I have a question about how to set up a certain access restriction rule on TomatoUSB which I have otherwise successfully been able to set up on other routers, e.g. pfSense, Zyxel USG100 and Zyxel Zywall 5. Let me explain…
I have subscribed to the OpenDNS VIP (Safe Home browsing) service, which gives me a couple of DNS servers to use and additionally allows me to set up custom restricted content categories, which I can set using their control panel. I have set up these DNS servers as static DNS on the WAN settings page and have them served as part of the DHCP response to LAN clients, and even use my router IP, e.g. 192.168.1.1, as a DNS proxy. That part all works fine.
Here is what I have done additionally. I have set up a content filter exempt list, in which I have set up custom DNS servers, e.g. Google Public DNS, which will allow them to bypass the OpenDNS servers served up through the DNS proxy. Here comes the challenge. I am trying to set up an access restriction rule with which I can control which local IPs can do DNS queries on port 53 to other DNS servers vs. the safe DNS already defined as static DNS. In other words, I am looking for a way to set up a rule which will allow DNS queries to any DNS server using port 53 ONLY if the local IPs are on the Applies To list, and otherwise block the traffic. The idea here is, if my kid or guests try to override this OpenDNS setting and decide to use their own DNS server setting in the hope of circumventing my content filter mechanism, the traffic is blocked.
On the other routers I have mentioned above, I used to be able to set up a rule explicitly allowing port 53 to any IP on the CF exempt list, followed by a rule to allow port 53 for any local IP to the OpenDNS servers, followed by blocking port 53 for any other condition. I am not sure how to replicate this on TomatoUSB. I would appreciate some help answering my question.
Disclaimer: Before anyone mentions that the above mechanism is not a foolproof method of implementing a content filter and that someone can use straight IPs to circumvent it, I am fully aware of it but want to put it in place anyway for those folks who are not very IT literate.
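The three-step policy described in the post (exempt hosts may use any resolver, every other LAN host may use only the safe resolvers, everything else on port 53 is blocked), written as iptables rules of the kind that go into a TomatoUSB "Firewall" script. This is an added example, not the poster's configuration: the chain name, the `br0` LAN interface and all addresses are assumptions or constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): egress DNS policy for the
# TomatoUSB Firewall script. Tomato's firewall is iptables and its LAN bridge
# is normally br0; the chain name and the addresses below are placeholders.

LAN_IF="br0"                              # assumed LAN interface
CHAIN="dnsguard"                          # hypothetical chain name
EXEMPT_IPS="192.168.1.10 192.168.1.11"    # placeholder: hosts on the CF exempt list
SAFE_DNS="198.51.100.53 198.51.100.54"    # placeholder: your OpenDNS resolver IPs

# Print the rules one per line (dry run, for review); pass "apply" to run them.
dns_rules() {
    echo "iptables -N $CHAIN 2>/dev/null || true"
    echo "iptables -F $CHAIN"
    # 1. Exempt hosts may query any resolver on port 53.
    for ip in $EXEMPT_IPS; do
        echo "iptables -A $CHAIN -s $ip -j ACCEPT"
    done
    # 2. Every other LAN host may query only the safe resolvers.
    for dns in $SAFE_DNS; do
        echo "iptables -A $CHAIN -d $dns -j ACCEPT"
    done
    # 3. Anything else is logged (bypass attempts show up in the syslog) and dropped.
    echo "iptables -A $CHAIN -m limit --limit 5/min -j LOG --log-prefix \"DNS-BLOCK: \""
    echo "iptables -A $CHAIN -j DROP"
    # Hook the chain into FORWARD ahead of Tomato's own accept rules. Queries to
    # the router's DNS proxy (192.168.1.1) pass through INPUT, not FORWARD, so
    # the proxy keeps working for every host; only direct outbound DNS is policed.
    echo "iptables -I FORWARD 1 -i $LAN_IF -p udp --dport 53 -j $CHAIN"
    echo "iptables -I FORWARD 1 -i $LAN_IF -p tcp --dport 53 -j $CHAIN"
}

if [ "$1" = "apply" ]; then
    dns_rules | while IFS= read -r cmd; do eval "$cmd"; done
fi
```

Run it without arguments to review the generated rules, and with `apply` on the router to install them; the Firewall script runs each time Tomato rebuilds its tables, so the chain is recreated cleanly.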