Perhaps you could use your expertise in examining the code to come up with a patch that would solve this?
AsX wrote:
Figured it out. On the Access Restriction page, Status also has to be set to Enabled (DUH!). Then dnsmasq_ms_telemetry in nvram is set to 1 and the filters are engaged.
Internally in firewall.c, the function lan2wan_chains checks "STAT" in the filter rules and, if it is not zero, in the end calls advgrp_chain, which processes the filters. If Status is not enabled on the web page, "STAT" is zero and everything is bypassed.
Ideally, disabling Status on the Web should hide or grey out all other options as they are not used. Right now it's a bit misleading.
_________________ "The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Tue May 23, 2023 20:28 Post subject:
AsX wrote:
Figured it out. On the Access Restriction page, Status also has to be set to Enabled (DUH!). Then dnsmasq_ms_telemetry in nvram is set to 1 and the filters are engaged.
Internally in firewall.c, the function lan2wan_chains checks "STAT" in the filter rules and, if it is not zero, in the end calls advgrp_chain, which processes the filters. If Status is not enabled on the web page, "STAT" is zero and everything is bypassed.
Ideally, disabling Status on the Web should hide or grey out all other options as they are not used. Right now it's a bit misleading.
The thing is... I already know that... I even gave a name to this policy, and this is the way restriction policies work, as the whole page is about a certain policy (1-20). But even if you enable it (I always do) and select Facebook, YouTube, eBay, Amazon and Hotmail,
I can still access those. Tried with or without VPN, or even with no SmartDNS and dnsmasq only; tons of saves (apply) and reboots, still the same on my R7000. No idea why..??
_________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
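A small diagnostic that applies the gate AsX describes above (only a policy whose STAT field is non-zero reaches advgrp_chain) and that checks an iptables -vnL listing for the expected chains. This is an added example, not DD-WRT's firewall.c or anything posted in this thread; it assumes each policy is stored in nvram as filter_ruleN in the "$KEY:value$...$$" layout and that lan2wan / advgrp_1 are the chain names to look for.

```shell
#!/bin/sh
# Added diagnostic for DD-WRT Access Restriction policies (not DD-WRT code).
# ASSUMPTION: each policy lives in nvram as filter_ruleN in the
# "$KEY:value$...$$" form, e.g. "$STAT:1$NAME:BlockNdpi$DENY:1$$".
# Chain names lan2wan / advgrp_1 below are also assumed, not from the thread.

# Constructed samples so the script also runs off-router.
SAMPLE_RULE='$STAT:1$NAME:BlockNdpi$DENY:1$$'
IPT_FULL='Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain lan2wan (1 references)
Chain advgrp_1 (1 references)'
IPT_BARE='Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)'

# Print the value of one $KEY: field from a rule string (empty if absent).
rule_field() {
    pat="\$$2:"                       # e.g. "$STAT:"
    rest=${1#*"$pat"}                  # drop everything up to the key
    [ "$rest" = "$1" ] && rest=""      # key not present at all
    val=${rest%%\$*}                   # value ends at the next '$'
    printf '%s\n' "$val"
}

# The gate the thread describes: only a non-zero STAT reaches advgrp_chain.
policy_engaged() {
    stat=$(rule_field "$1" STAT)
    [ -n "$stat" ] && [ "$stat" != 0 ]
}

# Succeeds if an "iptables -vnL" listing contains a chain named $2.
has_chain() {
    printf '%s\n' "$1" | grep -q "^Chain $2 "
}

# One-line verdict for policy slot $1 holding rule string $2.
describe_rule() {
    if [ -z "$2" ]; then printf 'filter_rule%s: empty\n' "$1"; return 0; fi
    if policy_engaged "$2"; then verdict="engaged (advgrp chain will be built)"
    else verdict="SKIPPED: Status disabled, every other option is ignored"; fi
    printf 'filter_rule%s (%s): %s\n' "$1" "$(rule_field "$2" NAME)" "$verdict"
}

# On the router: check the global switch, all 20 policy slots and the chains.
if command -v nvram >/dev/null 2>&1; then
    printf 'dnsmasq_ms_telemetry=%s\n' "$(nvram get dnsmasq_ms_telemetry)"
    i=1
    while [ "$i" -le 20 ]; do
        describe_rule "$i" "$(nvram get "filter_rule$i")"; i=$((i + 1))
    done
    has_chain "$(iptables -vnL)" lan2wan || echo 'lan2wan chain missing'
else
    describe_rule 1 "$SAMPLE_RULE"
fi
```

On a router the loop reports which of the 20 slots will actually be built into the firewall, so a policy left at Status disabled shows up as SKIPPED before any packet counts are consulted.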
Posted: Fri Jun 09, 2023 9:34 Post subject:
More testing on the nDPI rules.
My testing system is an R7800 (52894) with Stubby for DoT and dnsmasq enabled (not disabled), and it has some other rules too. I do not use a VPN client on this system.
On the Access Restriction page I have:
Policy - enabled
Name - BlockNdpi
Source - Any
Clients - 1 MAC address, 2 IP ranges
Selected rules - quite a few risk rules, DPI and L7
If nDPI rules are enabled (R7800/52894), iptables -vnL shows strange output: only the INPUT, FORWARD and OUTPUT chains, nothing else. Before, there were a few other lines in this output where you can see some other stuff: grp, lan2lan, etc.
So my question is...
- How do I make those rules work?
- Do I have to use plain DNS and dnsmasq exclusively? (I've made those rules work only once, on my R7000 running previous builds, but I have no idea what I did; there were some filtered packets counted.)
- Do I have to click or add something else?
- Are those rules supposed to work with a VPN client on the router side too?
- Is there any other particular way to add and set up the rules? I clicked lots of save & apply/reboots so far (tried via nvram values too).
If I add some extra DPI (YouTube, Facebook, Instagram, etc.) or L7 rules, I can still access those from the selected clients that are on the block list, and filtered packets stays at 0.
I can even perform some of the risk-rule attacks (I'm not going to explain how) and still don't see any filtered packets on the page.
I'll leave the router with those rules enabled for a day to see if there will be any count on those filtered packets. So far no heavy load on the CPU.
Please forgive my poor knowledge on the subject; however, I'm eager to learn.
Posted: Sat Jun 10, 2023 11:04 Post subject:
OK, after a day of testing those nDPI rules, filtered packets are still at 0.
I restored my previous nvram backup file (with no nDPI rules policy) and now I can see the appropriate output of iptables -vnL.
If I enable nDPI, the iptables -vnL output shows only the INPUT, FORWARD and OUTPUT chains and nothing else.
I guess enabling the nDPI policy interferes with building the firewall and adding the correct rules,
or iptables -vnL just gets bugged and doesn't show the full output. Yes, I also have quite a few iptables rules in the saved firewall script.
My testing system is an R7800 (52894) with Stubby for DoT and dnsmasq enabled (not disabled), and it has some other rules too. I do not use a VPN client on this system.
Alozaros, this was an excellent analysis, thank you for posting
Posted: Sun Jun 11, 2023 11:34 Post subject:
gilius wrote:
Alozaros wrote:
More testing on the nDPI rules.
My testing system is an R7800 (52894) with Stubby for DoT and dnsmasq enabled (not disabled), and it has some other rules too. I do not use a VPN client on this system.
Alozaros, this was an excellent analysis, thank you for posting