Chap Two – Configuring Tomato (Whole House Router Based Parental Controls and Ad Blocking)

Introduction

In this chapter, the router will be configured to help realize the goal of whole-house parental controls that cover every device. At the end of this chapter, the router will get its WAN connection from the main router, the LAN will be configured as a separate and secure subnet that uses OpenDNS, the router will block ads, and the router will force the US Google domain to safe search.

The following steps will be performed:

Step One: WAN Settings

In Tomato, go to the Basic/Network menu and look at the settings under WAN/Internet. Change the WAN IP type to static and set the IP address to something outside the DHCP range of the main router.

For FIOS routers, set the IP Address to 192.168.1.151 with a Gateway value of 192.168.1.1.

For Comcast routers, set the IP Address to 10.0.0.51 with a Gateway value of 10.0.0.1.

The RT now has a static address on the main router and uses the primary router as the Internet source.


Step Two: LAN Settings (For Primary, skip this step)

In Tomato, go to the Basic/Network menu and look at the settings under LAN. Change the IP address of the RT to 192.168.2.1 with a range of 2-51. Set the static DNS to 192.168.2.1. That just means that the RT will look for the DNS server IP addresses only on the RT (on itself). Then change the primary and secondary DNS to OpenDNS. The IP addresses are shown on the screen capture below.

Your LAN settings window should now look like the above screen shot. The RT now is configured with a safe and secure subnet that is completely removed from the main router network, and uses OpenDNS as the only DNS.

Since you’re already on the Tomato screen with the wireless security settings, go ahead and change the SSID and security to whatever you like. Just don’t make the SSID the same as the primary router.

Lastly, to make sure that the OpenDNS settings cannot be overridden, go to the Tomato menu labeled “Advanced”, then click on DHCP/DNS. Make sure to check the field labeled “Intercept DNS port (UDP 53)”. It’s the fourth item in the dialog box. See screen shot below. Don’t change anything else.

This prevents the filtered user from entering another DNS server in Windows (by modifying Device TCP-IP properties). Otherwise that DNS would override the RT DNS specifications.


At this point, connect the WAN port of the RT to one of the four Ethernet ports on the primary router using an Ethernet cable. Disable the wireless on your laptop. Shut down both routers, restart them and test to make sure that you have an Internet connection on your PC and that you can surf the web. Also test your wireless settings to make sure you can connect, either with the PC you’re using for this setup, or another wireless device.

Step Three: Ad Blocking

Install a UNIX shell script that runs at router boot and blocks advertisements at the hosts file level. On the Tomato menu, click on Administration, then on Scripts. Click on the WAN Up tab, and insert the following script.

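# Wait for the WAN link to settle before downloading
sleep 10

# Fetch the MVPS hosts list, strip carriage returns, point entries at 127.0.0.1
wget -O - http://www.mvps.org/winhelp2002/hosts.txt | tr -d '\r' | sed 's/0\.0\.0\.0/127.0.0.1/g' > /etc/hosts
logger DOWNLOADED PETER http://www.mvps.org/winhelp2002/hosts.txt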

echo "127.0.0.1 adwords.google.com" >> /etc/hosts
echo "127.0.0.1 pagead.googlesyndication.com" >> /etc/hosts
echo "127.0.0.1 pagead2.googlesyndication.com #[Google AdWords]" >> /etc/hosts
echo "127.0.0.1 syndicate.googlesyndication.com" >> /etc/hosts
echo "127.0.0.1 syndicate2.googlesyndication.com" >> /etc/hosts
echo "127.0.0.1 googlesyndication.com" >> /etc/hosts
echo "127.0.0.1 adservices.google.com" >> /etc/hosts
echo "127.0.0.1 syndicate.google.com" >> /etc/hosts
echo "127.0.0.1 syndicate2.google.com" >> /etc/hosts
echo "127.0.0.1 ssl.google-analytics.com" >> /etc/hosts
echo "127.0.0.1 www.google-analytics.com #[Google Analytics]" >> /etc/hosts
echo "127.0.0.1 google-analytics.com" >> /etc/hosts
echo "127.0.0.1 imageads.googleadservices.com" >> /etc/hosts
echo "127.0.0.1 imageads1.googleadservices.com" >> /etc/hosts
echo "127.0.0.1 imageads2.googleadservices.com" >> /etc/hosts
echo "127.0.0.1 imageads3.googleadservices.com" >> /etc/hosts
echo "127.0.0.1 imageads4.googleadservices.com" >> /etc/hosts
echo "127.0.0.1 imageads5.googleadservices.com" >> /etc/hosts
echo "127.0.0.1 imageads6.googleadservices.com" >> /etc/hosts
echo "127.0.0.1 imageads7.googleadservices.com" >> /etc/hosts
echo "127.0.0.1 imageads8.googleadservices.com" >> /etc/hosts
echo "127.0.0.1 imageads9.googleadservices.com" >> /etc/hosts
echo "127.0.0.1 www.googleadservices.com" >> /etc/hosts
echo "127.0.0.1 attl.staticjs.net" >> /etc/hosts

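# Safe Search entry for www.google.com (see Step Four); leave commented out for ad blocking only
# echo "216.239.38.120 www.google.com" >> /etc/hosts

# Signal dnsmasq (SIGHUP) to re-read /etc/hosts
killall -1 dnsmasq
logger DOWNLOADED PETER Extra entries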

Scroll to the bottom of the Scripts page, and click on Save. Then power down the router, and reboot it. To test ad blocking, now go to any web page loaded with ads and see if the ads still appear.
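
The WAN Up script above writes whatever the plain-HTTP download returns straight into /etc/hosts, so a tampered or failed download changes name resolution for every device behind the router. The following is an added example, not part of the original post, of filtering the list before it is installed; the function names and the sample data are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): sanitize a downloaded
# hosts-format blocklist before it replaces /etc/hosts.
# filter_hosts, install_hosts and sample_list are hypothetical names.

# Keep a line only if it is exactly "<sinkhole address> <hostname>".
# Lines pointing a name at any other address are dropped, so a tampered
# download cannot redirect a real site. Kept lines are rewritten to
# 127.0.0.1, as the page's sed command does.
filter_hosts() {
    tr -d '\r' | awk '
        { sub(/#.*/, "") }                      # strip comments
        NF == 0 { next }                        # blank or comment-only
        NF != 2 { bad++; next }                 # extra or missing fields
        $1 != "0.0.0.0" && $1 != "127.0.0.1" { bad++; next }
        $2 !~ /^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$/ { bad++; next }
        { print "127.0.0.1 " $2 }
        END { if (bad) print "rejected " bad " line(s)" | "cat 1>&2" }
    '
}

# install_hosts DOWNLOADED DEST: replace DEST only when the filtered
# result is non-empty, so a failed download leaves the old file in place.
install_hosts() {
    tmp="$2.new"
    filter_hosts < "$1" > "$tmp"
    [ -s "$tmp" ] || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$2"
}

# Constructed sample input: two good entries, three that must be rejected.
sample_list() {
    printf '# constructed sample blocklist\r\n'
    printf '0.0.0.0 ads.example.com\r\n'
    printf '127.0.0.1 tracker.example.net #[comment]\r\n'
    printf '203.0.113.7 www.example.org\r\n'       # non-sinkhole address
    printf '0.0.0.0 bad;name.example\r\n'          # illegal character
    printf '0.0.0.0 a.example b.example\r\n'       # two names on one line
}

# Router usage (sketch): wget -O /tmp/hosts.dl <list URL> &&
#   install_hosts /tmp/hosts.dl /etc/hosts && killall -1 dnsmasq
sample_list | filter_hosts
```

The extra echo lines from the script are still appended after the filtered list is installed, and a "rejected" count in the router log is worth investigating before trusting the list.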

If all you wanted was ad-blocking, you’re done! Nothing below or in chapter three applies to you. Connect to your new router and enjoy an ad-free web surfing experience on all your devices.

Step Four: Force Google Safe Search

When you configure OpenDNS in the next chapter, it will block all global Google domain names except the US-based www.google.com. That domain has to be forced into safe search mode, which requires a simple one-line entry in the WAN script file. In fact, it’s already in the script file shown above but is commented out with a # character. That’s because for simple ad blocking, the typical user would not want to also force a Google safe search.

If the goal is to implement parental controls, then that one line has to be uncommented so it will be executed. The line begins with “# echo 216”. It should not be hard to find. Remove the # character (which is used to comment a UNIX shell script) and the space right after it. Then be sure to scroll to the bottom of the page and click on the Save button. Then reboot the router.

Now you can test your router to the extent that it is set up. All Google searches should default to safe search. All non-US Google domains and all other search engines will be blocked by OpenDNS (which has not yet been set up so you won’t see that happen yet). Type some nasty keywords into the Google search engine and image search engine, and see what happens. You should not see any bad results. Also remember that ad blocking is now enabled. Test using some ad heavy sites and see if the ads are blocked. There should be plenty of white space on the pages where the ads would have appeared.

This finishes setting up the RT-N16 router. The next chapter describes the required OpenDNS configuration and how it works together with the router.
