Help with Firewall rule to block one website for one client

I would like help, please, with creating a simple firewall rule to block one client device from accessing one specific website. The reason why I want it as a firewall rule is because I can easily enable/disable the rule if necessary.

I have a new access point on my network with a static IP of 192.168.1.5, and it hits up www.netgear.com thousands of times per day. I would like to block this with a firewall rule. This access point has no purpose for doing that. If/when I decide to manually check for a firmware update for that device, I can temporarily disable the firewall rule.

Thank you for your time.

Firewall doesn't really work with DNS names, but IPs.

Your IP rule would only work if you kept the IPs up to date.

I'm still trying to think of exactly what should be done and how.

What about a firewall rule to deny access to 192.168.1.5 from any kind of name resolution on port 53?

That would block all name resolution instead of just the one website, of course. But that should be fine from an access point perspective.

You could completely reject outgoing traffic for the device's IP.

That sounds good. I will try to create a rule and see if I can figure it out. If it fails, then I will post back here to request some help with rules. Thank you.

My understanding of firewall rules is very limited, so please bear with me.

The first attempt at creating my own rule seems to have blocked the device from manually checking for firmware updates (which is fine) but the DNS resolution for www.netgear.com is still successfully going through fast and furious.

Clearly, I have not done this correctly. Could you please have a look and see what I could do to improve this? Thanks.

config rule
	option name 'Netgear'
	option src 'lan'
	option dest '*'
	option proto 'tcp udp'
	option target 'REJECT'
	list src_ip '192.168.1.5'

try dest wan instead of *

I changed it following your suggestion:

config rule
	option name 'Netgear'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp udp'
	option target 'REJECT'
	list src_ip '192.168.1.5'

Unfortunately, the DNS resolution is still going through.

I could try blacklisting www.netgear.com in Adblock which I'm certain would work. However, the Adblock reporting would still be cluttered with requests to that domain.

@frollic

I came up with something that works. Can you please let me know if this is a safe and acceptable method?

Basically, I'm using a redirect instead and it is based on the MAC address of the Netgear access point. It grabs anything on port 53 with the purpose of sending it to nowhere. In this case, it's sending it to port 5354 which has nothing listening for DNS requests.

My idea here was that it gets lost and never resolved. I have tested it and it's working exactly how I want. However, I do not know if there are any repercussions (i.e. performance, etc.) for doing the firewall rule this way.

config redirect
	option target 'DNAT'
	option name 'Netgear Discard DNS'
	option src 'lan'
	option proto 'tcp udp'
	list src_mac 'xx:xx:xx:xx:xx:xx'
	option src_dport '53'
	option dest_port '5354'
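The two `config rule` attempts above and the final `config redirect` behave differently for a reason that a small simulation makes visible: in OpenWrt's firewall configuration a rule with a `dest` option is applied to forwarded traffic, while a rule without `dest` is applied to traffic addressed to the router itself (its "input" path). If the access point sends its DNS queries to the router's own resolver (the usual setup on an OpenWrt LAN, assumed here), those queries never pass through the lan-to-wan forwarding path, so a lan-to-wan REJECT blocks the firmware download but not the lookups. The following Python is an added example written for this thread, not code from any of the posters or from OpenWrt; it contains a toy UCI parser, a simplified matcher for `rule` and `redirect` sections, the thread's second attempt, a hypothetical input-path rule (`INPUT_RULE`, my suggestion, not from the thread), and the redirect with a constructed MAC address.

```python
import shlex

# Constructed placeholder MAC for the access point (the thread shows xx:xx:xx:xx:xx:xx).
AP_MAC = "02:00:00:00:00:01"

# The thread's second attempt: a forwarding rule (it has 'dest').
ATTEMPT_FORWARD = """
config rule
	option name 'Netgear'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp udp'
	option target 'REJECT'
	list src_ip '192.168.1.5'
"""

# Hypothetical alternative (not from the thread): no 'dest', so it applies to
# traffic sent to the router itself, which is where the LAN resolver answers DNS.
INPUT_RULE = """
config rule
	option name 'Netgear no DNS'
	option src 'lan'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'REJECT'
	list src_ip '192.168.1.5'
"""

# The redirect the original poster settled on, with the constructed MAC.
REDIRECT = f"""
config redirect
	option target 'DNAT'
	option name 'Netgear Discard DNS'
	option src 'lan'
	option proto 'tcp udp'
	list src_mac '{AP_MAC}'
	option src_dport '53'
	option dest_port '5354'
"""


def parse_uci(text):
    """Parse 'config <type>' blocks with 'option'/'list' lines into dicts."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] == "config":
            current = {".type": parts[1]}
            sections.append(current)
        elif parts[0] == "option" and current is not None:
            current[parts[1]] = parts[2]
        elif parts[0] == "list" and current is not None:
            current.setdefault(parts[1], []).append(parts[2])
    return sections


def chain_for(rule):
    """A rule with 'dest' covers forwarded traffic; without it, traffic to the router."""
    return "forward" if "dest" in rule else "input"


def section_matches(sec, pkt):
    """Simplified match of one rule/redirect section against a packet dict."""
    chain = "input" if pkt["dst"] == "router" else "forward"
    if sec[".type"] == "rule":
        if chain_for(sec) != chain:
            return False
        if chain == "forward" and sec["dest"] not in ("*", pkt["dst"]):
            return False
        port_key = "dest_port"
    else:  # redirect: evaluated in prerouting, before the input/forward split
        port_key = "src_dport"
    if sec.get("src", "*") not in ("*", pkt["src_zone"]):
        return False
    protos = sec.get("proto", "tcp udp").split()  # UCI default is 'tcp udp'
    if "all" not in protos and pkt["proto"] not in protos:
        return False
    if "src_ip" in sec and pkt["src_ip"] not in sec["src_ip"]:
        return False
    if "src_mac" in sec and pkt["src_mac"].lower() not in {m.lower() for m in sec["src_mac"]}:
        return False
    if port_key in sec and str(pkt["dport"]) != sec[port_key]:
        return False
    return True


def verdict(sections, pkt):
    """First matching section wins; otherwise assume the default lan policy (ACCEPT)."""
    for sec in sections:
        if section_matches(sec, pkt):
            return "DNAT:" + sec["dest_port"] if sec[".type"] == "redirect" else sec["target"]
    return "ACCEPT"


def packet(dst, proto, dport):
    """Constructed traffic from the access point at 192.168.1.5."""
    return {"src_zone": "lan", "src_ip": "192.168.1.5", "src_mac": AP_MAC,
            "dst": dst, "proto": proto, "dport": dport}


DNS_TO_ROUTER = packet("router", "udp", 53)  # lookup sent to the router's resolver
HTTPS_TO_WAN = packet("wan", "tcp", 443)     # firmware check toward the internet

if __name__ == "__main__":
    for label, cfg in (("lan->wan REJECT", ATTEMPT_FORWARD), ("input REJECT", INPUT_RULE), ("redirect", REDIRECT)):
        secs = parse_uci(cfg)
        print(f"{label:16} DNS to router: {verdict(secs, DNS_TO_ROUTER):10} HTTPS to WAN: {verdict(secs, HTTPS_TO_WAN)}")
```

Run as a script it prints one line per configuration: the lan-to-wan rule rejects the HTTPS firmware check but accepts the DNS query, the input-path rule does the opposite, and the redirect catches only port 53. The matcher deliberately ignores connection tracking, zone defaults other than ACCEPT, and IPv6, so it explains the thread's symptom rather than reproducing the whole firewall; the practical takeaway is that a `config rule` with `src 'lan'`, `dest_port '53'` and no `dest` blocks the lookups the same way the redirect does while keeping the single enable/disable switch the original poster wanted.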

Instead of setting this in openwrt you could try to do a few things.

Disable DNS on the WAN side of the Netgear router, and if you can't do that, try to change the IP of the DNS server to an IP that either does not exist or will not respond to DNS requests.

I would first try 0.0.0.0, and if that does not work try 127.0.0.1, and if that doesn't work try any IP that it will accept.
