KidSafe (or Guest) WiFi, Forced SafeSearch and Adblock

That sure is a great way to educate your children about internet censorship and how to work around it.

Hi, thank you all for providing these wonderful instructions. I have managed to complete this setup using OpenWRT version 18.06.1 and a 3200ACM router. A few observations; I wanted to see if this is common in every setup or just my own:

  1. I cannot ping between my PC (LAN network) and MacBook (Kidsafe WiFi network); they fail with a timeout. Is this expected?
  2. When I go to yahoo.com, for example, and search in web or images, safe search is turned on by default. But it is easy to turn it off (unlike Google). Is there any way to complete this enforcement through this setup? It looks like the DNS lookup requests do not change with the web browser setting.

This is expected if you didn't allow traffic from LAN to KIDS_NETWORK in the firewall.

You do understand these instructions are to enable kids blocking, correct?
Why did you set this up to disable it?

(Perhaps, I'm not understanding your question.)

I think the point is that you can click the on-screen button to turn off restricted mode and it will change on screen... but what won't change is that dnsmasq is returning an IP address for the restricted YouTube search, so those IP addresses only respond with restricted searches.

@ChumpChange you do have to ensure that your kids' computers are using the dnsmasq as their DNS resolver, not something else on the internet. You can do this by blocking outbound requests to port 53.

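To see whether the "use the dnsmasq, not something else" rule above is actually holding, it helps to look at what leaves the kid-safe interface. The following is an added example (not code from the original post or from OpenWrt): it scans netfilter LOG-style lines, assuming you log the DNS traffic you block or forward from that zone, and reports clients that try to reach any host other than the router on port 53 (plain DNS) or 853 (DNS over TLS). The interface name br-family, the router address 172.16.1.1 and the log lines are constructed for the example; the 853 check is this example's own addition to the port-53 advice above.

```python
"""Detect kid-safe clients trying to bypass the router's resolver.
Added example, not from the original post. It scans netfilter LOG-style
lines (the samples below are constructed) for packets entering from the
kid-safe bridge and leaving for an external host on port 53 (plain DNS) or
853 (DNS over TLS); these are the flows an outbound-53 block on that zone
is meant to stop, and the 853 check is this example's own addition."""
import re
from collections import Counter

_KV = re.compile(r"\b([A-Z]+)=(\S*)")
ROUTER_DNS_IPS = {"172.16.1.1"}   # assumed address of the kidsafe dnsmasq instance
RESOLVER_PORTS = {"53", "853"}


def parse_netfilter_log(line):
    """Return the KEY=VALUE fields of one netfilter LOG line as a dict."""
    return dict(_KV.findall(line))


def dns_bypass_attempts(lines, kid_iface="br-family"):
    """List (src, dst, proto, dport) for packets from kid_iface to a resolver
    port on any host other than the router itself."""
    hits = []
    for line in lines:
        f = parse_netfilter_log(line)
        if f.get("IN") != kid_iface or f.get("DPT") not in RESOLVER_PORTS:
            continue
        if f.get("DST") in ROUTER_DNS_IPS:
            continue  # the intended path: client -> local dnsmasq
        hits.append((f.get("SRC"), f.get("DST"), f.get("PROTO"), f.get("DPT")))
    return hits


def offenders(lines, kid_iface="br-family"):
    """Count bypass attempts per client so the noisy devices stand out."""
    return Counter(src for src, _d, _p, _port in dns_bypass_attempts(lines, kid_iface))


# Constructed sample lines in the kernel's netfilter LOG format.
SAMPLE_LOG = [
    "kernel: DNSFWD: IN=br-family OUT=pppoe-wan SRC=172.16.1.20 DST=8.8.8.8 LEN=60 TTL=63 PROTO=UDP SPT=51234 DPT=53 LEN=40",
    "kernel: DNSFWD: IN=br-family OUT= SRC=172.16.1.20 DST=172.16.1.1 LEN=60 TTL=64 PROTO=UDP SPT=51235 DPT=53 LEN=40",
    "kernel: DNSFWD: IN=br-lan OUT=pppoe-wan SRC=192.168.100.50 DST=8.8.8.8 LEN=60 TTL=63 PROTO=UDP SPT=40000 DPT=53 LEN=40",
    "kernel: DNSFWD: IN=br-family OUT=pppoe-wan SRC=172.16.1.21 DST=1.1.1.1 LEN=60 TTL=63 PROTO=TCP SPT=44444 DPT=853 WINDOW=64240 SYN",
    "kernel: DNSFWD: IN=br-family OUT=pppoe-wan SRC=172.16.1.20 DST=9.9.9.9 LEN=60 TTL=63 PROTO=UDP SPT=51236 DPT=53 LEN=40",
]

if __name__ == "__main__":
    for hit in dns_bypass_attempts(SAMPLE_LOG):
        print("bypass attempt:", hit)
    print("per client:", dict(offenders(SAMPLE_LOG)))
```

A device that keeps showing up here after the DNAT/port-53 rules are in place usually has a hard-coded resolver or a DoT-capable app; the second case is why the redirect alone is not a complete answer.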

Maybe there was some DNS cache or something on my MacBook (now connected to Kidsafe), which was previously connected to some other WiFi network. After I cleared all the browser/DNS cache etc. and reconnected, the MacBook is sufficiently protected for the kids.
With the cleanbrowsing custom DNS setting for the kidsafe interface, the site images.search.yahoo.com, where the user can turn off safe search, is blocked, so I think it's a fine setup now. Thanks
@dlakelan and @lleachii

This looks like a brilliant solution.
I'm very keen to get this config up and running on my own device.
Before I start to work through the settings on the first post, has a guide for this been created?

I'm still a little uncertain what needs to be done with the 'resolv.conf.kidsafe' file?
Is the suggestion by matthew_eli the way to achieve success?

cp /etc/resolv.conf.kidsafe /tmp/resolv.conf.kidsafe

I got this working by running multiple dnsmasq instances. My 'kidsafe' network uses CleanBrowsing's family filter DNS resolvers whereas my 'unrestricted' uses unfiltered DNS resolvers. Happy to dig out my configs if they'd help.


Thanks tectonic, any input is appreciated.
Did you have to create a workaround to separate the two resolv.conf files? It seems that a workaround needs putting in place to copy the secondary file into the correct place. I would be interested to see how you resolved that.

In short: I side-stepped it. I use the option noresolv '1' to ensure each subnet uses only those DNS resolvers listed under list server.

Here are my configs (slightly truncated to remove irrelevant and sensitive config):

/etc/config/dhcp: you'll see that I'm actually forwarding requests from the FamilySafe net to Unbound, which is set to CleanBrowsing's family filters as mentioned in my previous post. This is completely optional and was an 'intellectual exercise' to get DoT working. You could just list CleanBrowsing's DNS addresses here directly. Note that Google, Bing and YouTube are set to Safe Mode by this filter, so I don't have to manage this myself.
config dnsmasq 'main'
	option domainneeded '1'
	option localise_queries '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option serversfile '/tmp/adb_list.overall'
	option nonwildcard '1'
	option localservice '1'
	list notinterface 'guest'
	list notinterface 'family'
	option dnssec '1'
	option dnsseccheckunsigned '1'
	option rebind_protection '1'
	option noresolv '1'
	list server '127.0.0.1#5453'

config dnsmasq 'guest'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/guest/'
	option domain 'guest'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.guest'
	option serversfile '/tmp/adb_list.overall'
	option nonwildcard '1'
	option localservice '1'
	option noresolv '1'
	list interface 'guest'
	list notinterface 'lo'
	option dnssec '1'
	option dnsseccheckunsigned '1'
	list server '185.228.168.9'
	list server '185.228.169.9'

config dnsmasq 'family'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/family/'
	option domain 'family'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.family'
	option serversfile '/tmp/adb_list.overall'
	option nonwildcard '1'
	option localservice '1'
	option noresolv '1'
	list interface 'family'
	list notinterface 'lo'
	option dnssec '1'
	option dnsseccheckunsigned '1'
	list server '127.0.0.1#53535'

config dhcp 'lan'
	option instance 'main'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option start '100'
	option limit '150'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guests'
	option start '100'
	option limit '150'
	option instance 'guest'
	option interface 'guest'
	option leasetime '1h'

config dhcp 'familysafe'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option instance 'family'
	option interface 'family'

/etc/config/network
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd2c:dd09:d634::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.100.1'
	option ip6assign '60'
	option netmask '255.255.255.0'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'pppoe'
	option username ''
	option password ''
	option ipv6 'auto'
	option peerdns '0'
	option dns '84.200.69.80 84.200.70.40'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	option dns '2001:1608:10:25::1c04:b12f 2001:1608:10:25::9249:d69b'

config interface 'streaming'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option type 'bridge'

config interface 'guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.0.0.1'
	option type 'bridge'

config interface 'MODEM'
	option proto 'static'
	option ifname 'eth0.2'
	option ipaddr '192.168.2.2'
	option netmask '255.255.255.0'

config interface 'family'
	option proto 'static'
	option ipaddr '172.16.1.1'
	option netmask '255.255.255.0'
	option type 'bridge'

config interface 'LTE'
	option proto 'ncm'
	option ifname 'wwan0'
	option device '/dev/ttyUSB0'
	option mode 'preferlte'
	option apn 'three.co.uk'
	option dialnum '*99#'
	option ipv6 'auto'
	option metric '40'
	option delegate '0'
	option disabled '0'
	option auto '0'

Finally, I have a couple of firewall rules to hijack DNS requests so that all devices use the DNS servers I want them to, which also forces them through the adblock filter:

/etc/config/firewall
config redirect 'adblock_dns'
	option name 'Adblock DNS'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option dest_ip '192.168.100.1'

config redirect 'adblock_dns_guest'
	option name 'Adblock DNS Guest'
	option src 'guest'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option dest_ip '10.0.0.1'

config redirect 'adblock_dns_family'
	option name 'Adblock DNS Family'
	option src 'family'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option dest_ip '172.16.1.1'

Hope that helps.
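The three files above have to agree with each other: each dnsmasq instance needs noresolv '1' and its own list server entries, and each network's zone needs a port-53 DNAT redirect pointing at that network's own router address, or clients on that network can quietly use a different resolver. As an added example (not code from this thread or from OpenWrt), here is a small checker that parses the UCI text format of /etc/config/dhcp, /etc/config/network and /etc/config/firewall and reports those gaps. It assumes, as in the configs above, that firewall zones are named after their interfaces; the sample configs embedded in it are constructed to resemble this thread's layout and deliberately leave the family network half-finished.

```python
"""Cross-check per-network DNS enforcement in OpenWrt UCI configs.
Added example, not from the thread or from OpenWrt: parses the UCI text of
/etc/config/dhcp, /network and /firewall and checks that each dnsmasq instance
has noresolv and explicit servers, and that each DHCP pool's interface has a
DNAT redirect of port 53 (tcp+udp) to that interface's own address.
Assumes, as in the thread, that firewall zones are named after interfaces."""
import re
from collections import defaultdict

_CONFIG_RE = re.compile(r"config\s+(\S+)(?:\s+'?([^'\s]*)'?)?$")
_OPTION_RE = re.compile(r"(option|list)\s+(\S+)\s+(?:'([^']*)'|(\S+))$")


def parse_uci(text):
    """Parse UCI text into [(type, name, {key: [values]})]; 'option' keeps
    one value, 'list' accumulates; unnamed sections get an empty name."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _CONFIG_RE.match(line):
            cur = (m.group(1), m.group(2) or "", defaultdict(list))
            sections.append(cur)
        elif (m := _OPTION_RE.match(line)) and cur is not None:
            kind, key, quoted, bare = m.groups()
            value = quoted if quoted is not None else bare
            if kind == "option":
                cur[2][key] = [value]
            else:
                cur[2][key].append(value)
    return sections


def _dns_redirects(fw_sections):
    """zone -> {dest_ip} for DNAT redirects of port 53 covering both TCP and UDP."""
    out = defaultdict(set)
    for typ, _n, o in fw_sections:
        if typ != "redirect" or o.get("target", ["DNAT"])[0] != "DNAT":
            continue
        protos = set(o.get("proto", ["tcpudp"])[0].replace("tcpudp", "tcp udp").split())
        if "53" not in o.get("src_dport", []) or not {"tcp", "udp"} <= protos:
            continue  # wrong port, or a TCP-only/UDP-only rule that leaves a bypass
        for zone in o.get("src", []):
            out[zone].add(o.get("dest_ip", [""])[0])
    return out


def check_dns_enforcement(dhcp_text, network_text, firewall_text):
    """Return sorted findings; an empty list means every check passed."""
    dhcp = parse_uci(dhcp_text)
    iface_ip = {n: o["ipaddr"][0] for t, n, o in parse_uci(network_text)
                if t == "interface" and o.get("ipaddr")}
    redirects = _dns_redirects(parse_uci(firewall_text))
    instances = {n: o for t, n, o in dhcp if t == "dnsmasq"}
    problems = []
    for name, o in instances.items():
        if o.get("noresolv", ["0"])[0] != "1":
            problems.append(f"dnsmasq '{name}': noresolv not set, /etc/resolv.conf will be used")
        if not o.get("server"):
            problems.append(f"dnsmasq '{name}': no upstream 'list server' entries")
    for typ, name, o in dhcp:
        if typ != "dhcp" or o.get("ignore", ["0"])[0] == "1":
            continue  # 'wan'-style pools are not served
        iface = o.get("interface", [""])[0]
        inst = o.get("instance", [next(iter(instances), "")])[0]
        if inst not in instances:
            problems.append(f"dhcp pool '{name}': unknown dnsmasq instance '{inst}'")
        ip = iface_ip.get(iface)
        if ip is None:
            problems.append(f"dhcp pool '{name}': interface '{iface}' has no static ipaddr")
        elif ip not in redirects.get(iface, set()):
            problems.append(f"interface '{iface}': no DNAT redirect of port 53 (tcp+udp) to {ip}")
    return sorted(problems)


# Constructed samples shaped like the thread's configs, with two deliberate gaps.
SAMPLE_DHCP = """
config dnsmasq 'main'
	option noresolv '1'
	list notinterface 'family'
	list server '127.0.0.1#5453'
config dnsmasq 'family'
	option localservice '1'
	list interface 'family'
	list server '185.228.168.9'
	list server '185.228.169.9'
config dhcp 'lan'
	option instance 'main'
	option interface 'lan'
config dhcp 'familysafe'
	option instance 'family'
	option interface 'family'
"""
SAMPLE_NETWORK = """
config interface 'lan'
	option ipaddr '192.168.100.1'
config interface 'family'
	option ipaddr '172.16.1.1'
"""
SAMPLE_FIREWALL = """
config redirect 'adblock_dns'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option dest_ip '192.168.100.1'
"""

if __name__ == "__main__":
    for finding in check_dns_enforcement(SAMPLE_DHCP, SAMPLE_NETWORK, SAMPLE_FIREWALL):
        print(finding)
```

Run against the real files on a router (read them into the three strings) it should print nothing; on the constructed sample it flags the family instance for lacking noresolv and the family interface for lacking its port-53 redirect, which are exactly the two things that let a device on that network fall back to /etc/resolv.conf or talk to an outside resolver.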

Is it possible to do this in the GUI?
I see this topic is 1 year old. Is there a simpler solution today?

I guess it depends if you want to have separate networks (one for kid-safe use; and one unrestricted), or whether you're happy to have the same settings for everybody. If you're happy with just the one network, then simply using the DNS servers of your choice (e.g. https://cleanbrowsing.org/) can be readily achieved through LuCI.

If you want separate networks for different purposes, then I'm not aware of a simpler solution. My current set-up above has worked well and has been stable.


For what it's worth, I ended up switching over to AdGuard Home ([HowTo] Running Adguard Home on OpenWrt) on OpenWrt several months ago because it made it much easier to achieve all of the KidSafe features. What I especially like about the switch to AGH is the easy toggle buttons to control features, block specific web services, etc.

But the best part for me was being able to filter all of the kids' devices based on their MAC addresses and easily apply specific filtering features based on MAC; that way I did not have to set static IP addresses or run multiple dnsmasq instances.

AGH is smooth like butter. :smiley:


An update on my set-up. I've switched from https://cleanbrowsing.org to NextDNS since it provides a bit more flexibility and some neat features (Ad and Content blocking; DoT and DoH; DNSSEC).


Hey, thanks a lot for this!

I am a bit confused as to why you are not sharing the adblock config itself. I assume that you need to create two adblock configs, which create two different files, /tmp/dnsmasq.d/adb_list_main_.overall and /tmp/dnsmasq.d/adb_list_kidsafe.overall, that are then picked up by the two dnsmasq instances when they start up.

Is that correct?

Hello,
Could this tool be used for adblocking on specified devices?

My objective is to have some devices use adblock and other devices never use it.
I cannot separate by VLAN because multiple devices connect to the Ethernet ports.
So maybe have an include list (IP/MAC) which uses AdBlock.

If not, do you guys know other application that can do it ?

Thanks.

By using client IDs you can use different configs for each device.


Point the IPs requiring restrictions to a safe/your DNS, and all the others to 8.8.8.8, in your DHCP config?

The problem is that the only way I see is to point them in the DHCP configuration.
But there is no configuration which permits pointing to a DNS server depending on the device's IP/host/MAC; it is only possible per router interface.

It would've been great if we could choose the DNS server to use by device (IP/MAC/hostname).

There is https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#dhcp_options
Technically you can do the same in the firewall: based on IP/MAC, route the DNS requests differently.


Great, I'll try this. Thank you!