DNS/Packet Firewall

That's a good point.
My AdGuard Home blocked it with my smart TV (Google TV).


Netflix is working fine :sweat_smile:
But it's a shame I can't block YouTube ads :roll_eyes: just buy Premium :unamused:

Sorry, off topic :confounded:

Hmm, what you request is difficult, and there is not really one solution for this.

The best way to go is indeed via the DNS route, but then again you have no control if Netflix changes domain names and subdomain names.

If I needed to do something like this myself I would think of using ipsets via dnsmasq; this means all IPs of domain x get stored in an ipset, which you then can use in the firewall rules of LuCI. In OpenWrt 23.05 and above they have support for ipsets via LuCI :), see LuCI → Network → DHCP and DNS → General Settings, and LuCI → Network → Firewall → IP Sets.

And in the firewall traffic rules you also have support for it via the Advanced tab.

Then you can make two traffic rules: one rule which allows all IPs inside the ipset, followed by a rule which blocks all connections based on the source MAC.

Then you effectively make use of the priority, and Netflix and such will still work, and devices not inside the MAC source firewall rule still have full internet :slight_smile:

But it still requires knowing all the necessary domains - which is pretty difficult with high-scaling services like Netflix and AWS. Worth a try, but it will cost much effort.

1 Like

This is true. While iptables might help with wildcarding (this is btw a really bad bottleneck for nftables, it has no wildcarding afaik), they also come indeed with random domains.

I've been trying something similar to the OP, but only trying to get the domains split tunneled; it was a nightmare to maintain and figure out. Instead I VLAN-isolated, though this is not fully what the OP wants :stuck_out_tongue:

There's also something else which comes to mind, the package banIP; it has a feature to allow only x IPs. Maybe they have support for ipsets too?

You may only need a really new opkg, not from the GL repo :slight_smile:

Been doing some more research - it appears (FQDN Egress Filtering Solutions for Compliance | by CloudifyOps | Medium) what I need is a firewall capable of having FQDN egress filtering rules - apparently IPFire (https://www.ipfire.org) supports it (have not tried it). Wonder if the advanced (LuCI) firewall supports it? I am somewhat familiar with LuCI now (since I needed to use it to block all outbound traffic from the TV).

@xize11 - How did you set up the VLAN isolation? If that makes it easier I could do that … I gave the TV a static IP using its MAC in the LAN - this way, regardless of how the TV starts, DHCP or not, it always gets a fixed IP.

I would go with the guest network, it’s the same result but much easier to maintain.

1 Like

Found something that seems to do it ([OpenWrt Wiki] Filtering traffic with IP sets by DNS) - curious if anyone has tried it? Any experience?

Need to understand some VLANs so I can isolate the TV and not impact my wife/son, who are WFH and will not take kindly to the internet going down suddenly!

If you want no issues with the GL UI and its features, I recommend doing what @admon said :+1:

1 Like

I have been looking to see how to create a "guest network" - I have not yet found it.

You have to add the corresponding LAN port to the br-guest bridge.

1 Like

Ah - I have the Brume 2 (GL-MT2500), which does not have WiFi - I use it as a router/DHCP/firewall; I have a separate mesh AP for WiFi. Will have to see how to get a separate "guest network" or something. VLAN would be tough from what I read - apparently it needs managed switches (this is a house, so it's a home network).

Yup, if all ports are in use on the Brume 2 you need VLAN :+1:, and a managed switch.

If you need help let me know.

Here's a topic where I helped someone else with VLANs too; the video in this thread can be really helpful :+1:

Not really. Different network is fine - no need for VLAN.

Depends, the Brume has 2 ports, so if it's full, welp, I see no other solution :sweat_smile:; I don't know if his TV is connected directly to the Brume.

1 Like

Ah, dang.

But even this would work by just adding a new network. In any case I would say Brume isn’t the right device for this kind of … experiment.

1 Like

Reading through Google, it seems like there is no perfect solution, but the best reasonable one, based on a couple of links below, seems to be FQDN egress filtering.

I started crafting a firewall configuration that uses ipsets and rules. Appreciate feedback/help.

# ipset to select restricted devices by IP address
config ipset
	option name	'blockedtvs'
	option match	'src_net'
	option enabled	'1'
	# TV static IP address; pinned to its MAC in a static DHCP lease so it stays fixed
	list entry	'10.0.1.71'

# ipset for allowed destinations, filled by dnsmasq from the DNS answers for these domains
config ipset
	option name	'allowedsvcs'
	option match	'dest_net'
	option enabled	'1'
	list domain	'netflix.com'
	list domain	'hulu.com'

# Rules are evaluated in order and the first match wins, so the accept rule
# for the allowed services has to come before the drop rule.
# rule to allow traffic to allowed domains
config rule
	option name	'allowsvcs'
	option src	'lan'
	option ipset	'allowedsvcs'
	option dest	'wan'
	option target	'ACCEPT'
	option enabled	'1'

# rule to block all other outbound traffic from blocked devices
config rule
	option name	'blocktvs'
	option src	'lan'
	option ipset	'blockedtvs'
	option dest	'wan'
	option target	'DROP'
	option enabled	'1'
1 Like
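Both the "allow the ipset, then block by source MAC" approach described earlier in the thread and the ipset config just posted rely on two things: fw4 walks the traffic rules in config order and the first match wins, and the destination set is only filled when the TV's DNS lookups actually go through the router's dnsmasq. The following is an added example, not code from this thread or from OpenWrt, that models exactly that behaviour in Python so the rule ordering and the empty-set failure mode can be checked offline. Every IP, MAC and hostname in it is constructed for illustration (TEST-NET ranges), and the set/rule names mirror the config above.

```python
"""Model of fw4 first-match rule evaluation against dnsmasq-populated IP sets.
Added example, not the firewall's own code; all addresses and names are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
import ipaddress


@dataclass
class IPSet:
    name: str
    match: str                                  # "src_net" or "dest_net"
    entries: set = field(default_factory=set)   # static networks ('list entry')
    domains: set = field(default_factory=set)   # names dnsmasq watches ('list domain')

    def contains(self, ip) -> bool:
        return any(ip in net for net in self.entries)


@dataclass
class Rule:
    name: str
    target: str                 # "ACCEPT" or "DROP"
    ipset: str | None = None    # set this rule matches against
    src_mac: str | None = None  # alternative: match the TV by MAC instead of a set


class Firewall:
    def __init__(self, ipsets, rules, default="ACCEPT"):
        self.ipsets = {s.name: s for s in ipsets}
        self.rules = list(rules)   # evaluated in config order, first match wins
        self.default = default     # lan -> wan forwarding is otherwise allowed

    def dns_answer(self, qname: str, answers) -> None:
        """dnsmasq hook: a lookup whose name falls under a set's domain list adds
        the answer addresses to that set. Only lookups that pass through the
        router's dnsmasq ever reach this hook."""
        for s in self.ipsets.values():
            if any(qname == d or qname.endswith("." + d) for d in s.domains):
                s.entries.update(ipaddress.ip_network(a) for a in answers)

    def evaluate(self, src_ip: str, src_mac: str, dst_ip: str):
        """Return (rule name, verdict) of the first matching rule, or the default."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for r in self.rules:
            if r.src_mac and r.src_mac.lower() != src_mac.lower():
                continue
            if r.ipset:
                s = self.ipsets[r.ipset]
                if not s.contains(src if s.match.startswith("src") else dst):
                    continue
            return r.name, r.target
        return None, self.default


# Constructed addresses: TV from the config above, destinations from TEST-NET ranges.
TV_IP, TV_MAC = "10.0.1.71", "aa:bb:cc:dd:ee:01"
NETFLIX_IP, OTHER_IP = "198.51.100.10", "203.0.113.5"


def build_tv_firewall(accept_first: bool = True, by_mac: bool = False) -> Firewall:
    tv = IPSet("blockedtvs", "src_net", {ipaddress.ip_network(TV_IP + "/32")})
    svc = IPSet("allowedsvcs", "dest_net", domains={"netflix.com", "hulu.com"})
    allow = Rule("allowsvcs", "ACCEPT", ipset="allowedsvcs")
    block = (Rule("blocktvs", "DROP", src_mac=TV_MAC) if by_mac
             else Rule("blocktvs", "DROP", ipset="blockedtvs"))
    return Firewall([tv, svc], [allow, block] if accept_first else [block, allow])


def verdicts(fw: Firewall) -> dict:
    return {
        "tv->netflix": fw.evaluate(TV_IP, TV_MAC, NETFLIX_IP)[1],
        "tv->other": fw.evaluate(TV_IP, TV_MAC, OTHER_IP)[1],
        "laptop->other": fw.evaluate("10.0.1.20", "aa:bb:cc:dd:ee:02", OTHER_IP)[1],
    }


def scenario(accept_first=True, by_mac=False, tv_uses_router_dns=True) -> dict:
    fw = build_tv_firewall(accept_first, by_mac)
    if tv_uses_router_dns:
        # The TV resolves a Netflix host via the router, so dnsmasq fills the set.
        fw.dns_answer("api-global.netflix.com", [NETFLIX_IP])
    return verdicts(fw)


if __name__ == "__main__":
    print("correct order   ", scenario())
    print("rules swapped   ", scenario(accept_first=False))
    print("block by MAC    ", scenario(by_mac=True))
    print("TV bypasses DNS ", scenario(tv_uses_router_dns=False))
```

The "rules swapped" case is the bug in the first draft of the config: with the DROP rule listed first, the TV never reaches the accept rule and Netflix is dropped too. The "TV bypasses DNS" case is the caveat to keep in mind with any dnsmasq-fed ipset: if the TV resolves names through a resolver of its own instead of the router, nothing ever lands in `allowedsvcs` and the drop rule wins for every destination.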

Sorry about the formatting - did not realize it was interpreting as markdown

Yup, this is kinda what I meant with this post.

But it will certainly be hard to maintain, because Netflix and other streaming services may use a variation of DRM tracking tools, and a lot of different subdomains and random domains.

A lot of these streaming services basically use just a website inside their app; it can be self-aware that a tracker has been blocked and refuse you access to the content. It also means it doesn't always need an update; it can be silently updated.

Hey, I know it is old, but you can try to use ControlD for DNS, as it has a lot of blocking features for ads and security etc. Just check it; it is quite cheap on the Full Control plan, which I have been using for about a month now and never had problems with it :smiley: