I have a Brume 2 and am very happy with it - everything works well. I use it as a DNS firewall using the built-in AdGuard, and have the WireGuard VPN set up.
However, I wanted to firewall outbound traffic from some devices on the network better. Specifically I have a TV where I want to allow only Netflix, Amazon Prime and a couple of other sites and disable all other outbound traffic. Not sure on the best way to do that. There was some advice on Google (not for Brume specifically) about using a “packet firewall” or a “DNS firewall”. For now I have just assigned the TV a static IP on the LAN and blocked all outbound traffic - not ideal for watching Netflix though!
Any advice or suggestions are welcome. I am reasonably competent on computers, networks and sysadmin but not an expert.
To be honest: forget about this when using a router as a firewall only. There are more or less different ways to get to this - but it’s nothing that simply works.
You could go with AdGuard for trying to block all communication but the streaming services. This requires you to know all streaming DNS names - good luck finding them all.
IP is not affected by this, so you have to do the same on IP level. The firewall of the router isn’t user-friendly enough to do so. And you need to know all required IP spaces - good luck finding them as well …
My opinion: go with a professional firewall (maybe some refurbished Sophos from eBay) or install OPNsense on another device to use this. Both systems will bring additional problems.
I would put my TV into the guest network and well… accept that there might be data transfers I don’t want.
Hmm, it’s difficult what you request, and there is not really one solution for this.
The best way to go is indeed via the DNS route, but then again you have no control if Netflix changes domain names and subdomain names.
If I needed to do something like this myself I would think of using ipsets via dnsmasq. This means all IPs of domain x get stored in an ipset which you can then use in the firewall rules of LuCI. In OpenWrt 23.5 and above they have support for ipsets via LuCI :), see LuCI → Network → DHCP and DNS settings → General settings, and LuCI → Network → Firewall → IP sets.
And in the firewall traffic rules you also have support for it via the Advanced tabs.
Then you can make two traffic rules: one rule which allows all IPs inside the ipset, followed by a rule which blocks all connections based on the src MAC.
Then you effectively make use of the priority: Netflix and such will still work, and devices not inside the MAC src firewall rule still have full internet.
But it still requires knowing all the necessary domains - which is pretty difficult with high-scaling services like Netflix and AWS. Worth a try, but it will cost much effort.
This is true, while iptables might help with wildcarding (this is btw a really bad bottleneck for nftables, it has no wildcarding afaik), and they also come indeed with random domains.
I’ve been trying something similar to the OP, but then only with trying to get the domains split-tunneled; it was a nightmare to maintain and figure out. Instead I VLAN-isolated, though this is not fully what the OP wants.
There’s also something else which comes to mind, the package banIP; it has a feature to allow only x IPs. Maybe they have support for ipsets too?
You may only need a really new opkg, not from the GL repo.
Been doing some more research - it appears (FQDN Egress Filtering Solutions for Compliance | by CloudifyOps | Medium) that I need a firewall capable of having FQDN egress filtering rules - apparently IPFire ( https://www.ipfire.org ) supports this (have not tried it). Wonder if the advanced (LuCI) firewall supports it? I am somewhat familiar with LuCI now (since I needed to use it to block all outbound traffic from the TV).
@xize11 - How did you set up the VLAN isolation? If that makes it easier I could do that … I gave the TV a static IP using its MAC in the LAN - this way, regardless of how the TV starts, DHCP or not, it always gets a fixed IP.
Need to understand some VLANs so I can isolate the TV and not impact my wife/son who are WFH and will not take kindly to the internet going down suddenly!
Ah - I have the Brume 2 (GL-MT2500) which does not have WiFi - I use it as a router/DHCP/firewall and have a separate mesh AP for WiFi. Will have to see how to get a separate “guest network” or something. VLAN would be tough from what I read - apparently it needs managed switches (this is a house so it’s a home network).
Reading through Google it seems like there is no perfect solution, but a reasonable one, based on a couple of links below, seems to be FQDN egress filtering.
I started crafting a firewall configuration that uses ipsets and rules. Appreciate feedback/help.
# /etc/config/firewall
# ipset to select restricted devices by IP address
config ipset
	option name 'blockedtvs'
	option match 'src_net'
	option enabled '1'
	# TV static IP address - fixed via a DHCP static lease on its MAC
	list entry '10.0.1.71'

# ipset for allowed destinations. The set is declared here (no entries);
# dnsmasq fills it with the addresses it resolves for the allowed domains,
# which are listed in /etc/config/dhcp below, not in the firewall config.
config ipset
	option name 'allowedsvcs'
	option match 'dest_net'
	option enabled '1'

# rule to allow traffic to the allowed destinations. This rule must come
# before the block rule: fw4 evaluates rules in order and the first match wins.
config rule
	option name 'allowsvcs'
	option src 'lan'
	option ipset 'allowedsvcs'
	option dest 'wan'
	option target 'ACCEPT'
	option enabled '1'

# rule to block all other outbound traffic from the restricted devices
config rule
	option name 'blocktvs'
	option src 'lan'
	option ipset 'blockedtvs'
	option dest 'wan'
	option target 'DROP'
	option enabled '1'

# /etc/config/dhcp
# dnsmasq adds the addresses it resolves for these domains (and their
# subdomains) to the 'allowedsvcs' set declared in the firewall config.
config ipset
	list name 'allowedsvcs'
	list domain 'netflix.com'
	list domain 'hulu.com'
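To see how the two-rule scheme from xize11’s post and the draft config above actually behave, here is a small model of fw4’s ordered, first-match rule evaluation together with a dnsmasq-style resolver that drops DNS answers into an ipset. This is an added example, not code from the thread, from GL.iNet or from OpenWrt; the addresses, domain names and set names are constructed for illustration, and the resolver is a stand-in for dnsmasq’s ipset/nftset feature, not the real thing.

```python
"""Model of fw4 first-match rule evaluation with a dnsmasq-fed ipset.

Added example (not OpenWrt code). All addresses and domains are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Set


@dataclass
class IPSet:
    """Named set of networks, like an fw4 'config ipset' section."""
    name: str
    match: str                       # "src_net" or "dest_net"
    entries: Set = field(default_factory=set)

    def add(self, cidr: str) -> None:
        self.entries.add(ip_network(cidr, strict=False))

    def contains(self, addr: str) -> bool:
        a = ip_address(addr)
        return any(a in net for net in self.entries)


@dataclass
class Rule:
    """One fw4 'config rule' that matches on a single ipset."""
    name: str
    ipset: str
    target: str                      # "ACCEPT" or "DROP"


class Firewall:
    """lan -> wan forwarding with ordered rules: the first matching rule wins."""

    def __init__(self, ipsets: Iterable[IPSet], rules: Iterable[Rule], policy: str = "ACCEPT"):
        self.ipsets: Dict[str, IPSet] = {s.name: s for s in ipsets}
        self.rules: List[Rule] = list(rules)
        self.policy = policy         # zone forwarding policy when nothing matches

    def verdict(self, src: str, dst: str) -> str:
        for rule in self.rules:
            s = self.ipsets[rule.ipset]
            addr = src if s.match == "src_net" else dst
            if s.contains(addr):
                return rule.target
        return self.policy


class Resolver:
    """Stand-in for dnsmasq with a domain -> ipset mapping: every answer for a
    listed domain, or one of its subdomains, is added to that set."""

    def __init__(self, table: Dict[str, List[str]], domain_sets: Dict[str, IPSet]):
        self.table = table           # constructed DNS answers, not real addresses
        self.domain_sets = domain_sets

    def resolve(self, qname: str) -> List[str]:
        answers = self.table.get(qname, [])
        for domain, ipset in self.domain_sets.items():
            if qname == domain or qname.endswith("." + domain):
                for a in answers:
                    ipset.add(a)
        return answers


TV = "10.0.1.71"                     # the restricted device (from the thread)
LAPTOP = "10.0.1.20"                 # constructed: an unrestricted LAN device
NETFLIX_IP = "203.0.113.10"          # constructed, TEST-NET-3
OTHER_IP = "198.51.100.5"            # constructed, TEST-NET-2


def build(allow_first: bool = True):
    """Build the thread's setup; allow_first=False reproduces the draft's ordering."""
    blocked = IPSet("blockedtvs", "src_net")
    blocked.add(TV)
    allowed = IPSet("allowedsvcs", "dest_net")         # empty until dnsmasq fills it
    allow = Rule("allowsvcs", "allowedsvcs", "ACCEPT")
    block = Rule("blocktvs", "blockedtvs", "DROP")
    fw = Firewall([blocked, allowed], [allow, block] if allow_first else [block, allow])
    resolver = Resolver({"api.netflix.com": [NETFLIX_IP], "example.net": [OTHER_IP]},
                        {"netflix.com": allowed})
    return fw, resolver


def tv_netflix_before_and_after_dns() -> tuple:
    fw, resolver = build()
    before = fw.verdict(TV, NETFLIX_IP)   # set still empty: DROP
    resolver.resolve("api.netflix.com")   # the TV's DNS lookup populates the set
    return before, fw.verdict(TV, NETFLIX_IP)   # ("DROP", "ACCEPT")


def tv_other_site() -> str:
    fw, resolver = build()
    resolver.resolve("example.net")       # not a listed domain: set untouched
    return fw.verdict(TV, OTHER_IP)       # "DROP"


def laptop_unrestricted() -> str:
    fw, _ = build()
    return fw.verdict(LAPTOP, OTHER_IP)   # "ACCEPT" via the zone policy


def tv_netflix_with_drop_rule_first() -> str:
    fw, resolver = build(allow_first=False)
    resolver.resolve("api.netflix.com")
    return fw.verdict(TV, NETFLIX_IP)     # "DROP": the block rule matches first
```

Two things the model makes visible that the config alone does not: with the DROP rule listed before the ACCEPT rule (as in the first draft) the TV never reaches Netflix even after the set is populated, and the set is only filled by queries that actually pass through dnsmasq, so a device that uses its own hard-coded resolver or DNS-over-HTTPS gets no entries and stays blocked.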