Some security measures

Hello and thanks for reading and considering my questions. They are simple but as I am new here, I cannot assume to know their answers. These are questions that take the form of needs I would like met using the firmware.

I would like to block certain devices from using only certain websites at certain times that I will supply. And to have the chance to add to this list of websites.

I would like to block access to the internet at certain times for certain devices and at certain specified times, after which the 'block' will not apply.

I will like to subject enhanced safe search results for certain devices. These devices would be identified by IP.

I would like to have a message displayed each time users of these devices breach these 'rules.'

That's all for now. And, again, many, many thanks.


Search is your friend:

(I literally typed most of your sentences verbatim into search and got the links I would provide you.)


  • You want a Layer 3 router to capture a web search based on the initiating host - then redirect it to another website???
    • If so, do you mean HTTP or HTTPS?
  • How do you suggest the router guess you're on a search site or want to go to one?
  • Displayed where?
  • Your router has a display?
  • To be clear...which rule(s) - please don't say "all of them"?

EDIT: Additionally, none of your statements end with a question mark, so it's really difficult to determine what you asked or what your question is. I'll take the easy route since you didn't ask how and simply say all of what you listed seems possible - the web search thing may be difficult though.


This is a good point and I now fix it by asking clear questions that I will also use to search on the link you sent.
How can I block devices from accessing the Internet at certain time of the day.
How can I create a set of websites that these devices can access at certain time of the day
How can I use for example ( to subject certain devices, while other devices on the same network are not subjected to being blocked from accessing the sites on that host file
How can I set up Openwrt to display a message on the user's browser when they attempt to visit a website they are not allowed, such as: "you are not allowed to visit this website....."

Thanks a lot



Please answer the question. If you don't know a term (i.e. "Layer 3"); don't assume it didn't apply to you. I am replying directly to you and your inquires after all.

Nothing was cleared up. A router is a Layer 3 device. If you don't need it, then remove the OpenWrt. Web browsing is Layer 7...your device handles Layer again:

(Also, can you work on not messing up quotes - so your responses don't appear to be my words. That's very difficult to follow.)

EDIT: I noticed you didn't ask again about the web search thing, so I struck-out that information above.

1 Like

@vgaetera thanks a lot for these pointers. Now I have lots to read :grinning:

I will do so and if i have further questions come back to this thread. If not, I will mark it 'solved.'

Thanks a lot.

1 Like

I surmise you could also use Adblock for the commands and run a cron job to enable/disable the lists...but displaying the violation to the SRC host is difficult no matter what option you use.

1 Like

Yes, this will be correct. And would such a website be within Openwrt, such as a webpage within the router that I can configure with the message I want displayed on Layer 7 devices.

I tried, but can't seem to figure out how to do so and multiple separate quotes is not good either. How can I do it with single quote?

Just to make things clear, these are the specific questions.

No. You would have to create some API (if I'm not mixing terms here - no :coffee: yet) for the client to receive those. You're mixing what's called layers of abstraction. Hence your term "Layer 7 devices" phrasing missed the point and shows partial understanding. Your clients are Layers 1-7; but they talk to your router on Layer 3 though. :wink:

Your router passes IP packets (Layer 3) received from clients to WAN, it doesn't:

  • process HTTP (Layer 7)
  • HTTPS (Layer 7)
  • nor render web pages to see if it's a search page - so it knows the client is sending a particular term, nor send display messaged to computer screens (Layer 7), etc. (I added the specific example here in case a search site(s) was a part of this inquiry)

It does:

  • In most cases process the DNS request (Layer 7)
  • Block traffic by firewall (Layers 2, 3 and/or 4 - usually Layer 3)


  • You have to configure the router to block and notify itself (easy)
    • This level of ease would depend on if you use firewall (easy because you can log it) - or a domain block list (not sure where the warning is logged, if at all)
  • Put that notification into something that can be transmitted to the client
  • Have software on the client that received the message

To my knowledge, the latter two software do not exist - you'd have to script this. I supposed old Windows messaging protocol and clients could work to send/receive the message...but this is rarely used these days and I'm not aware of a OpenWrt software package to transmit.

:confused: Just don't type inside the quotebox you pasted. Simple.

Per your DM and other responses, this already became clear. And TBH, you could have simply edited your first or subsequent post (mainly to correct them). Now your quote in Post No. 10 references a post and phantom text that does not contain what you wrote.

Disability-compliant readers will have a hard time, but I can read and follow.

The best way to handle decisions about websites is to make them in a piece of software that processes application layer stuff (layer 7). For the web, this is a web proxy. The best bet is to use squid. Because of https it can only make decisions on domain names not web content, but it's sufficient. The user will get a message that the proxy is refusing connections if they try to open a website that is blocked... To do this you must explicitly set proxy on all clients, and block routing of port 80 and 443 for http and https. At that point going through the proxy is the only option


Could the OP make a transparent proxy and have iptables send the packets there?

(The OP should understand though, any traffic that uses 80/tcp and 443/tcp that is not actually HTTP and HTTPS respectively, will fail using this method.)

Transparent proxies don't work with https without a man in the middle attack which is way harder than just setting explicit proxies, so no. Just set the proxy explicitly and voila


Very true, forgot that part.