But it's not working for me (:
For one of the users, in the same subnet, I can change the DNS server to 8.8.8.8 and can load all porn content.
I would be glad if someone can point me to where I am making a mistake.
In dstnat rules, src-address=!208.67.222.123 is useless nonsense, but it doesn’t break anything (dst-address=!208.67.222.123 is not required either, but again doesn’t hurt).
Are you sure about in-interface=!bridge-GF? It means anything not coming from bridge-GF, and that includes every other interface on the router, including WAN. I'd expect that you'd use in-interface=.
Srcnat rules look like some kind of hairpin NAT config, but they won’t do anything useful in combination with above dstnat rules, because there won’t be anything going to 192.168.50.2 (not counting requests from bridge-GF redirected by other dstnat rules you possibly left out).
There's also one new trouble on the horizon: browsers are starting to enable DNS over HTTPS, which means that what you're trying to do won't be possible anymore.
Thank you very much for your valuable feedback!!
I started learning MikroTik very recently, sorry for those mistakes.
Can you please suggest any other way to block porn content, other than OpenDNS?
I could block particular websites using TLS certificates (/ip firewall filter add action=drop chain=forward protocol=tcp tls-host=*facebook.com)
The Internet is made for porn, so it's a tough battle. Trying to block individual sites is a waste of time.
What you tried to do is basically correct and it should work for a while. Take your dstnat rules, remove the src-address and dst-address options, and review the in-interface option, if it's really what you want (didn't you mean in-interface=bridge-GF, without "!", which means "not"?). For a start, you can remove it too and it will take all DNS requests from anywhere. You don't want to keep such a config, but it's good as a starting point for testing.
As I wrote, browsers with DNS over HTTPS will soon ruin this method. But it’s just starting and it will annoy many people who use special DNS servers for blocking stuff, so I assume there will be some further development. I can hear it already, “I was using OpenDNS to protect my children from porn, and you evil browser makers broke it, how could you?!” I think it has potential to make them re-think some things.
@sabiraslam: If you're not just a spammer interested only in publishing a link to your website (in contact), start by opening your own thread, then continue with adding more details, etc.
I completely agree that the internet is mostly used for porn: "porn sites get more visitors each month than Netflix, Amazon, and Twitter combined".
I mean the rule worked, blocking the porn content after some modifications, but the problem is I can manually change the DNS to 8.8.8.8 on the PC and unblock all the porn content.
Thanks a ton for correcting my commands!!
People make our lives more complicated by creating new rules; I hope they reconsider browsers with DNS over HTTPS.
I will search more to find a solution, and will update here if I can somehow manage to block the porn content.
I am grateful for the community in sharing information and being helpful with newbies like me.
Then a DNS query sent from the LAN to 8.8.8.8 or any other server will be intercepted by the router and sent to 208.67.222.123 instead; there's no escaping that. Apart from the mentioned DNS over HTTPS (but AFAIK it's just starting and it's not enabled everywhere), the only problem could be with the in-interface option: it should be the interface where the clients are connected.
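The corrected rule set that the replies above describe, written out as an added example (this is not a configuration posted by anyone in the thread). It assumes bridge-GF is the LAN-facing bridge and 208.67.222.123 is the OpenDNS address used in the thread, both taken from the posts; the WAN interface name ether1 is an assumption for illustration. The two print commands at the end are the check a practitioner would run from the router to confirm that a client pointed at 8.8.8.8 is really being rewritten.

```routeros
# Added example, not the poster's config. Forces every DNS query entering
# from the LAN bridge to OpenDNS, whatever server the client configured.
# Assumes: bridge-GF = LAN bridge, 208.67.222.123 = OpenDNS resolver from
# the thread, ether1 = WAN interface (assumption).
/ip firewall nat

# Match on in-interface=bridge-GF (no "!"), and use no src-address or
# dst-address filter: anything a LAN client sends to port 53, whether to
# 8.8.8.8 or any other resolver, is rewritten before routing.
add chain=dstnat in-interface=bridge-GF protocol=udp dst-port=53 \
    action=dst-nat to-addresses=208.67.222.123 to-ports=53 \
    comment="Force LAN DNS (UDP) to OpenDNS"
add chain=dstnat in-interface=bridge-GF protocol=tcp dst-port=53 \
    action=dst-nat to-addresses=208.67.222.123 to-ports=53 \
    comment="Force LAN DNS (TCP) to OpenDNS"

# The ordinary outbound masquerade must still exist so the redirected
# queries leave with the WAN address and the answers come back.
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="Outbound NAT for LAN"

# Limitation raised in the thread: a browser using DNS over HTTPS sends its
# queries inside TLS on TCP/443, so these port-53 rules never see them.

# Check: with a LAN PC manually set to 8.8.8.8, the dstnat counters should
# increase, and the tracked connection should show 208.67.222.123:53 as the
# destination rather than 8.8.8.8:53.
/ip firewall nat print stats where chain=dstnat
/ip firewall connection print where protocol=udp dst-address~":53"
```

If the counters stay at zero while the client resolves names, the in-interface value is the first thing to recheck, as the reply above says: it has to be the interface the clients actually arrive on.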
So like you mentioned using the rather than the in the firewall nat solved the issue.
I hope DNS over HTTPS will not be implemented soon for the browsers.
Thanks mate