I would also like to inquire about this -- especially logging IP addresses. My DNS server already logs all DNS requests and all traffic on port 53 is redirected to the intranet.
Also, I'm not in the EU or EEA, so GDPR doesn't apply to me, and I'm processing data of myself only, and my devices (which do not consent to the data processing but aren't considered people, so I don't need their consent).
I'm using 19.07rc2 on ramips/mt76x8 with an external syslog server.
Okay, though I would like to know if it's because of the thread age, or something else.
I'm inquiring about the topic of the post,
"I need to know what websites with either partial or complete URL are being visited from my home router. This can be either dumped to a local file and log-rotated or URL info be sent to an external syslog server."
Answered by #2.
So, in summary: I want to be able to log complete HTTP traffic metadata (URL, from LAN IP, to remote IP, via WAN IP, device location (wlan0, wlan1, eth0.1, eth0.2, eth0.3, eth0.4)) to syslog and sync it remotely to an external server (which the built-in syslog server does, and I have successfully set it up).
Right now I have achieved this by adding iptables rules to log all traffic, but the results are not detailed at all. I would like to log HTTP URL and hostname, HTTPS hostname, TCP data in general (from ip & port, to ip & port).
Of course it's possible, I explicitly said hostname, not URL or any other metadata (well, other than IPs and ports of dest and src, time info).
Unless the browser implements Encrypted SNI, it will send the hostname as cleartext in the initial TLS handshake. And since the "browser" is not actually a browser but instead an embedded device with a really bad TLS implementation, it will never have Encrypted SNI enabled.
iptables is not the answer to logging HTTP and HTTPS metadata, it's suited for logging TCP, mostly. It's too low level.
Also, can you stop with the aggressively attacking attitude. I have been polite with you, it's only fair that you be polite to me, given that I have not posted anything that could be interpreted as being abusive, spam-like in nature, unwanted, etc.
In the context of the usual forum ruleset of "ask for guidance only, don't request the whole solution", "are you seeking someone to assist you with those detailed rules?" comes off more as aggressive than a genuine offer of help. Especially in the context of "So why don't you" and "or are you".
In any case, I apologize if I have misinterpreted it, English is not my mother tongue.
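The cleartext SNI in the TLS ClientHello and the Host header of plain HTTP mentioned above are exactly the two fields a lightweight hostname logger would pull out of each connection before writing a syslog line. The following is an added example, not code from this thread or from OpenWrt or PiHole; the function names, the `hostlog:` prefix and the interface/IP values are assumptions, and the ClientHello is constructed inline as sample input only.

```python
import struct

def extract_sni(data: bytes):
    """Return the server_name from a TLS ClientHello record, or None if absent/malformed."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:      # TLS handshake record carrying a ClientHello
            return None
        pos = 5 + 4 + 2 + 32                         # record hdr, handshake hdr, version, random
        pos += 1 + data[pos]                         # session_id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + data[pos]                         # compression_methods
        end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if ext_type == 0:                        # server_name extension
                p, stop = pos + 2, pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
                while p + 3 <= stop:
                    name_type, name_len = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                    if name_type == 0:               # host_name entry
                        return data[p + 3:p + 3 + name_len].decode("ascii")
                    p += 3 + name_len
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                         # truncated or non-TLS payload
    return None

def extract_http_host(data: bytes):
    """Return the Host header of a cleartext HTTP/1.x request, or None."""
    lines = data.partition(b"\r\n\r\n")[0].split(b"\r\n")
    if not lines[0].split(b" ")[-1].startswith(b"HTTP/"):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None

def log_line(ifname, src, dst, payload: bytes) -> str:
    """Syslog-style record; hostname from SNI or Host header, '-' when neither is present."""
    host = extract_sni(payload) or extract_http_host(payload) or "-"
    return f"hostlog: if={ifname} src={src[0]}:{src[1]} dst={dst[0]}:{dst[1]} host={host}"

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello with an SNI extension (sample input only)."""
    name = hostname.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Feeding the first payload bytes of each new flow (from a packet capture on the LAN interfaces) to `log_line` yields one record per connection that a syslog forwarder can ship off-box; with ESNI/ECH the SNI field would come back as `-`, leaving only the IP/port metadata.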
If I were trying to accomplish the goal, I'd run suricata or a similar packet-inspection tool on a suitable host. It would surprise me if a consumer all-in-one has enough compute power to do packet inspection at more than a trickle. MIPS-based SoCs have trouble with something as computationally simple as SQM at around 100-200 Mbps, for example.
Even diverting all the packets to an external host for analysis may well be beyond what an all-in-one can accomplish. Many/most achieve high throughput by offloading the flows from the CPU to the ASIC switch framework.
Seems like you'd need a topology that separates your network into VLANs (or physical LANs) so that you can accomplish your objective of identification of where the associated host is connected.
Instead of making a completely different thread, I'll just bump this one.
(Not my first post, having difficulties getting access to the correct account login information)
As the topic says, "knowing what websites are visited". I have not been able to figure out how to do this with simplicity (a neat GUI); usually when I wanted more knowledge of this, I had to type several commands and so on when using OpenWRT. I then got tired of this and decided to bridge my Raspberry Pi 3B (PiHole) to my WRT3200acm (OpenWRT), and this worked flawlessly. But as of today, my Raspberry is my car's new brain and I can therefore no longer use PiHole in a simple way. So my question is:
Could OpenWRT in any way take over PiHole tasks in terms of providing a good and simple GUI to log IPs, hostnames, data used, by whom and when (time) and so on...
What I'm trying to do here will not break any laws. I feel like this should be said so no one needs to remind me of GDPR and the like. Thank you.
Yet... SNI is in the process of being superseded by ESNI; once that is widely established, not even the requested host name can be inferred anymore from the outside.