How it started
I was always annoyed by ads in mobile apps. As I'm an iPhone user and I don't like Safari, none of the ad-block apps on the iPhone work for me. The ads also bother me when I'm surfing news websites on the desktop at home. I had heard a lot about PiHole, a kind of DNS gatekeeper for your network: all DNS traffic is routed through it and matched against several blacklists, and if there is a hit the request is blocked. The ad therefore cannot be loaded, uses no network bandwidth and does not bother me.
So I tried running PiHole inside a Docker container on my Synology NAS. It worked pretty well, but every other day DNS responses got slow or the Docker container hung. Not really usable for me. I don't like restarting containers before watching Netflix ... you know.
One day I stumbled over the possibility of adding external block lists to a Fortigate firewall. As I'm using such a box at home, there was new hope for me :-)
So here it is: how to use a Fortigate box to block annoying ads in your network.
- Add external filter lists
- Set up a DNS filter, block the external filter lists
- Set up a DNS server on the Fortigate with the DNS filter enabled
How it's done
This was all done on a Fortigate firewall with firmware 6.2.5.
External lists
First we add the external lists. I currently use 8 lists, which are a mix of advertisers and trackers.
Connect to your box using SSH and paste this at the CLI:
config system external-resource
edit "Disconnect-Ad-Filter"
set type domain
set category 194
set resource "https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt"
set refresh-rate 60
next
edit "AdGuard"
set type domain
set category 192
set resource "https://v.firebog.net/hosts/AdguardDNS.txt"
set refresh-rate 60
next
edit "Firebog"
set type domain
set category 193
set resource "https://v.firebog.net/hosts/Easylist.txt"
set refresh-rate 60
next
edit "Firebog-Privacy"
set type domain
set category 195
set resource "https://v.firebog.net/hosts/Easyprivacy.txt"
set refresh-rate 60
next
edit "Fireblog-Admiral"
set type domain
set category 196
set resource "https://v.firebog.net/hosts/Admiral.txt"
set refresh-rate 60
next
edit "Fireblog-Privacy-2"
set type domain
set category 197
set resource "https://v.firebog.net/hosts/Prigent-Ads.txt"
set refresh-rate 60
next
edit "OISD"
set type domain
set category 198
set resource "https://dbl.oisd.nl/"
set refresh-rate 60
next
edit "OISD-IP"
set type address
set resource "https://hosts.oisd.nl/"
set refresh-rate 60
next
end
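Before pointing a domain-type external resource at a list, it is worth checking that the list is in the one-domain-per-line form the resource expects (several of the lists above are published in hosts-file form) and that it stays under the per-resource entry cap a commenter at the end of this post ran into. The following Python script is an added example, not code from the original post or from Fortinet: it normalises a hosts-format or domain-format list (a constructed sample is embedded), splits it into chunks that fit one resource each, and renders the matching external-resource CLI stanza; the resource URL and the starting category number in its output are placeholders you must replace with your own hosting location and an unused remote-category number.

```python
import re
MAX_ENTRIES_PER_RESOURCE = 131_072  # per-resource cap reported in the comment on this page

# Constructed sample input: hosts-file lines, plain domains, a comment and a junk line.
SAMPLE_LIST = """\
# Title: constructed sample list
0.0.0.0 ads.example.com
127.0.0.1 tracker.example.net   # inline comment
ads.example.com
Banner.Example.org
::1 localhost
not a domain at all
"""
_HOSTS_RE = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1|::1?)\s+(\S+)")
# Dotted names only, so single labels such as "localhost" from hosts files are dropped.
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")

def normalise(text):
    """Sorted unique lowercase domains from hosts-file or domain-per-line input."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()  # drop comments and whitespace
        if not line:
            continue
        m = _HOSTS_RE.match(line)
        if m:  # "0.0.0.0 host" -> "host"
            line = m.group(1)
        if _DOMAIN_RE.match(line):
            domains.add(line)
    return sorted(domains)

def split_for_fortigate(domains, limit=MAX_ENTRIES_PER_RESOURCE):
    """Chunks that each fit one external resource; one chunk means no split is needed."""
    return [domains[i:i + limit] for i in range(0, len(domains), limit)]

def cli_snippet(name, chunks, first_category):
    """One external-resource entry per chunk. The URL is a placeholder for wherever you
    host the chunk files; first_category must be a remote-category number still unused."""
    out = ["config system external-resource"]
    for i, _ in enumerate(chunks):
        out += [f'    edit "{name}-{i + 1}"', "        set type domain",
                f"        set category {first_category + i}",
                f'        set resource "https://HOST.example/{name}-{i + 1}.txt"',
                "        set refresh-rate 60", "    next"]
    out.append("end")
    return "\n".join(out)

if __name__ == "__main__":
    doms = normalise(SAMPLE_LIST)
    print(cli_snippet("sample", split_for_fortigate(doms), 199))
```

Run it against a downloaded list instead of SAMPLE_LIST to see how many entries survive normalisation and whether the list needs to be split before the Fortigate will accept it.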
DNS Filter
Next we add a DNS filter. You can do this under the 'Security Profiles' tab in the GUI of the Fortigate. Enable the option FortiGuard Category Based Filter. In the category filter list you will see an entry called 'Remote Categories'. Open it and you will find the seven domain-type external entries we added before. Set all of them to 'Redirect to Block Portal'.
At the bottom of the menu you find the option External IP Block Lists. Click the + sign and select the entry 'OISD-IP'.
Now, all eight lists are active in this DNS filter profile.
Set up a DNS Server
Setting up a DNS server is most easily done via the CLI (like most things on this box). Paste this into your CLI to set up the server, changing dnsfilter-profile to the name of your DNS filter profile (the entry name is the interface the DNS server listens on, "internal" here):
config system dns-server
edit "internal"
set mode forward-only
set dnsfilter-profile "Your-DNS-Filter"
next
end
After setting up your DNS server, don't forget to hand it out to your clients via DHCP.
That's it
Now you should notice far fewer ads, whether in a web browser or in an app on your mobile. With these simple steps you can get rid of most ads. YouTube ads cannot be blocked this way.
It works great thanks!!!
I do get an error: The external resource contains more entries than is supported. The maximum amount of entries per-resource is 131,072
Not an issue at yours?