Adblock support thread

tmomas · August 23, 2017, 4:48pm

Leverbush · August 23, 2017, 4:58pm

nslookup doubleclick.net
Server:         200.42.4.199
Address:        200.42.4.199#53

Name:      doubleclick.net
Address 1: 172.217.28.206
Address 2: 2800:3f0:4002:805::200e

@tmomas I forgot Ive asked this here already, sorry about that.

dibdot · August 23, 2017, 6:29pm

Sorry, wrong lookup, please try the following:

> nslookup doubleclick.net <localhost/router IP>

that should produce something like that:

root@blackhole:~# nslookup doubleclick.net 192.168.1.254
Server: 192.168.1.254
Address: 192.168.1.254#53

** server can't find doubleclick.net: NXDOMAIN
** server can't find doubleclick.net: NXDOMAIN

Menion · August 23, 2017, 7:25pm

Hi
adblock 2.8.5 (but also older version) cannot start automatically with LEDE boot up, I have to start it manually from "startup" page or from shell with /etc/init.d/adblock
Same thing happen on a kirkwood router, sunxi and atheros router

dibdot · August 23, 2017, 7:34pm

Please post your adblock.conf (global section) and the output of 'ubus list'

Menion · August 23, 2017, 8:04pm

root@MenionRouter:~# ubus list
dhcp
hostapd.wlan0
hostapd.wlan0-1
log
network
network.device
network.interface
network.interface.WAN6
network.interface.lan
network.interface.loopback
network.interface.vpn0
network.interface.vpn1
network.interface.wan
network.rrdns
network.wireless
service
session
system
uci

config

config adblock 'global'
        option adb_cfgver '2.5'
        option adb_whitelist '/etc/adblock/adblock.whitelist'
        option adb_whitelist_rset '\$1 ~/^([A-Za-z0-9_-]+\.){1,}[A-Za-z]+/{print tolower(\"^\"\$1\"\\\|[.]\"\$1)}'
        option adb_forcedns '1'
        option adb_restricted '0'
        option adb_nullportssl '65443'
        option adb_percentage '0%/0%'
        option adb_overall_count '18229'
        option adb_lastrun '06.12.2016 10:37:06'
        option adb_triggerdelay '2'
        option adb_debug '1'
        option adb_forcesrt '0'
        option adb_backup '0'
        option adb_backupdir '/mnt'
        option adb_manmode '0'
        option adb_enabled '1'

dibdot · August 23, 2017, 8:13pm

That's a totally outdated config and the startup trigger entry is missing (adb_iface). Please start with a fresh config from main package repo and try again.

Menion · August 23, 2017, 8:56pm

Very good, thanks for the hint

ratsputin · August 23, 2017, 9:41pm

I'm receiving the following in the logs, attempting to bring up adblock v2.6.2-1:

Wed Aug 23 16:28:25 2017 user.notice adblock-[2.6.2] error: no active/supported DNS backend found
Wed Aug 23 16:28:25 2017 user.notice adblock-[2.6.2] error: Please check 'https://github.com/openwrt/packages/blob/master/net/adblock/files/README.md' (LEDE Reboot 17.01.2 r3435-65eec8bd5f)

I've removed Dnsmasq and replaced it with bind. Looking in the sources, it runs the following command:

ubus -S call service list

Here is the output from that command:

{"adblock":{"instances":{"adblock":{"running":false,"command":["\/usr\/bin\/adblock.sh"],"term_timeout":5}}},"collectd":{"instances":{"instance1":{"running":true,"pid":1686,"command":["\/usr\/sbin\/collectd","-f"],"term_timeout":5}}},"cron":{"instances":{"instance1":{"running":true,"pid":1601,"command":["\/usr\/sbin\/crond","-f","-c","\/etc\/crontabs","-l","8"],"term_timeout":5}}},"dnsmasq":{"instances":{"cfg02411c":{"running":false,"command":["\/usr\/sbin\/dnsmasq","-C","\/var\/etc\/dnsmasq.conf.cfg02411c","-k","-x","\/var\/run\/dnsmasq\/dnsmasq.cfg02411c.pid"],"term_timeout":5}}},"dropbear":{"instances":{"instance1":{"running":true,"pid":1621,"command":["\/usr\/sbin\/dropbear","-F","-P","\/var\/run\/dropbear.1.pid","-p","192.168.1.1:22","-p","fdda:5e85:487::1:22","-K","300"],"term_timeout":5,"data":{"mdns":{"ssh_22":{"service":"_ssh._tcp.local","port":22,"txt":["daemon=dropbear"]}}},"respawn":{"threshold":3600,"timeout":5,"retry":5}}}},"firewall":{},"gpio_switch":{},"log":{"instances":{"instance1":{"running":true,"pid":1145,"command":["\/sbin\/logd","-S","64"],"term_timeout":5,"respawn":{"threshold":3600,"timeout":5,"retry":5}}}},"named":{"instances":{"instance1":{"running":true,"pid":7144,"command":["\/usr\/sbin\/named","-u","bind","-f","-c","\/etc\/bind\/named.conf"],"term_timeout":5,"respawn":{"threshold":3600,"timeout":5,"retry":5}}}},"network":{"instances":{"instance1":{"running":true,"pid":1216,"command":["\/sbin\/netifd"],"term_timeout":5,"limits":{"core":"unlimited"},"respawn":{"threshold":3600,"timeout":5,"retry":5}}}},"odhcpd":{"instances":{"instance1":{"running":true,"pid":1232,"command":["\/usr\/sbin\/odhcpd"],"term_timeout":5,"respawn":{"threshold":3600,"timeout":5,"retry":5}}}},"rpcd":{"instances":{"instance1":{"running":true,"pid":1154,"command":["\/sbin\/rpcd"],"term_timeout":5}}},"sysntpd":{"instances":{"instance1":{"running":true,"pid":1769,"command":["\/usr\/sbin\/ntpd","-n","-N","-S","\/usr\/sbin\/ntpd-hotplug","-p","0.lede.pool.ntp.org","-p","1.lede.pool.ntp.org","-p","2.lede.pool.ntp.org","-p","3.lede.pool.ntp.org"],"term_timeout":5,"respawn":{"threshold":3600,"timeout":5,"retry":5}}}},"system":{},"tor":{"instances":{"instance1":{"running":true,"pid":1637,"command":["\/usr\/sbin\/tor","--runasdaemon","0"],"term_timeout":5}}},"ubus":{"instances":{"instance1":{"running":true,"pid":902,"command":["\/sbin\/ubusd"],"term_timeout":5,"respawn":{"threshold":3600,"timeout":1,"retry":0}}}},"uhttpd":{"instances":{"instance1":{"running":true,"pid":1658,"command":["\/usr\/sbin\/uhttpd","-f","-h","\/www","-r","LEDE","-x","\/cgi-bin","-u","\/ubus","-t","60","-T","30","-k","20","-A","1","-n","3","-N","100","-R","-p","0.0.0.0:80","-p","[::]:80","-q"],"term_timeout":5,"respawn":{"threshold":3600,"timeout":5,"retry":5}}}},"urandom_seed":{"instances":{"urandom_seed":{"running":false,"command":["\/sbin\/urandom_seed"],"term_timeout":5}}}}

Digging through the list, I do see the following:

"named":{"instances":{"instance1":{"running":true,"pid":7144,"command":["\/usr\/sbin\/named","-u","bind","-f","-c","\/etc\/bind\/named.conf"]

It looks like the code does support this; am I missing something here?

Thanks,

Brett

Leverbush · August 23, 2017, 10:41pm

Same result as before. Im running default settings on everything except on dnscrypt where im using three resolvers.
Just enabled "Force local DNS" and "Force Overall Sort" but nothing. Restarting adblock didnt help so far either.

dibdot · August 24, 2017, 6:59am

Hi,

bind support has been added in 2.8.x release series, so please take the latest adblock snapshot release and read the online documentation regarding bind integration (both links are in the first post of this thread).

dibdot · August 24, 2017, 7:04am

Then you've borked your dnsmasq configuration ... in the other thread you've mentioned that all works quite well - try to remember what you have changed afterwards and revert it ...

maurer · August 24, 2017, 1:00pm

hey there,

i'm trying to work on turris omnia with latest 2.8.5 and kresd (default) but it seems that it's somehow not parsing the lists:
log below

2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: info : start adblock processing ...
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: action: , manual_mode:0, backup: 0, dns: dnsmasq, fetch: busybox (-), mem_total: 1031, force_srt/_dns: 0/1
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: adaway, enabled: 1, url: https://adaway.org/hosts.txt, rset: $0 ~/^127\.0\.0\.1[ \t]+([A-Za-z0-9_-]+\.){1,}[A-Za-z]+/{print tolower($2)}
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: adaway, mode: restore, count: 0, in_rc: 127, out_rc: 127
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: adaway, mode: remove, count: 0, in_rc: 127, out_rc: 0
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: adguard, enabled: 0, url: https://raw.githubusercontent.com/AdguardTeam/AdguardDNS/master/Filters/filter.txt, rset: {FS="[|^]"} $0 ~/^\|\|([A-Za-z0-9_-]+\.){1,}[A-Za-z]+\^$/{print tolower($3)}
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: adguard, mode: remove, count: 0, in_rc: 4, out_rc: 0
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: blacklist, enabled: 0, url: /etc/adblock/adblock.blacklist, rset: $1 ~/^([A-Za-z0-9_-]+\.){1,}[A-Za-z]+/{print tolower($1)}
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: blacklist, mode: remove, count: 0, in_rc: 4, out_rc: 0
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: disconnect, enabled: 1, url: https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt, rset: $1 ~/^([A-Za-z0-9_-]+\.){1,}[A-Za-z]+/{print tolower($1)}
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: disconnect, mode: restore, count: 0, in_rc: 127, out_rc: 127
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: disconnect, mode: remove, count: 0, in_rc: 127, out_rc: 0
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: dshield, enabled: 0, url: https://www.dshield.org/feeds/suspiciousdomains_Low.txt, rset: $1 ~/^([A-Za-z0-9_-]+\.){1,}[A-Za-z]+/{print tolower($1)}
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: dshield, mode: remove, count: 0, in_rc: 4, out_rc: 0
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: feodo, enabled: 0, url: https://feodotracker.abuse.ch/blocklist/?download=domainblocklist, rset: $1 ~/^([A-Za-z0-9_-]+\.){1,}[A-Za-z]+/{print tolower($1)}
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: feodo, mode: remove, count: 0, in_rc: 4, out_rc: 0
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: hphosts, enabled: 0, url: https://hosts-file.net/ad_servers.txt, rset: $0 ~/^127\.0\.0\.1[ \t]+([A-Za-z0-9_-]+\.){1,}[A-Za-z]+/{print tolower($2)}
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: hphosts, mode: remove, count: 0, in_rc: 4, out_rc: 0
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: malware, enabled: 0, url: https://mirror.cedia.org.ec/malwaredomains/justdomains, rset: $1 ~/^([A-Za-z0-9_-]+\.){1,}[A-Za-z]+/{print tolower($1)}
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: malware, mode: remove, count: 0, in_rc: 4, out_rc: 0
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: malwarelist, enabled: 0, url: http://www.malwaredomainlist.com/hostslist/hosts.txt, rset: $0 ~/^127\.0\.0\.1[ \t]+([A-Za-z0-9_-]+\.){1,}[A-Za-z]+/{print tolower($2)}
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: malwarelist, mode: remove, count: 0, in_rc: 4, out_rc: 0
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: openphish, enabled: 0, url: https://openphish.com/feed.txt, rset: {FS="/"} $3 ~/^([A-Za-z0-9_-]+\.){1,}[A-Za-z]+/{print tolower($3)}
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: openphish, mode: remove, count: 0, in_rc: 4, out_rc: 0
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: palevo, enabled: 0, url: https://palevotracker.abuse.ch/blocklists.php?download=domainblocklist, rset: $1 ~/^([A-Za-z0-9_-]+\.){1,}[A-Za-z]+/{print tolower($1)}
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: palevo, mode: remove, count: 0, in_rc: 4, out_rc: 0
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: ransomware, enabled: 0, url: https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt, rset: $1 ~/^([A-Za-z0-9_-]+\.){1,}[A-Za-z]+/{print tolower($1)}
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: ransomware, mode: remove, count: 0, in_rc: 4, out_rc: 0
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: reg_cn, enabled: 0, url: https://easylist-downloads.adblockplus.org/easylistchina+easylist.txt, rset: {FS="[|^]"} $0 ~/^\|\|([A-Za-z0-9_-]+\.){1,}[A-Za-z]+\^$/{print tolower($3)}
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: reg_cn, mode: remove, count: 0, in_rc: 4, out_rc: 0
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: reg_pl, enabled: 0, url: http://adblocklist.org/adblock-pxf-polish.txt, rset: {FS="[|^]"} $0 ~/^\|\|([A-Za-z0-9_-]+\.){1,}[A-Za-z]+\^$/{print tolower($3)}
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: reg_pl, mode: remove, count: 0, in_rc: 4, out_rc: 0
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: reg_ro, enabled: 0, url: https://easylist-downloads.adblockplus.org/rolist+easylist.txt, rset: {FS="[|^]"} $0 ~/^\|\|([A-Za-z0-9_-]+\.){1,}[A-Za-z]+\^$/{print tolower($3)}
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: reg_ro, mode: remove, count: 0, in_rc: 4, out_rc: 0
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: reg_ru, enabled: 0, url: https://easylist-downloads.adblockplus.org/ruadlist+easylist.txt, rset: {FS="[|^]"} $0 ~/^\|\|([A-Za-z0-9_-]+\.){1,}[A-Za-z]+\^$/{print tolower($3)}
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: reg_ru, mode: remove, count: 0, in_rc: 4, out_rc: 0
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: securemecca, enabled: 0, url: http://securemecca.com/Downloads/hosts.txt, rset: $0 ~/^127\.0\.0\.1[ \t]+([A-Za-z0-9_-]+\.){1,}[A-Za-z]+/{print tolower($2)}
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: securemecca, mode: remove, count: 0, in_rc: 4, out_rc: 0
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: shalla, enabled: 0, url: http://www.shallalist.de/Downloads/shallalist.tar.gz, rset: {FS="/"} $1 ~/^([A-Za-z0-9_-]+\.){1,}[A-Za-z]+/{print tolower($1)}
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: shalla, mode: remove, count: 0, in_rc: 4, out_rc: 0
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: spam404, enabled: 0, url: https://raw.githubusercontent.com/Dawsey21/Lists/master/main-blacklist.txt, rset: $1 ~/^([A-Za-z0-9_-]+\.){1,}[A-Za-z]+/{print tolower($1)}
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: spam404, mode: remove, count: 0, in_rc: 4, out_rc: 0
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: sysctl, enabled: 0, url: http://sysctl.org/cameleon/hosts, rset: $0 ~/^127\.0\.0\.1[ \t]+([A-Za-z0-9_-]+\.){1,}[A-Za-z]+/{print tolower($2)}
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: sysctl, mode: remove, count: 0, in_rc: 4, out_rc: 0
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: whocares, enabled: 0, url: http://someonewhocares.org/hosts/hosts, rset: $0 ~/^127\.0\.0\.1[ \t]+([A-Za-z0-9_-]+\.){1,}[A-Za-z]+/{print tolower($2)}
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: whocares, mode: remove, count: 0, in_rc: 4, out_rc: 0
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: winspy, enabled: 0, url: https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/win10/spy.txt, rset: $0 ~/^0\.0\.0\.0[ \t]+([A-Za-z0-9_-]+\.){1,}[A-Za-z]+/{print tolower($2)}
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: winspy, mode: remove, count: 0, in_rc: 4, out_rc: 0
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: winhelp, enabled: 0, url: http://winhelp2002.mvps.org/hosts.txt, rset: $0 ~/^0\.0\.0\.0[ \t]+([A-Za-z0-9_-]+\.){1,}[A-Za-z]+/{print tolower($2)}
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: winhelp, mode: remove, count: 0, in_rc: 4, out_rc: 0
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: yoyo, enabled: 1, url: https://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=0&mimetype=plaintext, rset: $1 ~/^([A-Za-z0-9_-]+\.){1,}[A-Za-z]+/{print tolower($1)}
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: yoyo, mode: restore, count: 0, in_rc: 127, out_rc: 127
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: yoyo, mode: remove, count: 0, in_rc: 127, out_rc: 0
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: zeus, enabled: 0, url: https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist, rset: $1 ~/^([A-Za-z0-9_-]+\.){1,}[A-Za-z]+/{print tolower($1)}
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: debug: name: zeus, mode: remove, count: 0, in_rc: 4, out_rc: 0
2017-08-24T12:58:53+03:00 notice adblock-[2.8.5]: info : block list with overall 0 domains loaded successfully (OpenWrt omnia 15.05)

dibdot · August 24, 2017, 1:56pm

Hi,
you're are my first turris omnia volunteer - welcome!
At a first glance two problems here in the log:

adblock detects "dnsmasq" as dns backend. Probably kresd & dnsmasq are running in parallel and dnsmasq comes first in the detection procedure. To overwrite the default, please set in the global section of adblock.conf:
option adb_dnslist 'kresd'
You are using busybox wget applet without SSL support for your downloads, therefore you can't download any list from SSL download sites. Please install full wget package with SSL support.

Also please check the online documentation for further kresd integration ... but as I said before, this is completely untested ... good luck!

maurer · August 24, 2017, 2:09pm

hi,

1 is done.
for 2 i've just commented the fetch_client validation part and it worked:

ssl_lib="-"
if [ -x "${adb_fetch}" ]
then

   if [ "$(readlink -fn "${adb_fetch}")" = "/usr/bin/wget-nossl" ]

```
   then
```

       adb_fetchparm="--no-config --quiet --no-cache --no-cookies --max-redirect=0 --timeout=10 -O"

   elif [ "$(readlink -fn "/bin/wget")" = "/bin/busybox" ] || [ "$(readlink -fn "${adb_fetch}")" = "/bin/busybox" ]

```
   then
```
```
       adb_fetch="/bin/busybox"
```
```
       adb_fetchparm="-q -O"
```
```
   else
```
```
       ssl_lib="built-in"
```
```
   fi
```
fi

and got 2017-08-24T14:09:18+03:00 notice adblock-[2.8.5]: info : block list with overall 9814 domains loaded successfully (OpenWrt omnia 15.05)

but checking a ad domain returns the IP
root@turris:/tmp# nslookup zmt100.com localhost
Server: 127.0.0.1
Address 1: 127.0.0.1 localhost

Name: zmt100.com
Address 1: 162.221.6.13

the list is populated correctly i think
root@turris:/tmp# grep -m 5 .co /tmp/kresd/adb_list.overall
0001.2waky.com CNAME .
*.0001.2waky.com CNAME .
001wen.com CNAME .
*.001wen.com CNAME .
009blog.com CNAME .
...

dibdot · August 24, 2017, 2:25pm

I've send you a PM for further analysis.

metric · August 24, 2017, 3:18pm

I am using adblock version 2.6.2 from the latest stable release. I notice the same bug as AdBlock: Whitelist not working? #4534

In addition, clients in LAN and guest network are able to change system DNS entry and bypass adblock although I have checked force DNS.

I have rebooted the router and confirmed that the whitelist and force DNS setting are saved.

I am looking for snapshot version but cannot find it for ar71xx architecture. I have TP-Link TL-WDR3600 v1

dibdot · August 24, 2017, 3:33pm

This package is architecture independent - just use the download links from the first post.

Is your router configured as an AP in your LAN? If so, than this firewall rule can't work, of course ... it only makes sense in "classic" router mode.

metric · August 25, 2017, 12:02am

@dibdot Thanks for the quick reply. I upgraded to the latest version 2.8.5. Now the whitelist works fine. I did not know that there are platform independent packages.

The router is in classic standalone router mode. One WAN, One home LAN, and One Guest network on a separate subnet. Wfi radio is only connected to the guest network and home LAN has a separate AP.

Guests only get IPV4 addresses. home LAN has both IPV6 and IPV4.

Even after using "Force local DNS" option guests are able to use their own dns server. I am thinking of adding a custom firewall rule for guest network 192.168.2.0

iptables -t nat -A PREROUTING -s 192.168.2.0/24 -p udp --dport 53 -j DNAT --to 192.168.1.1
Will this work?

I have 128 MB RAM so I enabled most of the lists except region specific lists. (I am assuming that the lists stay in the memory and do not create excessive flash writes). The router seems to handle it ok and I still have ~60% RAM free.

dibdot · August 25, 2017, 5:38am

if the guests are coming from a different subnet/zone the rule doesn't work, at this stage it's hardcoded to 'lan' zone. In your /etc/config/firewall you should find something like this:

config redirect 'adblock_dns'
option name 'Adblock DNS'
option src 'lan'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'

Simply change the src-option, restart the firewall and it should work ...