OpenWRT Part 3 – Network-level blocks

This will be a guide on how to configure network-level blocks to restrict malware, advertising and other unwanted media entering the network. You’ll have to reach your own moral conclusions on whether or not this is something you wish to pursue. By not allowing adverts on to your LAN, you will be depriving the sites you visit of revenue. If you are making direct payments to them via Flatter, Patreon etc then it’s probably OK.

The counter argument is that the advertising networks are an egregious invasion of privacy tracking you wherever you go on-line, a vector for malware and distracting from the content you wish to view. All well and good, but when there’s no money to support the production of said content; how happy will you be?

One thing to bear in mind is that a network-level block can’t be disabled per-site, affects every client on the network and will almost certainly break some services. If you do decide to pursue this, consider blocking only the worst offenders and running a white-list as well to permit some “advertising” services through.

Old Way

There’s one general approach you’ll find well documented for OpenWRT and for DD-WRT:

  1. Run a new web instance to serve a blank GIF. Use a different port or IP address
  2. Configure dnsmasq to block/white-list domains
  3. Have a firewall rule redirect requests to the new uhhtp instance.
  4. Have script launch everything at boot and update the lists.

This is a good guide for DD-WRT. For OpenWRT you could use this or this.

New Way

There is now an OpenWRT package to simplify this (although I still recommend reading the above guide so you understand what is happening), so we’ll go with that. For Chaos Calmer there’s no packages just yet, so ssh into the router, wget the latest git builds an install (correct at time of writing):

opkg install adblock_1.2.8-1_all.ipk 
opkg install luci-app-adblock_git-16.171.60975-65c7610-1_all.ipk

You can set which lists you want to use by editing /etc/config/adblock, or by using the GUI installed above.

Various configuration options for the network-level block

Various configuration defaults for the network-level block

All that remains now is to pick you list options (selecting them all will block ~80k domains), figure out which services are now broken so they can be white-listed and then set a crontab to update the block-lists. System/Scheduled Tasks and then add:

# start adblock script once a day at 0500.
0 05 * * *    /etc/init.d/adblock start

Even though the option is “start”, it will also take care of the updates.

One interesting thing to do, is to test it. So ssh into your router if not there already and stop adblock

/etc/init.d/adblock stop

Now ping doubeclick:

PING ( 56 data bytes
64 bytes from seq=0 ttl=49 time=30.735 ms
64 bytes from seq=1 ttl=50 time=32.105 ms

Enable adblock:

/etc/init.d/adblock start

And try to ping doubclick again:

PING ( 56 data bytes
ping: sendto: Operation not permitted

Here to can see the non-LAN IP address that has been resolved, this is what the script is then using to send 1×1 GIFs to your browser when on the interwebs.

Leave a Reply