
I have a setup at home as follows:

DHCP clients  -----> (wifi)(nat) Openwrt -----> (eth)Main Router

DHCP clients get ip from 192.168.42.0/24 subnet.

The device I'm using is a TP-Link MR3020 with Barrier Breaker. I'm using an older version because after installing a newer version I cannot install the packages that would enable use of a USB HDD, due to device space shortage.

The configuration is like this:

DANSGUARDIAN:

# specify each IP on an individual filterip line.
filterip = 192.168.42.1
# the port that DansGuardian listens to.
filterport = 8888
# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 192.168.42.1
# the port DansGuardian connects to proxy on
proxyport = 3128

PRIVOXY:

confdir /etc/privoxy
logdir /var/log
filterfile default.filter
logfile privoxy
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
actionsfile default.action   # Main actions file
#actionsfile user.action      # User customizations
listen-address  192.168.42.1:3128
toggle  1
enable-remote-toggle  1
enable-remote-http-toggle  0
enable-edit-actions 1
enforce-blocks 0
buffer-limit 4096
forwarded-connect-retries  0
accept-intercepted-requests 0
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 300
socket-timeout 300
permit-access  192.168.42.0/24
debug   1    # show each GET/POST/CONNECT request
debug   4096 # Startup banner and warnings
debug   8192 # Errors - *we highly recommended enabling this*

FIREWALL:

config redirect
    option _name 'dansguardian'
    option proto 'tcp'
    option src 'lan'
    option dest_port '8888'
    option src_dport '80'
    option src_dip '!192.168.42.1'
    option dest_ip '192.168.42.1'

I need a couple of pieces of advice regarding my internet speed and DG performance:

  1. The performance and speed are generally good, with a few setbacks though: especially when DG is actively filtering more than one client, I experience small delays.
  2. When someone texts the clients via iPhone iMessage, the message doesn't show up. If I connect to a wifi other than OpenWrt, it works.
  3. I know for a fact there is no 100% solution to this, but I want to know whether there is any OpenWrt-specific solution to HTTPS filtering using DG. I'm using URL and IP filtering for famous websites (like Facebook), but it is static.

Any suggestions?

0xmtn
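A quick audit of the Privoxy settings from the question for who can reach or reconfigure the proxy (an added example, not part of the original post or of Privoxy; it assumes the directives listed above and reads the web-interface toggles the way Privoxy's own configuration documentation describes them):

```python
# Privoxy settings copied from the question (embedded inline so the check runs offline).
PRIVOXY_CONF = """\
listen-address  192.168.42.1:3128
toggle  1
enable-remote-toggle  1
enable-remote-http-toggle  0
enable-edit-actions 1
enforce-blocks 0
accept-intercepted-requests 0
permit-access  192.168.42.0/24
debug   1    # show each GET/POST/CONNECT request
"""


def parse_privoxy(text):
    """Map each directive to its list of values; drop blank lines, comments and '# ...' trailers."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf


def audit_privoxy(text):
    """Return findings about which hosts can use the proxy and which can reconfigure it."""
    conf = parse_privoxy(text)
    findings = []
    for addr in conf.get("listen-address", []):
        # "host:port"; host may be empty, 0.0.0.0 or [::], all of which mean "every interface".
        host = addr.rsplit(":", 1)[0] if ":" in addr else ""
        if host in ("", "0.0.0.0", "[::]"):
            findings.append(f"listen-address {addr!r} binds every interface, not just the LAN side")
    if "permit-access" not in conf:
        findings.append("no permit-access: every host that can reach listen-address may use the proxy")
    # The toggle and action-file editor live in Privoxy's web interface, reachable by any
    # permitted client; with a whole LAN permitted, any client can switch filtering off or
    # rewrite the action files, so both should stay 0 unless every client is trusted.
    if conf.get("enable-remote-toggle", ["0"])[-1] == "1":
        findings.append("enable-remote-toggle 1: any permitted client can disable filtering via the web interface")
    if conf.get("enable-edit-actions", ["0"])[-1] == "1":
        findings.append("enable-edit-actions 1: any permitted client can edit the actions files via the web interface")
    return findings


if __name__ == "__main__":
    for finding in audit_privoxy(PRIVOXY_CONF):
        print(finding)
```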
  • For #2, you double NAT as I see it? Your main router can't have a separate wifi VLAN to prevent that? – yagmoth555 Mar 07 '16 at 11:56
  • It has a separate wifi, but how does it prevent the message from arriving? – 0xmtn Mar 07 '16 at 12:08
  • Double NAT kills a lot of app communication, like Skype too. Search "iMessage & double NAT" on Google. – yagmoth555 Mar 07 '16 at 12:23
  • Most modern routers have a 'guest wifi' feature to prevent that, btw. – yagmoth555 Mar 07 '16 at 12:24
  • In my case, the clients connect directly to the OpenWrt router, and the router connects to the main router via ethernet. How will guest wifi solve this, since clients do not connect to it directly? I'm thinking of deleting the double NAT structure and creating an ARP spoofing middleware to get all the traffic onto OpenWrt and then filter. Is there any other way to accomplish this without ARP spoofing? – 0xmtn Mar 07 '16 at 12:32
  • Can you use a simple wifi access point? – yagmoth555 Mar 07 '16 at 12:46
  • For the guest wifi comment, it's because it isolates the wifi clients in separate WLAN addressing, but the NATing happens only once, directly at the router. If the clients are too far from the router, what I see is a VLAN port created on the main router with DHCP, and a wifi access point wired where needed. – yagmoth555 Mar 07 '16 at 12:52
  • If I use the OpenWrt router as an access point, then it means that clients will connect to the router in bridge mode. But in bridge mode how can I redirect traffic to DansGuardian? Is it possible? – 0xmtn Mar 07 '16 at 14:01
  • In bridge mode the client would get an IP from your main router, thus it's like the client stands in the LAN. DansGuardian forwards on the wifi when it sees packets for them in big. – yagmoth555 Mar 07 '16 at 14:08
  • So in summary: `clients(br) ---> DG --> privoxy -> internet` will work? iptables will forward the packet to the DG port on PREROUTING, and then DG will redirect to Privoxy and it to the internet? I haven't tried this scenario; if this is your suggestion, lemme try it first and then get back to you? – 0xmtn Mar 07 '16 at 14:17
  • If I modify your initial plan, my thought is this: DHCP clients -----> Openwrt (bridge) -----> (eth)Main Router (we can chat later on if needed; right now I can't, from Safari on my phone :) ) – yagmoth555 Mar 07 '16 at 14:22
  • :) Ok @yagmoth555. I'm trying this scenario right now; I'll reply to you from here, and if you are available we can chat. Thanks for the help! – 0xmtn Mar 07 '16 at 14:26

0 Answers