can have some protection against a bad DNS server causing a school-wide outage.
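A sketch of the DNS-based setup described in the reply above, combined with the staff exemption from the question, as an added example that is not part of the original thread. The addresses, MAC, host name, the domain `blocked.example`, the zone name `lan` and the choice of 1.1.1.3 as the staff resolver are all assumptions to be replaced with the school's own values.

```uci
# ---- /etc/config/firewall (fragment) ----

# List 2: staff computers, by the fixed IPv4 addresses of their static leases
# (constructed sample addresses)
config ipset
	option name 'staff'
	option family 'ipv4'
	list match 'src_ip'
	list entry '192.168.1.10'
	list entry '192.168.1.11'

# Hijack plain DNS: any port-53 query from a non-staff LAN client is
# redirected to the router's own dnsmasq, whatever server the client set.
# This rule covers IPv4 only; IPv6 clients need separate handling.
config redirect
	option name 'Intercept-DNS'
	option family 'ipv4'
	option src 'lan'
	option src_dport '53'
	option proto 'tcp udp'
	option ipset '!staff'
	option target 'DNAT'

# ---- /etc/config/dhcp (fragment) ----

# List 1: blocked sites. Add one line per domain inside the existing
# 'config dnsmasq' section; '#' makes dnsmasq answer with a null address
# for the domain and all of its subdomains.
#	list address '/blocked.example/#'

# Staff machines are handed a resolver other than the router, so the
# local block list does not apply to them (resolver is an assumption).
config tag 'staff'
	list dhcp_option '6,1.1.1.3'

config host
	option name 'staff-pc-1'
	option mac 'AA:BB:CC:DD:EE:01'
	option ip '192.168.1.10'
	option tag 'staff'
```

The exemption is only as strong as the address match: a client that manually assigns itself a staff IP is treated as staff, so the staff range is better placed on its own VLAN or SSID where that is possible.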
It will not take long for older classes to bring VPN to younger classes. Mine came home with such a gift, now using parent-sanctioned Cloudflare .3 with a promise to not flex to teachers one can game at school if really urgent.