There are many ways of doing this. The scenario and configuration are flexible, depending on what you want to achieve.

The easy way

My review: Provides the simplest method; a poisoned DNS record will be redirected to Longer page load due to no content served in (wait until connection timeout). However, this script lets you manually control the white list and black list of domains.

My review: The script will attempt to create another interface alias and run pixelserv (a simple web server serving a 1×1 pixel transparent GIF) on that interface. However, you will not be able to manually control the white/black list as with the previous script.

My method

Again, this might not be the best way, but it served my requirements. I’ll be using the same script, except that I tweaked it to suit my environment.

Step 1: Create interface alias
I need pixelserv to run on a different IP address (let's say my LAN IP is I want pixelserv to run on so that my uhttpd can listen on for LuCI). Add the interface below to /etc/config/network

#nano /etc/config/network
config interface 'lan2'
	option ifname 	'eth0'
	option proto	'static'
	option ipaddr 	''
	option netmask	''

Restart network interfaces
#/etc/init.d/network restart

Verify that the new interface alias was created

[email protected]:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr 08:00:27:9A:88:DD
          inet addr:  Bcast:  Mask:
          RX packets:629 errors:0 dropped:0 overruns:0 frame:0
          TX packets:661 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:73752 (72.0 KiB)  TX bytes:393608 (384.3 KiB)

eth0      Link encap:Ethernet  HWaddr 08:00:27:9A:88:DD
          inet addr:  Bcast:  Mask:
          RX packets:633 errors:0 dropped:0 overruns:0 frame:0
          TX packets:769 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:82836 (80.8 KiB)  TX bytes:528224 (515.8 KiB)

eth1      Link encap:Ethernet  HWaddr 08:00:27:9C:1E:FF
          inet addr:  Bcast:  Mask:
          RX packets:157 errors:0 dropped:0 overruns:0 frame:0
          TX packets:138 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:15482 (15.1 KiB)  TX bytes:13962 (13.6 KiB)

lo        Link encap:Local Loopback
          inet addr:  Mask:
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1648 (1.6 KiB)  TX bytes:1648 (1.6 KiB)

[email protected]:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         UG    0      0        0 eth1
*        U     0      0        0 eth1
*        U     0      0        0 br-lan
*        U     0      0        0 eth0

Step 2: Pixelserv setup
We already have a web server installed on the router (serving LuCI); we just need to configure a new uHTTPd server instance.

mkdir /www_pixelserv
wget -O /www_pixelserv/blank.gif

Edit /etc/config/uhttpd

config uhttpd 'main'
list listen_http ''
list listen_https ''
option home '/www'

config uhttpd 'pixelserv'
list listen_http ''
option home '/www_pixelserv'
option error_page '/blank.gif'

Restart uhttpd

/etc/init.d/uhttpd restart

Step 3: Adblock for dnsmasq
Follow installation instruction at
For, add following lines to with

#Download and process the files needed to make the lists (add more, if you want)
wget -qO- ""|grep "^" >> /tmp/

#Replace with
sed -i 's/' /tmp/
#Add black list, if non-empty
[ -s "/etc/black.list" ] && sed -e 's/^/\t/g' /etc/black.list >> /tmp/


The above-mentioned method (creating an interface alias) is valid for interfaces that do not have VLAN tagging. In my case, eth0 is tagged with vlan500 and vlan600 (eth0.500 and eth0.600), and I cannot find any documentation for creating an alias for tagged interfaces. As a workaround, I’ve changed the pixelserv uhttpd to listen to, while the router web UI (LuCI) listens on port 443.

This is my modified

#Put in /etc/

#Script to grab and sort a list of adservers and malware

#Delete the old block.hosts to make room for the updates
rm -f /etc/block.hosts

#Download and process the files needed to make the lists (add more, if you want)
wget -qO-| sed 's/' |grep "^" > /tmp/
wget -qO-|grep "^" >> /tmp/
wget -qO- "\ad_servers.txt"|grep "^" >> /tmp/
wget -qO- ""|grep "^" >> /tmp/

#Replace with
sed -i 's/' /tmp/
#Add black list, if non-empty
[ -s "/etc/black.list" ] && sed -e 's/^/\t/g' /etc/black.list >> /tmp/

#Sort the download/black lists
sed -e 's/\r//g' -e 's/^[ ]\+/\t/g' /tmp/|sort|uniq > /tmp/

if [ -s "/etc/white.list" ]
then
    #Filter the blacklist, suppressing whitelist matches
    sed -e 's/\r//g' /etc/white.list > /tmp/white.list
    grep -vf /tmp/white.list /tmp/ > /etc/block.hosts
    rm -f /tmp/white.list
else
    cat /tmp/ > /etc/block.hosts
fi

#Delete files used to build list to free up the limited space
rm -f /tmp/
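
The script above writes whatever the downloaded lists contain into the hosts file and applies the white list with grep -vf, which treats each entry as a pattern and so also drops hostnames that merely contain it. The following is an added example, not the author's script: it validates every entry and matches the white list on exact hostnames. PIXEL_IP is a placeholder address, the function names are hypothetical, and the sample feed is constructed.

```shell
#!/bin/sh
# Added example, not the original script. PIXEL_IP is a placeholder
# (documentation range); use the address your pixelserv instance listens on.
PIXEL_IP="192.0.2.1"

# build_blocklist RAW_HOSTS WHITELIST
# Prints "PIXEL_IP<TAB>hostname" for every entry that passes validation.
build_blocklist() {
    tr -d '\r' < "$1" | awk -v ip="$PIXEL_IP" -v wl="$2" '
        BEGIN {
            # Whitelist entries are exact hostnames, not regular expressions
            while (wl != "" && (getline line < wl) > 0) {
                gsub(/[ \t\r]/, "", line)
                if (line != "") allow[tolower(line)] = 1
            }
            label = "[a-z0-9]([a-z0-9_-]*[a-z0-9])?"
            fqdn = "^" label "(\\." label ")+$"
        }
        # Accept only sinkhole entries; anything pointing elsewhere is dropped
        $1 != "0.0.0.0" && $1 != "127.0.0.1" { next }
        {
            host = tolower($2)
            if (host !~ fqdn) next        # rejects localhost, junk, options
            if (host in allow) next       # exact whitelist match only
            if (!seen[host]++) print ip "\t" host
        }' | sort
}

# Constructed sample input: feed lines and a one-entry whitelist
demo_blocklist() {
    dir=$(mktemp -d)
    cat > "$dir/raw" <<'EOF'
# comment line
127.0.0.1 localhost
0.0.0.0 ads.example.net
127.0.0.1 Tracker.Example.org
0.0.0.0 ads.example.net
203.0.113.7 login.example.com
0.0.0.0 cdn.example.com
0.0.0.0 notcdn.example.com
0.0.0.0 bad;name.example
EOF
    printf 'cdn.example.com\r\n' > "$dir/white"
    build_blocklist "$dir/raw" "$dir/white"
    rm -rf "$dir"
}

demo_blocklist
```

Only three of the eight entries survive: the localhost line, the entry pointing at a non-sinkhole address, the malformed name, the duplicate and the whitelisted host are dropped, while notcdn.example.com is kept because it is not an exact whitelist match.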




AUTHOR: [email protected]

Install ‘curl’ package:

# opkg update
# opkg install curl

Next create a script and call it /root/ :


# -4 forces IPv4, -k skips TLS certificate verification, -u sends the account credentials
/usr/bin/curl -4 -k -u username:password ""

Make the script executable:

# chmod +x /root/

Next create another script and call it /etc/hotplug.d/iface/100-opendns :


# Run the update script whenever an interface comes up
if [ "$ACTION" = ifup ]; then
    /root/ > /dev/null 2>&1
fi

This will update your IP with OpenDNS whenever you reboot or reconnect.

One of the benefits of using OpenDNS is their web content filter. Log in to your account on OpenDNS
and start configuring the content filter for your network. Choose Custom and select the categories
you want the content filter to apply to for your home/office network.

Click Apply and wait for roughly 5 minutes for it to take effect. Your network is now protected.


Mission: The example below illustrates a dynamic tunnel configuration for the Hurricane Electric broker with dynamic IP update enabled. The local IPv4 address is automatically determined and tunnelid, username and password are provided for IP update.
Requirements: ipv6 tunnel, OpenWRT Backfire

Get your v6 tunnel
Go to and register. Once registered, click on “Create Regular Tunnel” link. Select your nearest v6 tunnel server and click create.


Based on above info we know that:
 is the remote IPv4 address (the other side of the tunnel)
2001:470:23:9c::1/64 is the remote IPv6 tunnel endpoint
 is the local IPv4 router address (assigned by ISP)
2001:470:23:9c::2/64 is the local IPv6 tunnel endpoint (labeled “Client IPv6 Address” on the Tunnel Details page in your HE account)
2001:470:24:9c::/64 is our allocated subnet/segment

Install required package and dependencies
opkg update
opkg install 6in4 ip ip6tables kmod-sit kmod-iptunnel6 radvd

Configure tunnel
uci set network.henet=interface
uci set network.henet.proto=6in4
uci set network.henet.peeraddr=
uci set network.henet.ip6addr='2001:470:23:9c::2/64'
uci set network.henet.tunnelid=210081
uci set network.henet.username='YOUR_HASHED_USERNAME'
uci set network.henet.password='YOUR_PASSWORD'
uci commit network

Set firewall zone
uci set firewall.@zone[1].network='wan henet'
uci commit firewall

Bring up the interface
ifup henet
/etc/init.d/firewall restart

You can check that the new interface is created from LuCI2

To apply IPv6 firewall rules to the tunnel interface, add it to the “wan” zone in /etc/config/firewall:
config 'zone'
option 'name' 'wan'
option 'input' 'REJECT'
option 'output' 'ACCEPT'
option 'masq' '1'
option 'mtu_fix' '1'
option 'forward' 'ACCEPT'
option 'network' 'wan henet'

To allow 6in4 traffic to always reach your tunnel endpoint, it may be necessary to pass IPv4 protocol 41 traffic with the following firewall configuration stanza:
config 'rule'
option 'target' 'ACCEPT'
option 'name' '6to4'
option 'src' 'wan'
option 'proto' '41'
option '_name' '6to4'

To enable routing of IPv6 traffic through the tunnel, add a static IPv6 address in a valid routed subnet to the local-facing interface (LAN). Edit /etc/config/network file and add the last option (‘ip6addr’).

config 'interface' 'lan'
option 'ifname' 'eth0.1'
option 'type' 'bridge'
option 'proto' 'static'
option 'ipaddr' ''
option 'netmask' ''
option 'ip6addr' '2001:470:24:9c:964:387b:8888:8888'

Enable Routing in Backfire
To forward packets between interfaces, a kernel-level setting must be enabled. To enable packet forwarding, edit /etc/sysctl.conf and uncomment the following line, changing
# net.ipv6.conf.all.forwarding=1
to
net.ipv6.conf.all.forwarding=1

Restart sysctl to apply the new setting
/etc/init.d/sysctl restart

Clients that auto-configure using SLAAC (stateless address auto-configuration) will need to know our routed prefix. To broadcast the prefix to clients on the local network, we use radvd.


Verify your tunnel is working




Another method to collect your OpenWRT statistics

opkg update
opkg install luci-app-vnstat vnstat vnstati


Advanced configuration
1) The vnstat LuCI configuration file is located at /etc/config/vnstat

[email protected]:/# cat /etc/config/vnstat
config 'vnstat'

list 'interface' 'br-lan'
list 'interface' 'eth0'
list 'interface' 'eth0.1'
list 'interface' 'eth0.500'
list 'interface' 'eth0.600'
list 'interface' 'wlan0'

2) The core vnstat configuration file is located at /etc/vnstat.conf. By default the graph is stored in the /var/lib/vnstat folder; I changed my graph location to USB

# location of the database directory
DatabaseDir "/mnt/usb/var/vnstat"



A minimalist Luci theme


opkg install luci-theme-bootstrap_1-1_all.ipk

This should give you an option ‘Bootstrap’ in the System/System -> Language and Style page.


Update: 17 February 2014
This theme is now included in the OpenWrt 12.09 and trunk repos and should be downloaded from there; search for luci-theme-bootstrap. Or, the easy way: install it through the standard software installation.


Change default http port

The listening port is defined in /etc/config/uhttpd file.

[email protected]:/etc/config# cat uhttpd 
# HTTP listen addresses, multiple allowed
list listen_http

Securing LuCI

[email protected]:/etc/config# cat uhttpd 
# HTTP listen addresses, multiple allowed
list listen_http

Enable SSL

1. For a full LuCI installation with HTTPS support
opkg install luci-ssl

2. For upgrading from HTTP to HTTPS
opkg install uhttpd-mod-tls luci-ssl
Private key and certificate will be generated on next hardware reboot.

Out of the box, OpenWRT can show you real-time statistics; however, it will not store the data for historical viewing. I’m looking for a graphing function similar to the one seen on DD-WRT.

To have nice historical data graphs for the router (interface bandwidth utilization, CPU load, uptime)

Options we have:
-Use SNMP and graph it using cacti

This tutorial will be using luci-app-statistics and collectd.

1. Update package
opkg update
2. Install luci-app-statistics
opkg install luci-app-statistics
3. List out supported plugins for collectd
opkg list | grep collectd-mod
4. Install desired plugins
opkg install collectd-mod-cpu collectd-mod-interface collectd-mod-memory collectd-mod-ping collectd-mod-rrdtool collectd-mod-wireless
5. Enable init script
/etc/init.d/luci_statistics enable
/etc/init.d/collectd enable

6. Change RRDTool output folder (optional)
/mnt/sda5 is my external USB drive attached to the router.



DDNS stands for Dynamic DNS. Simply put, using this service gives a name to your IP. So if you’re hosting something on your line, people won’t have to bother typing your IP. They can just type in your domain name! It also helps when your IP changes. Users won’t need to discover what your new IP is; they can simply type your domain name.


UPnP is used to replace manual port forwarding. Some gaming boxes (Xbox, PS3) will need the UPnP feature to connect to their respective servers. Enabling it in OpenWRT Backfire is relatively easy.
