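Install the packages and configure IP sets for the domains to block. Set up firewall rules to filter LAN client traffic whose destination matches the IP sets. Configure the domains whose addresses should be stored in the IP sets. dnsmasq adds an address to a set only when it answers a lookup for a listed domain, so the filter covers only clients that resolve names through the router.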
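# Block LAN access to selected domains: dnsmasq-full records the addresses it
# resolves for the listed domains in IP sets, and firewall rules reject
# forwarded lan -> wan traffic whose destination is in those sets.
#
# NOTE(review): these commands use the ipset/iptables tooling (the checks on
# this page rely on iptables-save, ip6tables-save and "ipset list"). Confirm the
# release in use still provides it; an nftables-based firewall (fw4) uses a
# different set mechanism.

# Install packages
opkg update
opkg install ipset
# dnsmasq-full replaces the stock dnsmasq package. Fetch it while the stock
# resolver is still installed and remove dnsmasq only if the download worked,
# so a failed download does not leave the router without DNS/DHCP.
( cd /tmp && opkg download dnsmasq-full ) \
  && opkg remove dnsmasq \
  && opkg install dnsmasq-full --cache /tmp
rm -f /tmp/dnsmasq-full*.ipk

# Configure IP sets (one per address family; entries are single host addresses)
uci -q delete firewall.block
uci set firewall.block="ipset"
uci set firewall.block.name="block"
uci set firewall.block.family="ipv4"
uci set firewall.block.storage="hash"
uci set firewall.block.match="ip"
uci -q delete firewall.block6
uci set firewall.block6="ipset"
uci set firewall.block6.name="block6"
uci set firewall.block6.family="ipv6"
uci set firewall.block6.storage="hash"
uci set firewall.block6.match="ip"

# Block LAN client traffic with IP sets
# Only traffic forwarded from lan to wan is matched; "dest" makes the rule
# compare the packet's destination address with the set. proto="all" rejects
# every protocol to a listed address, not only web traffic.
uci -q delete firewall.block_fwd
uci set firewall.block_fwd="rule"
uci set firewall.block_fwd.name="Block-IPset-DNS"
uci set firewall.block_fwd.src="lan"
uci set firewall.block_fwd.dest="wan"
uci set firewall.block_fwd.family="ipv4"
uci set firewall.block_fwd.proto="all"
uci set firewall.block_fwd.ipset="block dest"
uci set firewall.block_fwd.target="REJECT"
uci -q delete firewall.block6_fwd
uci set firewall.block6_fwd="rule"
uci set firewall.block6_fwd.name="Block-IPset-DNS"
uci set firewall.block6_fwd.src="lan"
uci set firewall.block6_fwd.dest="wan"
uci set firewall.block6_fwd.family="ipv6"
uci set firewall.block6_fwd.proto="all"
uci set firewall.block6_fwd.ipset="block6 dest"
uci set firewall.block6_fwd.target="REJECT"
uci commit firewall
/etc/init.d/firewall restart

# Configure domains to block
# Each entry is "/<domain>/<set>[,<set>]"; dnsmasq matches the domain and its
# subdomains and adds every address it returns for them to the named sets.
# Limits to keep in mind:
#  - An address enters a set only when dnsmasq answers a lookup for the domain.
#    Clients that resolve names elsewhere (another resolver, DNS over HTTPS or
#    TLS) are not covered; pair this with rules that keep LAN DNS on the router.
#  - Filtering is per address, so unrelated sites hosted on the same address as
#    a listed domain are rejected as well.
# The section index [0] names the first dnsmasq section explicitly.
uci -q delete dhcp.@dnsmasq[0].ipset
uci add_list dhcp.@dnsmasq[0].ipset="/example.com/block,block6"
uci add_list dhcp.@dnsmasq[0].ipset="/example.net/block,block6"
uci commit dhcp
/etc/init.d/dnsmasq restart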
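Flush the DNS cache on the clients and restart the client browsers, so that the blocked names are resolved again through the router and their addresses are added to the IP sets. Then verify on the router that the client traffic is filtered as expected.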
Collect and analyze the following information.
# Troubleshooting data for the IP-set based filter.
# The output includes the full DHCP/DNS and firewall configuration and the
# current set members; review it before sharing it outside your own network.

# Restart the services
for svc in log firewall dnsmasq; do
  "/etc/init.d/${svc}" restart
done

# Log and status
logread -e dnsmasq
netstat -lnp | grep dnsmasq

# Runtime configuration
# "ipset list" shows which addresses dnsmasq has added so far; a set stays
# empty until a listed domain has been looked up through the router.
pgrep -f -a dnsmasq
iptables-save
ip6tables-save
ipset list

# Persistent configuration
uci show dhcp
uci show firewall