KidSafe (or Guest) WiFi, Forced SafeSearch and Adblock

@grrr2
Sorry for the late reply.

dnsmasq doesn't generate those resolv files.
The resolv file (and the .auto?) are generated by the system.
As I understand this, it contains all DNS servers from all interfaces.

So by default dnsmasq will use those DNS servers that are present in the resolv(.auto) file.

Each instance would use the same DNS servers.

It would be possible to have multiple resolv files.
But then you would need to generate those files beforehand.

I think it would be better to have noresolv 1 and then use the server option to specify the DNS servers.
So you can have different DNS servers for each dnsmasq instance.

//edit
After re-reading the thread.
Your problem is that your second dnsmasq instance is not using the correct resolv.conf file?
I think this was fixed some time ago in latest trunk.

I also noticed setting noresolv 1 will result in an empty resolv.conf file.

With noresolv 0

search lan
nameserver 127.0.0.1

With 1 it is empty.
This will break the name resolution in the LuCI connections tab, for example.
I guess also other things will not work correctly.

What would be fantastic would be for all this work to be pulled together as an app for LuCI.

1 Like

I agree with this 100%. Some sort of .ipk package to install or built-in LuCI config page. I love this idea since it would be beneficial to a lot of families out there with young children that parents want to keep relatively safe online. However, unfortunately, I do not have the skills to create this at all. If anyone else wants to help with that process, I would be happy to help in ways that I am able to.

1 Like

Me neither, but again, happy to help if I can with testing etc.

I tried similar things, but when kids were told by older kids to just install some free VPN, all bets are off :frowning:

2 Likes

I’ve been trying to get this set up on my R7800 with a recent master build from hnyman. I can’t get 2 instances of dnsmasq running, for starters. I then also have trouble using the second WiFi network to connect to the internet. When I read the wiki on dnsmasq (updated October 2018), I get the idea that the solutions posted here are not complete enough so I can understand what I’m doing wrong :sweat_smile:

Could someone please post their config files from /etc/config? I prefer not the additions, but the whole file. And of course, don't forget to remove passwords and SSIDs or anything that could relate to your stuff :zipper_mouth_face:

I’m thinking I’d need:

/etc/config/dhcp
/etc/config/wireless
/etc/config/network
/etc/config/firewall
/etc/config/adblock

-- EDIT --
I got it! It's working now! I've combined it with adblock and safe-search. Safe-search is a new package that recently got merged in master. My recent R7800 build from hnyman was new enough to update the package list and install it.

For future reference, when I forget things or mess them up, here's my setup (the part that matters):
/etc/config/dhcp:

config dnsmasq 'main'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.main'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'
	option serversfile '/tmp/adb_list.overall'
	option local '/home/'
	option domain 'home'
	option nonwildcard '1'
	list interface 'lan'

config dnsmasq 'kidsafe'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.kidssafe'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'
	option serversfile '/tmp/adb_list.overall'
	option local '/kidsafe/'
	option domain 'kidsafe'
	option nonwildcard '1'
	list interface 'kidsafe'
	list notinterface 'lo'
	list addnhosts '/etc/safe-search/enabled'
	

config dhcp 'lan'
	option instance 'main'
	option interface 'lan'
	option dnsmasq_config 'main'
	option dhcpv6 'server'
	option ra 'server'
	option start '80'
	option limit '250'
	option leasetime '24h'
	option ra_default '1'
	list domain 'local'
	list dns 'fdad:be5a:4f7::1'
	option force '1'
	option ndp 'relay'
	option ra_management '1'

config dhcp 'kidsafe_private'
	option instance 'kidsafe'
	option interface 'kidsafe'
	option dnsmasq_config 'kidsafe'
	option start '100'
	option limit '250'
	option leasetime '24h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option dnsmasq_config 'main'

/etc/config/network:

config interface 'kidsafe'
	option proto 'static'
	option ipaddr '192.168.3.254'
	option delegate '0'
	option dns '9.9.9.9 149.112.112.112 2620:fe::fe'
	option netmask '255.255.255.0'

/etc/config/wireless:

config wifi-iface
	option device 'radio0'
	option network 'kidsafe'
	option mode 'ap'
	option encryption 'psk2+ccmp'
	option wps_pushbutton '0'
	option key '****'
	option ssid 'OpenWRT-KidSafe'
	option ieee80211w '2'

config wifi-iface
	option device 'radio1'
	option network 'kidsafe'
	option mode 'ap'
	option encryption 'psk2+ccmp'
	option wps_pushbutton '0'
	option key '****'
	option ssid 'OpenWRT-KidSafe'
	option ieee80211w '1'

And finally /etc/config/firewall:

config zone
	option name 'kidsafe'
	option input 'ACCEPT'
	option forward 'DROP'
	option output 'ACCEPT'
	option network 'kidsafe'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'KidSafe DNS'
	option src 'kidsafe'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'KidSafe DHCP'
	option src 'kidsafe'

config redirect 'adblock_dns'
	option name 'Adblock DNS'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config redirect 'adblock_dns_kidsafe'
	option name 'Adblock DNS KidSafe'
	option src 'kidsafe'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config forwarding
	option dest 'wan'
	option src 'kidsafe'

Awesome stuff!

Remember that I also installed the package safe-search, hence I have one line in /etc/config/dhcp that points to a directory where multiple lists can be added: list addnhosts '/etc/safe-search/enabled'

1 Like
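As an added check (example code, not from this thread and not from the OpenWrt, adblock or safe-search projects), here is a small Python script that reads config in the UCI format shown above and verifies the points that make the KidSafe network safe: the kidsafe DHCP pool hands out leases from the kidsafe dnsmasq instance, that instance listens only on the kidsafe interface and loads the safe-search hosts, the zone's forward policy is DROP with an explicit forwarding to wan, and port 53 is DNAT-redirected to the router for both tcp and udp. The check names and the constructed config strings are this example's own; it assumes the zone, the network and the dnsmasq instance share one name, as they do in the posted config.

```python
"""Sanity checks for a two-instance 'kidsafe' OpenWrt setup (added example).

Parses the UCI text format of /etc/config/dhcp and /etc/config/firewall and
verifies the properties that keep the kidsafe network pinned to its own
filtering dnsmasq instance. Assumes zone, network and dnsmasq instance share
one name, as in the posted config; the sample config strings are constructed.
"""
import shlex


def parse_uci(text):
    """Parse UCI 'config' / 'option' / 'list' lines into section dicts."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)   # '#' starts a comment
        if not parts:
            continue
        if parts[0] == "config":
            name = parts[2] if len(parts) > 2 else None
            sections.append({"type": parts[1], "name": name, "opts": {}})
        elif parts[0] == "option":
            sections[-1]["opts"][parts[1]] = parts[2]
        elif parts[0] == "list":
            sections[-1]["opts"].setdefault(parts[1], []).append(parts[2])
    return sections


def _find(sections, stype, **match):
    """First section of type stype whose options equal every given key/value."""
    for s in sections:
        if s["type"] == stype and all(s["opts"].get(k) == v for k, v in match.items()):
            return s
    return None


def check_kidsafe(dhcp_text, firewall_text, zone="kidsafe"):
    """Return {check name: bool}; 'all_ok' is True only if every check passed."""
    dhcp, fw = parse_uci(dhcp_text), parse_uci(firewall_text)
    r = {}
    # The zone's DHCP pool must be served by the zone's own dnsmasq instance,
    # otherwise clients are handed the unfiltered resolver.
    pool = _find(dhcp, "dhcp", interface=zone)
    r["pool_uses_own_instance"] = pool is not None and pool["opts"].get("instance") == zone
    # That instance must listen only on the zone interface and load the
    # safe-search host overrides (the addnhosts line from the thread).
    inst = next((s for s in dhcp if s["type"] == "dnsmasq" and s["name"] == zone), None)
    r["instance_bound_to_zone"] = inst is not None and inst["opts"].get("interface") == [zone]
    r["instance_has_safesearch_hosts"] = inst is not None and any(
        p.startswith("/etc/safe-search/") for p in inst["opts"].get("addnhosts", []))
    # Firewall: no forwarding into other zones (DROP), an explicit forwarding
    # to wan, and port 53 DNAT-redirected to the router for BOTH tcp and udp so
    # a client with a hard-coded public resolver still hits the filtering instance.
    zsec = _find(fw, "zone", name=zone)
    r["zone_forward_drop"] = zsec is not None and zsec["opts"].get("forward") == "DROP"
    r["zone_forwards_to_wan"] = _find(fw, "forwarding", src=zone, dest="wan") is not None
    protos = set()
    for s in fw:
        o = s["opts"]
        if (s["type"] == "redirect" and o.get("src") == zone
                and o.get("target") == "DNAT" and o.get("src_dport") == "53"):
            protos.update(o.get("proto", "").split())
    r["dns_redirected_tcp_and_udp"] = {"tcp", "udp"} <= protos
    r["all_ok"] = all(r.values())
    return r


# Constructed samples mirroring the layout of the config posted in the thread.
DHCP_OK = """
config dnsmasq 'main'
	option resolvfile '/tmp/resolv.conf.auto'
	list interface 'lan'

config dnsmasq 'kidsafe'
	option resolvfile '/tmp/resolv.conf.auto'
	list interface 'kidsafe'
	list addnhosts '/etc/safe-search/enabled'

config dhcp 'kidsafe_private'
	option instance 'kidsafe'
	option interface 'kidsafe'
"""

FW_OK = """
config zone
	option name 'kidsafe'
	option forward 'DROP'
	option network 'kidsafe'

config redirect 'adblock_dns_kidsafe'
	option src 'kidsafe'
	option proto 'tcp udp'
	option src_dport '53'
	option target 'DNAT'

config forwarding
	option dest 'wan'
	option src 'kidsafe'
"""

# Same firewall, but the DNS redirect only covers udp: tcp/53 lookups are not caught.
FW_UDP_ONLY = FW_OK.replace("option proto 'tcp udp'", "option proto 'udp'")

if __name__ == "__main__":
    for label, fw in (("posted layout", FW_OK), ("udp-only redirect", FW_UDP_ONLY)):
        print(label, check_kidsafe(DHCP_OK, fw))
```

To use it on a router, pass the contents of /etc/config/dhcp and /etc/config/firewall as the two strings. The second sample deliberately narrows the redirect to udp to show the check failing: DNS also runs over tcp, so a redirect that covers only one protocol leaves a gap. A DNAT redirect with no dest_ip, as in the posted config, sends the traffic to the router itself, which is what makes the kidsafe clients use the local dnsmasq regardless of the resolver they were configured with.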

Argh, I'm almost there! I thought I'd had it with the SSID OpenWRT-KidSafe on both radios, but apparently I assumed it worked on both WiFi interfaces before I wrote here.

When I add both WiFi interfaces on the kidsafe network (actually, interface in /etc/config/network), I don't get an IP address. When I enable only one WiFi interface, then I can connect to that SSID. However, on my "main" config I have the same SSID on both WiFi interfaces, so the wireless devices can figure out themselves if they connect to the 5 GHz band or the 2.4 GHz band.

I'm not a specialist on this, but I guess this has got something to do with config interface 'kidsafe' not being a bridge in /etc/config/network?

@D43m0n Thanks for the heads up on this new safe-search package. I am curious to take a look tonight at that, very nice.

Here is my /etc/config/network in case beneficial:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3f:b96f:82ef::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
#	option dns '208.67.222.222 208.67.220.220'
	option delegate '0'
	option _orig_ifname 'eth0 wlan0 wlan1'
	option _orig_bridge 'true'
	option ifname 'eth0'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	option delegate '0'
	option peerdns '0'
#	option dns '208.67.222.222 208.67.220.220'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6'

config interface 'kidsafe'
	option _orig_ifname 'wlan2'
	option _orig_bridge 'false'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option force_link '0'
	option type 'bridge'


Thanks @WildByDesign. I think I nailed it, I've got 2 devices connected to the OpenWRT-KidSafe SSID and a few to the main SSID. I thought I'd just try to see if my assumption of the type 'bridge' was correct, so I created a bridge on the kidsafe network and selected both WiFi radios. That did the trick. And then you uploaded your /etc/config/network which shows you've also got option type 'bridge' enabled on that kidsafe interface. :+1:

I'll leave this configured as it is. If it somehow stalls for some reason I can't think of right now, I'm sure my daughter will let me know :sweat_smile:

There's one thing I might try in the near future and that is try to get IPv6 working. But as long as my ISP won't give me a native IPv6 address, there's no rush. At the moment, this setup seems perfect to me: a safer search is forced, YouTube is stricter than it was (had it on moderate for all of us, but that's separate now). And in the event she somehow manages to get an app on her iPad that can browse the network, that is safe too because of the separate IPv4 address.

So to recap: the only thing I added to make both WiFi radios work with one SSID was add option type 'bridge' to config interface 'kidsafe' in /etc/config/network. In LuCI I selected both WiFi radios for the SSID OpenWRT-KidSafe and presto!

:+1: really happy with this! :smile:

@D43m0n You're welcome. Excellent, I am glad that you've got it all sorted out and that you're pleased with how it's all working so far.

My ISP also still does not provide IPv6 and therefore I haven't focused on that at all for my setup.

Speaking of this new safe-search package, I haven't done much research on this yet. I had always done the forced safe search stuff manually within my setup. But having an .ipk package certainly makes that part easier. I've downloaded the safe-search package and will install later but I do have a question about it.

Does this safe-search package present any settings within the LuCI user interface, or does it have to be configured manually?

From what I can see, it's mostly manual configuration. But that is minimal. When you install the package, the necessary files are put in place and it's enabled by default. The option list addnhosts '/etc/safe-search/enabled' is added for you to the first dnsmasq instance in /etc/config/dhcp.

In LuCI, there's no specific menu for it, like there is with Adblock for instance. The only place where I found something was in the Resolv and Hosts Files tab under DHCP and DNS. There's a text field that had the location of the enabled safe-search files that are included by dnsmasq. From what I saw, that was the only LuCI part I recognized. The rest is as good to go. I also enabled YouTube restricted mode, that's disabled by default. You can enable that in the /etc/config/safe-search settings and then run the command safe-search-update. That will update the symlinks in /etc/safe-search/enabled and reload dnsmasq.

:+1:

@D43m0n Thank you so much, I appreciate it. Unfortunately, after a couple of hours testing, I was unsuccessful in getting safe-search package to work correctly on the current stable branch build 18.06.1. I had downloaded the package from master and installed manually, and also added the correct addnhosts line to the kidsafe instance of dnsmasq.

But in the end, it did not work for me. So I went back to my initial Safe Search manual setup the way I had it working since the beginning and all is well now. All good, either way.

That sure is a great way to educate your children about internet censorship and how to work around it.

Hi, thank you all for providing these wonderful instructions. I have managed to complete this setup using OpenWRT version 18.06.1 and a 3200ACM router. A few observations, and I wanted to see if this is common in every setup or just my own:

  1. I cannot ping between my PC (LAN network) and MacBook (KidSafe WiFi network); they fail with a timeout. Is this expected?
  2. When I go to yahoo.com, for example, and search in web or images, safe search is turned on by default. But it is easy to turn it off (unlike Google). Is there any way to complete this enforcement through this setup? It looks like the DNS lookup requests do not change with the web browser setting.

This is expected if you didn't allow traffic from LAN to KIDS_NETWORK in the firewall.

You do understand these instructions are to enable kids blocking, correct?
Why did you set up this up to disable it?

(Perhaps, I'm not understanding your question.)

I think the point is that you can click the on-screen button to turn off restricted mode and it will change on screen... but what won't change is that dnsmasq is returning an IP address for the restricted YouTube search, so those IP addresses only respond with restricted searches.

@ChumpChange you do have to ensure that your kids computers are using the dnsmasq as their DNS resolver not something else on the internet. You can do this by blocking outbound requests to port 53.

1 Like

Maybe there was some DNS cache or something on my MacBook (now connected to KidSafe) which was previously connected to some other WiFi network. After I cleared all the browser/DNS cache etc. and reconnected, the MacBook is sufficiently protected for the kids.
With using the CleanBrowsing custom DNS setting for the kidsafe interface, the site images.search.yahoo.com is blocked where the user can turn off safe search, so I think it's a fine setup now. Thanks
@dlakelan and @lleachii

This looks like a brilliant solution.
I'm very keen to get this config up and running on my own device.
Before I start to work through the settings on the first post, has a guide for this been created?

I'm still a little uncertain what needs to be done with the 'resolv.conf.kidsafe' file?
Is the suggestion by matthew_eli the way to achieve success?

cp /etc/resolv.conf.kidsafe /tmp/resolv.conf.kidsafe

I got this working by running multiple dnsmasq instances. My 'kidsafe' network uses CleanBrowsing's family filter DNS resolvers whereas my 'unrestricted' uses unfiltered DNS resolvers. Happy to dig out my configs if they'd help.

1 Like

Thanks tectonic, any input is appreciated.
Did you have to create a workaround to separate the two resolv.conf files? It seems that a workaround needs putting in place to copy the secondary file into the correct place. I would be interested to see how you resolved that.
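On the resolv.conf question: the two approaches in this thread (pointing the second instance at a copied resolv file, versus noresolv 1 plus explicit server entries as suggested near the top) differ only in where dnsmasq takes its upstream resolvers from. The Python below is an added example, not code from the thread or from dnsmasq/OpenWrt: it models that rule for instance options written in UCI spelling and reports when two instances end up forwarding to the same resolvers, or when an instance has none at all (what happens when the copied file is missing from /tmp after a reboot). The resolver addresses and file contents are constructed for the example.

```python
"""Which upstream resolvers does each dnsmasq instance actually use?

Added example, not from the thread. It models the dnsmasq rule behind the
resolv.conf question: an instance reads nameservers from its resolvfile unless
noresolv is set, and always adds its explicit 'server' entries on top. Instance
options are given as dicts in UCI spelling; the resolv file contents and the
resolver addresses are constructed for the example.
"""


def parse_resolv(text):
    """Return the nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def effective_upstreams(instance, resolv_files):
    """Upstreams for one UCI dnsmasq section.

    instance:     dict of UCI options ('noresolv', 'resolvfile', 'server' list)
    resolv_files: {path: contents}, standing in for the files under /tmp
    """
    servers = list(instance.get("server", []))          # explicit 'list server'
    if instance.get("noresolv", "0") != "1":             # resolvfile is read unless noresolv
        path = instance.get("resolvfile", "/tmp/resolv.conf.auto")
        servers += parse_resolv(resolv_files.get(path, ""))   # missing file -> nothing
    uniq = []
    for s in servers:                                    # keep order, drop repeats
        if s not in uniq:
            uniq.append(s)
    return uniq


def diagnose(instances, resolv_files):
    """Return ({instance name: upstream list}, [warnings])."""
    ups = {n: effective_upstreams(i, resolv_files) for n, i in instances.items()}
    names, warnings = list(ups), []
    for idx, a in enumerate(names):
        if not ups[a]:
            warnings.append(f"{a}: no upstream resolvers, queries will fail")
        for b in names[idx + 1:]:
            if ups[a] and set(ups[a]) == set(ups[b]):
                warnings.append(f"{a} and {b} forward to the same resolvers")
    return ups, warnings


# Constructed sample data (documentation-range addresses, not real resolvers).
RESOLV_AUTO = "search lan\nnameserver 192.0.2.1\n"       # what the system writes for wan
FILTERED = ["198.51.100.10", "198.51.100.11"]            # a filtering resolver pair
FILES = {"/tmp/resolv.conf.auto": RESOLV_AUTO}           # /tmp/resolv.conf.kidsafe absent

MAIN = {"resolvfile": "/tmp/resolv.conf.auto"}
# 1. Both instances point at the same file, as in the posted config.
KIDSAFE_SHARED = {"resolvfile": "/tmp/resolv.conf.auto"}
# 2. The copy-a-second-file workaround: only works while the copy in /tmp exists.
KIDSAFE_COPY = {"resolvfile": "/tmp/resolv.conf.kidsafe"}
# 3. noresolv plus explicit servers, as suggested in the thread: no file needed.
KIDSAFE_NORESOLV = {"noresolv": "1", "server": FILTERED}

if __name__ == "__main__":
    for label, kid in (("shared file", KIDSAFE_SHARED), ("copied file", KIDSAFE_COPY),
                       ("noresolv+server", KIDSAFE_NORESOLV)):
        ups, warnings = diagnose({"main": MAIN, "kidsafe": kid}, FILES)
        print(f"{label:16} {ups}  {warnings}")
```

In UCI terms the third variant is option noresolv '1' in the kidsafe dnsmasq section plus one list server line per filtering resolver; the main instance keeps its resolvfile, so only the KidSafe network is pointed at the filtering resolvers and nothing has to be copied into /tmp at boot.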