Locking down a guest VLAN


Now that I have my guest network VLAN working, I thought I would try to lock it down further.

My initial thoughts were to go full "corporate proxy" and basically give them nothing but access to, say, Squid, which has a blacklist or a whitelist.

Then block all other ports. Redirect all web ports to the proxy.

But... Googling around, I didn't find much traffic around this approach; it would also probably require a USB drive for the cache, unless I can turn that down to a tiny 32Mb in the /tmp RAM fs.

Are there any currently preferred approaches on Linux / OpenWRT for web filtering / whitelists / blacklists?

Note, I already use PiHole, but it doesn't protect against adult content.

Proxy works well, but most of the web is encrypted, so there's very limited caching (maybe some CDN content, stuff like JavaScript libraries, etc.). Squid can only see the site name, not the full URL being requested, but even so it can provide a reasonable filter for domains, whereas just blocking IP addresses doesn't work well (since CDNs may host multiple sites from the same IP address, blocking that address will block "legitimate" sites as well as the ones you're trying to filter). Squid gets around that by only blocking at the name level.

I use Squid to control policy on my home network so my kids have certain times when they can get certain sites (YouTube, etc.). I even have transfer quotas for googlevideo.com, which I do by setting firewall marks on the packets and then accounting them in nftables.

HOWEVER, I use an explicit proxy on all the devices. If you don't set up the proxy in Android's Wi-Fi settings, you don't get anything. You don't want to go with a "transparent" method here (there is no such thing as a "transparent" proxy of HTTPS; the only way it works at all is for you to install a certificate on the device and have the proxy actively man-in-the-middle the connection. It's NOT recommended).


Is it something you would recommend running on OpenWRT on a router with 512Mb RAM?

Or would you offload it to an actual server?

I have both options; the only downside with redirecting to my server is... it's on the LAN, so it would be a cross-zone rule. Although I'm sure I could convince it to pick up tagged VLANs.


I'd say stop access to any web site you want to filter as early as possible, i.e. use some kind of DNS blocking (e.g. adblock) as the first guardian. No DNS resolution -> no content at all to URL filter. adblock is not just about ads; there is a lot of other categorized content that can be used for filtering. You can even configure safe search, i.e. google.com is resolved to the safe version automatically.

@dlakelan, why don't you recommend an HTTPS proxy? Yes, it is basically a MITM attack, and yes, it requires the proxy's cert to be trusted by all clients, but it is under my control, so why are you not suggesting it? What are the drawbacks (other than probably resources)?

Well, the idea with a web proxy is the guest LAN does not need DNS and DNS can be completely blocked.

It will be the proxy server that makes the DNS request, and if it doesn't like the hostname, it will just return a "Not available on this network" or similar page.

This is the way it is at work.

ping google.com
Unknown host: google.com
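To make the "explicit proxy, no DNS for guests" model described in the last two posts concrete, here is an added nftables ruleset (example config, not from anyone in this thread or from OpenWrt itself). The guest bridge name `br-guest`, the LAN proxy host `192.168.1.10`, the proxy port `3128` and an IPv4-only guest VLAN are assumptions.

```nft
# Added example: lock a guest VLAN down to an explicit proxy on a LAN server.
# Assumed names: guest bridge br-guest, proxy 192.168.1.10:3128, IPv4-only guests.
table inet guest_filter {
    # Named counter so proxy usage can be read later with "nft list counters"
    counter proxy_hits {}

    # Traffic routed from the guest VLAN to other zones (LAN server, WAN)
    chain guest_forward {
        type filter hook forward priority 0; policy drop;

        # Packets not arriving from the guest VLAN are not this table's business;
        # other base chains on the same hook (e.g. fw4) still evaluate them
        iifname != "br-guest" accept

        # Replies to already-permitted connections
        ct state established,related accept

        # The only thing a guest may open: a TCP connection to the explicit proxy.
        # The proxy resolves names itself and applies the allow/deny list.
        ip daddr 192.168.1.10 tcp dport 3128 counter name proxy_hits accept

        # Guests get no DNS (53) or DNS-over-TLS (853) of their own, so a blocked
        # name cannot be looked up at all; counters show how often this fires
        udp dport { 53, 853 } counter drop
        tcp dport { 53, 853 } counter drop

        # Everything else from the guest VLAN, including direct HTTP/HTTPS, is dropped
        counter drop
    }

    # Traffic from the guest VLAN to the router itself
    chain guest_input {
        type filter hook input priority 0; policy drop;
        iifname != "br-guest" accept
        ct state established,related accept

        # DHCP is still required so guests obtain an address; the lease can also
        # carry the proxy location (WPAD, DHCP option 252) so clients configure it
        udp dport 67 accept

        # Echo requests to the router are harmless and useful when troubleshooting
        icmp type echo-request accept
        icmpv6 type echo-request accept
        counter drop
    }
}
```

Load it with `nft -f <file>` alongside the existing OpenWrt fw4 rules; if guests get IPv6 addresses, add a matching `ip6 daddr` rule for the proxy or the proxy rule will only cover IPv4 clients.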