DNS Filtering - Ubiquiti Networks EdgeRouter Configuration

  • Published on 13 Jan 2025

Comments • 59

  • @Red1Wollip 8 years ago

    Willie you do a very professional presentation of the subject matter. I am like you, when I hear Symantec I normally run the other way. This looks like just what I need for the safety of my grandsons on the internet. Thanks again for a great job.

  • @pctech12345 6 years ago +2

    If you have a Ring Doorbell, it uses port 53. Ask me how I know. LOL. Fixed it by adding a rule to the top of the stack to allow port 53 for that source MAC address.

  • @stephenwright4124 8 years ago

    Willie, great video... just found your channel and found the answer to the OpenDNS issue I have been having... presentation is excellent... am also deploying some Ubiquiti network equipment over the next week or two. It's nice to visually see confirmation or correction of the configs I am trying to use... thank you for doing these videos... it is a great help...

  • @jonathanhollinger3287 8 years ago +1

    Thank you so much! That really helped me get this router configured. Cheers!

  • @pctech12345 6 years ago +1

    Hello, thanks for looking at my comment. So, I could not get this to work on my new EdgeRouter 4 with firmware v1.10.5. The only thing that I changed from your video was the DNS service; I went with OpenDNS Family. If I configured the DNS in Windows, it would work fine and block sites. But if I just put it in the system tab on the router, it did not block the bad sites. DNS forwarding was listening to eth1 and 2. I think it may have to do with the cache on the router. I found a workaround by going to the config tree (service / DNS / forwarding: DNS forwarding), and adding the DNS under the name-server section. Should it have worked without going to the config tree?

    • @triniallan 6 years ago

      Your workaround worked for me for about 5 minutes but then it just went back to not working. In my case, it blocked everything.

  • @mrrosslwilliams 8 years ago

    Really enjoy your presentation style. Good work.

  • @jungleboyfromoz 7 years ago +4

    Willie, you're the best... finally something that blocks porn from my kids!

  • @mikewood9869 8 years ago

    If I wanted to use the "C" pair on my guest network for the young ones, and the "B" pair on my corporate network, would I define two /24 networks in the Unifi controller (one corp and one guest) and a single /23 on the EdgeRouter or something like that? And I guess we would still want to block other dns, that would look basically the same. Any thoughts?

  • @DanteEsmont 2 years ago

    Hi Willie, do you know how to make your router gui inaccessible to the wan?

  • @mhapp1203 8 years ago +1

    Thank you for your video and it worked great. I have a question. Instead of blocking all other DNS traffic, how would you redirect it to those same Norton DNS servers instead of blocking, where it would be seamless for the end user: instead of getting a "page can't be displayed" message in their browser, it would just continue to use the router's DNS servers that provide the filtering?

    • @mhapp1203 8 years ago +1

      I'm already handing out the correct DNS through DHCP. What if this was used for a public network and you didn't have access to their device? If they manually set their device to 8.8.8.8, instead of them not being able to get out online, how would you just redirect them to the router's DNS servers that you want them to use instead of blocking? This article kind of explains it without giving the step by step in the GUI. community.ubnt.com/t5/EdgeMAX/Forced-redirect-of-DNS-for-public-hotspot/td-p/1419636

    • @mhapp1203 8 years ago

      Thank you.

    • @TainuiaKid1973 6 years ago

      You can also redirect the DNS to the router using iptables rules.
      First set up OpenDNS (or your preferred DNS) in your router on the WAN side and then add these two rules to your firewall:
      iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT
      iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT
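
Added example, not part of the comment above or of the video: the two rules as posted carry no inbound interface, so they match DNS packets arriving on every interface. The sketch below prints interface-scoped equivalents and audits an `iptables-save -t nat` dump for unscoped port-53 redirects. The interface names, the router address 192.168.1.1 and the sample dump are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the comment above). The interface names and the
# router address 192.168.1.1 used in the demo are assumptions.

# Emit REDIRECT rules limited to the named LAN interfaces, so only client
# traffic entering there is steered to the router's own resolver. Queries
# already addressed to the router ($1) are not touched.
dns_redirect_rules() {
    router_ip=$1; shift
    for ifc in "$@"; do
        for proto in udp tcp; do
            echo "iptables -t nat -A PREROUTING -i $ifc -p $proto ! -d $router_ip --dport 53 -j REDIRECT"
        done
    done
}

# Read `iptables-save -t nat` text on stdin; print each PREROUTING rule that
# redirects port 53 without an inbound interface (-i). Returns 1 if any found.
audit_dns_redirects() {
    awk '
        /^-A PREROUTING/ && /--dport 53( |$)/ && /-j (REDIRECT|DNAT)/ {
            if ($0 !~ / -i [^ ]+/) { print "unscoped: " $0; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample dump: the first two rules are the ones from the comment
# as iptables-save lists them; the last two are scoped to eth1.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT
-A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT
-A PREROUTING ! -d 192.168.1.1/32 -i eth1 -p udp -m udp --dport 53 -j REDIRECT
-A PREROUTING ! -d 192.168.1.1/32 -i eth1 -p tcp -m tcp --dport 53 -j REDIRECT
COMMIT'

# Demo: print scoped rules for one LAN port, then audit the sample dump.
dns_redirect_rules 192.168.1.1 eth1
printf '%s\n' "$SAMPLE_DUMP" | audit_dns_redirects || echo "review the rules listed above"
```

Rules entered directly with `iptables` are not part of the EdgeOS configuration, so they are lost on reboot unless they are re-applied or expressed as a NAT rule in the router's config.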

  • @binamrabhatta5312 6 years ago

    Hi Willie,
    For some reason, when I set my eth0 to static (which has the same IP as DHCP), I lose internet connectivity. I am using Unifi AP on eth1. Do you know why this happens?

  • @jamesdavies686 4 years ago

    If I have an alternate DNS server (pi hole) I don't need to set anything under DNS forwarding correct?

  • @simbin. 8 years ago

    Is there a way to locally (on EdgeRouter) block a list of outbound DNS addresses instead of tunneling out externally to a 3rd-party?

  • @OscarVasquez1 8 years ago +1

    Hi Willie, your tutorial worked wonderfully. Just had a quick question. How do you configure the rule to work only for a specific client (ip) or IP group?

    • @OscarVasquez1 8 years ago

      I think I understand what that means and will give it a try, but I am better at following instructions. If you ever have the time to create some instructions on this secondary step that would be awesome and greatly appreciated.

  • @michaelkalsina3285 8 years ago

    Willie, I enjoy your videos, they are great to watch, although I have been trying this tutorial on DNS filtering and have had no luck. I would like to implement something like this, but it hasn't worked for me.

    • @michaelkalsina3285 8 years ago

      I get all the way through the config part, but when I try to type any URL it tells me that there is no Internet connection, so then I have to go through and delete the rules created to be able to get back online.

    • @michaelkalsina3285 8 years ago

      Norton option 2 same as your Video

    • @michaelkalsina3285 8 years ago

      Last time I checked was yesterday and they were the same. I've attempted this several times now and I keep getting the same result. I went as far as changing the DNS settings in my DHCP lease on the router.

  • @spacemarine40k 8 years ago

    I tried doing this with OpenDNS on my edgerouter v1.9.1 and it blocked all traffic. I also tried using a DNS box inside my network (Pi-Hole) with no luck. Any advice?

  • @DanK30 7 years ago

    Can I apply it to only one of my ports, like only for eth1, but the rest can use whatever DNS they want?

  • @stephenwright4124 8 years ago

    Hi Willie... I am setting up an EdgeRouter with 3 Ubiquiti access points and am trying to use this DNS filtering technique. DNS forwarding is listening on both eth1 and switch0. Nslookup fails whenever I try to use a name server other than the one in the firewall rules (the filtering DNS servers), so I am confident the rules are working. Nslookup testing shows that it is using 192.168.1.1 (the router) as the name server, but it does not block the unwanted content. It doesn't look like it is being redirected to the blocked content landing page. Any ideas what I am doing wrong?

    • @stephenwright4124 8 years ago

      Yes... I configured the rules to prevent all DNS traffic except the DNS servers I want used. Testing with nslookup proves that the client is using the router for DNS... testing with a browser allows access to the site that should be blocked. To prove the rules are working I used nslookup with Google DNS servers... the nslookup fails, so I am pretty sure the rules are working... I worked around the issue by having the DHCP servers provide the DNS filtering servers to each client rather than the gateway of the subnet, and it does perform the blocks as expected. It just leaves a hole in the protection. I tried changing the DHCP to provide the router IP on both subnets but the result was the same. Sites that should be blocked are not.

    • @stephenwright4124 8 years ago

      I think I found the problem... eth0 is DHCP; it is getting DNS servers from the ISP in addition to the servers configured in the GUI. From the CLI, show dns forwarding name servers shows multiple DNS servers in addition to the ones configured in the GUI...

  • @triniallan 6 years ago

    Hi Willie, will this block file sharing and video sharing?

  • @4500ABC 8 years ago

    Hi Willie, love the videos, great work. Two quick questions... why did you set up the Norton DNS IPs in the system nameservers, and why port 53?

    • @jungleboyfromoz 7 years ago

      Willie Howe, before I set this up, if I don't set the name servers, and just define the DNS servers in the DHCP settings of my guest kids network... will this still work?
      PS love all your videos, 10k here you come 👏🏼

  • @georgetaylor2672 8 years ago

    Will this work without the firewall rules if the firewall is off?

  • @mikewood9869 8 years ago

    Can this be used in conjunction with the dnsmasq.sh and cron job you did in the other video? Great work btw thanks so much!

    • @mikewood9869 8 years ago

      Same here. Thanks a mil.

  • @kylevalle4843 6 years ago

    Can I use my ASUS router as an AP with the Ubiquiti for wireless?

  • @centaurs63 7 years ago

    Hello, Willie, I know this is an old video. But did you do a video like this for the USG?

    • @vipmer377 7 years ago

      What do you suggest for the USG? Is openDNS a good option?

  • @jrmbtr 8 years ago

    Can you acknowledge and/or show if the DNS filtering works if accessing sites via search engine?
    Can you do the same with any known malicious sites?

    • @jrmbtr 8 years ago

      Thank you! I came your way from CrossTalk, glad I did.
      Would this filtering also work for ads on sites (without having adblock installed)? I know people have concerns of some ads that will play within YouTube or even Facebook that their children shouldn't see.

    • @jrmbtr 8 years ago

      Thank you so much for your help and responsiveness. Would any of the EdgeRouter stuff translate to the USG?

    • @jrmbtr 8 years ago

      +Willie Howe thank you! I've been using Unifi APs for a little while professionally, but I'm moving into a new house and plan to do a whole "test" production environment with them: USG, Unifi Switch, APs, etc. I wish the new Amplifi kits would be applicable to me, but they may be stuff I can recommend to family.

  • @derrickwilson8549 4 years ago

    Been trying to set this up on my router but it is not working

  • @sebastianjul5048 8 years ago

    Hello
    Is it possible to use the Norton ConnectSafe on only the guest network via Unifi cloud?

    • @sebastianjul5048 8 years ago

      Okay, so it is not possible to make it work with Norton ConnectSafe?

  • @ChrisHolzer 7 years ago

    Could I have those restricted DNS active on just one VLAN? My idea is to have an "unrestricted" VLAN1 that uses the normal DNS, but for the kids I create a separate VLAN (incl. separate W-LAN) which uses those restricted DNS servers. How could I achieve this? :)

    • @ChrisHolzer 7 years ago

      I followed your guide. My client gets 199.85.126.20 & 199.85.127.20 as DNS. All other DNS requests get blocked (tested with nslookup like you did). However porn sites are not blocked. I can still access the sites that were blocked in your video. I also tried to flush the DNS, but no change. What could I have done wrong? :-/

    • @ChrisHolzer 7 years ago

      After more research and help from OpenDNS, it appears that my ISP uses a stealth proxy cache, and because of that neither OpenDNS nor Norton work for me. :-/ Here is the topic in case you are interested. support.opendns.com/hc/en-us/community/posts/115007097508-Web-Content-Filtering-not-working-and-I-don-t-know-why

  • @mrStarcKbe 8 years ago

    Great video, as all the others are too, but for people running the WAN interface with the DHCP setting this will not work, because the EdgeRouter will use the DNS of the ISP. Therefore they should use content filtering. If I am not mistaken.

    • @mrStarcKbe 8 years ago +2

      Correction, it's working but the chrome kept the route from opened when stuff changed. Somehow the "in private browsing" isn't that private either.

  • @Partlowj32 5 years ago

    Willie!! Will this affect current L2tp configuration?

    • @Partlowj32 5 years ago

      @WillieHowe great! I didn't think so due to specified VPN DNS. I'll give it a go using OpenDNS. Thanks Willie!

  • @mikewood9869 8 years ago

    ...with an EdgeRouter X and a UniFi AP AC LR only.

    • @mikewood9869 8 years ago

      yes it was just a clarification. Thanks a mil.

  • @dennisallen4342 6 years ago

    Does this work?

  • @ChristianLaurila 8 years ago

    I'm obviously completely useless. Your guides are perfect for an idiot that bought a way too advanced router. But funny thing, somehow, after following every step of your way, I somehow ended up blocking the entire internet, except for Facebook.. :P

  • @dhonespaulo 6 years ago

    It would be good if it were in Portuguese

  • @macster1457 8 years ago

    OpenDns is much better than that.. but, none of them block porn images in google or any other search engine...they only block domains, but if you type the word porn in google images, you will see, well, porn. - - Also, anyone who installs a chrome or firefox vpn plugin will be able to bypass ANY and ALL router settings.

  • @elvispressedtalot9899 6 years ago

    So this is for NO PORN whatsoever... I shall download this for humanity's sake :/ :D