r3dux.org

A number-pimping side project from the valleys in *NEW* upside-down flavour.


How To: Block Access To Specific Websites from your Router using Tomato Firmware

r3dux | December 17, 2009

Tomato firmware is a free, downloadable firmware for the Linksys WRT series and some Buffalo and Asus routers which provides vastly improved functionality over the stock firmware. One of the nice things about Tomato, assuming you have a router which it’ll run on, is that it provides a very configurable method of selectively blocking access to the net in general, specific applications or protocols, or even specific websites. So if you have youngish kids who have (largely) unsupervised access to a computer with a net connection, you can keep them away from social networking sites like facebook, myspace, habbo etc. pretty easily. Here’s how:

1.) Go to your router's web interface (http://192.168.1.1 on my setup) and click on Access Restriction

[Screenshot: Tomato1]

2.) Click on Add to create a new rule

[Screenshot: Tomato2]

3.) Untick Block All Internet Access to display the full options list, and set it up something like this:

[Screenshot: Tomato3]

In the above example I’m only blocking selected machines (so the wife still has access to facebook etc.) – the PC the kids have access to is 192.168.1.105, and mine is 192.168.1.101 (so I can test the blocks on my machine before removing myself from the block list).

The blocklist uses regex sub-string matching to decide which sites to block as follows:

  • Regular words on their own are blocked if they occur anywhere in the site URL, so for example, having the word facebook in there will block sites such as: http://facebook.com, http://www.facebook.com, http://facebook.com.au, anything.facebook.anything-else
  • Words with a dollar sign at the end of them will block domains ending with what you’ve specified, that is, putting: .com$ would block ALL sites ending with .com, so putting slashdot.org$ would block slashdot.org, linux.slashdot.org, games.slashdot.org, hardware.slashdot.org etc. etc.
  • Words starting with a caret (^) block all domains starting with what you’ve specified, that is, putting: ^chat will block sites like http://chatworld.com, http://chat.parachat.com but not http://www.chatworld.com or http://www.parachat.com
  • Words starting with a caret and ending with a dollar sign block that exact address, i.e. ^www.r3dux.org$ would block http://www.r3dux.org, but not http://r3dux.org or http://www.r3dux.org?p=1407 (i.e. this page)
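To make the four matching rules above concrete, here is an added Python model of the behaviour the post describes (it is not Tomato's own filter code, and the exact way Tomato applies the patterns is an assumption taken from the examples given). Each blocklist entry is treated as a regular expression searched as a sub-string of the URL with its scheme removed, which reproduces every example in the list. It also shows a caveat worth knowing before you rely on a blocklist: an unescaped dot in an entry means "any single character", so `^www.r3dux.org$` matches more hosts than it looks like it should; `harden_blocklist` rewrites entries so their dots are literal. The blocklist and URLs below are constructed for the example.

```python
import re

# Constructed blocklist, one entry per line, with one of each pattern kind the
# post describes: a bare word, a trailing $, a leading ^, and both anchors.
BLOCKLIST = """
facebook
slashdot.org$
^chat
^www.r3dux.org$
"""

SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def parse_blocklist(text):
    """One pattern per non-empty line; surrounding whitespace is ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def strip_scheme(url):
    """Drop a leading scheme ('http://', 'https://', ...) so the patterns see
    only the host and whatever follows it, as the post's examples assume."""
    return SCHEME_RE.sub("", url)


def blocked_by(url, blocklist_text):
    """Return the first blocklist entry that matches the URL, or None.

    Assumption: each entry is a regular expression searched as a sub-string of
    the scheme-less URL, so a bare word matches anywhere, a leading ^ anchors
    to the start and a trailing $ to the end. This is a reader's model of the
    behaviour described in the post, not Tomato's implementation.
    """
    target = strip_scheme(url)
    for entry in parse_blocklist(blocklist_text):
        if re.search(entry, target):
            return entry
    return None


def escape_dots(entry):
    """Keep the ^ and $ anchors but make every other character literal, so a
    '.' in the entry means a dot rather than 'any single character'."""
    starts, ends = entry.startswith("^"), entry.endswith("$")
    start = 1 if starts else 0
    end = len(entry) - 1 if ends else len(entry)
    return ("^" if starts else "") + re.escape(entry[start:end]) + ("$" if ends else "")


def harden_blocklist(blocklist_text):
    """Rewrite a whole blocklist so its dots are literal (see escape_dots)."""
    return "\n".join(escape_dots(e) for e in parse_blocklist(blocklist_text))


if __name__ == "__main__":
    samples = [
        "http://www.facebook.com", "http://facebook.com.au",
        "http://linux.slashdot.org", "http://chat.parachat.com",
        "http://www.parachat.com", "http://www.r3dux.org",
        "http://www.r3dux.org?p=1407", "http://wwwXr3duxXorg",
    ]
    for url in samples:
        print(f"{url:32} -> {blocked_by(url, BLOCKLIST)}")
    print("hardened entries:", harden_blocklist(BLOCKLIST).split())
```

Note that `http://wwwXr3duxXorg` is blocked by the original `^www.r3dux.org$` entry but not by the hardened one; the same wildcard effect can just as easily cause an entry to block a legitimate site whose name differs from the intended one by a single character. The model only covers the URL-string check the post describes; the HTTPS and raw-IP cases raised in the comments below fall outside it.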

You can also block specific protocols (BitTorrent, eDonkey, LimeWire etc.) using the built-in IPP2P module, or via Layer 7 (Application Layer) deep packet inspection, which can detect and block traffic of specific types (World of Warcraft, FTP, Flash etc. etc.) regardless of what port they’re running on. Which is both amazingly awesome and slightly depressing at the same time.

I’m a firm believer in preparing the child for the world, and not the world for the child – but sometimes it can make life easier to restrict the amount of mischief they can get up to, hence the social networking blockage. Now all you need to do is make sure you’ve got a strong password on your router (which isn’t stored on a post-it note under your keyboard) and you can keep the little darlings out of harm’s way with a few clicks… Until they discover pr0n, where you’re probably going to have to take a whitelist rather than a blacklist approach like this.

Once you’ve started, where does it end, eh?

Anyways – Happy Benevolent Dictatorship!

Categories
How-To, Tech
Tags
Access, Benevolent Dictator, Block, Blocking, Firmware, Port, Ports, Restrict, Restriction, Router, Tomato

27 Responses to “How To: Block Access To Specific Websites from your Router using Tomato Firmware”

  1. Beer Meister says:
    January 11, 2010 at 4:47 am

    Hello. Thanks for the great article. I see so many of these types of articles allude to protection of the children and how this method should not be used to shelter the children. That’s fine. I’m all for preparing my children for the mean streets. However, I am using these methods to block sites so my children don’t hog every available MB of bandwidth flowing into the house with youtube, farmville facespace, pandora, last.fm, etc. I can tell them not to youtube, not to pandora, but if I am in the middle of a WebEx with a client, and my clients are demonstrating issues live that I see 20 seconds later, as the sysadmin of my household, I am going to draconianishly (my new word) block their access to sites I know suck up all of the bandwidth to the detriment of other network users. My kids are pretty good kids. They make good grades, don’t get into trouble, they are smart kids….But they don’t always do what I tell them to do. I’ll pick my battles of will. Blocking access to websites is something I am just not going to argue about. It’s not a moral issue. It’s not an issue with much value to be learned. When they go to college, their administrators are going to cap their use of PTP and social media and sharing sites. When they graduate from school and get their own places to live, they can get internet and go hog wild. Thanks again, and thanks for not being too smug about censorship, etc. Some of us have legitimate reasons to block (I know all about QoS, etc., I’m just not going to deal with it in my house. On weekends, I can shut off access restrictions.)

    • r3dux says:
      January 11, 2010 at 12:04 pm

      Great comment – and I absolutely concur that sometimes you have to pick your battles with the young ‘uns.

      Glad you found the article of use – I guess that’s why I write ‘em :)

      Cheers!

    • Sun says:
      September 18, 2010 at 8:22 pm

      Tomato firmware also has QoS. If bandwidth priority is your issue, then you can specify what ports or app types get priority. Maybe even set bandwidth limits by IP or connection type. Tomato is very flexible.

  2. harry says:
    May 18, 2010 at 5:30 pm

    Hi r3dux,

    I came across your article while surfing web for solution to restrict internet access.
    Your method is useful, but it will be very troublesome for me to setup the rules.

    I am in a office environment, and I want staff to access only certain webpages that will be relevant to work.
    I learned how to block certain site or block all from you, but you also mentioned a white list at the end of your article.
    I am thinking of placing two rules, one is to restrict any access to internet, and set another rule to allow access of specified website.
    However, I am stuck on how to set up a “allow” rule. Do you happen to know how to set up such?

    thanx in advance.

    Harry

    • r3dux says:
      May 18, 2010 at 5:57 pm

      Hi Harry,

      If you’re not going to block from the router, then you have to block from the system, for which you could use the system’s hosts file.

      You can set up a whitelist (where only the websites you want allowed can be accessed) by reading this guide, however, if the system users have administrator access, they can modify the hosts file to circumvent the block.

      However, If I were in your shoes – I wouldn’t block access at all; I’d advise the staff that the computers are for work use during work hours, and only during specified lunch or tea breaks can they be used for personal use (browsing, banking, facebook etc).

      If you make that policy clear to them, then they shouldn’t waste time messing about on the net when they should be working (and if they continue to mess around in work time, you can take any disciplinary steps you may consider necessary).

      The other benefit of not blocking sites is morale. Blocking websites is a workplace frustration that can lead to lowered morale, as the whitelist you provide will invariably not contain all the sites which might be required for the staff to perform their roles to the best of their abilities. If you give them free reign, with a recognised, clearly explained and enforced policy, then your workforce will be happier and more productive without the need for any blocking, and the associated problems that it can introduce.

      Just my two-cents…

      Regards,
      r3dux

      • harry says:
        May 18, 2010 at 6:56 pm

        Thank you for your prompt reply.

        I too agree with you that not blocking sites could allow staff to access information they need easier.
        However, our work environment does not require them to spend much time obtaining information from sites.
        Total access to the internet is available at a specific station, which is free to use at all times.

        I have allowed them to freely access internet before, but result is they bring in virus and eventually crash all my data, that is not a risk I would like to take again.

        So I searched the web again, http://www.linksysinfo.org/forums/showthread.php?t=50831&page=3 and it seems that tomato firmware does not have a built in whitelist filter. Guess I have to try other approach. Your info is helpful. Thank you :)

  3. spartan7 says:
    August 21, 2010 at 5:49 pm

    Thank you for this article. Funny I didn’t need it for my kid but my wife!!! LOL

    • 4theLulz says:
      November 20, 2011 at 1:04 am

      I used your guide to keep my wife off of MSN, which will work out well for both of us, because she won’t find articles that undermine her self-esteem and prey on female insecurities, and I will save hours of time each week, hell, probably days a year, possibly even a year or two of my life, as I’ll no longer have to re-explain to her that she’s not fat and I’m not straying.

      Cheers!

  4. Robert says:
    September 18, 2010 at 9:36 am

    Thanks, this just saved me some grief. I saw the screen but didn’t know how to use it. Totally agree with your approach. The more I use Tomato, the more I love it!

    I use OpenDNS to do the white list/blacklist thing, and then use these router rules to specifically block activities. For example, I have internet access blocked (except for the PC in the kitchen area) for 90 minutes after my daughter comes home, so she can do homework, etc. Strangely she never wants to use the unblocked PC …

    Facebook is the big issue, she will sign in “just for a moment!” that seems to stretch. Now I can let her use the PC, but not Facebook. Awesome.

  5. silverwink says:
    October 1, 2010 at 12:07 am

    I’ve been using http://www.timedoctor.com.
    It uses a better procedure than blocking social media sites because it only monitors websites during production hours. People/Employees still have the option to use it for a breather or during breaks really. Sometimes they use it for work too.

  6. Jack says:
    December 5, 2010 at 9:17 am

    I set this up per your article, however I’ve noticed a problem. I have it set to block facebook among some other sites, but if the sites (namely facebook) are accessed through an HTTPS request the connection is still made instead of blocked. Is there a way to get past this? I am using the most current tomato firmware on a WRT54GL. Would the hosts file be a better option? I don’t normally have to block traffic but it’s getting out of hand as of recently.

    • r3dux says:
      December 5, 2010 at 12:35 pm

      Hi Jack, unfortunately the access restriction options in Tomato (or at least my version, probably not the latest) don’t seem to cover this.

      You can block all HTTPS access by going to Access Restriction and from the Port / Application section setting TCP/UDP | Destination Port | 443 to be blocked, but if you need to use HTTPS for legitimate non-facebook reasons this isn’t a great solution.

      If you’re in a work environment and don’t really need HTTPS then you could block all HTTPS access using the above method and then unblock over the lunch hour or something… Or as you say, just use the hosts file ;)

      Hope this helps.

  7. Using FTP server, without connecting the ps3 to the internet, is that possible - Page 4 - PSX-SCENE: The oldest and most trusted Playstation Scene Community says:
    January 29, 2011 at 11:48 pm

    [...] all internet I blocked all sites with "playstation or ps3" in them using this guide How To: Block Access To Specific Websites from your Router using Tomato Firmware | r3dux.org. I also blocked ports. TCP/UDP, port 3478 TCP/UDP, port 3479 TCP/UDP, port 5223 TCP/UDP, port 443 [...]

  8. wbhalper says:
    February 10, 2011 at 3:06 am

    Is there a way to block access to all numeric IP addresses? My 14-year old has discovered that she can ping sites, and then use the numeric IP to get around keyword blocking. At this point, she’s built up a nice directory for herself.

    The same applies to external proxy servers…can access to those be blocked?

    • r3dux says:
      February 10, 2011 at 8:59 am

      Haha, sneaky kids :)

      There are always options, and I’m in a similar kind of boat with my own kids at the moment as they too are finding out the joys of proxy servers and such. The problem is that Tomato isn’t really built as a comprehensive access control mechanism, so our options are limited.

      But here are a few (non-perfect) suggestions of things which could be done:

      • You could change your router to use OpenDNS which comes with filtering options, although I don’t know if you have to pay for the functionality you need. Also, you can log all web URLs visited and have a look through occasionally.
      • If you control root access to your daughter’s PC you can redirect her list of IPs to localhost through the hosts file (but if she has root access, she can simply revert the change, or change the filename while she wants free access, then change the filename back when she thinks you might check on her). You could redirect the list through the use of a script on the router similar to this, but it would likely get quite technical quite quickly…
      • You could add the IPs to the blocklist, as well as adding the following (each on a separate line) proxy, block, unblock
        So the above will block all web sites or URLs with the words proxy, block or unblock anywhere in the URL, but again, you might be able to use IPs and link-shrinkers to get around this.
      • You could redirect your server logs to a remote machine and turn on outgoing request logging. This would give you the IPs of all contacted machines, which you could then run through a log parser like WallWatcher which I believe will do reverse look-ups to translate the IPs to URLs, this way you know which sites are being visited which would make adding the URL and IP address to the blocklist easier
      • You could switch from Tomato to Gargoyle firmware – which will log URLs for you, as well as provide per-device bandwidth caps and whitelist functionality (i.e. block all sites except x, y, z etc.)

      It’s quite a jumble, huh?

      I actually wrote a post about logging Tomato to a remote machine and parsing the router logs yesterday, but I’m still trying to find the nicest way to parse the logs before publishing it – so I’ll probably tart that up and post soon.

      But I’m also genuinely thinking about switching to Gargoyle and giving our daughter a bandwidth cap and less restrictions, as the problem I have is more about her using up our monthly bandwidth streaming videos and tat, and so many new video sites pop up all the time I really don’t have the time or inclination to play the world’s longest game of whack-a-mole with them…

      Thoughts?

  9. Muoy says:
    February 14, 2011 at 12:05 pm

    Is there a way to control Ultrasurf from bypassing the Tomato firmware access restriction? If yes, can someone share, thanks!

  10. bachterman says:
    March 15, 2011 at 4:02 am

    Is there a universal list that can block ads and malicious sites? I tried to compile a hosts list from mvps.org/winhelp2002, but it was too much (over 14000 lines) for the router.

  11. theMezz says:
    October 6, 2011 at 2:10 am

    Can we block https://facebook.com with Tomato?
    Note https (s)

    thanks,
    Joe

    • r3dux says:
      October 6, 2011 at 9:02 am

      To the best of my knowledge, no =/

      As far as I’m aware you can block ALL https access, but not individual https sites as you can with http. I’ve read that one way of doing this would be to sign up with an OpenDNS account (“basic” would be fine, which is free), then change the router’s DNS servers to be the OpenDNS ones, and finally add a blacklist entry for facebook to your OpenDNS account (see http://www.opendns.com/support/article/65).

      I’ve never done this myself, so I can’t guarantee that it’ll work – but it should do, and it doesn’t sound like it would take more than 20 minutes to try out.

      If you decide to try it, it’d be great if you dropped a line back about how it worked or didn’t – and if it didn’t work I’ll try to figure out something that does, as I’m in the same boat as you with https blocking.

      Cheers!

    • Miguel says:
      November 11, 2011 at 4:42 am

      You could null route 69.171.224.0/19 and 66.220.144.0/20 which, if you’re in the US, should prevent access to Facebook via http or https. Tomato -> Advanced -> Routing.

      • r3dux says:
        November 11, 2011 at 8:52 am

        Interesting solution… Unfortunately it’s unlikely to work for me as I’m AU based, but if there are specific routes which will block from one country, then it stands to reason that there could be other specific routes which will block from other countries.

        I guess we’re just looking for the last hop routes to facebook’s data centres in whichever country you’re in…

    • Bruno says:
      December 10, 2011 at 8:38 am

      Hi Joe,

      you can assign a false IP address to facebook.com

      Advanced -> DHCP/DNS -> Dnsmasq text block
      enter

      address=/facebook.com/127.0.0.1
      address=/fb.com/127.0.0.1

      and Save.
      If you are intercepting DNS port (checkbox enabled) then all facebook.com access would be rerouted to the local computer, regardless of the protocol.

      • r3dux says:
        December 10, 2011 at 4:49 pm

        Clever – clever – clever. Good job, Bruno!

        Unfortunately though, this will apply to all machines connected to the router. I took a look through the dnsmasq man page and I’m still not sure if it’s possible to selectively apply the new lookup to specific MAC addresses (i.e. block certain computers). You can certainly tag MAC addresses and do “stuff” with the tags – but I don’t know if it’s possible to use MAC tagging to give one machine a false DNS lookup and allow all others to go and look it up from a “real” DNS server to get the correct address.

        As it stands, what I’ve done to block facebook and stop my daughter-in-law facebook web-camming (or msn webcamming) all day is to have 2 blocks applying to the same MAC address (i.e. her laptop)
        - The first one blocks video sites and stuff so our bandwidth actually lasts for the month, not a few days after she’s spent multiple hours per day streaming HD videos. This block goes 24/7.
        - The second one blocks facebook, all HTTPS (port 443), and all UDP on ports 5004-65535 on weekdays between 7pm and 3:45pm the next day.

        As long as I set that second one to run Monday to Thursday, then she can get home from school, have some time to tidy her room and do any chores, then a few hours on facebook before tea, then it’s blocked till the next day so the temptation isn’t there and she can get her homework done and read and stuff without procrastinating on FB all night.

        It’s not ideal, but it’s not far off. And as much as I feel like a jobsworth in my benevolent dictatorship – she needs a computer to do her homework, and left unchecked she’ll just piss about and not get anything done then fail her classes. So, I’m calling the shots, and when she passes her classes/exams she’ll think she did it despite me, and fair enough too.

        Kids know everything :D

        • Bruno says:
          December 11, 2011 at 1:28 am

          I am using OpenDNS Home for my kids and some non-censored DNS servers for myself (http://translate.google.com/translate?sl=de&tl=en&u=http%3A%2F%2Fwww.privacyfoundation.ch%2F – the original page is in German) :-) .
          OpenDNS Home allows custom filtering.
          To update my dynamic IP with OpenDNS I’m using DNS-O-Matic free service (client is already included with Tomato).

          Here is my config (dnsmasq entry):

          dhcp-range=net:kids,10.100.100.201,10.100.100.211,255.255.255.0
          # kids net OpenDNS
          dhcp-option=kids,6,208.67.222.222,208.67.220.220
          # kids comp 1
          dhcp-host=00:XY:XY:XY:XY:4D,net:kids,compname1,10.100.100.201,1440m
          # kids comp 2
          dhcp-host=00:XY:XY:XY:XY:4D,net:kids,compname2,10.100.100.202,1440m

          So I take a part of my network (201 – 211) and assign it to a “kids” net. Then I use the MAC addresses of my kids’ devices to assign an IP number out of this network part.
          The dhcp-option with no. 6 assigns two OpenDNS server IPs to the kids network …

          I also have adblock script with pixelserv running on my router (Asus RT-N16).

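For anyone reviewing a dnsmasq block like the one in the comment above, here is an added Python helper (a reader's tool, not Bruno's config, Tomato's or dnsmasq's own code) that parses the `dhcp-range`, `dhcp-option`, `dhcp-host` and `address` lines, works out which DNS servers each fixed-lease host is handed, lists the domains sinkholed to loopback, and flags configuration slips. The input is a constructed fragment in the same shape as the comment: the MAC addresses are placeholders exactly as posted, `192.0.2.53` is a documentation address standing in for "some non-censored resolver", and the duplicated MAC on the two kids' entries is kept on purpose so the audit has something to report. The precedence rule applied (a tagged option 6 beats an untagged one for hosts carrying that tag) is this example's reading of the dnsmasq manual, stated as an assumption in the code.

```python
import re
from collections import Counter

# Constructed dnsmasq fragment modelled on the comment above. MACs are
# placeholders, 192.0.2.53 is a documentation address, and the duplicate MAC
# on the two kids' hosts is deliberate so audit() below reports it.
DNSMASQ_CONF = """
dhcp-range=net:kids,10.100.100.201,10.100.100.211,255.255.255.0
# kids net OpenDNS
dhcp-option=kids,6,208.67.222.222,208.67.220.220
# everyone else: an untagged resolver (constructed address)
dhcp-option=6,192.0.2.53
# kids comp 1
dhcp-host=00:XY:XY:XY:XY:4D,net:kids,compname1,10.100.100.201,1440m
# kids comp 2
dhcp-host=00:XY:XY:XY:XY:4D,net:kids,compname2,10.100.100.202,1440m
# a parent's machine, untagged
dhcp-host=00:XY:XY:XY:XY:5E,parentpc,10.100.100.50
# sinkhole entries from the earlier comment
address=/facebook.com/127.0.0.1
address=/fb.com/127.0.0.1
"""

MAC_RE = re.compile(r"^([0-9A-Za-z]{2}:){5}[0-9A-Za-z]{2}$")  # lenient: accepts XY placeholders
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
LEASE_RE = re.compile(r"^\d+[mhd]?$|^infinite$")


def _tag(field):
    """Tag name if the field carries a net:/tag:/set: prefix, else None."""
    for prefix in ("net:", "tag:", "set:"):
        if field.startswith(prefix):
            return field[len(prefix):]
    return None


def parse_dnsmasq(text):
    """Parse only the directives used in the comment (assumption: this reader's
    parser follows the field order shown there, not every dnsmasq syntax)."""
    parsed = {"ranges": [], "options": [], "hosts": [], "addresses": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        fields = value.split(",")
        if key == "dhcp-range":
            tag = _tag(fields[0])
            start, end = (fields[1], fields[2]) if tag else (fields[0], fields[1])
            parsed["ranges"].append({"tag": tag, "start": start, "end": end})
        elif key == "dhcp-option":
            # A leading non-numeric field is a tag; a numeric one is the option number.
            tag = _tag(fields[0]) or (None if fields[0].isdigit() else fields[0])
            rest = fields[1:] if tag else fields
            parsed["options"].append({"tag": tag, "number": int(rest[0]), "values": rest[1:]})
        elif key == "dhcp-host":
            host = {"mac": None, "ip": None, "name": None, "tags": [], "lease": None}
            for f in fields:
                if MAC_RE.match(f):
                    host["mac"] = f.lower()
                elif _tag(f) is not None:
                    host["tags"].append(_tag(f))
                elif IP_RE.match(f):
                    host["ip"] = f
                elif LEASE_RE.match(f):
                    host["lease"] = f
                else:
                    host["name"] = f
            parsed["hosts"].append(host)
        elif key == "address":
            _, domain, ip = value.split("/")
            parsed["addresses"].append({"domain": domain, "ip": ip})
    return parsed


def dns_servers_for(host, parsed):
    """DHCP option 6 values a host is handed. Assumption: an option tagged with
    one of the host's tags takes precedence over an untagged option 6."""
    tagged = [o for o in parsed["options"] if o["number"] == 6 and o["tag"] in host["tags"]]
    untagged = [o for o in parsed["options"] if o["number"] == 6 and o["tag"] is None]
    return [ip for o in (tagged or untagged) for ip in o["values"]]


def sinkholed(parsed):
    """Domains whose lookups the router answers with a loopback address."""
    return [a["domain"] for a in parsed["addresses"] if a["ip"].startswith("127.")]


def audit(parsed):
    """Findings a reviewer would raise: duplicate MACs (one MAC can hold only
    one fixed lease) and hosts that end up with no DNS server at all."""
    findings = []
    for mac, n in Counter(h["mac"] for h in parsed["hosts"] if h["mac"]).items():
        if n > 1:
            names = [h["name"] for h in parsed["hosts"] if h["mac"] == mac]
            findings.append(f"duplicate MAC {mac} on dhcp-host entries {names}")
    for h in parsed["hosts"]:
        if not dns_servers_for(h, parsed):
            findings.append(f"{h['name']} receives no DNS servers from any option 6 line")
    return findings


if __name__ == "__main__":
    conf = parse_dnsmasq(DNSMASQ_CONF)
    for h in conf["hosts"]:
        print(f"{h['name']:10} {h['ip']:15} tags={h['tags']} dns={dns_servers_for(h, conf)}")
    print("sinkholed:", sinkholed(conf))
    print("findings:", audit(conf))
```

Run as-is it shows both kids' machines receiving the OpenDNS pair while `parentpc` keeps the untagged resolver, lists the two sinkholed domains, and reports the shared MAC. As Bruno notes, the `address=` sinkhole only bites when the router also intercepts outbound DNS; a device pointed at its own resolver never consults dnsmasq, which is the same limitation the hosts-file approach in the earlier replies has.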
          • r3dux says:
            December 13, 2011 at 8:54 pm

            Great solution – thanks for taking the time to share =D

  12. Ugh says:
    November 16, 2011 at 9:14 am

    I’m glad none of you creeps were my parents. I hope your kids develop normally.

  13. Concerned says:
    November 29, 2011 at 3:07 pm

    Get a life Ugh.

    This is a big BAD world that we live in these days and there are some pretty nasty things happening to kids due to facebook these days. Not to mention the lack of productivity that social networking sites cause during work/study times and also the sharing of information to people that wouldn’t ordinarily find out such things.

    If used correctly, facebook could be a wonderful networking tool, however, most people (especially Gen Z and younger Gen Y’s) treat it like a competition of who can have the most friends and then share far too much personal information to them all, most of the time not thinking about just who is able to see it…

    I think blocking access to minors or employees is a right of any parent or boss and I think sites should be accountable for enabling such blocking to happen, therefore, sites like facebook should be forced to present a quick and easy method to block access to them should one choose that option. Setting up a https server is a blatant act of defiance to circumvent the blocking of their sites and should show people the tactics used by these companies in an attempt to gain market penetration and dominance. I think it is despicable.

