Need Help Configuring My TP-Link TL-R470T+ to force opendns address

  • mattwilson9090

    I don't know whether anyone reading this forum knows enough about that particular router and firmware to help you. You might get a faster response if you go to a TP-Link support forum. In this case what you're looking for is nothing special; all you are trying to do is block all port 53 except that going to some specific addresses. That's a pretty common thing, but the syntax for each different model can be different. They might even have examples for using other port/address combinations that you could use as a guide to set this up.

  • avs123

    This is the settings page of my router for firewall, now please tell how I configure and enter settings in order to force users to use OpenDNS?

    [Attached screenshot: tplink router setting.png]
  • mattwilson9090

    Like I've said, you'll probably have better or quicker success if you contact a TP-Link support forum. After all, what you are trying to do is not anything unique to OpenDNS, it's a fairly routine type of task, but I have no idea if this router is truly actually capable of it or not.

    Judging from this screenshot, in addition to following the directions to enable some settings elsewhere in the router you need to create at least two rules. One or more rules would be to allow access to port 53 at the OpenDNS server addresses. To be cautious I'd create a separate rule for each of the OpenDNS addresses you want to allow since they aren't in a consecutive range. I'd do it for UDP and TCP just to cover all bases, though UDP should be sufficient. Another rule would be to deny all port 53 traffic, for UDP and TCP. According to the screenshot you can make it for all internet traffic by leaving the IP address range blank.

    Since I have no idea how your network is configured, including whether or not workstations are configured to directly address OpenDNS, or instead are pointing to the router for DNS resolution, I'm uncertain what to list for LAN IP addresses for any of the rules, especially the ALLOW rules. I'm also uncertain if these rules will apply to internet traffic coming from the router, including DNS traffic. If it were me, with the way my network is configured, for the ALLOW rules I'd want to list only the router's address in the LAN range, and leave the LAN address blank in the blocking rule, which would effectively block all port 53 traffic anywhere on your network to anywhere on the internet, except for port 53 traffic coming from the router itself.

    One of the key things it doesn't list is how this router handles processing multiple rules like this, especially the order they are processed in, and what happens when a rule is processed. Presumably it will stop processing rules when the first condition is processed, so I'd put the block rule last, but without clear guidance from documentation or people with actual experience with this (such as the TP-Link support forums) I'm only speculating, and would have to test all of this to make sure it's working properly.

    Again, since this is not a TP-Link support forum, I can't be certain that this will work, or exactly how to configure it. Based on usage here the chance that anyone else here has experience with doing this exact kind of thing with this particular router model and firmware is low, so you will either have to experiment and test various settings or visit the TP-Link forums and get input from people who actually have experience with this router and firmware.

  • avs123

    It is seriously hard to ask TP-Link because it has been 3 days and I haven't received the forum activation email, this is why I can't post in their forum. I have registered 2 email addresses, both didn't receive the activation link, this is why I came back here... poor service from TP-Link... All I can do is to ask you or someone else who is registered with TP-Link to ask them for me if possible? I have already seen a few users have already bypassed OpenDNS with Google's in their computer, therefore, the filtering is not working. I actually don't get the idea about the rule I should follow in order to force users to use OpenDNS. In this router, there is the settings which I posted in the screenshot of the firewall and it is called IP filtering, I don't know if we do it on WAN IP or LAN IP? LAN is private IP and WAN is public IP, so do we need to block or allow the DNS port via WAN? Another question I have is why do I need to allow and deny 53 port? How does it make sense to create a rule to allow it and at the same time create another to deny it?

  • avs123

    I think I am understanding a bit now. 53 is actually a DNS port, I am sure other public DNS also have the same DNS port. I am kind of a newbie in networking, so this is why I am not choosing to play with it because it is a running network, and bad settings may cause the network to stop working. Because DNS services use the same port, is this the reason why you are advising to create separate rules to allow and deny? And I allow 208.67.220.220-208.67.222.222 with port 53, so what IP range should I enter to deny DNS requests on port 53? I think this is a valid question?

  • avs123

    Only confusion for me is where should I enter it. I will check it by creating a rule for both OpenDNS addresses separately to allow on port 53, then I will create another rule to deny port 53 leaving IP addresses blank as you recommended, I hope this will work.

  • avs123

    UPDATE: I just created a rule to allow OpenDNS's address on port 53 to allow all via WAN, and created another rule by blocking WAN port 53 by leaving IP blank as you advised, and it is working. I set Google's and my ISP's DNS address on my computer, and got no internet access; setting to get DNS automatically got internet back. Thanks bro for giving me the clue, it helped me understand it, I am still in the learning process, I got a great new lesson :)

  • mattwilson9090

    I'm sorry that you're having problems getting support from TP-Link, but I've given you as much advice as I can based on my general IT experience. I don't have any experience with that particular model so I can't give you any more specific guidance than the general suggestions of what to explore and try than I already have. I certainly can't answer very specific questions about how to configure or use it.

    I have no idea what you are asking about regarding wan ip or lan ip. The page that you linked to indicates where to fill in LAN and WAN addresses, so you need to fill in those specific fields with the appropriate values. I already told you in general terms how I'd attempt it, but since I have no experience with this router model I'm not certain if that's the proper way to do it or not. I already explained why I'd try allowing traffic to the OpenDNS servers and block it to all other servers for port 53. I don't know any other way to say that it's to block all DNS traffic except to OpenDNS.

    I am not going to tell you exactly what to put in each field since I'm not certain if the approach I'd start with is correct, and I'm not willing to be blamed for it not working for you. That is why I keep telling you that you need to be asking these questions on the TP-Link forum. Just because you can't get registered there doesn't mean that I'll then somehow magically be an expert on your router. The two are completely unrelated.

    And yes, port 53 is the standard port for DNS traffic. It's a well established internet standard and has been that way for more than 25 years. Frankly, if you don't already understand that basic piece of knowledge playing with firewall rules is probably not something that you should be doing.

    You say that you're a newbie with networking, yet you are trying to implement this on a production network by expecting people who do not have experience with your router to tell you how to do it. That is quite simply the wrong mix of experience and knowledge to be doing this.

    The fact that no one else has responded here is an indication that other OpenDNS users active on here also don't have that exact knowledge and experience either, and further reinforces my recommendation to ask this on the TP-Link forum, regardless of how long that might take.

  • avs123

    @mattwilson9090 Never mind bro, you have already pushed me good enough to understand the logic behind the rules, which I didn't know because of lack of knowledge. I have now set it up and it is working perfectly, no other DNS is giving internet access to users, this is what I was looking for. For other users who may have this load balance router like TL-R470T+, here is how you can force users to use OpenDNS's address:

    1) Go to Security>Firewall and turn it on & ALSO TURN ON "IP Filtering" & select "Allow the packets not specified by any filtering rules to pass through the router"

    2) Go to Security>Firewall>IP Filtering & select "Add New"

    3) Leave LAN Section Blank, and Enter WAN IP Address "208.67.222.222-208.67.222.222", WAN Port 53-53

    4) Set Protocol to "ALL", Set Action to "ALLOW" & Lastly Set Status to "Enabled" & click "Save"

    5) Create another rule and repeat everything like above steps, except you put 2nd DNS "208.67.220.220-208.67.220.220", WAN Port 53-53, ALLOW it and click "Save"

    6) Lastly Create another rule and leave EVERYTHING BLANK, just Enter WAN Port 53-53, Set Action to "DENY" & Save.

    You're done. Now your users will be forced to use OpenDNS's Address only.

    Mods can add this to their router configuration tutorial section.

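Added example, not part of the original post and not TP-Link's firmware logic: a small Python model of the three IP Filtering rules from steps 3 to 6, checked top-down with the "allow unspecified packets" default from step 1. First-match-wins ordering is an assumption (the thread only speculates about it); `Rule`, `evaluate` and `report` are hypothetical names and the sample destinations are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    wan_lo: Optional[str]  # None models a WAN IP field left blank (any address)
    wan_hi: Optional[str]
    port_lo: int
    port_hi: int
    action: str            # "ALLOW" or "DENY"

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        if not self.port_lo <= dst_port <= self.port_hi:
            return False
        if self.wan_lo is None:
            return True
        ip = ipaddress.ip_address(dst_ip)
        return ipaddress.ip_address(self.wan_lo) <= ip <= ipaddress.ip_address(self.wan_hi)


def evaluate(rules, dst_ip, dst_port, default="ALLOW"):
    """Assumed semantics: first matching rule decides, else the default policy."""
    for rule in rules:
        if rule.matches(dst_ip, dst_port):
            return rule.action
    return default


# The rule table from steps 3-6, in the order they were created.
RULES = [
    Rule("208.67.222.222", "208.67.222.222", 53, 53, "ALLOW"),
    Rule("208.67.220.220", "208.67.220.220", 53, 53, "ALLOW"),
    Rule(None, None, 53, 53, "DENY"),
]

# Constructed sample destinations: both OpenDNS resolvers, Google Public DNS
# (8.8.8.8), and a documentation-range web host on port 443.
SAMPLES = [("208.67.222.222", 53), ("208.67.220.220", 53),
           ("8.8.8.8", 53), ("203.0.113.10", 443)]


def report(rules):
    return {f"{ip}:{port}": evaluate(rules, ip, port) for ip, port in SAMPLES}


if __name__ == "__main__":
    print("as posted :", report(RULES))
    print("deny first:", report([RULES[2]] + RULES[:2]))
```

If the router turns out to process the blanket deny before the allow rules, the "deny first" case shows the symptom to look for: port 53 to OpenDNS itself is blocked.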
