KidSafe (or Guest) WiFi, Forced SafeSearch and Adblock

Argh, I'm almost there! I thought I had the SSID OpenWRT-KidSafe working on both radios, but apparently I assumed it worked on both WiFi interfaces before I wrote here.

When I add both WiFi interfaces to the kidsafe network (actually, interface in /etc/config/network), I don't get an IP address. When I enable only one WiFi interface, I can connect to that SSID. However, on my "main" config I have the same SSID on both WiFi interfaces, so the wireless devices can figure out for themselves whether they connect to the 5 GHz band or the 2.4 GHz band.

I'm not a specialist on this, but I guess this has got something to do with config interface 'kidsafe' not being a bridge in /etc/config/network?

@D43m0n Thanks for the heads up on this new safe-search package. I am curious to take a look tonight at that, very nice.

Here is my /etc/config/network in case it is beneficial:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3f:b96f:82ef::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
#	option dns '208.67.222.222 208.67.220.220'
	option delegate '0'
	option _orig_ifname 'eth0 wlan0 wlan1'
	option _orig_bridge 'true'
	option ifname 'eth0'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	option delegate '0'
	option peerdns '0'
#	option dns '208.67.222.222 208.67.220.220'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6'

config interface 'kidsafe'
	option _orig_ifname 'wlan2'
	option _orig_bridge 'false'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option force_link '0'
	option type 'bridge'

Thanks @WildByDesign. I think I nailed it: I've got 2 devices connected to the OpenWRT-KidSafe SSID and a few to the main SSID. I thought I'd just try to see if my assumption about the type 'bridge' was correct, so I created a bridge on the kidsafe network and selected both WiFi radios. That did the trick. And then you uploaded your /etc/config/network, which shows you've also got option type 'bridge' enabled on that kidsafe interface. :+1:

I'll leave this configured as it is. If it somehow stalls for some reason I can't think of right now, I'm sure my daughter will let me know :sweat_smile:

There's one thing I might try in the near future and that is try to get IPv6 working. But as long as my ISP won't give me a native IPv6 address, there's no rush. At the moment, this setup seems perfect to me: a safer search is forced, YouTube is stricter than it was (had it on moderate for all of us, but that's separate now). And in the event she somehow manages to get an app on her iPad that can browse the network, that is safe too because of the separate IPv4 address.

So to recap: the only thing I added to make both WiFi radios work with one SSID was option type 'bridge' on config interface 'kidsafe' in /etc/config/network. In LuCI I selected both WiFi radios for the SSID OpenWRT-KidSafe and presto!

:+1: really happy with this! :smile:
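The recap above is the whole fix, but it is only one of four files that a working KidSafe network touches. Below is an added example (not the poster's configuration, and not part of the original thread) that puts the complete setup into a single reviewable uci batch against OpenWrt 18.06: the bridge interface, the same SSID on both radios, a DHCP pool, and a firewall zone that can reach wan but not lan. The radio names radio0/radio1, the 192.168.3.0/24 addressing, an existing zone named 'wan', the client isolation flag and the placeholder PSK are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: a complete uci batch for a two-radio
# "OpenWRT-KidSafe" network on OpenWrt 18.06.  Assumptions (not in the
# original posts): radio0/radio1 are the 2.4/5 GHz devices, the subnet is
# 192.168.3.0/24, a firewall zone named 'wan' exists, the PSK is a placeholder.

kidsafe_uci_batch() {
  cat <<'EOF'
# network: a plain interface holds a single ifname; as a bridge, netifd can
# attach the wlan interfaces of BOTH radios to it (the fix the thread found)
set network.kidsafe=interface
set network.kidsafe.type='bridge'
set network.kidsafe.proto='static'
set network.kidsafe.ipaddr='192.168.3.1'
set network.kidsafe.netmask='255.255.255.0'
set network.kidsafe.delegate='0'
# wireless: identical SSID on both radios, both bound to the same network
set wireless.kidsafe_2g=wifi-iface
set wireless.kidsafe_2g.device='radio0'
set wireless.kidsafe_2g.mode='ap'
set wireless.kidsafe_2g.network='kidsafe'
set wireless.kidsafe_2g.ssid='OpenWRT-KidSafe'
set wireless.kidsafe_2g.encryption='psk2'
set wireless.kidsafe_2g.key='CHANGE-ME-before-applying'
set wireless.kidsafe_2g.isolate='1'
set wireless.kidsafe_5g=wifi-iface
set wireless.kidsafe_5g.device='radio1'
set wireless.kidsafe_5g.mode='ap'
set wireless.kidsafe_5g.network='kidsafe'
set wireless.kidsafe_5g.ssid='OpenWRT-KidSafe'
set wireless.kidsafe_5g.encryption='psk2'
set wireless.kidsafe_5g.key='CHANGE-ME-before-applying'
set wireless.kidsafe_5g.isolate='1'
# dhcp: a pool of its own, 192.168.3.100-149
set dhcp.kidsafe=dhcp
set dhcp.kidsafe.interface='kidsafe'
set dhcp.kidsafe.start='100'
set dhcp.kidsafe.limit='50'
set dhcp.kidsafe.leasetime='12h'
# firewall: own zone, forwarding only towards wan, so kidsafe cannot reach lan
set firewall.kidsafe=zone
set firewall.kidsafe.name='kidsafe'
set firewall.kidsafe.network='kidsafe'
set firewall.kidsafe.input='REJECT'
set firewall.kidsafe.output='ACCEPT'
set firewall.kidsafe.forward='REJECT'
set firewall.kidsafe_wan=forwarding
set firewall.kidsafe_wan.src='kidsafe'
set firewall.kidsafe_wan.dest='wan'
# input is REJECT, so DHCP and DNS towards the router must be allowed explicitly
set firewall.kidsafe_dhcp=rule
set firewall.kidsafe_dhcp.name='kidsafe-dhcp'
set firewall.kidsafe_dhcp.src='kidsafe'
set firewall.kidsafe_dhcp.proto='udp'
set firewall.kidsafe_dhcp.dest_port='67'
set firewall.kidsafe_dhcp.target='ACCEPT'
set firewall.kidsafe_dns=rule
set firewall.kidsafe_dns.name='kidsafe-dns'
set firewall.kidsafe_dns.src='kidsafe'
set firewall.kidsafe_dns.proto='tcp udp'
set firewall.kidsafe_dns.dest_port='53'
set firewall.kidsafe_dns.target='ACCEPT'
# any port-53 query that tries to leave the zone is DNATed back to the router,
# so a client with 8.8.8.8 hard-coded still gets the filtered answers
set firewall.kidsafe_dns_hijack=redirect
set firewall.kidsafe_dns_hijack.name='kidsafe-dns-hijack'
set firewall.kidsafe_dns_hijack.src='kidsafe'
set firewall.kidsafe_dns_hijack.proto='tcp udp'
set firewall.kidsafe_dns_hijack.src_dport='53'
set firewall.kidsafe_dns_hijack.dest_port='53'
set firewall.kidsafe_dns_hijack.target='DNAT'
set firewall.kidsafe_dns_hijack.dest_ip='192.168.3.1'
commit network
commit wireless
commit dhcp
commit firewall
EOF
}

# The same batch with the comment and blank lines removed: this is what uci sees.
kidsafe_uci_commands() {
  kidsafe_uci_batch | sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d'
}

# Apply on the router, then reload the services that own the four files.
apply_kidsafe() {
  kidsafe_uci_commands | uci batch || return 1
  /etc/init.d/network reload && /etc/init.d/dnsmasq restart && /etc/init.d/firewall reload
}

# './kidsafe.sh' prints the batch for review; './kidsafe.sh apply' applies it.
if [ "${1:-print}" = apply ]; then apply_kidsafe; else kidsafe_uci_batch; fi
```

Review the printed batch first and change the PSK; the zone's forward='REJECT' plus a single forwarding to wan is what produces the "cannot ping from LAN to KidSafe" behaviour discussed further down the thread, which is intended.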

@D43m0n You're welcome. Excellent, I am glad that you've got it all sorted out and that you're pleased with how it's all working so far.

My ISP also still does not provide IPv6 and therefore I haven't focused on that at all for my setup.

Speaking of this new safe-search package, I haven't done much research on this yet. I had always done the forced safe search stuff manually within my setup. But having an .ipk package certainly makes that part easier. I've downloaded the safe-search package and will install later but I do have a question about it.

Does this safe-search package present any settings within the LuCI user interface, or does it have to be configured manually?

From what I can see, it's mostly manual configuration. But that is minimal. When you install the package, the necessary files are put in place and it's enabled by default. The option list addnhosts '/etc/safe-search/enabled' is added for you to the first dnsmasq instance in /etc/config/dhcp.

In LuCI, there's no specific menu for it, like there is with Adblock for instance. The only place where I found something was in the Resolv and Hosts Files tab under DHCP and DNS. There's a text field that had the location of the enabled safe-search files that are included by dnsmasq. From what I saw, that was the only LuCI part I recognized. The rest is good to go. I also enabled YouTube restricted mode, which is disabled by default. You can enable that in the /etc/config/safe-search settings and then run the command safe-search-update. That will update the symlinks in /etc/safe-search/enabled and reload dnsmasq.

:+1:

@D43m0n Thank you so much, I appreciate it. Unfortunately, after a couple of hours testing, I was unsuccessful in getting safe-search package to work correctly on the current stable branch build 18.06.1. I had downloaded the package from master and installed manually, and also added the correct addnhosts line to the kidsafe instance of dnsmasq.

But in the end, it did not work for me. So I went back to my initial Safe Search manual setup the way I had it working since the beginning and all is well now. All good, either way.

That sure is a great way to educate your children about internet censorship and how to work around it.

Hi, thank you all for providing these wonderful instructions. I have managed to complete this setup using OpenWRT version 18.06.1 and a 3200ACM router. A few observations; I wanted to see if this is common in every setup or just my own:

  1. I cannot ping between my PC (LAN network) and MacBook (Kidsafe WiFi network); they fail with a timeout. Is this expected?
  2. When I go to yahoo.com for example and search in web or images, safe search is turned on by default. But it is easy to turn it off (unlike Google). Is there any way to complete this enforcement through this setup? It looks like the DNS lookup requests do not change with the web browser setting.

This is expected if you didn't allow traffic from LAN to KIDS_NETWORK in the firewall.

You do understand these instructions are to enable kids blocking, correct?
Why did you set up this up to disable it?

(Perhaps, I'm not understanding your question.)

I think the point is that you can click the on-screen button to turn off restricted mode and it will change on screen, but what won't change is that dnsmasq is returning an IP address for the restricted YouTube search, so those IP addresses only respond with restricted searches.

@ChumpChange You do have to ensure that your kids' computers are using dnsmasq as their DNS resolver, not something else on the internet. You can do this by blocking outbound requests to port 53.


Maybe there was some DNS cache or something on my MacBook (now connected to Kidsafe) which was previously connected to some other WiFi network. After I cleared all the browser/DNS cache etc. and reconnected, the MacBook is sufficiently protected for the kids.
With the CleanBrowsing custom DNS setting for the kidsafe interface, the site images.search.yahoo.com, where the user can turn off safe search, is blocked, so I think it's a fine setup now. Thanks
@dlakelan and @lleachii

This looks like a brilliant solution.
I'm very keen to get this config up and running on my own device.
Before I start to work through the settings on the first post, has a guide for this been created?

I'm still a little uncertain what needs to be done with the 'resolv.conf.kidsafe' file?
Is the suggestion by matthew_eli the way to achieve success?

cp /etc/resolv.conf.kidsafe /tmp/resolv.conf.kidsafe

I got this working by running multiple dnsmasq instances. My 'kidsafe' network uses CleanBrowsing's family filter DNS resolvers whereas my 'unrestricted' uses unfiltered DNS resolvers. Happy to dig out my configs if they'd help.


Thanks tectonic, any input is appreciated.
Did you have to create a workaround to separate the two resolv.conf files? It seems that a workaround needs to be put in place to copy the secondary file into the correct place. I would be interested to see how you resolved that.

In short, I side-stepped it. I use option noresolv '1' to ensure each subnet uses only those DNS resolvers listed in list server.

Here are my (slightly truncated; to remove irrelevant and sensitive config) configs:

/etc/config/dhcp: you'll see that I'm actually forwarding requests from the FamilySafe net to Unbound, which is set to CleanBrowsing's family filters as mentioned in my previous post. This is completely optional and was an 'intellectual exercise' to get DoT working. You could just list CleanBrowsing's DNS addresses here directly. Note that Google, Bing and YouTube are set to Safe Mode by this filter, so I don't have to manage this myself.
config dnsmasq 'main'
	option domainneeded '1'
	option localise_queries '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option serversfile '/tmp/adb_list.overall'
	option nonwildcard '1'
	option localservice '1'
	list notinterface 'guest'
	list notinterface 'family'
	option dnssec '1'
	option dnsseccheckunsigned '1'
	option rebind_protection '1'
	option noresolv '1'
	list server '127.0.0.1#5453'

config dnsmasq 'guest'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/guest/'
	option domain 'guest'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.guest'
	option serversfile '/tmp/adb_list.overall'
	option nonwildcard '1'
	option localservice '1'
	option noresolv '1'
	list interface 'guest'
	list notinterface 'lo'
	option dnssec '1'
	option dnsseccheckunsigned '1'
	list server '185.228.168.9'
	list server '185.228.169.9'

config dnsmasq 'family'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/family/'
	option domain 'family'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.family'
	option serversfile '/tmp/adb_list.overall'
	option nonwildcard '1'
	option localservice '1'
	option noresolv '1'
	list interface 'family'
	list notinterface 'lo'
	option dnssec '1'
	option dnsseccheckunsigned '1'
	list server '127.0.0.1#53535'

config dhcp 'lan'
	option instance 'main'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option start '100'
	option limit '150'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guests'
	option start '100'
	option limit '150'
	option instance 'guest'
	option interface 'guest'
	option leasetime '1h'

config dhcp 'familysafe'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option instance 'family'
	option interface 'family'

/etc/config/network
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd2c:dd09:d634::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.100.1'
	option ip6assign '60'
	option netmask '255.255.255.0'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'pppoe'
	option username ''
	option password ''
	option ipv6 'auto'
	option peerdns '0'
	option dns '84.200.69.80 84.200.70.40'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	option dns '2001:1608:10:25::1c04:b12f 2001:1608:10:25::9249:d69b'

config interface 'streaming'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option type 'bridge'

config interface 'guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.0.0.1'
	option type 'bridge'

config interface 'MODEM'
	option proto 'static'
	option ifname 'eth0.2'
	option ipaddr '192.168.2.2'
	option netmask '255.255.255.0'

config interface 'family'
	option proto 'static'
	option ipaddr '172.16.1.1'
	option netmask '255.255.255.0'
	option type 'bridge'

config interface 'LTE'
	option proto 'ncm'
	option ifname 'wwan0'
	option device '/dev/ttyUSB0'
	option mode 'preferlte'
	option apn 'three.co.uk'
	option dialnum '*99#'
	option ipv6 'auto'
	option metric '40'
	option delegate '0'
	option disabled '0'
	option auto '0'

Finally, I have a couple of firewall rules to hijack DNS requests in order that all devices use the DNS servers that I want them to, and this also forces them through the adblock filter:

/etc/config/firewall
config redirect 'adblock_dns'
	option name 'Adblock DNS'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option dest_ip '192.168.100.1'

config redirect 'adblock_dns_guest'
	option name 'Adblock DNS Guest'
	option src 'guest'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option dest_ip '10.0.0.1'

config redirect 'adblock_dns_family'
	option name 'Adblock DNS Family'
	option src 'family'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option dest_ip '172.16.1.1'

Hope that helps.
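The configuration above only enforces the per-network DNS policy if two things hold at once: every dnsmasq instance has option noresolv '1' together with at least one list server (otherwise it quietly falls back to whatever /etc/resolv.conf names), and every zone served by its own instance has a port-53 DNAT redirect (otherwise a client with 8.8.8.8 hard-coded bypasses the filter). As an added example, not tectonic's own tooling and not part of the original thread, here is a small shell lint that reads /etc/config/dhcp and /etc/config/firewall and reports both mistakes. It assumes, as in the configs above, that a zone carries the same name as the network it contains; the two sample files it writes are constructed for the demonstration and deliberately contain a 'family' instance with both problems.

```shell
#!/bin/sh
# Added example, not from the thread: lint a per-network DNS policy on OpenWrt.
# Checks, for every 'config dnsmasq' instance in DHCP_FILE:
#   - option noresolv '1' is set (no silent fallback to /etc/resolv.conf)
#   - at least one 'list server' exists
#   - every 'list interface' it serves has a port-53 DNAT 'config redirect'
#     in FIREWALL_FILE whose 'src' is that zone (assumes zone name == network name)
# Prints one line per problem; exit status 1 if any problem was found.

lint_dns_policy() {   # lint_dns_policy DHCP_FILE FIREWALL_FILE
  awk -v q="'" '
    BEGIN { bad = 0 }
    FNR == 1 { file = FILENAME; sec = ""; name = "" }
    /^[[:space:]]*config[[:space:]]/ {
      sec = $2; name = $3; gsub(q, "", name)
      if (name == "") name = sec "_" FNR          # anonymous section
      if (file == ARGV[1] && sec == "dnsmasq") inst[name] = 1
      if (file == ARGV[2] && sec == "redirect") red = name
      next
    }
    /^[[:space:]]*(option|list)[[:space:]]/ {
      key = $2
      val = $0; sub(/^[[:space:]]*(option|list)[[:space:]]+[^[:space:]]+[[:space:]]+/, "", val)
      gsub(q, "", val)
      if (file == ARGV[1] && sec == "dnsmasq") {
        if (key == "noresolv" && val == "1") noresolv[name] = 1
        if (key == "server") servers[name]++
        if (key == "interface") ifaces[name] = ifaces[name] " " val
      }
      if (file == ARGV[2] && sec == "redirect") {
        if (key == "src") rsrc[red] = val
        if (key == "src_dport") rport[red] = val
        if (key == "target") rtgt[red] = val
      }
      next
    }
    END {
      for (i in inst) {
        if (!noresolv[i]) { printf "dnsmasq %s: missing option noresolv 1 (falls back to /etc/resolv.conf)\n", i; bad = 1 }
        if (!servers[i]) { printf "dnsmasq %s: no list server entries\n", i; bad = 1 }
        n = split(ifaces[i], a, " ")
        for (k = 1; k <= n; k++) {
          ok = 0
          for (r in rsrc) if (rsrc[r] == a[k] && rport[r] == "53" && rtgt[r] == "DNAT") ok = 1
          if (!ok) { printf "zone %s: no port-53 DNAT redirect, clients can bypass instance %s\n", a[k], i; bad = 1 }
        }
      }
      exit bad
    }' "$1" "$2"
}

# Constructed sample files (not a real router): the guest instance is correct,
# the family instance lacks noresolv and has no redirect for its zone.
write_samples() {   # write_samples DIR
  cat >"$1/dhcp" <<'EOF'
config dnsmasq 'main'
	option noresolv '1'
	list notinterface 'guest'
	list server '127.0.0.1#5453'

config dnsmasq 'guest'
	option noresolv '1'
	list interface 'guest'
	list server '185.228.168.9'
	list server '185.228.169.9'

config dnsmasq 'family'
	list interface 'family'
	list server '127.0.0.1#53535'
EOF
  cat >"$1/firewall" <<'EOF'
config redirect 'adblock_dns_guest'
	option src 'guest'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option dest_ip '10.0.0.1'
EOF
}

# Stand-alone: './dnslint.sh /etc/config/dhcp /etc/config/firewall' on a router,
# or with no arguments lint the constructed samples.
if [ -n "${1:-}" ]; then
  lint_dns_policy "$1" "$2"
else
  d=$(mktemp -d); write_samples "$d"
  if lint_dns_policy "$d/dhcp" "$d/firewall"; then echo "samples: no problems"; else echo "samples: problems found"; fi
  rm -rf "$d"
fi
```

Two caveats a practitioner should keep in mind when relying on this. First, the port-53 redirect only catches plain DNS; a client or browser that speaks DNS over HTTPS on port 443 never touches it, so the filter is a speed bump for a determined teenager rather than a wall. Second, the lint checks the files, not the running state: after editing, reload dnsmasq and the firewall and confirm from a client that a query sent to an outside resolver still comes back with the router's filtered answer.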

Is it possible to do this in the GUI?
I see this topic is 1 year old. Is there a simpler solution today?

I guess it depends if you want to have separate networks (one for kid-safe use; and one unrestricted), or whether you're happy to have the same settings for everybody. If you're happy with just the one network, then simply using the DNS servers of your choice (e.g. https://cleanbrowsing.org/) can be readily achieved through LuCI.

If you want separate networks for different purposes, then I'm not aware of a simpler solution. My current set-up above has worked well and has been stable.


For what it's worth, I ended up switching over to AdGuard Home ([HowTo] Running Adguard Home on OpenWrt) on OpenWrt several months ago because it made it much easier to achieve all of the KidSafe features. What I like especially regarding the switch to AGH was easy to toggle buttons to control features, block specific web services, etc.

But the best part for me was being able to filter all of the kids devices based on their MAC addresses and easily apply specific filtering features based on MAC, also that way I did not have to set static IP addresses or run multiple dnsmasq instances.

AGH is smooth like butter. :smiley:


An update on my set-up. I've switched from https://cleanbrowsing.org to NextDNS since it provides a bit more flexibility and some neat features (Ad and Content blocking; DoT and DoH; DNSSEC).


Hey, thanks a lot for this!

I am a bit confused as to why you are not sharing the adblock config itself. I assume that you need to create two adblock configs, which create two different files, /tmp/dnsmasq.d/adb_list_main_.overall and /tmp/dnsmasq.d/adb_list_kidsafe.overall, that are then picked up by the 2 dnsmasq instances when they start up.

Is that correct?