I followed the instructions in the wiki to restrict access to certain websites and it doesn't work for me either. Currently using firmware 41375 on a WRT3200ACM. It has never worked on any firmware that I've used. Either we're doing something wrong or this is broken and nobody cares.
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Sun Oct 27, 2019 22:07 Post subject:
I think everyone gave up on it and just adds iptables commands to the GUI>Administration>Commands page. See https://forum.dd-wrt.com/wiki/index.php/Iptables_command#Deny_access_to_a_specific_Outbound_IP_address_with_logging. Change "logdrop" to "DROP" if you don't want each blocked packet to cause a log entry, and note that if you do want the logging, you'll need to enable both Syslogd and Klogd in the System Log section of GUI>Services>Services. You may need to enable firewall logging at the bottom of the GUI>Security>Firewall page as well. I can't really remember re the latter. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
That didn't help. I created an outgoing rule to block the IP that was returned from dig but it doesn't block it. I know I properly created the rule because I did the same thing for another site and that block worked. I even tried setting up a ufw rule on the box I want an outgoing block but that doesn't stop the connection either. Traceroute on that IP couldn't get past the ninth hop so something is not right.
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Mon Oct 28, 2019 14:34 Post subject:
[Edited to correct a serious error in the second paragraph!]
You can block a single site at the DNS level using commands in dnsmasq's Additional Config. I've never actually used this approach, but I believe the command to block, say, hotmail.com would be address=/hotmail.com/0.0.0.0 and you can use as many such commands as you like.
A second approach would be to put addn-hosts=/tmp/badhosts in dnsmasq's Additional Config (there's nothing special about the name badhosts except that it's not already in use) and then add a section in GUI>Administration>Commands, in the Startup Commands there, that looks like this:
to block foo.bar.com and bat.com, where of course you can add as many lines as you like. The only advantage of this over the first method is that it puts your list in the Startup Commands where, if you are like me and have various customizations there, you can see things mostly in one place. Also, having the names in a file, here /tmp/badhosts, for quick reference in the CLI is nice.
Or, if you want to go further and block many thousands of ad sites and trackers as well, you can use the adblocker I have posted at the first link in my sig below. It goes in GUI>Administration>Startup, and you can use its blacklist to add specific additional sites to block. All it does is use the second method above on a large scale, drawing on three online lists of known trackers and ad sites.
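The second (addn-hosts) approach from the post above, written out as an added example that is not the poster's own script: it builds /tmp/badhosts in the "IP hostname" format dnsmasq expects, sinkholing each name to 0.0.0.0, and rejects malformed entries instead of writing them. The domain list (beyond foo.bar.com and bat.com from the post) and the file path default are constructed for illustration; on the router, dnsmasq still needs addn-hosts=/tmp/badhosts in its Additional Config.

```shell
#!/bin/sh
# Added example (not the forum poster's script): generate a dnsmasq addn-hosts
# file that maps each listed hostname to 0.0.0.0, so clients that resolve the
# name through the router get an unroutable answer instead of the real address.
# Assumed/constructed: the BLOCKLIST contents below and the /tmp/badhosts path.

BADHOSTS="${BADHOSTS:-/tmp/badhosts}"

# Constructed block list: one name per line; blank lines and '#' comments allowed.
# The last entry is deliberately malformed to show that it gets skipped.
BLOCKLIST='foo.bar.com
bat.com
# tracker.example is a constructed placeholder name
tracker.example
http://not-a-hostname'

# write_badhosts FILE: write "0.0.0.0 <name>" for every valid name in BLOCKLIST.
# Only letters, digits, dots and hyphens are accepted, so a pasted URL or a
# line with spaces cannot produce an entry that dnsmasq would silently ignore.
write_badhosts() {
    out="$1"
    : > "$out"
    printf '%s\n' "$BLOCKLIST" | while IFS= read -r name; do
        case "$name" in
            ''|\#*) continue ;;
            *[!A-Za-z0-9.-]*)
                echo "skipping invalid entry: $name" >&2
                continue ;;
        esac
        printf '0.0.0.0 %s\n' "$name" >> "$out"
    done
}

# count_blocked FILE: number of sinkholed names in FILE (quick CLI sanity check).
count_blocked() {
    grep -c '^0\.0\.0\.0 ' "$1"
}

# is_blocked FILE NAME: exit 0 if NAME has a sinkhole entry in FILE.
is_blocked() {
    grep -qxF "0.0.0.0 $2" "$1"
}

# On the router this runs from Startup Commands; dnsmasq reads the file via
# addn-hosts=/tmp/badhosts in its Additional Config (restart dnsmasq to reload).
write_badhosts "$BADHOSTS"
```

Check the result on the router with `count_blocked /tmp/badhosts` and `nslookup bat.com 127.0.0.1`, which should return 0.0.0.0 once dnsmasq has reloaded.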