How to manually block a website?

I want to block Instagram from being opened on my network.

To avoid bypassing via custom DNS, I want to block by IP:
NetRange: 157.240.0.0 - 157.240.255.255

Can you help me?

I'm not sure if this can be done in the GL UI, but in LuCI this is possible; it is under Traffic Rules inside the Firewall section.

What you are looking for is:

You need multiple rules:

Name: block fb lan to wan
Src zone: lan
Dest zone: wan
Destination IP: 157.240.0.0/16
Action/target: drop

Name: block fb lan to wgclient
Src zone: lan
Dest zone: wgclient
Destination IP: 157.240.0.0/16
Action/target: drop

Name: block fb guest to wan
Src zone: guest
Dest zone: wan
Destination IP: 157.240.0.0/16
Action/target: drop

Name: block fb guest to wgclient
Src zone: guest
Dest zone: wgclient
Destination IP: 157.240.0.0/16
Action/target: drop

Optionally, it might be better to let dnsmasq populate ipsets based on domains, then block the ipset, because IPs can change.

Sometimes it's better not to block on IP, e.g. with Cloudflare; you will unintentionally block other sites as well.

An ipset is a group of IPs; dnsmasq is the DNS server of your router, which can auto-add IPs to that ipset. You could use DNS hijacking; however, it will be more complicated if the user uses a VPN, DoH, or DoT (easier to block).

In my case I block it on DNS and hijack all DNS; banIP blocks DoH and I block DoT port 853. The only thing I can't prevent is VPN, but it is possible to also block it.
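The four traffic rules listed above and the dnsmasq-fed ipset alternative, written out as an added example (not code from the thread, GL.iNet or OpenWrt): a POSIX shell script that prints the UCI batch commands so they can be reviewed before loading them on the router. It assumes OpenWrt 22.03 or later with firewall4, firewall zones named lan, guest, wan and wgclient as in the answer, and a constructed set name `fbset` with a constructed domain list; the `config ipset` sections for firewall and dhcp and the rule option `ipset` are used as I know them from those releases, and the DNS-populated set needs the dnsmasq-full package rather than the default dnsmasq.

```shell
#!/bin/sh
# Added example, not from the thread. Prints UCI batch commands for:
#  1. the four IP-range DROP rules from the answer (src x dest zones), and
#  2. an fw4 ipset filled by dnsmasq from DNS answers, matched instead of a
#     fixed range (survives IP changes, blocks only what resolves to the list).
# Assumed: OpenWrt 22.03+ with firewall4 and dnsmasq-full; zone names below;
# set name and domain list are constructed here. Adjust to your router.

BLOCK_NET="157.240.0.0/16"                 # range from the question
SRC_ZONES="lan guest"
DST_ZONES="wan wgclient"
SET_NAME="fbset"                           # constructed
SET_DOMAINS="instagram.com facebook.com"   # constructed sample list

# UCI batch commands for one DROP rule: $1 = src zone, $2 = dest zone.
ip_rule_cmds() {
    name="block_fb_$1_to_$2"
    cat <<EOF
set firewall.${name}=rule
set firewall.${name}.name='block fb $1 to $2'
set firewall.${name}.src='$1'
set firewall.${name}.dest='$2'
set firewall.${name}.dest_ip='${BLOCK_NET}'
set firewall.${name}.proto='all'
set firewall.${name}.target='DROP'
EOF
}

# All src x dest combinations: 2 x 2 = the four rules in the answer.
ip_rules() {
    for s in $SRC_ZONES; do
        for d in $DST_ZONES; do
            ip_rule_cmds "$s" "$d"
        done
    done
}

# Alternative: one fw4 ipset, a dnsmasq ipset section that fills it from the
# listed domains, and one DROP rule per source zone that matches the set.
ipset_cmds() {
    cat <<EOF
set firewall.${SET_NAME}=ipset
set firewall.${SET_NAME}.name='${SET_NAME}'
set firewall.${SET_NAME}.family='ipv4'
set firewall.${SET_NAME}.match='dest_ip'
set dhcp.${SET_NAME}=ipset
add_list dhcp.${SET_NAME}.name='${SET_NAME}'
EOF
    for dom in $SET_DOMAINS; do
        echo "add_list dhcp.${SET_NAME}.domain='${dom}'"
    done
    for s in $SRC_ZONES; do
        name="block_set_$s"
        cat <<EOF
set firewall.${name}=rule
set firewall.${name}.name='block ${SET_NAME} from $s'
set firewall.${name}.src='$s'
set firewall.${name}.dest='*'
set firewall.${name}.ipset='${SET_NAME}'
set firewall.${name}.proto='all'
set firewall.${name}.target='DROP'
EOF
    done
}

# Number of rule sections the IP-range variant creates (4 for the zones above).
count_ip_rules() { ip_rules | grep -c '=rule$'; }

# Usage: sh block_fb.sh         -> print the IP-range commands for review
#        sh block_fb.sh apply   -> load them into UCI and reload fw4 (router only)
case "${1:-}" in
    apply)
        command -v uci >/dev/null 2>&1 || { echo "uci not found; run this on the router" >&2; exit 1; }
        { ip_rules; echo "commit firewall"; } | uci batch
        /etc/init.d/firewall reload
        ;;
    *)
        ip_rules
        ;;
esac
```

Run `sh block_fb.sh` on any machine to see the commands; `sh block_fb.sh apply` feeds them to `uci batch` on the router and reloads the firewall. For the ipset variant, pipe `ipset_cmds` the same way and also commit `dhcp` and restart dnsmasq, since the set is only filled as clients resolve the listed domains through the router's DNS, which is why it has to be paired with DNS hijacking or DoH/DoT blocking as the answer says.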

It is pretty easy. Just block all ports that are not used by you.

For example I allow only: 443, 53, 21

Blocking DoH is not the case for me as it will break Firefox security.

I think it is just better to block ip sets.

But Tor cannot be blocked at all; there will always be a way to bypass via moats.

That's not a real solution. Security by obscurity.
Many VPNs will run on TCP/443 anyway.
