Force OpenDNS on Guest WiFi

Discussion in 'Tomato Firmware' started by Miltos, Apr 30, 2014.

  1. Miltos

    Miltos Serious Server Member

    I am a noob and appreciate any advice I can get on this. I'm trying to force users on my guest wifi network to use OpenDNS (this network is for my son and his friends and will use OpenDNS filtering and blocking), while users on my main home network (wired and wifi) use the internal DNS (or any other DNS that is not filtered/blocked).

    I've got an RT-N66U running Shibby Tomato v115.

    I set up a guest wifi network using this article. I can connect to the network and browse the internet just fine.

    I then followed this post to try and force the guest wifi to use OpenDNS.

    I was also able to get Tomato's DDNS updating OpenDNS with the router's IP address.

    My Administration>Scripts>Firewall looks like this:

    iptables -t nat -I PREROUTING -i br1 -p udp --dport 53 -j DNAT --to
    iptables -t nat -I PREROUTING -i br1 -p tcp --dport 53 -j DNAT --to
    iptables -P FORWARD DROP
    iptables -A FORWARD -i eth0 -o br0 -j ACCEPT
    iptables -A FORWARD -i br0 -o eth0 -j ACCEPT
    iptables -A FORWARD -i eth0 -o br1 -j ACCEPT
    iptables -A FORWARD -i br1 -o eth0 -j ACCEPT
    The first two lines are taken from the post about forcing OpenDNS on the guest network. The last five lines are taken from the article about setting up the guest network and are supposed to prevent users on the guest network from accessing the main home network. I also tried it with the two OpenDNS lines at the bottom, in case it was a sequencing issue but I get the same results.

    When I am connected to the guest network via a Windows 7 laptop and do an "ipconfig /all" it reports the DNS IP as, which is the IP of the guest network, and no website blocking is happening.

    Can anyone offer advice on how to get it so that the guest users are forced to use OpenDNS while the home network users still use the internal DNS? A few other specific questions came up while I was working on this:

    1. Do I need to check the "Use as DNS" box for OpenDNS on the DDNS configuration page in order to enable it, or will that enable it for all networks?

    2. Can I check the "Intercept DNS Port" option to prevent any users on the guest network from entering a client-side DNS server? If so, I assume this would apply to the home network as well, correct? Do I need to enter anything into dnsmasq to make it work? If selecting "Intercept DNS Port" will negatively impact the main network, is there something I can enter into Scripts or dnsmasq that can accomplish the same thing for only the guest network?

    3. How can I test to make sure that users on the guest network can't access the home network?
  2. PeterT

    PeterT Network Guru Member

    Remember that the rule you have added is just meant to intercept the DNS requests and forward them to OpenDNS; the PC itself will still show the DNS server IP address it was assigned, either statically via the IP configuration of Windows, or dynamically via DHCP.
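
Because the client keeps showing the DNS server it was assigned, the rule set itself is the better evidence that interception and isolation are in place. The following is an added example, not part of the original posts: it audits a saved `iptables-save` dump for UDP and TCP port 53 redirection on the guest bridge and for explicit guest/home forwarding rules. The dump and the address 192.0.2.53 are constructed sample values; `br1`/`br0` follow the thread.

```shell
#!/bin/sh
# Constructed sample in iptables-save format (not taken from a real router).
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i br1 -p udp -m udp --dport 53 -j DNAT --to-destination 192.0.2.53
-A PREROUTING -i br1 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.0.2.53
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o br0 -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o br1 -j ACCEPT
-A FORWARD -i br1 -o eth0 -j ACCEPT
COMMIT'

# audit_guest RULES GUEST_IF HOME_IF
# Prints four key=value lines describing DNS redirection and isolation.
# Limit: only explicit GUEST_IF<->HOME_IF ACCEPT rules are detected; a rule
# without -i/-o that accepts everything is not.
audit_guest() {
    printf '%s\n' "$1" | awk -v g="$2" -v h="$3" '
        # True when the option flag is immediately followed by val.
        function has(line, flag, val,    n, f, i) {
            n = split(line, f, " ")
            for (i = 1; i < n; i++) if (f[i] == flag && f[i + 1] == val) return 1
            return 0
        }
        /^\*/ { table = substr($0, 2); next }
        table == "nat" && /^-A PREROUTING / && /--dport 53( |$)/ && /-j DNAT/ && has($0, "-i", g) {
            if (has($0, "-p", "udp")) udp = 1
            if (has($0, "-p", "tcp")) tcp = 1
        }
        table == "filter" && /^:FORWARD DROP/ { drop = 1 }
        table == "filter" && /^-A FORWARD / && /-j ACCEPT/ {
            if ((has($0, "-i", g) && has($0, "-o", h)) ||
                (has($0, "-i", h) && has($0, "-o", g))) cross = 1
        }
        END {
            print "dns-udp=" (udp ? "redirected" : "missing")
            print "dns-tcp=" (tcp ? "redirected" : "missing")
            print "forward-policy=" (drop ? "drop" : "not-drop")
            print "guest-home-rule=" (cross ? "present" : "none")
        }'
}

audit_guest "$SAMPLE_RULES" br1 br0
```

On a router the first argument would be the output of `iptables-save` captured to a variable or file.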
  3. zavar

    zavar Networkin' Nut Member

    There are a lot of people on the forums with way more expertise than me, but I have a similar setup; in my case I have assigned a specific DNS to an IP range. To do this I'm not using any IPTABLES code, just Dnsmasq custom configuration in the Advanced - DHCP/DNS settings. I think a similar setup would work in your situation. My Dnsmasq configuration has this:

    # Tag and Set the IP range for alternate DNS to be used

    # Set Alternate DNS for the Tagged Range

    With the above, you still need to set up your main DNS via the standard configuration options in Tomato, and you also need to be using DHCP.

    For your specific questions:
    1. I also have OpenDNS in my DDNS configuration, however I have the "Use as DNS" box unchecked. I believe that if the box is checked it will be enabled for all networks.

    2. Intercept DNS Port cannot be enabled, as it will redirect all DNS requests to your main DNS servers, so the Guest DNS settings wouldn't work. There may be a way to ensure folks are using the DNS settings pushed out via DHCP and disable any client side settings, but I'm not sure of the best approach on this. In my case, if the guests are that knowledgeable to be able to bypass the pushed DHCP configuration, then I figure they are on their own from there.

    3. For the testing, again, not an expert, but a simple way would be to see if you can ping a host in the home network from the guest network, or via a share or similar.

    Hope this helps a bit.
    Last edited: May 2, 2014
    darkknight93 likes this.
  4. Miltos

    Miltos Serious Server Member

    Thank you PeterT and zavar! zavar, I will try your setup as soon as I have some free time and report back.
  5. Miltos

    Miltos Serious Server Member

    zavar, I tried your configuration but it forced all users to use OpenDNS, not just the guest wifi users. I made sure to delete my iptables code, inserted my own IP ranges and I rebooted the router, but all users were still forced to use OpenDNS.

    In your code above it looks like you are defining an IP range and then assigning OpenDNS to it. and .220.220 are the OpenDNS IPs. But in your description it sounded like you had OpenDNS configured in Basic>DDNS, but were using dnsmasq to assign a different DNS to a specific IP range.

    I actually tried your code first, and then tried altering it to assign Google DNS to the home network IP range, but the result was the same ... all users are forced to use OpenDNS.

    Any other ideas on how I can get this working? Both the home and guest networks work fine, and OpenDNS works when I enable it, I just can't get it to use the internal DNS for the home network and OpenDNS for the guest network.

    In case any of the details are helpful:

    In Basic>DDNS I have the following settings:

    Dynamic DNS
    IP Address: "Use WAN IP Address"
    Auto-Refresh Every: 28 days

    Dynamic DNS 1
    Service: OpenDNS
    Use as DNS: Checked
    Force Next Update: Not Checked

    Dynamic DNS 2
    Service: None

    In Advanced>DHCP/DNS

    Use internal DNS: Checked
  6. david3

    david3 LI Guru Member

    I'm doing something like this:

    iptables -t nat -A PREROUTING -i br0 -s -p udp --dport 53 -j DNAT --to
    iptables -t nat -A PREROUTING -i br0 -s -p tcp --dport 53 -j DNAT --to
    Replace the with whatever net range you want to force to use OpenDNS.
  7. david3

    david3 LI Guru Member

    I should add that I'm using static DHCP for my regular systems with addresses outside of the OpenDNS range if I want to use regular DNS.

    The DHCP default IP address range in the Basic Network settings I'm using falls in the OpenDNS range so guests get that by default unless I set up static DHCP for them outside the range.
  8. kthaddock

    kthaddock Network Guru Member

    Then you have to make sure "Intercept DNS port (UDP 53)" is turned OFF.
    That generates the same firewall rules on ALL bridges.

    Did you put zavar's suggestions in the "Dnsmasq Custom configuration" box?
    Last edited: May 2, 2014
  9. zavar

    zavar Networkin' Nut Member

    I'm really sorry, there was a typo in my original post (I will fix it). Try unchecking the "Use as DNS" option in the DDNS Configuration. Also make sure that you have DNS entered in the Basic Network setup (unless you are assigned it via your ISP DHCP).
    Last edited: May 2, 2014
  10. Miltos

    Miltos Serious Server Member

    Thank you all for the help and suggestions. I still can't get it working. I can only get one DNS to work for all users, either my ISP's DNS (Comcast) or OpenDNS. I can't get it to use my ISP's DNS for the home network and OpenDNS for the guest network.

    Since I have tried dnsmasq and admin>scripts codes that each of you has said is working for you, I'm thinking that I have some configuration wrong - probably a checkbox somewhere or not having the static DNS set up properly. If anyone is motivated, here are screenshots of the configuration screens that I think are relevant.





    I don't have any other code in Administration>Scripts other than what I show here. Are there any other configuration screens that could be at play here?
    Last edited: May 2, 2014
  11. zavar

    zavar Networkin' Nut Member

    Not sure why it is not working. Are you using IP6 at all? If not try unchecking it on the advanced/dns settings page. Also, maybe try replacing the 3rd DNS entry on the Basic/Network page with

    You could also try disabling the IPTABLES entries until you get the DNS working and then try adding them back in.
  12. Miltos

    Miltos Serious Server Member

    Thank you zavar and all for your suggestions. Unfortunately I still can't get it working. I unchecked the IP6 option, as I'm not using that. I replaced the 3rd DNS entry with and I deleted all code from Admin>Scripts. No luck. I even went back through and retried every suggestion here, including the iptables code from david3, but no luck.

    Unless there are any other suggestions, is there a place (website) that I could try to hire someone to help me with this? Or maybe anyone around here that would want to earn a little extra? I can't pay a lot, but I can't imagine it would take someone knowledgeable very long to figure it out. I would really like to get this working, and ideally understand why I haven't been able to get it working so I can learn something in the process.
  13. zavar

    zavar Networkin' Nut Member

    Hi Miltos. Sorry this isn't working as easily as it should. There is a lot of information on different setups out there, so you shouldn't have to pay someone to figure it out, though a donation to the active Tomato developers is always a good idea!

    My setup is definitely different. I think the problem may be that DNSMasq doesn't know how to apply the DHCP settings to the second network, since it was initialized in the Basic Network page. Sorry that I missed that; my previous way should work if you disable DHCP on the basic network page, but the way you have it set up is better. I haven't tried this myself, but in the DNSMasq Custom Configuration, try deleting the settings that I advised earlier and replacing them with:

    # Setup Alternate DNS for Guest Network

    I'll keep my fingers crossed for you!
  14. zavar

    zavar Networkin' Nut Member

    Well, I just tried this myself, to match your setup and cannot get it to work. It looks like a while ago DNSMasq was updated and some of the custom configuration options do not work. The method that David3 suggested might be the only option to go with.
  15. koitsu

    koitsu Network Guru Member

    This looks more like it has to do with incorrect syntax being used by you and not dnsmasq changes; please don't say things like "something was updated thus that's why this doesn't work" unless you have hard evidence (i.e. please don't be speculative, it just causes confusion for other people who find this thread and try to get answers). The dnsmasq changelog is well-documented.

    The syntax used in this post doesn't match what was given as an example in this post. Rephrased:

    1. I see no dhcp-range line that uses set: to assign a tag to a specific IP range. Other configuration directives, such as dhcp-host and dhcp-mac amongst many others, can be used as well. However, the tag may automatically be set by dnsmasq itself (keep reading -- I say "may" because the documentation is questionable in this regard),

    2. I see no tag: referenced in your dhcp-option line. Syntactically the line you provided is wrong/will not do what you want. The syntax is flat out wrong (you're trying to reference an interface name "magically" in the config line, and that doesn't work (nor has ever) -- it does not match what the documentation states).

    Now, about the "automatic tag set": if you search the documentation for the phrase "The tag system works as follows", you'll find this explanation. I've underlined the part that is confusing:

    This paragraph/sentence is phrased very badly and can be interpreted multiple ways (English is horrible in this regard). BOOTP isn't relevant here, but the use of comma (and lack of period between sentences) adds a huge amount of ambiguity to this. Someone may want to contact Simon Kelley (dnsmasq author) and ask him to rewrite that.

    So, depending on how one interprets that piece of the documentation, this may or may not work for you:

    # Setup Alternate DNS for Guest Network
    Note the difference between that and what you have.

    If that doesn't work, then your only solution is to use either dhcp-range or dhcp-host to set a tag (it doesn't have to be br1) for the devices you want to use those DNS servers for, and then reference that tag in your dhcp-option line (like above).

    I'll use this opportunity to also repeat something I've said in the past: for dnsmasq configuration questions, you should contact Simon or ask on the dnsmasq mailing list. Don't be afraid; Simon is awesome and the list is super helpful.
    Last edited: May 4, 2014
    M-a-x and Miltos like this.
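
The two syntax points in the post above (a `set:` that defines a tag, and a `tag:` on the `dhcp-option` line that references it) can be checked mechanically. The following is an added example, not code from the thread or from dnsmasq: it classifies each DNS-server `dhcp-option` line in a config as untagged, referencing an undefined tag, or correctly scoped. The config, the 192.168.2.x range and the tag names `guest` and `kids` are constructed; 208.67.222.222 and 208.67.220.220 are OpenDNS's public resolvers. Interface names are passed in as known tags on the assumption, taken from the dnsmasq man page, that a tag named after the arrival interface is also set.

```shell
#!/bin/sh
# Constructed sample of a "Dnsmasq Custom configuration" box.
SAMPLE_CONF='# constructed sample, not from the thread
dhcp-range=set:guest,192.168.2.100,192.168.2.150,24h
dhcp-option=br1,6,208.67.222.222,208.67.220.220
dhcp-option=tag:kids,6,208.67.222.222,208.67.220.220
dhcp-option=tag:guest,6,208.67.222.222,208.67.220.220
dhcp-option=tag:br1,option:dns-server,208.67.222.222,208.67.220.220
dhcp-option=tag:guest,3,192.168.2.1'

# classify_dns_options CONF_TEXT "IFACE1 IFACE2 ..."
# Prints one line per dhcp-option that sets DNS servers (option 6):
#   NOTAG   <line>  no tag: qualifier on the line
#   UNKNOWN <line>  tag: names something no set: defines
#   SCOPED  <line>  tag: matches a set: tag or a listed interface name
classify_dns_options() {
    printf '%s\n' "$1" | awk -v ifaces="$2" '
        BEGIN { n = split(ifaces, a, " "); for (i = 1; i <= n; i++) known[a[i]] = 1 }
        /^[ \t]*#/ { next }
        {
            # Remember the line and every set:<tag> it defines.
            lines[++cnt] = $0
            rest = $0
            while (match(rest, /set:[^,]+/)) {
                known[substr(rest, RSTART + 4, RLENGTH - 4)] = 1
                rest = substr(rest, RSTART + RLENGTH)
            }
        }
        END {
            for (i = 1; i <= cnt; i++) {
                l = lines[i]
                if (l !~ /^dhcp-option=/) continue
                if (l !~ /[,=](6|option:dns-server),/) continue
                if (!match(l, /tag:[^,]+/)) { print "NOTAG " l; continue }
                t = substr(l, RSTART + 4, RLENGTH - 4)
                kind = (t in known) ? "SCOPED" : "UNKNOWN"
                print kind " " l
            }
        }'
}

classify_dns_options "$SAMPLE_CONF" "br0 br1"
```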
  16. Miltos

    Miltos Serious Server Member

    Thank you very much, koitsu. This appears to be working and I really appreciate it. I will do further testing and report back if I find any problems. Thank you so much for the correct code and for the links so I can dig deeper and learn more. I started with iptables code, but in the future if dnsmasq comes up I will move the query over to the dnsmasq list.

    zavar, thank you very much for your time and effort to help me as well. I really appreciate it.
  17. koitsu

    koitsu Network Guru Member

    I had a feeling this would happen, sigh... My reply was actually intended for @zavar, not you. :)
  18. zavar

    zavar Networkin' Nut Member

    Thanks koitsu. Sorry, I didn't mean to confuse things. I had read several posts that used the interface without the tag portion. I then came across a post saying that in Dnsmasq the way the configuration file was read had changed in 2.66 and it would not allow options to be changed if the interface had already been initiated. The post had the same example that we were working through here and I didn't see any further information to show how to make it work.

    So yes, I did assume from that post that it was no longer possible. My mistake. Thanks again for straightening things out.
  19. Miltos

    Miltos Serious Server Member

    koitsu, it was clear that you were addressing zavar, but your code worked for me so I am very thankful nonetheless :)