Nftables - Filtering traffic at IP addresses level based on relevant domain name

Well, isn't this far harder than before?
This is exactly the reason why I'm not adopting FW4. With FW3 I have a long list of ipsets to filter web access to my IoT devices; why are we trying to make things harder?
I don't even know if the fw4-compliant dnsmasq-full is out and if it manages ipsets..

It depends on what you are referring to; the wiki example referenced in this new wiki page shares exactly the same approach, with a list of domains translated into a list of IPs.

The fw4 equivalent of ipsets are called sets; with dnsmasq 2.87, --nftset will be introduced as the equivalent of --ipset (https://github.com/openwrt/openwrt/pull/4977).

So I would say that it is not harder than before, it is just moving to something different.

I was referring exactly to the equivalent of ipset that - please correct me if I'm wrong - today is still not available, and we don't even have an expected availability.
I was planning to start from scratch to abandon 21.02 and go back to master, but it seems that's not the case..

There won't be a standalone ipset replacement, the successor is nftables' builtin set support. See https://wiki.nftables.org/wiki-nftables/index.php/Ipset for some further information.

The equivalent of ipset is available and is called sets; it is no longer an external package but is bundled with nftables. What is missing is the equivalent of the dnsmasq --ipset option, which will be available in 2.8.7 as the --nftset option.

So, if you are filling your ipset from a list of domains, the functionalities are already there. If you are filling your ipset from a subset of queries resolved by dnsmasq you still have to wait.

Q. Could this work on OpenWrt 21.02.3? How to add the fw4 feature on 21.02.3?
Q. How to create a new interface like wildlan? Is it virtual?
Q. I tried this method for the whitelist feature. Are there any more detailed references or examples?
Q. Does it support wildcard domain names?

Seems that you have fw3, so use the link for fw3 (in the first paragraph of the first topic).

Hi, thank you for the neat tutorial! It worked perfectly on an Archer C6v3 with a custom image of OpenWRT 22.03.0. I will use this to replace a former ipset configuration that directed traffic to streaming sites like Netflix over WAN directly instead of using the wireguard tunnel. Therefore, my aim was not only to allow traffic to the IPs from the list but to reroute the traffic over a different interface, which led to a slight alteration. However, the core steps were the same.

Something to add to your tutorial could be how to remove the rules again:

nft delete rule inet fw4 forward_wildlan handle 450
nft delete set inet fw4 handle 449

The handle number may change depending on other nft configurations.

Hi,

Glad it helped. How are you managing the multiple URLs that Netflix has?

Regarding the handles, in the wiki page the handles are no longer referenced directly to avoid that issue; here it is for your reference: https://openwrt.org/docs/guide-user/firewall/filtering_traffic_at_ip_addresses_by_dns.

Good adjustment. I accidentally deleted a wrong handle while testing the deletion, which wasn't an issue due to the persistent configuration in /etc/config/firewall, but under other circumstances it might cause one.

The URLs Netflix uses for streaming, and to which traffic needs to be rerouted, aren't many. They have also expanded only once or twice in the past two years. As of now, adding these domains is sufficient to be able to watch all content in Germany while having everything else routed over a wireguard tunnel:

netflix.com
netflix.net
nflxext.com
nflximg.com
nflximg.net
nflxvideo.net
nflxso.net

Further tests will extend to DAZN, Sky and other streaming services that use geoblocking and seem to also block whole address ranges from server farms that allow anyone to host a server.

Those URLs unfortunately didn't work as an allow-list; likely Netflix is trying to access some subdomain.netflix.something that results in a different IP than the base domain itself.

Once dnsmasq 2.8.7 is available, using the nft sets it will be possible to allow the full set of subdomains without having to list them all.

Hmm, I need to check it out again then. Interestingly enough, Netflix and DAZN work without any filter rules in place, which wasn't the case with previous builds for Archer C7, C59 and older TP-Link models.

Thanks again though, I'll let you know whether I succeed in the future. :slight_smile:

For anyone searching for a way to implement the old DNS firewall with ipsets in new snapshot releases, or everyone with dnsmasq 2.87 in 22.03, I posted a howto in the devel section.

Nice, then we should use the "list domain" in the dhcp configuration to create an allowed list of domains to be served.

If you don't mind, you could update this page to reflect this better option with the new dnsmasq.

I haven't applied for a wiki account yet. But if anyone wants to use the post and its content, the information is free. Have at it :wink:

Hi @kdw,

I've tried to configure the nft set according to your guide, but I wasn't able to get it working. For sure I was missing some piece, but I ended up with the firewall not being able to properly recognize the nftset.

For anyone else who might find themselves in the same situation: to get it working I skipped UCI and configured it directly as follows.

The nftset is created via command line as in previous cases, but the timeout is added on the set instead of being applied at time of adding IPs:

nft add set inet fw4 blackhole { type ipv4_addr \; timeout 24h \;}

In the setup the wildlan has no forward to wan, so no communication will happen unless it points to an IP address included in the set.

nft insert rule inet fw4 forward_wildlan ip daddr @blackhole accept

Those first two commands are the same as in the previous example, but the set is now filled directly by dnsmasq. To do so, update /etc/dnsmasq.conf:

nftset=/#/4#inet#fw4#blackhole

The above instruction will have dnsmasq update blackhole with any URL. To allow only a subset of URLs, this can be used instead:

nftset=/google.com/4#inet#fw4#blackhole

I will update also the wiki.
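An added helper (not from the thread, the wiki page or dnsmasq) that turns a domain allow list into the dnsmasq nftset= line used above, with the set name and "4#inet#fw4" layout taken from the example. It relies on dnsmasq accepting several domains in one option separated by "/", each entry matching the domain and all its subdomains; the sample list is the Netflix domains quoted earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the wiki page or dnsmasq: build the dnsmasq nftset= line
# for a list of allowed domains. dnsmasq accepts several domains in one option,
# separated by "/", and matches each domain together with all its subdomains.

# Constructed sample allow list (the Netflix domains quoted earlier in the thread).
ALLOWED_DOMAINS='netflix.com
netflix.net
nflxext.com
nflximg.com
nflximg.net
nflxvideo.net
nflxso.net'

# Reject anything that is not a plain hostname: a stray space, "/" or "#" in an
# entry would silently corrupt the option, since those are its separators.
valid_domain() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;
  esac
  return 0
}

# nftset_line <set-name> <domain>... prints the dnsmasq.conf line for an
# IPv4-only set in table "inet fw4" (the table fw4 creates), as on the page.
nftset_line() {
  set_name=$1; shift
  line='nftset=/'
  for d in "$@"; do
    valid_domain "$d" || { echo "invalid domain: '$d'" >&2; return 1; }
    line="${line}${d}/"
  done
  printf '%s4#inet#fw4#%s\n' "$line" "$set_name"
}

# nftset_line_from_list <set-name> reads the domains from ALLOWED_DOMAINS, one per line.
nftset_line_from_list() {
  # shellcheck disable=SC2086
  nftset_line "$1" $(printf '%s\n' "$ALLOWED_DOMAINS")
}

nftset_line_from_list blackhole
```

Paste the printed line into /etc/dnsmasq.conf in place of the single-domain nftset= line above; dnsmasq then adds the resolved addresses of every listed domain and its subdomains to the same set.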

Please don't add wiki instructions using manual nft commands, document the proper uci solution instead.

Syntax should be:

config ipset
  option family ipv4
  option name blackhole
  option timeout 86400
  list match ip

config rule
  option family ipv4
  option proto all
  option src wildlan
  option dest *
  option ipset 'blackhole dest' 
  option target accept

Sorry for that, but I haven't been able to get it working with UCI. The wiki page I'm referring to was already created (before dnsmasq 2.87) with nft commands, and now I've updated it to also cover the case of the latest dnsmasq.

Hope that the wiki page will not be removed.

I see, okay

As I've successfully got Netflix-only access for my TV with the above approach (with the use of an nft set), I want to share something that wasn't completely clear to me at the beginning.

As a starting point to get the list of domains to whitelist, you enable DNS logging, preferably on an external device via UDP messages. While looking at the domains that the TV tries to access, you cherry-pick the ones that look legitimate and include them in the list of allowed ones.

Many domains will return a Canonical Name (CNAME), so the DNS log will look like:

query exampledomain.com
reply exampledomain.com CNAME cnameforexampledomain.com
query cnameforexampledomain.com
reply cnameforexampledomain.com is at 192.168.1.101 (it will of course not be a private address like this one).

My mistake was to include cnameforexampledomain.com in the allow list instead of exampledomain.com.

At least dnsmasq 2.89-4 doesn't process the CNAME-related queries within the nft set; instead it processes the main domain (exampledomain.com) and the relevant CNAME.
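An added helper (not from the post, the wiki page or dnsmasq) that walks log lines in the shape shown above and prints the originally queried name next to each address, so the allow list gets exampledomain.com rather than the CNAME target. The log excerpt is constructed for the example; the parser also follows chains of several CNAMEs, which the post does not show.

```shell
#!/bin/sh
# Added example, not from the post or from dnsmasq: follow the CNAME chain in
# dnsmasq-style query/reply log lines back to the name the client asked for.
# That queried name is what belongs in the allow list (and the nftset= line),
# not the CNAME target that finally carries the address record.

# Constructed log excerpt in the shape shown in the post above (not a real capture).
SAMPLE_LOG='query exampledomain.com
reply exampledomain.com CNAME cnameforexampledomain.com
query cnameforexampledomain.com
reply cnameforexampledomain.com is at 192.168.1.101
query direct.example
reply direct.example is at 192.168.1.102
reply other.example is at 192.168.1.103'

# Reads log lines on stdin, prints "<queried-domain> <ip>" per address answer.
# Multi-level chains (a CNAME pointing at another CNAME) resolve to the first name.
allowlist_from_log() {
  awk '
    # "reply X CNAME Y": Y was reached through X; inherit the origin X itself had.
    $1 == "reply" && $3 == "CNAME" {
      origin[$4] = ($2 in origin) ? origin[$2] : $2
      next
    }
    # "reply X is at IP": report the original query name, falling back to X.
    $1 == "reply" && $3 == "is" && $4 == "at" {
      name = ($2 in origin) ? origin[$2] : $2
      print name, $5
    }
  '
}

# Deduplicated, sorted domain names ready to paste into the allow list.
allowlist_domains() {
  allowlist_from_log | awk '{ print $1 }' | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | allowlist_from_log
printf '%s\n' "$SAMPLE_LOG" | allowlist_domains
```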