KidSafe (or Guest) WiFi, Forced SafeSearch and Adblock
I had been experimenting for several weeks with creating a Guest wireless network with LEDE. Particularly of interest, I wanted multiple dnsmasq instances and thorough filtering options with @dibdot s phenomenal Adblock package.
Initially I had a lot of difficulty getting Adblock to filter multiple dnsmasq instances on separate zones. That is what took the majority of time to troubleshoot and solve. I've got Adblock filtering multiple dnsmasq instances on separate zones successfully now.
Then I thought about changing that Guest wireless network into a network safe for kids with Adblock filtering lists, but also OpenDNS Family Shield, forced Google SafeSearch, Bing Family Shield, and Strict Restricted YouTube access, etc. The main wireless network remains entirely unrestricted, though Adblock filtering is still active..
I have learned a lot via the LEDE Project forum and OpenWrt forum over the years and this is my way of giving back. I wanted to share this since it may be beneficial for some parents wanting to keep their kids safer online or some code benefits here for guest network and Adblock filtering in general.
I will try to update this thread as I continue to add more filtering options to keep kids safe online.
forces network level protection on all kids iPads, iPhones, laptops, etc. within the home network
makes use of multiple instances of dnsmasq and dhcp
forced Google SafeSearch, Bing Family Filter, and Strict Restricted YouTube access
utilizes OpenDNS Family Shield
additional local filtration (ads, trackers, malware, etc.) with @dibdot s Adblock for multiple dnsmasq instances
main wireless network remains entirely unrestricted, though Adblock filtering is still active
(related dhcp/dnsmasq additions)
config dnsmasq 'main' option domainneeded '1' option boguspriv '1' option filterwin2k '0' option localise_queries '1' option rebind_protection '1' option rebind_localhost '1' option local '/lan/' option domain 'lan' option expandhosts '1' option nonegcache '0' option authoritative '1' option readethers '1' option leasefile '/tmp/dhcp.leases' option resolvfile '/tmp/resolv.conf.auto' option nonwildcard '1' list interface 'lan' option cachesize '1000' option logfacility '/dev/null' config dnsmasq 'kidsafe' option domainneeded '1' option boguspriv '1' option filterwin2k '0' option localise_queries '1' option rebind_protection '1' option rebind_localhost '1' option local '/kidsafe/' option domain 'kidsafe' option expandhosts '1' option nonegcache '0' option authoritative '1' option readethers '1' option leasefile '/tmp/dhcp.leases.kidsafe' option resolvfile '/tmp/resolv.conf.kidsafe' option strictorder '1' option nonwildcard '1' list interface 'kidsafe' list notinterface 'lo' option cachesize '1000' option logfacility '/dev/null' list address '/google.com/184.108.40.206' list address '/google.ca/220.127.116.11' list address '/bing.com/18.104.22.168' list address '/bing.ca/22.214.171.124' list address '/youtube.com/126.96.36.199' list address '/m.youtube.com/188.8.131.52' list address '/youtubei.googleapis.com/184.108.40.206' list address '/youtube.googleapis.com/220.127.116.11' list address '/youtube-nocookie.com/18.104.22.168' list server '22.214.171.124' list server '126.96.36.199' config dhcp 'lan' option instance 'main' option interface 'lan' option start '100' option limit '150' option leasetime '12h' config dhcp 'kidsafe_private' option instance 'kidsafe' option interface 'kidsafe' option start '100' option limit '150' option leasetime '12h' config dhcp 'wan' option interface 'wan' option ignore '1' config odhcpd 'odhcpd' option maindhcp '0' option leasefile '/tmp/hosts/odhcpd' option leasetrigger '/usr/sbin/odhcpd-update'
(related firewall additions)
config zone option name 'kidsafe' option input 'ACCEPT' option forward 'DROP' option output 'ACCEPT' option network 'kidsafe' config rule option target 'ACCEPT' option proto 'tcp udp' option dest_port '53' option name 'KidSafe DNS' option src 'kidsafe' config rule option enabled '1' option target 'ACCEPT' option proto 'udp' option dest_port '67-68' option name 'KidSafe DHCP' option src 'kidsafe' config redirect 'adblock_dns' option name 'Adblock DNS' option src 'lan' option proto 'tcp udp' option src_dport '53' option dest_port '53' option target 'DNAT' config redirect 'adblock_dns_kidsafe' option name 'Adblock DNS KidSafe' option src 'kidsafe' option proto 'tcp udp' option src_dport '53' option dest_port '53' option target 'DNAT' config forwarding option dest 'wan' option src 'kidsafe'
(related network additions)
config interface 'kidsafe' option proto 'static' option ipaddr '192.168.3.1' option delegate '0' option dns '188.8.131.52 184.108.40.206' option netmask '255.255.255.0'
(related wireless additions / radio settings may differ)
config wifi-iface option device 'radio0' option mode 'ap' option encryption 'psk2+ccmp' option key '****' option network 'kidsafe' option ssid 'OpenWrt-KidSafe'