Fine tuning Firewall - whitelist, blacklist, port 80/443

I use firewall->Traffic rules to completely block outgoing port 80 traffic on certain workstations. I am using MAC address as an identifier. Now I need to whitelist couple of domains. How do I do that? In addition, is it possible to block certain domains on those workstations regardless of ports? I can also block all traffic (web traffic on 80 and 443) and just whitellist certain domains regardless of ports if that is easier to implement.

This cannot be for the entire home subnet, just those workstations. I cannot segment using vlans as target workstation is sharing a folder and using a network printer.

Of course you can:

  • You'll have to make a script to get the IP address of these servers from DNS
  • You would white list by adding an ACCEPT rule to these IPs ABOVE the rules to block traffic

VLANs shouldn't cause a problem, if you wish to continue using Network Discovery protocols though, it might remain an issue.

Thanks @lleachii I like the suggestion. Workstation is running win10 I do not want to touch the internal network that is running fine. I would rather work with the firewall.

What is the sequence? Block first then allow (put holes) or allow first and then block rest? I am using the GUI/Luci interface right now. Can I block all the traffic in traffic rules GUI for 80 and 443 and run the script to whitelist just a few?

Where does the script run? Is it a shell script? Is it in the custom rules? Can you please provide a sample to whitelist as an example?

I didn't say run a script to do the block, I said run a script to get the IPs of the domains you wish to block. I would advice looking at how to use Bash, iptables and nslookup.

This can be done in the GUI, but you may have to install ipset.

On the router.

EDIT: It seems easier to just create another VLAN and setup FORWARD ACCEPT to your network file server and printer. I do this all the time

First create an ipset using the shell, and add the command to custom firewall rules.

ipset create whitelist hash:ip

Then in Luci, Firewall rules, additional arguments, add command below

-m set  -m set ! --match-set whitelist dst

In /etc/dnsmasq.conf, add a few lines like below


Then restart dnsmasq.

Also, you will have to install ipset:

opkg update
opkg install kmod-ipt-ipset ipset

It can be easily done in /etc/config/firewall itself without using any custom rule:

config ipset
    option name 'whitelist'
    option match 'dest_net'
    option family 'ipv4'
config rule
    option name 'Allow whitelist ipset'
    option src 'lan'
    option dest 'wan'
    option ipset 'whitelist'
    option target 'ACCEPT'

The dnsmasq config entry is the way you have mentioned

list ipset '/'
list ipset '/'
list ipset '/'
1 Like