Viewing 12 posts - 1 through 12 (of 12 total)
  • DDWRT Access Point IPTable rules anyone?
  • pealy
    Free Member

    At the end of my tether so mostly a cry for help but you never know.

    Trying to set up a router as a wireless access point (LAN cable from Main HUB to this one). Easy enough to make this work but I want to try and force all devices connected to this access point through a family-friendly OPENDNS.

    I’ve managed this fine using IPTABLES firewall rules when the router’s on a different subnet acting as a proper router with DHCP etc but when I do this in Access Point mode (WAN Connection disabled) it seems to just ignore the rules and everything goes through the main hub.

    These are the rules which worked on the old set-up.
    # Rewrite DNS (UDP and TCP) arriving from the LAN bridge to OpenDNS FamilyShield
    iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 208.67.222.123
    iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 208.67.222.123
    # Block forwarded DNS over TCP outright
    iptables -I FORWARD -p tcp --dport 53 -j DROP

    I’ve tried changing PREROUTING to OUTPUT to no avail.
    Settings for creating the DDWRT Access Point are Here – see ‘Long Version’

    Time to stop banging my head against this brick wall... any ideas appreciated.

    gofasterstripes
    Free Member

    I have a DDWRT device at home, not that I’m there now….

    So, “bump”, and I’ll take a look tonight if I can.

    pealy
    Free Member

    Thanks GoFaster, any help appreciated

    atlaz
    Free Member

    Why not just use the OpenDNS nameservers on the router rather than using the defaults or IPTables? Seems a lot of faff instead of just entering the IP addresses in the setup. It’s how I manage with having one router for local access, one for my DNS-hack that gives me access to UK TV.

    pealy
    Free Member

    Why not just use the OpenDNS nameservers on the router

    The family-friendly DNS is too restrictive – blocks things like national lottery and some news sites – so I want the main router to use its usual DNS and only devices coming through the access point to use it.

    codybrennan
    Free Member

    I don’t know anything about DDWRT, but it looks, though, like PREROUTING says:

    -perform these commands prior to routing

    And:

    br0- bridge0? ie, the WWAN?

    Could it be that you’re not actually routing, so this doesn’t work- it will just switch at this point.

    Why not set up DHCP and routing, put another subnet on the device?

    EDIT:

    Although it may look at the destination IP address, say: not on this subnet, so this should be routed…

    brassneck
    Full Member

    Does the switch it’s connected to support VLANs? I’d create one for the access point, and configure a DHCP server on that segment (or via IP Helper and do some cleverness on the router DHCP server .. might not be possible to assign a different options set) to assign the DNS settings.

    Or just hard code the kiddies’ devices’ DNS settings.

    Or set a filtering proxy server on their devices.

    Or flip it, set OpenDNS on the DHCP scope as a default, and hard code the DNS on devices you wish to receive Gentleman’s Entertainment on.

    pealy
    Free Member

    Could it be that you’re not actually routing, so this doesn’t work- it will just switch at this point.

    Feels like this is probably the nub of it. Reason for not having a subnet is that I want everything to be able to see each other – access media on the NAS, access the CCTV cams coming through the access point, see the wireless printer etc. Solution works great when it’s a subnet with DHCP.
    Might try setting it up to do DHCP on a subset of the range..

    Or flip it, set OpenDNS on the dhcp scope as a default..

    Definitely the fallback position, not convinced the BT router will ignore a locally-configured DNS though.

    gofasterstripes
    Free Member

    I don’t think I have anything to add beyond what is above.

    richmars
    Full Member

    When I used OpenDNS, you could set up a whitelist. Maybe that would help.

    pealy
    Free Member

    When I used OpenDNS, you could set up a whitelist

    Thanks – I abandoned that version of their DNS, it played havoc with things like Google Mail as it constantly thought the traffic was getting intercepted and reported security attacks.

    somouk
    Free Member

    Your rules are applying on the NAT table and I doubt you are NATting the traffic as it’s not routing to the internet.

    Try using the forward table.

    edit:

    Looking at it, this bit (iptables -I FORWARD -p tcp --dport 53 -j DROP) is specifically stopping the router from forwarding from the LAN to anywhere else on port 53 after it has applied the re-write on the NAT table. You’ll probably need to miss that out and just add some rules to the forward table.

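Putting somouk's point together with the original rules, here is an added example (not code from the thread, from DD-WRT or from OpenDNS) of a rule set where the FORWARD drop only catches DNS that escaped the rewrite, plus a check of the bridge-netfilter sysctl that decides whether iptables sees bridged br0 traffic at all. Assumed: the LAN bridge is br0, the resolver is the FamilyShield address quoted in the thread, and the IPT/BR_IF/RESOLVER variables are this script's own (set IPT=echo to dry-run).

```sh
#!/bin/sh
# Added example, not from the thread or DD-WRT itself. Assumptions: the LAN bridge
# is br0 and the resolver is the OpenDNS FamilyShield address quoted in the thread.
IPT="${IPT:-iptables}"
BR_IF="${BR_IF:-br0}"
RESOLVER="${RESOLVER:-208.67.222.123}"

# Print the rules in the order they must sit in their chains. -A is used throughout,
# so the listing order is the chain order (the original mixed -A and -I).
dns_rules() {
    for proto in udp tcp; do
        # nat/PREROUTING runs before FORWARD, so every DNS request from the bridge
        # is rewritten to the resolver before the filter table ever sees it.
        echo "$IPT -t nat -A PREROUTING -i $BR_IF -p $proto --dport 53 -j DNAT --to-destination $RESOLVER"
    done
    for proto in udp tcp; do
        # FORWARD sees the post-DNAT destination. An unconditional DROP on port 53
        # here would also kill the rewritten traffic (the problem somouk spotted),
        # so only drop DNS that is still aimed at some other server.
        echo "$IPT -A FORWARD -i $BR_IF -p $proto --dport 53 ! -d $RESOLVER -j DROP"
    done
}

# Bridged frames only pass through iptables when bridge netfilter is enabled.
# Returns "on", "off" or "unknown" (sysctl file not readable on this host).
bridge_nf_state() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$f" ]; then
        case "$(cat "$f")" in
            1) echo on ;;
            *) echo off ;;
        esac
    else
        echo unknown
    fi
}

apply_dns_rules() {
    if [ "$(bridge_nf_state)" = off ]; then
        echo "bridge-nf-call-iptables is 0: rules will not see br0 traffic" >&2
        return 1
    fi
    dns_rules | sh -e
}

# With no argument just show the rules; "apply" runs them (requires root on the AP).
if [ "${1:-}" = apply ]; then apply_dns_rules; else dns_rules; fi
```

Run it without arguments first and compare the printed rules with `iptables -t nat -L PREROUTING -n` and `iptables -L FORWARD -n` after applying, so the DROP visibly sits below the rewrite rather than in front of it.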