Time and button controlled content filtering

As a result of COVID-19 I have a remote-learning kid at home. To avoid distraction during school time I devised time- and button-controlled content filtering. It filters out .youtube., .netflix., .hbogo., *.musical.ly, *.roblox.com and the like. However, since YouTube, for example, might also be needed during a lesson, the requirement is for an easy way to disable filtering without the need to log in to the router. The WPS button acts as an on-off switch for the time-activated additional content filtering list.

Assumptions:

  1. There are two instances of dnscrypt2 in the LAN (in my case on two separate R7800)
  2. WPS feature is not being used
  3. IPv6 is disabled (otherwise it also needs to be taken care of)

Instead of the previously used family filter based on firewall rules:

iptables -t nat -I PREROUTING -i br-lan -m mac --mac-source BB:BB:BB:BB:BB:BB -p udp --dport 53 -j DNAT --to 208.67.222.123
iptables -t nat -I PREROUTING -i br-lan -m mac --mac-source BB:BB:BB:BB:BB:BB -p tcp --dport 53 -j DNAT --to 208.67.222.123

I have configured a DHCP option based on a tag in /etc/config/dhcp on the router 192.168.1.1:

config host
	option name 'murphPC'
	option dns '1'
	option ip '192.168.1.50'
	option tag 'murph'
	option mac 'BB:BB:BB:BB:BB:BB'
config host
	option name 'murphPhone'
	option dns '1'
	option ip '192.168.1.51'
	option tag 'murph'
	option mac 'AA:AA:AA:AA:AA:AA'
config tag 'murph'
	option dhcp_option '6,192.168.1.2'

And on the access point 192.168.1.2 I have enabled dnsmasq and configured it via the file /etc/config/dhcp:

config dnsmasq
	option localise_queries '1'
	option expandhosts '1'
	option cachesize '1000'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option noresolv '1'
	option allservers '1'
	option logfacility '/tmp/log/dnsmasq.log'
	option quietdhcp '1'
	list server '/pool.ntp.org/1.1.1.1'
	list server '/downloads.openwrt.org/1.1.1.1'
	list server '/winhelp2002.mvps.org/1.1.1.1'
	list server '/smtp-mail.outlook.com/1.1.1.1'
	list server '/lan/192.168.1.1'
	list server '127.0.0.53#53'
	option nohosts '1'
	option rebind_protection '0'

and configured and enabled /etc/dnscrypt-proxy2/dnscrypt-proxy.toml (only the lines changed from the default are shown). The file blacklist.txt must exist.

server_names = ['adguard-dns-family', 'cisco-familyshield', 'cleanbrowsing-family', 'cloudflare-family']
block_unqualified = false
block_undelegated = false
blacklist_file = 'blacklist.txt'

Finally /etc/crontabs/root:

30 23 * * 0-4 cat /etc/dnscrypt-proxy2/optional-blacklist.txt /etc/dnscrypt-proxy2/murph.txt > /etc/dnscrypt-proxy2/blacklist.txt && /etc/init.d/dnscrypt-proxy restart && echo 1 > /sys/class/leds/r7800\:white\:wps/brightness
0 14 * * 1-5 cat /etc/dnscrypt-proxy2/optional-blacklist.txt > /etc/dnscrypt-proxy2/blacklist.txt && /etc/init.d/dnscrypt-proxy restart && echo 0 > /sys/class/leds/r7800\:white\:wps/brightness
59 23 * * 5-6 cat /etc/dnscrypt-proxy2/optional-blacklist.txt /etc/dnscrypt-proxy2/murph.txt > /etc/dnscrypt-proxy2/blacklist.txt && /etc/init.d/dnscrypt-proxy restart && echo 1 > /sys/class/leds/r7800\:white\:wps/brightness
0 7 * * 0,6 cat /etc/dnscrypt-proxy2/optional-blacklist.txt > /etc/dnscrypt-proxy2/blacklist.txt && /etc/init.d/dnscrypt-proxy restart && echo 0 > /sys/class/leds/r7800\:white\:wps/brightness

and replacement of the original /etc/rc.button/wps file:

#!/bin/sh

# Toggle the extra murph.txt block list when the WPS button is pressed.
# The WPS LED doubles as the state indicator (lit = extra filtering active).
if [ "$ACTION" = "pressed" -a "$BUTTON" = "wps" ]; then
        wps_led=$(cat /sys/class/leds/r7800\:white\:wps/brightness)
        if [ "$wps_led" -gt "0" ]; then
                # LED lit: drop murph.txt from the active list and turn the LED off
                cat /etc/dnscrypt-proxy2/optional-blacklist.txt > /etc/dnscrypt-proxy2/blacklist.txt && /etc/init.d/dnscrypt-proxy restart && echo 0 > /sys/class/leds/r7800\:white\:wps/brightness && logger "WPS button: murph.txt - disable"
        else
                # LED dark: append murph.txt to the active list and turn the LED on
                cat /etc/dnscrypt-proxy2/optional-blacklist.txt /etc/dnscrypt-proxy2/murph.txt > /etc/dnscrypt-proxy2/blacklist.txt && /etc/init.d/dnscrypt-proxy restart && echo 1 > /sys/class/leds/r7800\:white\:wps/brightness && logger "WPS button: murph.txt - enable"
        fi
fi

return 0
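An added example, not part of the original post: the cron entries and the button handler repeat the same cat/restart/LED chain, and `cat a b > blacklist.txt` truncates the live list before it knows whether both inputs are readable, so a missing murph.txt quietly leaves only the optional list in place. This sketch puts the logic in one helper (the name murph-filter and the FILTER_* overrides are assumptions, the latter added so it can be tried off the router) that builds the list in a temporary file, renames it into place, and changes the LED only after the restart succeeds.

```shell
#!/bin/sh
# Added example (hypothetical helper "murph-filter"); defaults are the paths from the post.
# FILTER_DIR / FILTER_LED / FILTER_RESTART are assumed overrides for offline testing.
DIR="${FILTER_DIR:-/etc/dnscrypt-proxy2}"
LED="${FILTER_LED:-/sys/class/leds/r7800:white:wps/brightness}"
RESTART="${FILTER_RESTART:-/etc/init.d/dnscrypt-proxy restart}"

# Print "on" when the LED brightness is above 0, otherwise "off".
filter_state() {
    [ "$(cat "$LED" 2>/dev/null || echo 0)" -gt 0 ] && echo on || echo off
}

# filter_set on|off: rebuild blacklist.txt, restart the proxy, then update the LED.
filter_set() {
    case "$1" in
        on)  srcs="$DIR/optional-blacklist.txt $DIR/murph.txt"; led=1 ;;
        off) srcs="$DIR/optional-blacklist.txt"; led=0 ;;
        *)   echo "usage: filter_set on|off" >&2; return 2 ;;
    esac
    # Refuse to touch the live list if any source list is missing.
    for f in $srcs; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    # Build beside the target and rename, so the proxy never reads a partial file.
    tmp="$DIR/blacklist.txt.$$"
    cat $srcs > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$DIR/blacklist.txt" || return 1
    # The LED is the state flag: change it only once the proxy has restarted.
    $RESTART || return 1
    echo "$led" > "$LED"
    logger -t murph-filter "murph.txt filter $1" 2>/dev/null || true
}

# Flip the current state (what the WPS button handler would call).
filter_toggle() {
    if [ "$(filter_state)" = on ]; then filter_set off; else filter_set on; fi
}

# Command-line entry: "murph-filter on|off|toggle"; no argument does nothing.
case "${1:-}" in
    on|off) filter_set "$1" ;;
    toggle) filter_toggle ;;
esac
```

With this in place each cron line reduces to a call with `on` or `off`, and the rc.button handler to a call with `toggle`.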

This is really neat. I'm looking for a way to block content on a schedule - blocking YouTube during the daytime and enabling it in the evening for productivity. The transient unblocking idea with the WPS button is slick.