Selective Parental Control in my build of firmware

Great job!!!:D
Saw you use 2 R7800 routers - what a luxury!
I'll have your job in mind for future additions, thank you! :)
PS
Maybe you could make a simplified description for us with only one router?
I have created an additional family filter solution for OpenWrt to limit access to particular services during school hours. Maybe someone will be interested in transposing it for Voxel's build. @Voxel and @kamoj, feel free to integrate it into the build or an add-on if that would make sense.
 
Is it possible to run two instances of dnscrypt2 with Voxel's build? If so, I can try to mimic my solution with just one R7800.
Used R7800s have pretty decent prices recently, so I decided it's time to improve WiFi coverage, or to have something to play with if I fancy, without disrupting others' access to the Internet.
 
I would guess it's possible, but I have never tried. You give the .toml file as an argument when starting it... @Voxel can guide if it's possible. :D
You are doing a smart setup, especially if you can find an R7800 at a reduced price!!! :cool:
 
My man, I can't bring anything constructive to this post, but I can say, like a child, I want it! This function would really add value to the router and daily life and solve one of the biggest gaps in the Netgear firmware. I will have to wait patiently and hope you geniuses can implement it in an easy way though. All the code made my brain spin around and overload, so my flight behavior got triggered :)

It's so fascinating being in this forum every day; the minds in here create something new that really adds a lot of value.
 
Should be possible, as long as you run both instances on a different port, and have them each use different locations for things like pid-file and log-file.

As I understand it, a computer connects via port 53 to dnsmasq on the router and then dnsmasq proxies the request via dnscrypt2 to some dns-servers on the internet.

So we'd also need to run 2 instances of dnsmasq (also with different file locations), perhaps one on 53 (using the first instance of dnscrypt2) and one on 5353 (using the second instance of dnscrypt2).

And then we must use some iptables rules to redirect all traffic for port 53 to port 5353 on the router, for computers that we want to force to the 2nd dnscrypt2 instance.
 
Right, except the last bit. Should be easier and cleaner with DHCP option 6.
 
With option 6, you can only specify a different DNS server IP, not a different DNS port.
So this will only work if you give the router a 2nd IP and have one dnsmasq listening on the 1st IP and the 2nd dnsmasq listening on the 2nd IP. Possible, but might be more complex.

Also, kids can easily figure out to use a manual DNS server (like 8.8.8.8) and then they simply bypass the parental controls.
Also, some Google stuff might use hardcoded DNS IPs, so those can only be tackled by redirecting DNS traffic at the firewall level.
 
Good points, however the iptables thing is not so straightforward either. Remember that by default both the server and the clients are on the same LAN segment.
 
iptables is not my area of expertise, but afaik even traffic from, for instance, a client on 192.168.1.100 to the server on 192.168.1.1 should pass through the PREROUTING chain of the nat table.
So it should be possible to change the destination port before it gets routed to the server.

So something like this should work to redirect all DNS requests coming from a device with MAC address BB:BB:BB:BB:BB:BB to the dnsmasq on 5353.
Code:
iptables -t nat -I PREROUTING -i br0 -m mac --mac-source BB:BB:BB:BB:BB:BB -p udp --dport 53 -j DNAT --to 192.168.1.1:5353
iptables -t nat -I PREROUTING -i br0 -m mac --mac-source BB:BB:BB:BB:BB:BB -p tcp --dport 53 -j DNAT --to 192.168.1.1:5353
 
Did some tests:
First observation, using port 5353 is not such a good idea.
I launched a 2nd dnsmasq on port 5353, with logging enabled. And to my surprise, in the logfile I saw tons of requests being handled.
It seems that 5353 is for multicast DNS, which apparently is being used by a lot of devices.

So I changed the 2nd dnsmasq to use port 5300.
This time, the log file stayed empty.
Then I used dig on my NAS, to do some lookups -> I can see them being handled by my regular dnsmasq (actually pihole-FTL, but that is irrelevant for this test.)

Then I added these 2 rules to iptables:
(where 00:1f:33:aa:bb:cc is the mac-address of my NAS)
Code:
iptables -t nat -I PREROUTING -i br0 -m mac --mac-source 00:1f:33:aa:bb:cc -p udp --dport 53 -j REDIRECT --to-port 5300
iptables -t nat -I PREROUTING -i br0 -m mac --mac-source 00:1f:33:aa:bb:cc -p tcp --dport 53 -j REDIRECT --to-port 5300

Again did some dns lookups -> they now are visible in the log-file of the 2nd dnsmasq

I also tried forcing my nas to use 8.8.8.8 (dig @8.8.8.8 some.request.nl) -> also this request is visible in the log-file of the 2nd dnsmasq.
So it cannot be bypassed...
(Well maybe if some application or browser uses DNS-over-HTTP.
Defining the canary use-application-dns.net should prevent browsers from automatically using DoH.
But I'm not sure what happens if someone manually enables DoH.)

Last remark: I switched the iptables commands to use REDIRECT instead of DNAT. This makes the commands a little simpler, as they don't need the IP address of the router.

And an idea to make it more manageable without needing to write a GUI:
If you add the devices you want to restrict to DHCP with some special prefix, then you could add some scripting to /opt/scripts/firewall-start.sh to parse the nvram reservation# entries to find the MAC addresses to be added to iptables.
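As an added example (not from the thread, Voxel's firmware or the blocklist script), a POSIX shell sketch of that last idea: pick the DHCP reservations whose hostname carries a marker prefix and turn each one into the per-MAC REDIRECT rules tested above. The "IP MAC hostname" layout of the nvram reservation values, the `kid-` prefix and the sample entries are assumptions; the script only prints the rules unless RUN=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread or Voxel's firmware: turn DHCP
# reservations whose hostname carries a marker prefix into the per-MAC
# REDIRECT rules tested above. Assumed: nvram "reservationN" values are
# "IP MAC hostname" (check `nvram show | grep '^reservation'` first) and
# the marker prefix is "kid-".
PREFIX="kid-"
DNS_PORT=5300   # the second dnsmasq; 5353 is taken by multicast DNS
LAN_IF="br0"

# Constructed stand-in for the output of `nvram show`; not real data.
SAMPLE_RESERVATIONS='reservation1=192.168.1.10 00:1f:33:aa:bb:cc kid-tablet
reservation2=192.168.1.11 00:1f:33:aa:bb:dd nas
reservation3=192.168.1.12 00:1f:33:aa:bb:ee kid-laptop
reservation4=192.168.1.13 not-a-mac kid-broken'

# Print the MAC of every reservation whose hostname starts with $PREFIX.
# Entries whose MAC is not six hex pairs are reported and skipped, so a
# malformed nvram value can never end up inside an iptables command.
restricted_macs() {
  printf '%s\n' "$1" | while IFS=' =' read -r _key _ip mac host; do
    case "$host" in
      "$PREFIX"*)
        if printf '%s' "$mac" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
          printf '%s\n' "$mac"
        else
          echo "skipping $host: bad MAC '$mac'" >&2
        fi ;;
    esac
  done
}

# Emit one UDP and one TCP rule per restricted MAC (-I PREROUTING so they
# sit ahead of existing NAT rules). Set RUN=1 to execute instead of print.
dns_redirect_rules() {
  restricted_macs "$1" | while read -r mac; do
    for proto in udp tcp; do
      rule="iptables -t nat -I PREROUTING -i $LAN_IF -m mac --mac-source $mac -p $proto --dport 53 -j REDIRECT --to-port $DNS_PORT"
      if [ "${RUN:-0}" = 1 ]; then $rule; else printf '%s\n' "$rule"; fi
    done
  done
}

dns_redirect_rules "$SAMPLE_RESERVATIONS"
```

On the router the constructed list would be replaced by the real nvram output, and the call would sit in firewall-start.sh so the rules are recreated whenever the firewall restarts.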
 
For info, if you are using my firewall-blocklist script, this is not a problem; just make sure to insert your code before this line in the firewall-start.sh file (so that it stays the last line):
Code:
[ -x /opt/bolemo/scripts/firewall-blocklist ] && /opt/bolemo/scripts/firewall-blocklist _fws

Also, if you edit firewall-start.sh and then decide to use the blocklist script, it will keep your own settings in firewall-start.sh.
 
What about a port forward rule? Port 53, from MAC/IP redirect to desired DNS IP port 53. Well, that is what I do with my router (not an Orbi - my Orbi is in AP mode). Not sure if the Orbi port forward rules could do that.
 
If you'd use a port forward rule, then you'd redirect ALL traffic to port 53 on the router to a different IP and/or port.
The goal here was to selectively only redirect some devices to a DNS-server with parental controls, while keeping others on the default DNS-server.

Also, if I look at iptables, then port forwarding rules only affect traffic that goes from the internal network to the public IP-address of the router.
 