Posted: Mon Feb 20, 2017 11:33 Post subject: Adblock for DD-WRT (version 2)
Adblock for DD-WRT
--------------------------------
Script for blocking ads on DD-WRT
Developed and tested on: NETGEAR R8500 / R7800
Hardware requirements: Minimum 4GB USB drive.
Partitioned, formatted, and mounted as swap (256-512MB), /jffs (1-2GB), and /opt (1-2GB)
NOTE: DO NOT try to run this script on your internal jffs.
Software requirements: DD-WRT, cURL (via Entware if your firmware does not ship it)
Installation:
-------------
1.
Code:
cd /jffs/dnsmasq
2.
Code:
curl -o adblock.sh adblock.sh
or
Code:
wget -O adblock.sh adblock.sh
3.
Code:
chmod +x adblock.sh
4. Use the --update or -u command line option to update to the latest version.
Settings:
---------
1. Disable internal flash (JFFS2) if it's enabled.
2. Enable DNSMasq and local DNS for LAN and WAN. Add these lines under the additional options section.
3. Enter additional options for dnsmasq if required, for example:
Code:
domain-needed
bogus-priv
4. Under Administration -> Cron, enter this or choose your own schedule (this executes this script on Mondays and Thursdays at 0600 hours):
Code:
0 6 * * 1,4 root /jffs/dnsmasq/adblock.sh
5. Reboot
Usage:
------
1. Add your custom blacklist or whitelist domains to myblacklist and mywhitelist files respectively.
2. Do not save anything in the blacklist or whitelist files as they will be overwritten every time the script is executed.
--
Changelog:
20200201:
MAJOR UPGRADE. Now supports remote operations as well. If your router is not powerful enough to run this script, you can now install this on a Linux system/Raspberry Pi and use the --remote=(router ip address) option to upload generated lists via SSH. Note that this mode is interactive and you will be asked for your router's root password (not saved anywhere). To automate this, you can configure the router with SSH keys.
Automatic fallback to wget if curl is unavailable. Not recommended though as BusyBox wget is severely limited in functionality and scope.
This release also supports DEBUG output if you face any errors. Check command line options.
adbhostgen (old version) is still functional and will remain so for a while. No new features will be added to this, so I recommend that you upgrade and change "adbhostgen.sh" to "adblock.sh" on all the relevant config pages.
20180331:
POINT RELEASE with all the bugfixes and new features from the alpha releases below.
20180329a2:
No more "bad name at line n" errors.
20180328a2:
Changed default ad destination IP from 0.0.0.0 to 0.1.2.3
20180327a1:
New options:
-i <ip-address>
--ip=<ip-address>
where <ip-address> is an IPv4 address of your own personal ad hell.
20180326a1:
New options:
-f, blocks Facebook.com and services
-F, blocks Facebook, Instagram, and WhatsApp
20180324a6:
Significant changes and bugfixes. The script should behave better as a cron job now.
A new option -q or --quiet suppresses output to stdout/console, yet retains log entries.
Considering that many users are still on ancient DD-WRT versions with outdated and/or expired cURL certificates and exotic configurations that often don't play well with this script, it now uses insecure cURL downloads (-k) as the default mode of operation. For experienced users, the new --secure command line parameter restores secure TLS/SSL communication with servers. After thinking long and hard and working with users on solving their problems, offering sane defaults with switches to enable advanced functionality seems like a good tradeoff. For now.
rev28: script gracefully handles network downtime failures and DNS resolution issues. Automatically sorts whitelist and custom_hosts, and creates backup of the last hosts file.
together with dnsmasq as local DNS and DHCP. You can use any inet hosts file you like of course. Disadvantage of hosts is it needs to be hosts, not domains. As an extra I use the dnsmasq option field. I list the domains like:
1. The script merges 18 different hosts files into one for aggressive ad-blocking. This is obviously a custom solution since I use the same hosts file across different systems/networks.
2. Includes a whitelist/blacklist solution for custom needs.
3. Helps you start right away with minimum configuration. It's almost completely automated and portable.
4. Creates a backup of the last hosts file, just in case.
5. It's the best solution for my needs so far.
The script is actually quite straightforward and simple.
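The merging, whitelist/blacklist handling and "bad name" filtering described in the Usage section and in points 1-4 above, as an added POSIX sh example (not the adblock.sh script from this post): it builds a dnsmasq address= file from constructed sample lists and points blocked names at the 0.1.2.3 sink mentioned in the changelog. The sample file names, the validation regex and the choice of address= lines instead of an addn-hosts file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the adblock.sh from the post: merge hosts-format lists
# into one dnsmasq "address=" file, honour mywhitelist/myblacklist, reject any
# name dnsmasq would report as "bad name at line n", and sinkhole the rest.
# Every input file below is constructed sample data, not a real block list.

WORK="${TMPDIR:-/tmp}/adblock-example.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed "downloaded" lists: comments, tabs, CRLF, duplicates, junk names.
printf '0.0.0.0 ads.example.com\r\n127.0.0.1\ttracker.example.net # c\n' > "$WORK/list1"
printf '# header\n0.0.0.0 ads.example.com\n0.0.0.0 bad_name!.example\n' > "$WORK/list2"
printf '0.0.0.0 localhost\n0.0.0.0 cdn.example.org\n' >> "$WORK/list2"
printf 'cdn.example.org\n' > "$WORK/mywhitelist"     # never block these
printf 'extra.example.biz\n' > "$WORK/myblacklist"   # always block these

# build_addresses <sink-ip> <output-file> <hosts-list>...
# Writes "address=/name/<sink-ip>" lines and prints how many were written.
build_addresses() {
    sink="$1"; out="$2"; shift 2
    cat "$@" "$WORK/myblacklist" |
    tr -d '\r' |                                  # CRLF -> LF
    sed 's/#.*//' |                               # strip comments
    awk 'NF >= 2 { for (i = 2; i <= NF; i++) print tolower($i) }
         NF == 1 { print tolower($1) }' |         # hosts lines or bare domains
    grep -Ex '([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}' |  # valid FQDN only, so "localhost" and bad names are dropped
    grep -vxF -f "$WORK/mywhitelist" |            # whitelist wins over every list
    sort -u |                                     # dedupe across lists
    sed "s|.*|address=/&/$sink|" > "$out"
    wc -l < "$out" | tr -d ' '
}

count=$(build_addresses 0.1.2.3 "$WORK/hosts.conf" "$WORK/list1" "$WORK/list2")
echo "wrote $count sinkhole entries to $WORK/hosts.conf"
cat "$WORK/hosts.conf"
# Optional: let dnsmasq itself syntax-check the file before it goes live.
if command -v dnsmasq >/dev/null 2>&1; then dnsmasq --test -C "$WORK/hosts.conf"; fi
```

On the router the generated file would be pulled in through dnsmasq's conf-file or conf-dir option and dnsmasq restarted; a syntactically bad entry would otherwise stop dnsmasq from starting at all.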
rev31: Renamed "createmphosts.sh" to "adbhostgen.sh", added silent option to the #01 list, as suggested by fatalhalt, updated the original post with fresh instructions and images.
Posted: Wed Jun 21, 2017 11:27 Post subject: Re: Ad-blocking on Netgear R8500
Yamaraj wrote:
System: Netgear R8500
Firmware: Kong's DD-WRT v3.0-r31870M (04/16/17)
Additional configuration: OpenVPN client and an 8GB pendrive partitioned and formatted as swap, /jffs, and /opt running Kong's optware.
Background: Needed a more elegant and basic setup than dealing with the nuances of OpenVPN and Privoxy enabled on the same router. Repurposing RPi3 had something to do with it, too.
2. Create/download the file "whitelist" without quotes in /jffs/dnsmasq and populate it with the domains you do not want blocked. [struck out: Ensure there's no trailing newline/cr.] [rev25]
4. Execute adbhostgen.sh in /jffs/dnsmasq to generate the hosts file. By default the hosts file is quite aggressive and approx 10MB in size, which is manageable enough for Netgear R8500. Comment out the hosts repos as you see fit.
Should work on R7000, R8000 and other >128MB RAM routers too. Any feedback is welcome.
Is there any way to make one computer (specified IP) or an IP range excluded from the filter? Like using iptables on the router or using a different DNS on the computer?
I've tried the solution of chjohans:
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=740330
"Add the following to your "Startup" script:
dnsmasq -S 208.67.222.222 -R -i br0 -p 1054
This starts an dnsmasq instance on port 1054 using the OpenDNS DNS server (208.67.222.222)
Add the following to your "Firewall" script:
iptables -t nat -A PREROUTING -p tcp -i br0 -s 192.168.1.100 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054
iptables -t nat -A PREROUTING -p udp -i br0 -s 192.168.1.100 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054 "
but the router prioritizes its own hosts file instead of skipping it.
Does anyone have the solution?
Thanks.
Posted: Sat Nov 25, 2017 6:36 Post subject: Re: Ad-blocking on Netgear R8500
genlish wrote:
Is there any way to make one computer (specified IP) or an IP range excluded from the filter? Like using iptables on the router or using a different DNS on the computer?
I've tried the solution of chjohans:
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=740330
"Add the following to your "Startup" script:
dnsmasq -S 208.67.222.222 -R -i br0 -p 1054
This starts an dnsmasq instance on port 1054 using the OpenDNS DNS server (208.67.222.222)
Add the following to your "Firewall" script:
iptables -t nat -A PREROUTING -p tcp -i br0 -s 192.168.1.100 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054
iptables -t nat -A PREROUTING -p udp -i br0 -s 192.168.1.100 --dport 53 -j DNAT --to $(nvram get lan_ipaddr):1054 "
but the router prioritizes its own hosts file instead of skipping it.
Does anyone have the solution?
Thanks.
You will probably need to install optware and use another instance of dnsmasq to set up a separate DNS for those IPs. I haven't tried that yet. Anyone?
[rev33]: added mpdomains for additional protection. Lists updated.
Posted: Sat Nov 25, 2017 8:06 Post subject:
Personally I find Privoxy a little slow and buggy; although it's working, it adds latency on browsing and sometimes blocks unlisted sites ...
Personally I find Privoxy a little slow and buggy; although it's working, it adds latency on browsing and sometimes blocks unlisted sites ...
Yeah, I played with it for a while and then settled for this solution for the same reasons. This script may not be perfect, but it can be tailored to do exactly what I want.
rev36: Added a secure version of the script which downloads the cURL CA cert directly from the author's server and then uses secure transmission for downloading lists. Whitelist now applies to the domain list as well as the hosts list.
Posted: Tue Dec 05, 2017 16:20 Post subject:
Yamaraj,
I tried this and it works great! But the list seems a bit aggressive. Do you have a lite version of the blacklist?
With this current list I see issues with Facebook and some deal sites such as Slickdeals.com and some legitimate redirect links.