Asus BQ16 - Firewall url filter not working?

[rexet]

Hello,

I have just received my pair of BQ16 (non Pro since I'm in Europe).
Everything seems to work pretty well so far except the ULR Filter from the Firewall. Whatever ULR filters I register in the "Deny List", I can still access them.
It was working great with my previous Asus routers (AXE16000, ET12, etc).

Are you experiencing the same issue?

Thanks

 

[eibgrad]

The problem here is that URL filtering is antiquated and no longer very effective.

When this feature was introduced many years ago, http (the insecure, UNencrypted version of the web protocol) was the one and only option. URL filtering would examine the URL in its entirety, both the domain name and URI (the trailing part after the domain name) and block access based on a simple string search and comparison. About as simple as it gets.

However, we now use https (the secure, encrypted version of the web protocol) for almost everything. Even if you specify http in the address bar, Chrome and most other browsers will automatically convert it to https.

What this means is that the ability for the router to block access these days based on the URL is severely limited due to the predominance of encryption.

Not to be completely undone, the firmware developers responded by using the search term(s) to block DNS (i.e., search and compare based on the domain name alone). If a match is found, the query to the DNS service itself is blocked (i.e., DROPped in firewall terms). So despite the fact it's still called URL filtering, it's actually more accurate to call it DNS filtering nowadays.

admin@lab-merlin1:/tmp/etc# iptables -vnL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination       
…
    0     0 DROP       udp  --  br0    *       0.0.0.0/0            192.168.1.1          udp dpt:53 STRING match  "google" ALGO name bm TO 65535 ICASE
…

In the above firewall snippet, I told URL filtering to block "google". Notice it is intercepting protocol UDP on port 53 on the INPUT chain (which is DNSMasq, the router's default DNS server/proxy) and DROPping the packet on a string match. This is *before* it even gets to the DNS server!

If you attempt to bypass DNSMasq and access a public DNS server on port 53, it does basically the same thing, but using the FORWARD chain.

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination       
…
    0     0 DROP       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 STRING match  "google" ALGO name bm TO 65535 ICASE
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           WEBSTR match url google  reject-with tcp-reset
…

At the time, it seemed like a good (if imperfect) alternative. However, we now have DNS being encrypted as well w/ things like DoH, DoT, etc. So now URL filtering based on DNS has been effectively neutered as well.

Of course, the use of personal VPN solutions completely undermines URL filtering too.

Despite all this, could it still work for some ppl? Yes, but the devil is in the details, such as whether you're now using a secure form of DNS when previously you weren't (more and more ppl are doing so as they upgrade). That's why I went into such detail about the implementation of URL filtering, or else it wouldn't make sense why it can sometimes seem so unreliable, if not outright broken.

Basically, URL filtering is antiquated and no longer effective in many cases. It remains in the GUI mostly for historical purposes. IMO, it should have been removed years ago since it's now just a needless source of frustration for users. It's permanently broken because the industry as a whole has moved towards greater security and privacy. The way things are going, I expect it to be totally useless in the not too distant future.

Frankly, if all that URL filtering is going to provide is DNS-based filtering (which is pretty much the case now), you'd be better off to move it to the DNS tools themselves where it is much more likely to be effective and reliable.

 

[rexet]

Thank you very much eibgrad for this complete educational answer.

If I do now understand why the URL Filtering is antiquated, I am not sure to understand what is the right way to execute what I'm trying to achieve.

I have an application that is trying to automatically update online everytime I launch it but the newest versions are not compatible with my system. I can't disable this automatic update feature. I'm just trying to block this application to connect over the internet by blacklisting the domain it reach to update (update.xxx.com).

With my previous routers, I was just adding the domaine update.xxx.com to the deny list and everything was working as intended until I upgraded to the BQ16.

I do believe there is a bug in the BQ16 router because the configuration of the deny list is exactly the same as with my previous Asus router.

I do understand that it was not the "best" way to block an app but it was working perfectly well.
It is ok because I just blocked the app using the Windows firewall that hosts the app but in the future, I would love to understand the right way to do such a thing on the router side using DNS tools like you mentionned.

Thanks

 

[ColinTaylor]

With my previous routers, I was just adding the domain update.xxx.com to the deny list and everything was working as intended until I upgraded to the BQ16.

Does update.xxx.com always resolve to the same IP address? If it does you could use Firewall - Network Services Filter to block that IP address.

 

[eibgrad]

As an alternative to the suggestion by @ColinTaylor, you could add the following to DNSMasq to deny name resolution to the device requesting update.xxx.com.

address=/update.xxx.com/0.0.0.0

You need to add it using a dnsmasq.conf.add file, as described in the following link.

Asus Merlin - OpenVPN Policy Rules to direct Roku to another gateway

Hi Guys, I have been using the RT-AC87U router on the latest merlin firmware and am trying to policy rules to redirect the Roku Express through another default gateway 10.27.43.20 (Synology NAS) which is setup as a VPN Server on OpenVPN. I have a particular device Roku Express which does not...

www.snbforums.com

Of course, you need to replace the DNSMasq directives in that link w/ the above address directive.

The difference between @ColinTaylor's method and mine is that the former blocks based on an explicit IP address (or addresses if there is more than one) in the FORWARD chain of the firewall, and remains unchanged until YOU decide to change it. IOW, it is NOT sensitive to a change in ip address(es) for the given domain name. My method solves that problem by denying access based on the domain name; it always resolves to 0.0.0.0, which is unrouteable. However, my method can be circumvented if the client chooses NOT to use the domain name but the explicit IP address(es), or just bypasses DNSMasq entirely.

So perhaps a combination of both methods might be the best strategy, w/ each correcting the shortcomings of the other.

 

[rexet]

Thank you all for the suggestions. I guess it is time for me to learn a bit more about all these things and you gave me a lot to start with!

 

[Stepalex]

@rexet I am thinking of replacing my XT12s with these, are you using them in a wireless backhaul mode? Can you do a more detailed review please?​

 

[rexet]

@Stepalex
Yes I'm using it with a wireless backhaul.

My previous setup was a pair of XT12 and few months after purchasing them I have replaced one of them with a AXE16000 to benefit from the Merlin firmware on the router side (mainly for more advanced VPN features). The main goal is to bring the maximum bandwidth to my desktop which is separated by 2 other rooms from the router. I also wanted a solid wifi system to all my devices in the house (around 30). Since this is a rental appartment, I can't put wires.

With this previous setup I was getting a 1700mbps backhaul speed.

I have now replaced the whole setup with a pair of BQ16. I also own a BE98 but right now I don't use it because I'm waiting for a stable Merlin/Gnuton firmware as well as a stable backhaul link between the BE98 and the BQ16. According to Dong Knows review, this is not the case right now, quoting:

"If you intend to mix the ZenWiFi BE16 Pro with other AiMesh Wi-Fi 7 hardware, such as the GT-BE98 Pro, to form the "ultimate" gaming mesh, it's not yet time. The combo will work if you use wired backhauling (recommended) with MLO turned off. If you intend to use MLO as the wireless link, it's best to wait until all the kinks are worked out before opting for a mixed hardware setup."

With this new pair of BQ16 I have now an amazing 5000mbps MLO backhaul link (compared to the previous 1700mbps from the ET12). For the record, my ISP delivers 8Gbps.
So far the system seems pretty stable even if this is too early to say.
I'm just having this minor issue with the url filter and I have experienced some issues with my Sonos Beam. For some reason, the Beam is struggling to deal with the Smart Connect feature from the Asus which is weird because it was working great with the ET12. To fix this, I have created a dedicated 2.4Ghz guess network only for the Sonos Beam and now everything works great.

 

[Stepalex]

Thank you for the above. I am basically waiting for Merlin or Gnuton to indicate that BQ16 will be supported, and will buy them immediately, as they do seem to be Asus' best offering at the moment.

 

[Stepalex]

@rexet Do you know for sure if BQ16 supports AFC already (BQ16 Pro does, whereas the flagship BE98 Pro still does not)?

 

[rexet]

Hmmm that is a good question. I assume that it does based on Dong Knows review of the BQ16 Pro but I can't say for sure that the B16 non Pro does it too. Is there an easy way to check it?