How to block ru crap?


I need to hard block (not just by TLD) ru and BY crap. At all. Preferably by IP ranges.

I found this instruction:

Method 1: Using IPset and GeoIP

  1. Install the ipset and geoip packages on your OpenWRT router:
opkg update
opkg install ipset geoip
  2. Create a new IP set for the countries you want to block:
ipset create block_ru hash:net
ipset create block_by hash:net
  3. Download the GeoIP database for the countries you want to block:
  4. Convert the GeoIP database to an IP set format:
geoip2ipset -c RU,BY GeoLite2-Country.mmdb block_ru block_by
  5. Add the IP sets to your firewall configuration to block traffic:
iptables -t filter -A FORWARD -m set --match-set block_ru src -j DROP
iptables -t filter -A FORWARD -m set --match-set block_by src -j DROP

Method 2: Using dnsmasq and GeoIP

  1. Install the dnsmasq package on your OpenWRT router:
opkg update
opkg install dnsmasq
  2. Configure dnsmasq to use the GeoIP database:
uci set dnsmasq.@dnsmasq[0].geoip=/usr/share/GeoIP/GeoLite2-Country.mmdb
uci commit dnsmasq
  3. Create a new configuration file for dnsmasq to block the countries:
echo "ipset=/block_ru,RU
ipset=/block_by,BY" >> /etc/dnsmasq.conf
  4. Restart dnsmasq to apply the changes:
/etc/init.d/dnsmasq restart

Will this config work? Or do you have more advice?

P.S.: I do not expect a 100% accurate block. I want to block most of the ru crap.

Give it a try and report back.

Since it blocks the IP ranges it will help, but tbh … IP blocking is pretty useless since there are CDNs, vHosts and stuff like this.

It depends on your needs, which you need to clarify.

What do you mean? As far as I know, they have a law that forbids them from officially using servers abroad. They have foreign hosting blocked!

So in their case they should be blocked by IP :slight_smile:

On my website I already banned access from ru IPs by this method, so I wonder whether it will work on OpenWRT.

Laws are only for people who obey them. :wink:
Many Russians just use a VPN - like in all „special“ countries.

try open website ""

Block all VPNs

@admon, can you take a look at this:

These are the ones to block…

Why? I want to block access from my network, not to my network (for this case I just set drop to all incoming traffic)

So you want to block traffic flows from your network to any Russian one? Then you are good to go with IP addresses. But it won't help against Russian websites located outside of Russia. And yeah, they exist for sure.

Not 100%; I don’t expect 100% efficiency. But 90% will be OK. The main idea is to prevent my family from accessing that crap. I know that this can be bypassed, but I don’t expect 100% efficiency; I need to make it more difficult to use that crap.

Can you advise me how to block them in bulk? Or even set auto update?

None of them will work out-of-the-box, at least not on my system.

I might look into this to create a script, but can't promise a time range for that.
Starting by using AdGuard Home and blocking ru domains is the best you can do so far.

Spitz doesn’t support it :disappointed_relieved:

I will be really pleased if so. It is not urgent. If you want, you may help. But if it is a burden, you should not :slight_smile:

At least it's not possible to block that many addresses using the built-in firewall. It will cause the error:

uci: Parse error (too many arguments) at line 8563, byte 2372

The list would be huge, not even sure if the Spitz can handle it.

I can do extroot or store it on SD…

@alzhao or @Bruce any ideas?

It's not about storage. The IP lists (for RU it's nearly 8000 lines) must be used in RAM during all time so the firewall can evaluate the traffic. That should be waaaaay too much :face_with_peeking_eye:

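Added example (not code from any poster in this thread): one way to get a list of several thousand ranges into the `block_ru` set from Method 1 without writing each range into the uci firewall config is to generate an `ipset restore` script and load it in one call. The input format, the `gen_restore` and `sample_list` names and the sample ranges are assumptions; the ranges are constructed documentation addresses, not real country data.

```shell
#!/bin/sh
# Added example: turn a CIDR list into an "ipset restore" script.
# Assumed input format: one IPv4 CIDR per line, "#" starts a comment.

# Constructed sample (RFC 5737 documentation ranges, not real country data).
sample_list() {
    cat <<'EOF'
# constructed test list
192.0.2.0/24
198.51.100.0/24   # trailing comment
192.0.2.0/24
203.0.113.0/33
999.1.1.0/24
203.0.113.0/25
EOF
}

# gen_restore SETNAME: CIDRs on stdin, restore commands on stdout.
# Entries are added to a temporary set that is swapped in at the end,
# so the live set is never half-filled during an update.
gen_restore() {
    set_name=$1
    tmp_name="${set_name}_new"
    echo "create $set_name hash:net family inet"
    echo "create $tmp_name hash:net family inet"
    echo "flush $tmp_name"
    awk -v tmp="$tmp_name" '
        function valid(c,   p, o, i) {
            if (split(c, p, "/") != 2) return 0
            if (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32) return 0
            if (split(p[1], o, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            return 1
        }
        { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }  # strip comments, blanks
        $0 == "" { next }
        !valid($0) { bad++; next }               # drop malformed entries
        !seen[$0]++ { print "add " tmp " " $0 }  # skip duplicates
        END { if (bad) print bad " invalid line(s) skipped" > "/dev/stderr" }'
    echo "swap $tmp_name $set_name"
    echo "destroy $tmp_name"
}

# Print the script for the sample; on the router it would be piped into
# "ipset -exist restore" so that an already existing set is not an error.
sample_list | gen_restore block_ru
```
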

Can I use part of SD as RAM? Or maybe use dnsmasq for this?

No, not that I'm aware of.

You need to get a beefier device. Look into an x86 as your firewall, OPNsense, and use the GL.iNet as the access point.

Or get a Firewalla Purple for $329. It can do repeater mode (travel mode), it can block 10 countries, and it has other cool features.

Or go AdGuard DNS and block the countries there.

I wanna stick with Gl.

Found a better solution.

uci add_list dhcp.@dnsmasq[0].address='/ru/'
uci commit dhcp
uci add_list dhcp.@dnsmasq[0].address='/su/'
uci commit dhcp
service dnsmasq restart

Also you can set adblocking even on weak devices like:

uci add_list dhcp.@dnsmasq[0].addnhosts="/sda1/hosts.txt"
uci commit dhcp
/etc/init.d/dnsmasq restart

This will add the hosts file on your SD card as an additional hosts file.

Does it work as well?

I think it's very simple in AdGuard Home.
Add manual filter:


Might be working :thinking: second line is Cyrillic domain (*.рф)