NOOB Access Restriction question

Discussion in 'Tomato Firmware' started by DomDis, Mar 2, 2018.

  1. DomDis

    DomDis Network Newbie Member

    I'd like to add some rules to block outboud DNS request

    So allow output TCP/UDp on port 53 to OpenDNS DNS Servers,
    Then I'd like to allow LAN ip to use any External DNS server like Google

    I'm used to seeing Inbound/Outbound firewall rules

    Do I do this in Advanced Settings, Access Restrictions (3 Rules)
    More Important will this work - So all IP are forced to only used the DHCP SUPPLIED DNS server and that one IP can use any DNS SERVER.

    I know that Tomato has the "Intercept DNS port (UDP 53)" in the DNS config area but I don't want to lock out all IPs
  2. ruggerof

    ruggerof Network Guru Member

  3. DomDis

    DomDis Network Newbie Member

  4. Yim Sonny

    Yim Sonny Serious Server Member

    What do you mean by "lock out all IPs" ? You seem to be contradicting yourself. Do you, or do you not want to force everybody to use the DNS server of your designation ?
  5. Yim Sonny

    Yim Sonny Serious Server Member

    Access restrictions can be used to block IP addresses if you can decide what it is that you want to block.
  6. DomDis

    DomDis Network Newbie Member

    The firewall I'm used to using have rules and they are applied in order so :

    If I want to allow only IP to be allowed to perform a DNS query through the firewall and force every one else to use say OpenDNS I would the following

    DHCP assigns IP and set DNS to, (OpenDNS)
    Then I would create a two rules

    RULE 1: LAN IP TCP/UDP Port 53 is allowed to access WAN to ANY destination IP
    RULE 2: Any LAN IP TCP/UDP Port 53 is allowed to access WANT to IPs,

    On device I can then set DNS to what ever IP I want and the firewall RULE 1 would allow it through. Rule 2 allows allother IPs through if the destination is,

    Its kind of opening up Port Forwarding all traffic, specifying sources and destinations. You would have to create a "AnyWAN" and "AnyLAN" (you can do this by subnet block or interface ...) identity

    Something like
    Last edited: Mar 5, 2018
  7. DomDis

    DomDis Network Newbie Member

    Can it be something like

    Attached Files:

  8. Yim Sonny

    Yim Sonny Serious Server Member

    Yes, I see that now in your original post. Don't know if you edited it or if I was reading too fast the first time. I'm guessing that you can make a firewall rule with IPtables that inserts itself at the top of the chain. With that you could specify the source and destination IP or Port that you wish to allow. I haven't the horsepower to brew up such a command but you might want to review DD-WRT's White List script for some ideas. The IPtables rule(s) would be pasted into Tomato's "Administration" - "Scripts" - "FireWall" section.

    That is more like access permissions, not access restrictions. I use access restrictions to allow access to only certain destinations or blocks of IP space by blocking the entire internet IP space and then creating exceptions for the destinations to permit. I don't see a way for the restrictions page to do what you are needing.
  9. DomDis

    DomDis Network Newbie Member

    OK So this can not be done from the GUI

    I thought this was pretty typical of firewalling - I think of it like the traffic police, directing traffic both allowing and denying traffic to flow (or not).

    I saw a thread, back in 2016 ( where @michael.sanos seemed to be asking something similar. Michael was showing a Zyxel. I actually have an older non-wifi one of those. It does allow for a lot more control from the GUI. I'm not sure if it reports live stats like Tomato. My ZyXel doesn't have wifi so that's why I went with an ASUS & Tomato.

    I guess I have to either learn how to putz in IPTAPES or get a WiFi ZyXel or even one of those newer routers mentioned in that post that does firewalling from the GUI
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice