I am a noob and appreciate any advice I can get on this. I'm trying to force users on my guest wifi network to use OpenDNS (this network is for my son and his friends and will use OpenDNS filtering and blocking), while users on my main home network (wired and wifi) use the internal DNS (or any other DNS that is not filtered/blocked).

I've got an RT-N66U running Shibby Tomato v115. I set up a guest wifi network using this article. I can connect to the network and browse the internet just fine. I then followed this post to try and force the guest wifi to use OpenDNS. I was also able to get Tomato's DDNS updating OpenDNS with the router's IP address.

My Administration>Scripts>Firewall looks like this:

Code:
# Redirect DNS (UDP and TCP port 53) arriving on the guest bridge br1
iptables -t nat -I PREROUTING -i br1 -p udp --dport 53 -j DNAT --to 220.127.116.11
iptables -t nat -I PREROUTING -i br1 -p tcp --dport 53 -j DNAT --to 18.104.22.168
# Default-drop forwarding, then allow only eth0 <-> br0 and eth0 <-> br1
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -o br0 -j ACCEPT
iptables -A FORWARD -i br0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o br1 -j ACCEPT
iptables -A FORWARD -i br1 -o eth0 -j ACCEPT

The first two lines are taken from the post about forcing OpenDNS on the guest network. The last five lines are taken from the article about setting up the guest network and are supposed to prevent users on the guest network from accessing the main home network. I also tried it with the two OpenDNS lines at the bottom, in case it was a sequencing issue, but I get the same results.

When I am connected to the guest network via a Windows 7 laptop and do an "ipconfig /all", it reports the DNS IP as 192.168.2.1, which is the IP of the guest network, and no website blocking is happening.

Can anyone offer advice on how to get it so that the guest users are forced to use OpenDNS while the home network users still use the internal DNS?

A few other specific questions came up while I was working on this:

1. Do I need to check the "Use as DNS" box for OpenDNS on the DDNS configuration page in order to enable it, or will that enable it for all networks?

2. Can I check the "Intercept DNS Port" option to prevent any users on the guest network from entering a client-side DNS server? If so, I assume this would apply to the home network as well, correct? Do I need to enter anything into dnsmasq to make it work? If selecting "Intercept DNS Port" will negatively impact the main network, is there something I can enter into Scripts or dnsmasq that can accomplish the same thing for only the guest network?

3. How can I test to make sure that users on the guest network can't access the home network?
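
An added example, not part of the original post: a DNAT rule on br1 rewrites DNS packets in transit, so a guest client keeps showing the DNS server it was handed by DHCP, and the rule counters on the router are what show whether the redirect is matching. The script parses a constructed sample of `iptables -t nat -L PREROUTING -v -n -x` output; the helper name `check_dns_redirect`, the counters and the vlan2 port-forward line are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the post): verify the guest-bridge DNS redirect
# from the router side by reading the nat PREROUTING rule counters.

# Constructed sample of `iptables -t nat -L PREROUTING -v -n -x` output.
# The counters and the vlan2 port-forward line are made up for illustration.
sample_listing() {
cat <<'EOF'
Chain PREROUTING (policy ACCEPT 412 packets, 31877 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      12      780 DNAT       udp  --  br1    *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 to:220.127.116.11
       0        0 DNAT       tcp  --  br1    *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53 to:18.104.22.168
       3      180 DNAT       tcp  --  vlan2  *       0.0.0.0/0            203.0.113.10        tcp dpt:8080 to:192.168.1.50:80
EOF
}

# check_dns_redirect IFACE  (hypothetical helper; listing on stdin)
# Prints "<proto> <state> <redirect-target> <pkts>" for udp and tcp, where
# state is missing, idle (rule present, 0 packets) or active (packets matched).
# Returns non-zero if either port-53 DNAT rule is absent for IFACE.
check_dns_redirect() {
    awk -v iface="$1" '
        # Columns: pkts bytes target prot opt in out source destination match...
        $3 == "DNAT" && $6 == iface && /dpt:53( |$)/ && !($4 in seen) {
            seen[$4] = 1              # first matching rule in the chain wins
            pkts[$4] = $1 + 0
            for (i = 10; i <= NF; i++)
                if ($i ~ /^to:/) dest[$4] = substr($i, 4)
        }
        END {
            rc = 0
            n = split("udp tcp", protos, " ")
            for (k = 1; k <= n; k++) {
                p = protos[k]
                if (!(p in seen)) { print p, "missing", "-", 0; rc = 1 }
                else print p, (pkts[p] > 0 ? "active" : "idle"), dest[p], pkts[p]
            }
            exit rc
        }'
}

# On the router: iptables -t nat -L PREROUTING -v -n -x | check_dns_redirect br1
sample_listing | check_dns_redirect br1
```

An `idle` udp line after a guest client has browsed means the lookups are not reaching that rule; an `idle` tcp line is normal, since most lookups go over UDP.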