I would like help, please, with creating a simple firewall rule to block one client device from accessing one specific website. The reason why I want it as a firewall rule is because I can easily enable/disable the rule if necessary.
I have a new access point on my network with a static IP of 192.168.1.5, and it hits up www.netgear.com thousands of times per day. I would like to block this with a firewall rule. This access point has no purpose for doing that. If/when I decide to manually check for a firmware update for that device, I can temporarily disable the firewall rule.
That sounds good. I will try to create a rule and see if I can figure it out. If it fails, then I will post back here to request some help with rules. Thank you.
My understanding of firewall rules is very limited, so please bear with me.
The first attempt at creating my own rule seems to have blocked the device from manually checking for firmware updates (which is fine), but the DNS resolution for www.netgear.com is still successfully going through fast and furious.
Clearly, I have not done this correctly. Could you please have a look and see what I could do to improve this? Thanks.
config rule
	option name 'Netgear'
	option src 'lan'
	option dest '*'
	option proto 'tcp udp'
	option target 'REJECT'
	list src_ip '192.168.1.5'

config rule
	option name 'Netgear'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp udp'
	option target 'REJECT'
	list src_ip '192.168.1.5'
Unfortunately, the DNS resolution is still going through.
I could try blacklisting www.netgear.com in Adblock, which I'm certain would work. However, the Adblock reporting would still be cluttered with requests to that domain.
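An added example, not from anyone in this thread: an OpenWrt firewall fragment that rejects DNS from the access point at 192.168.1.5. In OpenWrt's firewall config a rule that carries `option dest` (even `'*'`) only matches forwarded traffic, so queries answered by the router's own dnsmasq never hit it; the first rule below omits `dest` so it lands on the router's INPUT path, and the second catches a resolver hard-coded on the WAN side. It assumes the router is on `lan` and the AP's normal resolver is the router itself; `option enabled` is the on/off switch.

```uci
config rule
	option name 'Netgear AP: block DNS to router'
	# set to '0' (and restart the firewall) to allow a firmware check
	option enabled '1'
	option src 'lan'
	# no 'dest' line: without one the rule applies to traffic addressed
	# to the router itself, which is where dnsmasq answers port 53
	list src_ip '192.168.1.5'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'REJECT'

config rule
	option name 'Netgear AP: block DNS to WAN'
	option enabled '1'
	option src 'lan'
	# with 'dest' set, this rule covers forwarded traffic, i.e. the AP
	# talking straight to an external resolver instead of the router
	option dest 'wan'
	list src_ip '192.168.1.5'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'REJECT'
```

Append to /etc/config/firewall and run `/etc/init.d/firewall restart`. Like the port-5354 redirect further down, this stops every lookup from that device, not only www.netgear.com, because a firewall rule matches addresses and ports rather than names; a single-domain block has to live in the resolver (dnsmasq or Adblock).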
I came up with something that works. Can you please let me know if this is a safe and acceptable method?
Basically, I'm using a redirect instead, and it is based on the MAC address of the Netgear access point. It grabs anything on port 53 with the purpose of sending it to nowhere. In this case, it's sending it to port 5354, which has nothing listening for DNS requests.
My idea here was that it gets lost and never resolved. I have tested it and it's working exactly how I want. However, I do not know if there are any repercussions (i.e. performance, etc.) for doing the firewall rule this way.
config redirect
	option target 'DNAT'
	option name 'Netgear Discard DNS'
	option src 'lan'
	option proto 'tcp udp'
	list src_mac 'xx:xx:xx:xx:xx:xx'
	option src_dport '53'
	option dest_port '5354'
Instead of setting this in OpenWrt, you could try to do a few things.
Disable DNS on the WAN side of the Netgear router, and if you can't do that, try to change the IP of the DNS server to an IP that either does not exist or will not respond to DNS requests.
I would first try 0.0.0.0, and if that does not work try 127.0.0.1, and if that doesn't work try any IP that it will accept.