Hi
I need to hard block (not just by TLD) ru and BY crap. At all. Preferably by IP ranges.
I found this instruction:
Method 1: Using IPset and GeoIP
- Install the ipset and geoip packages on your OpenWRT router:
opkg update
opkg install ipset geoip
- Create a new IP set for the countries you want to block:
ipset create block_ru hash:net
ipset create block_by hash:net
- Download the GeoIP database for the countries you want to block:
wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.mmdb
- Convert the GeoIP database to an IP set format:
geoip2ipset -c RU,BY GeoLite2-Country.mmdb block_ru block_by
- Add the IP sets to your firewall configuration to block traffic:
iptables -t filter -A FORWARD -m set --match-set block_ru src -j DROP
iptables -t filter -A FORWARD -m set --match-set block_by src -j DROP
Method 2: Using dnsmasq and GeoIP
- Install the dnsmasq package on your OpenWRT router:
opkg update
opkg install dnsmasq
- Configure dnsmasq to use the GeoIP database:
uci set dnsmasq.@dnsmasq[0].geoip=/usr/share/GeoIP/GeoLite2-Country.mmdb
uci commit dnsmasq
- Create a new configuration file for dnsmasq to block the countries:
echo "ipset=/block_ru,RU
ipset=/block_by,BY" >> /etc/dnsmasq.conf
- Restart dnsmasq to apply the changes:
/etc/init.d/dnsmasq restart
Will this config work? Or do you have more advice?
P.S.: I do not expect a 100% accurate block. I want to block most of ru crap.
admon
2
Give it a try and report back.
Since it blocks the IP ranges it will help, but tbh … IP blocking is pretty useless since there are CDNs, vHosts and stuff like this.
It depends on your needs, which you need to clarify.
What do you mean? As far as I know, they have a law that forbids them to use servers abroad officially. They have abroad hostings blocked!
So in their case they should be blocked by IP.
On my website I already banned access from ru IPs by this method, so I wonder whether it will work on OpenWRT.
admon
4
Laws are only for people who obey them. 
Many russians just use VPN - like in all „special“ countries.
@admon, can you take a look at this:
This ones to block…
Why? I want to block access from my network, not to my network (for this case I just set drop to all incoming traffic)
admon
8
So you want to block traffic flows from your network to any russian one? Then you are good to go with IP addresses. But it won't help against russian websites located outside of russia. And yeah, they exist for sure.
Not 100%. I don’t expect 100% efficiency, but 90% will be ok. The main idea is to prevent my family from accessing that crap. I know that this can be bypassed, but I don’t expect 100% efficiency; I need to make it more difficult to use that crap.
Can you advise me how to block them in bulk? Or even set auto update?
admon
10
None of them will work out-of-the-box, at least not on my system.
I might look into this to create a script, but can't promise a time range for that.
Starting by using AdGuard Home and blocking ru domains is the best you can do so far.
Spitz doesn’t support it 
I will be really pleased if so. It is not urgent. If you want, you may help. But if it is a burden, you should not.
admon
12
At least it's not possible to block that many addresses using the built-in firewall. It will cause the error:
uci: Parse error (too many arguments) at line 8563, byte 2372
The list would be huge, not even sure if the Spitz can handle it.
I can do extroot or store it on SD…
@alzhao or @bruce any ideas?
admon
14
It's not about storage. The IP lists (for RU it's nearly 8000 lines) must be used in RAM during all time so the firewall can evaluate the traffic. That should be waaaaay too much 
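For the bulk-loading and auto-update question raised above, an added example (not part of any post in this thread) that turns a per-country CIDR list into an `ipset restore` script: it validates and de-duplicates entries, loads them into a temporary set and swaps that set in. The set name block_ru is taken from the first post; the sample ranges are constructed from RFC 5737 documentation networks, and whether a full country list fits in a given router's memory is not something this example settles.

```shell
#!/bin/sh
# Added example, not from the thread. The set name block_ru follows the first
# post; the sample list is constructed from RFC 5737 documentation ranges.
# Succeeds only for a well-formed IPv4 CIDR such as 192.0.2.0/24.
is_ipv4_cidr() {
    case "$1" in
        *[!0-9./]*|*/*/*) return 1 ;;   # stray characters or two slashes
        ?*/?*) ;;                        # address and prefix length present
        *) return 1 ;;
    esac
    addr=${1%/*}; len=${1#*/}
    [ "$len" -le 32 ] 2>/dev/null || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs   # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
}

# Read CIDRs on stdin, write an `ipset restore` script on stdout. The list is
# loaded into a temporary set and swapped in, so the live set is never empty.
build_restore() {
    set_name=$1; tmp="${1}_new"
    echo "create $set_name -exist hash:net family inet"
    echo "create $tmp -exist hash:net family inet"
    echo "flush $tmp"
    sed 's/#.*//' | tr -d ' \t\r' | sort -u | while IFS= read -r cidr; do
        [ -n "$cidr" ] || continue
        if is_ipv4_cidr "$cidr"; then
            echo "add $tmp $cidr"
        else
            echo "skipped invalid entry: $cidr" >&2
        fi
    done
    printf 'swap %s %s\ndestroy %s\n' "$tmp" "$set_name" "$tmp"
}

# Constructed sample input: a duplicate, a bad prefix length and a junk line.
sample_list() {
    cat <<'EOF'
192.0.2.0/24
198.51.100.0/24   # trailing comment
198.51.100.0/24
203.0.113.0/33
not-a-network
203.0.113.128/25
EOF
}
sample_list | build_restore block_ru
```

On the router the function would be fed a real per-country CIDR file and its output piped into `ipset restore`; rerunning that from cron gives the periodic update. For traffic leaving the LAN, the iptables rule would match the set on `dst` rather than `src`.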
Can I use part of SD as RAM? Or maybe use dnsmasq for this?
No, not that I'm aware of.
You need to get a beefier device. Look into an x86 as your firewall, OPNsense, and use the glinet as the access point.
Or get a Firewalla purple for $329. It can do repeater mode (travel mode), it can block 10 countries and other cool features.
admon
17
Or go AdGuard DNS and block the countries there.
I wanna stick with Gl.
Found better solution.
uci add_list dhcp.@dnsmasq[0].address='/ru/0.0.0.0'
uci commit dhcp
uci add_list dhcp.@dnsmasq[0].address='/su/0.0.0.0'
uci commit dhcp
service dnsmasq restart
Also you can set adblocking even on weak devices like:
uci add_list dhcp.@dnsmasq[0].addnhosts="/sda1/hosts.txt"
uci commit dhcp
/etc/init.d/dnsmasq restart
This will add hosts file on your SD as additional hosts
slesar
20
I think it's very simple in AdGuard Home
Add manual filter:
||*.ru/^
||*.xn--p1ai$/^
Might be working
The second line is the Cyrillic domain (*.рф)