DNS/Packet Firewall

I have a Brume 2 and am very happy with it - everything works well. I use it as a DNS firewall using the built-in AdGuard, and have the WireGuard VPN set up.

However, I wanted to firewall outbound traffic from some devices on the network better. Specifically I have a TV where I want to only allow Netflix, Amazon Prime and a couple of other sites and disable all other outbound traffic. Not sure on the best way to do that. There was some advice on Google (not for Brume specifically) about using a "packet firewall" or a "DNS firewall". For now I have just assigned the TV a static IP on the LAN and blocked all outbound traffic - not ideal for watching Netflix though!

Any advice or suggestions are welcome. I am reasonably competent on computers, networks and sysadmin but not an expert.


To be honest: forget about this when using a router as a firewall only. There are more or less different ways to get to this - but it's nothing that simply works.

You could go with AdGuard for trying to block all communication but the streaming services. This requires you to know all streaming DNS names - good luck finding them all :wink:

IP is not affected by this, so you have to do the same on IP level. The firewall of the router isn’t user friendly enough to do so. And you need to know all required IP spaces - good luck finding them as well …

My opinion: go with a professional firewall (maybe some refurbished Sophos from eBay) or install OPNsense on another device to use this. Both systems will bring additional problems. :sweat_smile:

I would put my TV into the guest network and well… accept that there might be data transfers I don’t want.

That's a good point.
My AdGuard Home blocked with smart TV (Google TV)

Netflix is working fine :sweat_smile:
But it's a shame I can't block YouTube ads :roll_eyes: just buy Premium :unamused:

Sorry off topic :confounded:

Hmm, it's difficult what you request, and there is not really one solution for this.

The best way to go is indeed via the DNS route, but then again you have no control if Netflix changes domain names and subdomain names.

If I needed to do something like this myself I would think of using ipsets via dnsmasq; this means all IPs of domain x get stored in an ipset which you then can use in the firewall rules of LuCI. In OpenWrt 23.5 and above they have support for ipsets via LuCI :), see luci → network → dhcp and dns settings → general settings, and luci → network → firewall → ipsets.

And in the firewall traffic rules you also have support for it via the advanced tabs.

Then you can make two traffic rules: one rule which allows all IPs inside the ipset, followed by a rule which blocks all connections based on the src MAC.

Then you effectively make use of the priority, and Netflix and such will still work, and devices not inside the MAC src firewall rule still have full internet :slight_smile:
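The two-rule scheme described in this post (an allow rule on the DNS-populated destination set first, then a drop rule keyed on the restricted source), as an added Python model that is not code from the thread or from OpenWrt. It mimics dnsmasq's ipset semantics (a listed domain matches itself and its subdomains) and fw4's first-match rule order; the device addresses, domains and DNS answers are constructed, and the class and function names are my own.

```python
# Added model (not from the thread) of the dnsmasq-ipset + ordered-rule scheme; names and addresses are constructed.
import ipaddress
from dataclasses import dataclass, field


def domain_matches(qname: str, listed: str) -> bool:
    """dnsmasq ipset semantics: the listed domain and all of its subdomains match."""
    qname, listed = qname.rstrip(".").lower(), listed.rstrip(".").lower()
    return qname == listed or qname.endswith("." + listed)


@dataclass
class DnsIpset:
    """Destination set that dnsmasq fills from the answers to listed domains."""
    domains: list
    members: set = field(default_factory=set)

    def learn(self, qname: str, answers: list) -> bool:
        """Feed one DNS answer; returns True if the set gained members."""
        if not any(domain_matches(qname, d) for d in self.domains):
            return False  # unlisted name: its addresses never enter the set
        self.members.update(ipaddress.ip_address(a) for a in answers)
        return True


@dataclass
class Rule:
    name: str
    target: str                  # 'ACCEPT' or 'DROP', as in fw4
    src: set = None              # src_net ipset of restricted devices, None = any
    dest: DnsIpset = None        # dst_net ipset of allowed destinations, None = any

    def matches(self, src_ip, dst_ip) -> bool:
        if self.src is not None and src_ip not in self.src:
            return False
        return self.dest is None or dst_ip in self.dest.members


def forward_verdict(rules, src, dst, policy="ACCEPT"):
    """First matching rule wins, like fw4's lan->wan forward chain."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src, dst):
            return f"{rule.target}:{rule.name}"
    return f"{policy}:policy"


# Constructed sample: TV at 192.168.8.50 is restricted, laptop 192.168.8.20 is not.
TV_SET = {ipaddress.ip_address("192.168.8.50")}
ALLOWED = DnsIpset(["netflix.com", "hulu.com"])
ALLOWED.learn("www.netflix.com", ["203.0.113.10"])  # learned: listed domain
ALLOWED.learn("example.org", ["198.51.100.7"])      # ignored: not listed
RULES = [Rule("allowsvcs", "ACCEPT", dest=ALLOWED),  # allow must come first ...
         Rule("blocktvs", "DROP", src=TV_SET)]       # ... then drop the TV's rest
```

Swapping the two rules makes the drop rule match the TV first and Netflix stops working; an address the TV reaches without a matching DNS answer never enters the set, which is why the approach depends on knowing every domain the service uses.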

But it still requires knowing all the necessary domains - which is pretty difficult with high-scaling services like Netflix and AWS. Worth a try, but it will cost much effort.

1 Like

This is true; while iptables might help with wildcarding (this is btw a really bad bottleneck for nftables, it has no wildcarding afaik), they also come indeed with random domains.

I've been trying something similar to OP, but then only trying to get the domains split-tunneled; it was a nightmare to maintain and figure out, so instead I VLAN-isolated, though this is not fully what the OP wants :stuck_out_tongue:

There's also something else which comes to mind: the package banIP. It has a feature to allow only x IPs; maybe they have support for ipsets too?

You may only need a really new opkg, not from the GL repo :slight_smile:

Been doing some more research - it appears (FQDN Egress Filtering Solutions for Compliance | by CloudifyOps | Medium) that what I need is a firewall capable of having FQDN egress filtering rules - apparently IPFire (https://www.ipfire.org) supports it (have not tried it). Wonder if the advanced (LuCI) firewall supports it? I am somewhat familiar with LuCI now (since I needed to use it to block all outbound traffic from the TV).

@xize11 - How did you set up the VLAN isolation? If that makes it easier I could do that … I gave the TV a static IP using its MAC in the LAN - this way, regardless of whether the TV starts with DHCP or not, it always gets a fixed IP.

I would go with the guest network, it’s the same result but much easier to maintain.

1 Like

Found something that seems to do it ([OpenWrt Wiki] Filtering traffic with IP sets by DNS) - curious if anyone has tried it? Any experience?

Need to understand some vlans so I can isolate the TV and not impact my wife/son who are WFH and will not take kindly to the internet going down suddenly!

If you want no issues with the GL UI and its features, I recommend doing what @admon said :+1:

1 Like

I have been looking to see how to create a “guest network” - have not yet found it

You have to add the corresponding LAN port to the br-guest bridge.

1 Like

Ah - I have the Brume 2 (GL-MT2500) which does not have Wi-Fi - I use it as a router/DHCP/firewall; I have a separate mesh AP for Wi-Fi. Will have to see how to get a separate "guest network" or something. VLAN would be tough from what I read - apparently it needs managed switches (this is a house so it's a home network).

Yup, if all ports are in use on the Brume 2 you need VLAN :+1:, and a managed switch.

If you need help let me know.

Here's a topic where I helped someone else with VLANs; the video in this thread can be really helpful :+1:

Not really. Different network is fine - no need for VLAN.

Depends, the Brume has 2 ports, so if it's full, welp, I see no other solution :sweat_smile:; I don't know if his TV is connected directly to the Brume.

1 Like

Ah, dang.

But even this would work by just adding a new network. In any case I would say Brume isn’t the right device for this kind of … experiment.

1 Like

Reading through Google, it seems like there is no perfect solution, but the best reasonable one, based on a couple of links below, seems to be FQDN egress filtering.

I started crafting a firewall configuration that uses ipsets and rules. Appreciate feedback/help.

# /etc/config/firewall

# ipset to select restricted devices by ip addresses
config ipset
	option name	'blockedtvs'
	option match	'src_net'
	option enabled	'1'
	# TV static IP address goes here - using a DHCP reservation on its MAC to ensure it's fixed.
	list entry	''

# ipset for allowed destinations; dnsmasq fills it from DNS answers for the domains listed
# in the dhcp ipset section below (fw4 itself has no 'domain' option for an ipset).
config ipset
	option name	'allowedsvcs'
	option match	'dst_net'
	option enabled	'1'

# rule to allow traffic to allowed domains.
# Rules are evaluated in order, so this allow rule must come before the drop rule.
config rule
	option name	'allowsvcs'
	option src	'lan'
	option ipset	'allowedsvcs'
	option dest	'wan'
	option target	'ACCEPT'
	option enabled	'1'

# rule to block all other outbound traffic from blocked devices
config rule
	option name	'blocktvs'
	option src	'lan'
	option ipset	'blockedtvs'
	option dest	'wan'
	option target	'DROP'
	option enabled	'1'

# /etc/config/dhcp - dnsmasq adds the resolved addresses of these domains (and their subdomains) to the ipset
config ipset
	list name	'allowedsvcs'
	list domain	'netflix.com'
	list domain	'hulu.com'

1 Like

Sorry about the formatting - did not realize it was interpreting as markdown