Enforce DNS by MAC address

DD-WRT Forum Index -> Advanced Networking
neilanthonstuckey
DD-WRT Novice
Joined: 20 Jun 2017
Posts: 2

Posted: Tue Jun 20, 2017 17:38    Post subject: Enforce DNS by MAC address
Hello,

I am looking for a solution to enforce DNS servers based on MAC addresses. I am going to apologize in advance, as I am not an iptables, networking or DD-WRT expert. I can normally follow directions fairly well.

My setup is this: ISP modem/router, LAN 192.168.1.1/24, with DMZ running on 192.168.1.18. DD-WRT router, WAN IP 192.168.1.18, LAN IP 192.168.2.1/24. The ISP router's DNS is set to automatic. DNS on the DD-WRT router is set to OpenDNS. I have static routes set for the networks, and I can ping and log into devices from both networks.

I found one of my kids has been visiting sites I have blocked via OpenDNS by assigning static DNS (Google DNS) on his phone. I have for some time wanted to assign specific DNS for specific devices by the device's MAC address via iptables. This is the script I have cobbled up. I am just wondering what you think, or if the DMZ dual-router setup will cause issues with the following DD-WRT firewall rules.

# For my phone, use WAN DNS (i.e., Comcast).
# Note: iptables selects a client by MAC with "-m mac --mac-source"; "-s" only
# accepts an IP address or network and rejects a MAC, so the rules as first
# written would fail to load. Each device below needs its own MAC address.
# #############################################################
iptables -t nat -A PREROUTING -i br0 -m mac --mac-source 00:A0:96:C7:47:F6 -p tcp --dport 53 -j DNAT --to $(nvram get wan_get_dns | awk -F' ' '{print $1}')
iptables -t nat -A PREROUTING -i br0 -m mac --mac-source 00:A0:96:C7:47:F6 -p udp --dport 53 -j DNAT --to $(nvram get wan_get_dns | awk -F' ' '{print $1}')

# For wife's phone, use WAN DNS (i.e., Comcast).
# (Replace the MAC below with the phone's own address; the same MAC is repeated here.)
# #############################################################
iptables -t nat -A PREROUTING -i br0 -m mac --mac-source 00:A0:96:C7:47:F6 -p tcp --dport 53 -j DNAT --to $(nvram get wan_get_dns | awk -F' ' '{print $1}')
iptables -t nat -A PREROUTING -i br0 -m mac --mac-source 00:A0:96:C7:47:F6 -p udp --dport 53 -j DNAT --to $(nvram get wan_get_dns | awk -F' ' '{print $1}')

# For the Roku, use WAN DNS (i.e., Comcast).
# (Replace the MAC below with the Roku's own address; the same MAC is repeated here.)
# #############################################################
iptables -t nat -A PREROUTING -i br0 -m mac --mac-source 00:A0:96:C7:47:F6 -p tcp --dport 53 -j DNAT --to $(nvram get wan_get_dns | awk -F' ' '{print $1}')
iptables -t nat -A PREROUTING -i br0 -m mac --mac-source 00:A0:96:C7:47:F6 -p udp --dport 53 -j DNAT --to $(nvram get wan_get_dns | awk -F' ' '{print $1}')

# For every other client, use OpenDNS (via the router's own dnsmasq).
# These catch-all rules must stay after the per-device rules: -A appends in
# order and the first matching PREROUTING rule wins.
# #############################################################
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
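The per-device redirect from the post above, reworked as an added example (this is not code from the original post or from DD-WRT). It replaces `-s <MAC>`, which iptables refuses because `-s` takes an IP address or network, with the `mac` match module; validates each MAC and resolver before a rule is emitted; keeps the catch-all after the per-device rules; and goes one step beyond the post by rejecting DNS over TLS on tcp/853 so a phone's "Private DNS" setting cannot sidestep the redirect. The LAN bridge name `br0`, the placeholder MACs and the 75.75.75.75 resolver are assumptions; substitute your own. The upstream router's DMZ does not affect these rules, since they act on traffic entering br0 before it is routed.

```shell
#!/bin/sh
# Added example; not code from the original post or from DD-WRT.
# Generates the DD-WRT nat/PREROUTING rules that pin DNS per client MAC and
# funnels every other client through the router's own dnsmasq (which forwards
# to whatever is set under Setup -> Static DNS, OpenDNS in the poster's case).
# Assumptions (mine, not the page's): LAN bridge is br0; the MAC addresses and
# the 75.75.75.75 resolver in DEVICE_DNS_MAP are constructed placeholders.
#
# On the router (paste under Administration -> Commands -> Save Firewall):
#   sh dns_by_mac.sh apply
# Anywhere else (prints the rules, touches nothing):
#   sh dns_by_mac.sh

LAN_IF="${LAN_IF:-br0}"

# One "MAC resolver" pair per line. Every device needs its own MAC address;
# the post repeats a single MAC for three devices, which cannot work.
DEVICE_DNS_MAP='
00:A0:96:C7:47:F6 75.75.75.75
00:11:22:33:44:55 75.75.75.75
AA:BB:CC:DD:EE:01 75.75.75.75
'

# 0 if $1 is a colon-separated 48-bit MAC address, 1 otherwise.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$'
}

# 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print (do not run) the UDP and TCP port-53 DNAT rules for one client.
# The client is selected with the iptables mac match module; "-s" as used in
# the post only accepts an IP address or network and rejects a MAC.
dns_rules_for_mac() {
    mac="$1"
    resolver="$2"
    valid_mac "$mac"       || { echo "bad MAC: $mac" >&2; return 1; }
    valid_ipv4 "$resolver" || { echo "bad resolver: $resolver" >&2; return 1; }
    for proto in udp tcp; do
        printf 'iptables -t nat -A PREROUTING -i %s -m mac --mac-source %s -p %s --dport 53 -j DNAT --to-destination %s\n' \
            "$LAN_IF" "$mac" "$proto" "$resolver"
    done
}

# Catch-all for everyone else: DNAT port 53 to the router's LAN address ($1),
# where dnsmasq answers. Also reject DNS over TLS (tcp/853) so a phone's
# "Private DNS" setting cannot step around the redirect; this rule goes
# beyond what the post asked for. DNS over HTTPS shares tcp/443 with the web
# and cannot be stopped by a port rule.
default_dns_rules() {
    lan_ip="$1"
    valid_ipv4 "$lan_ip" || { echo "bad LAN IP: $lan_ip" >&2; return 1; }
    for proto in udp tcp; do
        printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport 53 -j DNAT --to-destination %s\n' \
            "$LAN_IF" "$proto" "$lan_ip"
    done
    printf 'iptables -I FORWARD -i %s -p tcp --dport 853 -j REJECT\n' "$LAN_IF"
}

# Complete rule set, one command per line: per-MAC rules first, catch-all
# last. Order matters because -A appends and the first PREROUTING match wins.
build_dns_rules() {
    while read -r mac resolver; do
        [ -n "$mac" ] || continue
        dns_rules_for_mac "$mac" "$resolver" || return 1
    done <<EOF
$DEVICE_DNS_MAP
EOF
    default_dns_rules "$1"
}

# Number of rules the map produces (2 per device + 3 defaults).
rule_count() {
    build_dns_rules "$1" | wc -l | tr -d ' '
}

if [ "${1:-}" = "apply" ]; then
    # On the router: take the LAN address from nvram, build the whole set
    # first (so a bad entry applies nothing), then run each rule in order.
    rules=$(build_dns_rules "$(nvram get lan_ipaddr)") || exit 1
    printf '%s\n' "$rules" | while read -r rule; do
        eval "$rule"
    done
else
    build_dns_rules "${LAN_IP:-192.168.2.1}"
fi
```

In apply mode the script reads the LAN address from nvram; anywhere else it prints the rules so they can be reviewed first. After applying, `iptables -t nat -L PREROUTING -n -v` shows the per-MAC rules with their packet counters climbing when the redirect is working, and a client that has a static resolver configured will still get its answers from the resolver the rule names.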
mrjcd
DD-WRT Guru
Joined: 31 Jan 2015
Posts: 6290
Location: Texas

Posted: Tue Jun 20, 2017 23:17    Post subject:
Why not restrict by network?
You should see if you can bridge your ISP modem/router and let DD-WRT do everything.
But even regardless of that, the modem/router apparently does not have you locked to a specific DNS.
So --- if your DD-WRT unit is using a recent build and has
'Forced DNS Redirection' enabled
'No DNS Rebind' enabled
and you have 3 valid IPs set for the DNS you want to use, there is really no way around it.
or
Set the DNS you want to use as the main network.
Create a VAP (guest network for WiFi) restricted from main and set 'Target DNS', let's say, to OpenDNS Family Shield.
If your kids only have the password to the restricted WiFi then they will be forced to use only the DNS you allow.
I have tested this several times over the last few months --- no problem.
If you have some local devices, printers, other servers, you want to allow the restricted
network to access, you can always set simple firewall rules for this.
or
If you are talking about other wired connections then you should be able to create VLANs using the same principle.
neilanthonstuckey
DD-WRT Novice
Joined: 20 Jun 2017
Posts: 2

Posted: Wed Jun 21, 2017 1:20    Post subject:
The ISP router cannot be bridged; that's what I wanted to do. The best thing I found was the 2nd DD-WRT router placed in the 1st router's DMZ.

My DD-WRT router is a Linksys WRT54GL running DD-WRT v24-sp2 (08/07/10) std
(SVN revision 14896). I think that's the latest build?

I was really hoping to avoid any more networks or VLANs since I have fewer than 10 devices. I assumed that filtering by MAC would be a little easier.