How To: Block Access To Specific Websites from your Router using Tomato Firmware

Tomato firmware is a free, downloadable firmware for the Linksys WRT series and some Buffalo and Asus routers which provides vastly improved functionality over the stock firmware. One of the nice things about Tomato, assuming you have a router which it’ll run on, is that it provides a very configurable method of selectively blocking access to the net in general, specific applications or protocols, or even specific websites. So if you have youngish kids who have (largely) unsupervised access to a computer with a net connection, you can keep them away from social networking sites like facebook, myspace, habbo etc. pretty easily. Here’s how:

1.) Go to you routers web interface ( on my setup) and click on Access Restriction


2.) Click on Add to create a new rule


3.) Untick Block All Internet Access to display the full options list, and set it up something like this:


In the above example I’m only blocking selected machines (so the wife still has access to facebook etc.) – the PC the kids have access to is, and my IP is 101 (so I can test the blocks on my machine before removing myself from the block list).

The blocklist uses regex sub-string matching to decide which sites to block as follows:

  • Regular words on their own are blocked if they occur anywhere in the site URL, so for example, having the word facebook in there will block sites such as:,,, anything.facebook.anything-else
  • Words with a dollar sign at the end of them will block domains ending with what you’ve specified, that is, putting: .com$ would block ALL sites ending with .com, so putting$ would block,,, etc. etc.
  • Words starting with a caret (^) block all domains starting with what you’ve specied, that is, putting: ^chat will block sites like, but not or
  • Words starting with a caret and ending with a dollar sign blocks that exact address, i.e. ^$ would block, but not or (i.e.this page)

You can also block specific protocols (BitTorrent, eDonkey, LimeWire etc.) using the built-in IPP2P module, or via Layer 7 (Application Layer) deep packet inspection, which can detect and block traffic of specific types (World of Warcraft, FTP, Flash etc. etc.) regardless of what port they’re running on. Which is both amazingly awesome and slightly depressing at the same time.

I’m a firm believer in preparing the child for the world, and not the world for the child – but sometimes it can make life easier to restrict the amount of mischief they can get up to, hence the social networking blockage. Now all you need to do is make sure you’ve got a strong password on your router (which isn’t stored on a post-it note under your keyboard) and you can keep the little darlings out of harms way with a few clicks… Until they discover pr0n, where you’re going to probably going to have to take a whitelist rather than a blacklist approach like this.

Once you’ve started, where does it end, eh?

Anyways – Happy Benevolent Dictatorship!

56 thoughts on “How To: Block Access To Specific Websites from your Router using Tomato Firmware”

  1. Hello. Thanks for the great article. I see so many of these types of articles allude to protection of the children and how this method should not be used to shelter the children. That’s fine. I’m all for preparing my children for the mean streets. However, I am using these methods to block sites so my children don’t hog every available MB of bandwidth flowing into the house with youtube, farmville facespace, pandora,, etc. I can tell them not to youtube, not to pandora, but if I am in the middle of a WebEx with a client, and my clients are demonstrating issues live that I see 20 seconds later, as the sysadmin of my household, I am going to draconianishly (my new word) block their access to sites I know suck up all of the bandwidth to the detriment of other network users. My kids are pretty good kids. They make good grades, don’t get into trouble, they are smart kids….But they don’t always do what I tell them to do. I’ll pick my battles of will. Blocking access to websites is something I am just not going to argue about. It’s not a moral issue. It’s not an issue with much value to be learned. When they go to college, their administrators are going to cap their use of PTP and social media and sharing sites. When they graduate from school and get their own places to live, they can get internet and go hog wild. Thanks again, and thanks for not being too smug about censorship, etc. Some of us have legitimate reasons to block (I know all about QoS, etc., I’m just not going to deal with it in my house. On weekends, I can shut off access restrictions.)

    1. Great comment – and I absolutely concur that sometimes you have to pick your battles with the young ‘uns.

      Glad you found the article of use – I guess that’s why I write ’em :)


    2. Tomato firmware also has qos. If bandwidth priority is your issue, then you can specify what ports or app types get priority. Maybe even set bandwidth limits by ip or connection type. Tomato is very flexible.

      1. Good day,

        It would be so generous if you could help me to apply bandwidth quotas.
        I have flashed Netgear WNR3500Lv2 with Tomato.
        I have 30 user , i want to allot 2Gb data to each.
        Is it possible I can do with tomato.


  2. Hi r3dux,

    I came across your article while surfing web for solution to restrict internet access.
    Your method is useful, but it will be very troublesome for me to setup the rules.

    I am in a office environment, and I want staff to access only certain webpages that will be relevant to work.
    I learned how to block certain site or block all from you, but you also mentioned a white list at the end of your article.
    I am thinking of placing two rules, one is to restrict any access to internet, and set another rule to allow access of specified website.
    However, I am stuck on how to set up a “allow” rule. Do you happen to know how to set up such?

    thanx in advance.


    1. Hi Harry,

      If you’re not going to block from the router, then you have to block from the system, for which you could use the system’s hosts file.

      You can set up a whitelist (where only the websites you want allowed can be accessed) by reading this guide, however, if the system users have administrator access, they can modify the hosts file to circumvent the block.

      However, If I were in your shoes – I wouldn’t block access at all; I’d advise the staff that the computers are for work use during work hours, and only during specified lunch or tea breaks can they be used for personal use (browsing, banking, facebook etc).

      If you make that policy clear to them, then they shouldn’t waste time messing about on the net when they should be working (and if they continue to mess around in work time, you can take any disciplinary steps you may consider necessary).

      The other benefit of not blocking sites is morale. Blocking websites is a workplace frustration that can lead to lowered morale, as the whitelist you provide will invariably not contain all the sites which might be required for the staff to perform their roles to the best of their abilities. If you give them free reign, with a recognised, clearly explained and enforced policy, then your workforce will be happier and more productive without the need for any blocking, and the associated problems that it can introduce.

      Just my two-cents…


      1. Thank you for your prompt reply.

        I too agree with you that not blocking sites could allow staff to access information they need easier.
        However, our work environment does not require them to spend much time obtaining information from sites.
        total access to internet is available at specific station, which is free to use at all times.

        I have allowed them to freely access internet before, but result is they bring in virus and eventually crash all my data, that is not a risk I would like to take again.

        So I searched the web again, and it seems that tomato firmware does not have a built in whitelist filter. Guess I have to try other approach. Your info is helpful. Thank you :)

    1. I used your guide to keep my wife off of MSN, which will work out well for both of us, because she won’t find articles that undermine her self-esteem and prey on female insecurities, and I will save hours of time each week, hell, probably days a year, possibly even a year or two of my life, as I’ll no longer have to re-explain to her that she’s not fat and I’m not straying.


  3. Thanks, this just saved me some grief. I saw the screen but didn’t know how to use it. Totally agree with your approach. the more I use Tomato, the move I love it!

    I use OpenDNS to do the white list/blacklist thing, and then use these router rules to specifically block activities. For example, I have internet access blocked (except for the PC in the kitchen area) for 90 minutes after my daughter comes home, so she can do homework, etc. Strangely she never wants to use the unblocked PC …

    Facebook is the big issue, she will sign in “just for a moment!” that seems to stretch. Now I can let her use the PC, but not Facebook. Awesome.

  4. Ive been using .
    It uses a better procedure than blocking social media sites because it only monitors websites during production hours. People/Employees still have the option to use it for a breather or during breaks really . Sometimes they use it for work too .

  5. I set this up per your article, however I’ve noticed a problem. I have it set to block facebook among some other sites, but if the sites (namely facebook) are accessed through an HTTPS request the connection is still made instead of blocked. Is there a way to get past this? I am using the most current tomato firmware on a WRT54GL. Would the hosts file be a better option? I don’t normally have to block traffic but it’s getting out of hand as of recently.

    1. Hi Jack, unfortunately the access restriction options in Tomato (or at least my version, probably not the latest) don’t seem to cover this.

      You can block all HTTPS access by going to Access Restriction and from the Port / Application section setting TCP/UDP | Destination Port | 443 to be blocked, but if you need to use HTTPS for legitimate non-facebook reasons this isn’t a great solution.

      If you’re in a work environment and don’t really need HTTPS then you could block all HTTPS access using the above method and then unblock over the lunch hour or something… Or as you say, just use the hosts file ;)

      Hope this helps.

  6. Is there a way to block access to all numeric IP addresses? My 14-year old has discovered that she can ping sites, and then use the numeric IP to get around keyword blocking. At this point, she’s built up a nice directory for herself.

    The same applies to external proxy servers…can access to those be blocked?

    1. Haha, sneaky kids :)

      There are always options, and I’m in a similar kind of boat with my own kids at the moment as they too are finding out the joys of proxy servers and such. The problem is that Tomato isn’t really built as a comprehensive access control mechanism, so our options are limited.

      But here are a few (non-perfect) suggestions of things which could be done:

      • You could change your router to use OpenDNS which comes with filtering options, although I don’t know if you have to pay for the functionality you need. Also, you can log all web URLs visited and have a look through occasionally.
      • If you control root access to your daughters PC you can redirect her list of IPs to localhost through the hosts file (but if she has root access, she can simply revert the change, or change the filename while she wants free access, then change the filename back when she thinks you might check on her). You could redirect the list through the use of a script on the router similar to this, but it would likely get quite technical quite quickly…
      • You could add the IPs to the blocklist, as well as adding the following (each on a separate line) proxy, block, unblock
        So the above will block all web sites or URLs with the words proxy, block or unblock anywhere in the URL, but again, you might be able to use IPs and link-shrinkers to get around this.
      • You could redirect your server logs to a remote machine and turn on outgoing request logging. This would give you the IPs of all contacted machines, which you could then run through a log parser like WallWatcher which I believe will do reverse look-ups to translate the IPs to URLs, this way you know which sites are being visited which would make adding the URL and IP address to the blocklist easier
      • You could switch from Tomato to Gargoyle firmware – which will log URLs for you, as well as provide per-device bandwidth caps and whitelist functionality (i.e. block all sites except x, y, z etc.)

      It’s quite a jumble, huh?

      I actually wrote a post about logging Tomato to a remote machine and parsing the router logs yesterday, but I’m still trying to find the nicest way to parse the logs before publishing it – so I’ll probably tart that up and post soon.

      But I’m also genuinely thinking about switching to Gargoyle and giving our daughter a bandwidth cap and less restrictions, as the problem I have is more about her using up our monthly bandwidth streaming videos and tat, and so many new video sites pop up all the time I really don’t have the time or inclination to play the world’s longest game of whack-a-mole with them…


  7. is there an universal list that can block ads and malicious sites? i tried to compile a hosts list from, but it was too much (over 14000 lines) for the router.

    1. To the best of my knowledge, no =/

      As far as I’m aware you can block ALL https access, but not individual https sites as you can with http. I’ve read that one way of doing this would be to sign up with an OpenDNS account (“basic” would be fine, which is free), then change the routers DNS servers to be the OpenDNS ones, and finally add a blacklist entry for facebook to your OpenDNS account (see

      I’ve never done this myself, so I can’t guarantee that it’ll work – but it should do, and it doesn’t sound like it would take more than 20 minutes to try out.

      If you decide to try it, it’d be great if you dropped a line back about how it worked or didn’t – and if it didn’t work I’ll try to figure out something that does, as I’m in the same boat as you with https blocking.


    2. You could null route and which, if you’re in the US, should prevent access to Facebook via http or https. Tomato -> Advanced -> Routing.

      1. Interesting solution… Unfortunately it’s unlikely to work for me as I’m AU based, but if there are specific routes which will block from one country, then it stands to reason that there could be other specific routes which will block from other countries.

        I guess we’re just looking for the last hop routes to facebook’s data centres in whichever country you’re in…

    3. Hi Joe,

      you can assign a false IP address to

      Advanced -> DHCP/DNS -> Dnsmasq text block


      and Save.
      If you are intercepting DNS port (checkbox enabled) then all access would be rerouted to the local computer, regardless of the protocol.

      1. Clever – clever – clever. Good job, Bruno!

        Unfortunately though, this will apply to all machines connected to the router. I took a look through the dnsmasq man page and I’m still not sure if it’s possible to selectively apply the new lookup to specific mac addresses (i.e. block certain computers). You can certainly tag MAC addresses and do “stuff” with the tags – but I don’t know if it’s possible to use MAC tagging to give one machine a false DNS lookup and allow all others to go and look it up from a “real” DNS server to get the correct address.

        As it stands, what I’ve done to block facebook and stop my daughter-in-law facebook web-camming (or msn webcamming) all day is to have 2 blocks applying to the same MAC address (i.e. her laptop)
        – The first one blocks video sites and stuff so our bandwidth actually lasts for the month, not a few days after she’s spent multiple hours per day streaming HD videos. This block goes 24/7.
        – The second one blocks facebook, all HTTPS (port 443), and all UDP on ports 5004-65535 on weekdays between 7pm and 3:45pm the next day.

        As long as I set that second one to run Monday to Thursday, then she can get home from school, have some time to tidy her room and do any chores, then a few hours on facebook before tea, then it’s blocked till the next day so the temptation isn’t there and she can get her homework done and read and stuff without procrastinating on FB all night.

        It’s not ideal, but it’s not far off. And as much as I feel like a jobsworth in my benevolent dictatorship – she needs a computer to do her homework, and left unchecked she’ll just piss about and not get anything done then fail her classes. So, I’m calling the shots, and when she passes her classes/exams she’ll think she did it despite me, and fair enough too.

        Kids know everything :D

        1. I am using OpenDNS Home for my kids and some non censored DNS-Servers for myself ( – the original page is in german language) :-).
          OpenDNS Home allows custom filtering.
          To update my dynamic IP with OpenDNS I’m using DNS-O-Matic free service (client is already included with Tomato).

          Here is my config (dnsmasq entry):

          # kids net OpenDNS
          # kids comp 1
          # kids comp 2

          So I take a part of my network (201 – 211) and assign it to a “kids” net. Then I use the MAC addresses of my kids devices to assign a IP number out of this network part.
          The dhcp-option with no. 6 assigns two OpenDNS server IPs to the kids network …

          I also have adblock script with pixelserv running on my router (Asus RT-N16).

        1. Good question – but I’ve got no idea. I think your best bet would be to assign user(s) with exceptions to different subnets (recognise users by MAC address), and then have a standard subnet which breaks DNS lookups for a particular domain, say returns, and the other subnet does not override the lookup so works normally.

  8. Get a life Ugh.

    This is a big BAD world that we live in these days and there are some pretty nasty things happening to kids due to facebook these days. Not to mention the lack of productivity that social networking sites cause during work/study times and also the sharing of information to people that wouldn’t ordinarily find out such things.

    If used correctly, facebook could be a wonderful networking tool, however, most people (especially Gen Z and younger Gen Y’s) treat it like a competition of who can have the most friends and then share far too much personal information to them all, most of the time not thinking about just who is able to see it…

    I think blocking access to minors or employees is a right of any parent or boss and i think sites should be accountable for enabling suck blocking to happen, therefore, sites like facebook should be forced to present a quick and easy method to block access to them should one choose that option. setting up a https server is a blatant act of defiance to circumvent the blocking of their sites and should show people the tactics used by these companies in an attempt to gain market penetration and dominance. I think it is despicable.

  9. Is there a way to block all domains/ips from a specific computer except those that you whitelist. In other words I want to block everything except what I explicitely allow on a specific computer.

    1. I don’t think so… But you can kinda bodge it:

      In theory, you could divide your network into two subnets: one for all normal PCs, and one for the specific PC you want to restrict.

      You could then assign a static IP address to the PC you want to restrict so that it ends up in the restricted subnet.

      You could then force all PCs in that restricted subnet to redirect DNS enquires to the on-router DNS service, which you would fill with precisely nothing — except the domains you want to make available.

      This means that all lookups except for the sites specified will fail, but users could (if savvy enough) just go to a site by it’s IP address.

      Sounds like a lot of hassle to me, and a bit rubbish. So I just hit Google up for “tomato firmware whitelist” and found this IPTables script – first hit:

      God bless the Internets ;-)

  10. We run virtual call centers and are hiring agents from throughout the US. I would like to send new employees specific routers to use and preset them to allow only the sites we want them to access during working hours, but it is essential that I can adjust these settings remotely. Can this be done? Would this plan work well?

    1. Can this be done?

      Would this plan work well?
      Hard to say – although you can set up the router to restrict access and remotely administer the router, the user will have physical control of the router – which means that they can just turn it on and hold the reset button for a while to return the router to default settings. You would then know that the router had been tampered with by the fact you can no longer remotely administer it ! ;-)

      Personally, I don’t think it’s a great idea. From my understanding of what you’re up to, I think you’d be better off setting up a VPN for the users to connect into and write a nice clear VPN access guide for them to be able to actually hook in.

  11. Nice examples, thanks!

    I would point out that it doesn’t really use regex, though. As far as I can tell, it only uses the caret (^) and dollar ($) signs, which work as they do in regex, but it doesn’t include anything useful beyond that (which is a shame, because with full regex syntax it would be easy to make this into a whitelist instead of a blacklist).

    1. Some part of your blocking rules must be blocking YouTube – or you’re viewing YouTube through HTTPS, and you’re blocking HTTPS. You can post your blocklist if you like and I’ll take a look – but I can’t guess it, sorry!

        1. DNS operates on port 53, so make sure that’s open for both TCP and UDP, and make sure nothing is triggering a block of the domain names you’re pointing at.

    1. It’ll block any device which communicates through your router, including your Wii.

      To do it you need to create a blocklist, and then either apply it directly to the MAC address of your Wii, or if you’re using static IPs bound to the MAC address of your Wii, you can just apply the blocklist to that static IP.

      To find out the MAC address of your Wii (if you’re unsure), try this:

  12. Good day sir!

    I’ve tried the procedure above using the same router but my tomato firmware ver is 1.25.
    It’s not blocking the websites I specified. I’ve created other restrictions that blocks all
    internet access within a scheduled period and this works. How do I solve this problem?
    Tried restarting the router and still it doesn’t work?



    1. Are the sites that you’re trying to block https? In which case, Tomato can’t block them. The reason being, the destination address is encrypted as part of the https connection and as such Tomato can’t snoop on it to decide to allow or deny access. So, for example, if you try to block this’ll fail because you’re immediately passed through to https.

      Unfortunately, the only way to block https to block the port (443). This has the downside of breaking anything that requires https, like banking or anything Google-related.

      If the sites you’re trying to block really aren’t https (as I’ve assumed) then if you show me some examples of the regex you’re using and what you expect them to do I’ll see if I can spot anything amiss.

  13. Great tips.

    Tomato lets you “monitor” web searches. It provides me with a list, but what I would like to do is use it to limit/filter some web searches. For example I would like to disable all searches that contain the word “torrent”. Since the “Access Restrictions” only works at the URL level and not the URI, I am not sure, how to do it.

    If it cannot be done at the “Access Restrictions” page, can it be done using iptables drop command. If so, how?

    1. Only unencrypted web searches turn up in the router web usage logs – anything HTTPS will not be logged as the router cannot see inside the encrypted connection – and search engines like Google now enforce HTTPS (even if you go to you’ll be redirected to etc.).

      Rather than trying to block searches for the word ‘torrent’, you might be better of using the IPP2P module to block the bittorrent protocol – however, again, this likely won’t work for encrypted bittorrent traffic.

      Not sure about using iptables, sorry.

  14. Does anyone know if there is a fix to be able to setup access restrictions on tomato together when using vpn….can’t find a fix on the web but it seems to be an acknowledged flaw in software.

    1. Unfortunately you can’t filter https connections with this method, only non-encrypted http. You can block ALL https connections from the router, but that’s likely not what you want.

      I think there’s a comment on this post about how to set up a separate subnet for ‘blocked’ machines somewhere in this post – the idea being you identify machines by MAC address, then any machine you want to block gets assigned an IP in a separate subnet, and that subnet is configured to use the a local (i.e. on-router) DNS service, which you must provide a false address for sites you want to block ( or something would be fine).

Leave a Reply

Your email address will not be published.