DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2860n DNS (https) filter

  • icarusbop
  • Topic Author
  • User
23 Jun 2015 16:38 #1 by icarusbop
2860n DNS (https) filter was created by icarusbop
Hello:

I'm trying to use a DNS filter to stop access to the social media sites Facebook and Twitter.
I have the UCF filters for the non-https version working OK (after a lot of wrestling).
So I followed the knowledgebase article for setting up a UCF and DNS filter for Facebook, but every time I activate the DNS filter it kills the web management interface to my router from both internal and internet networks. The only way to get back in is to use a Telnet connection to turn the filter back off again. Annoyingly the websites in question remain unaffected!
I have re-checked the settings lots of times but cannot see anything wrong.

Any ideas much appreciated.

firewall>>filtersetup>>edit filter set
Blocksocial (UCF - filter)
direction: lan/DMZ/VPN >WAN
source ip: any
destination ip: any
service: any
fragments: don't care
Application
Filter : pass immediately
dns filter: 1-DNSBlockSocial (CSM DNS filter profile)
(everything else on default)

CSM>>DNS filter profile>>DNS filter
DNS filter: (profile 1 i.e not local filter setting)
name: DNSblocksocial
syslog: block
WCF: none
UCF: Blocksocial (UCF - filter name)

CSM>>URL content Filter Profile
Blocksocial
name: Bloacksocial
priority either: url access control first
URL access control
enable URL access control: checked
prevent web access from IP address: checked
action: block
wordlist: facebook twitter snapchat


  • macavity
  • User
23 Jun 2015 17:09 #2 by macavity
Replied by macavity on topic Re: 2860n DNS (https) filter
In the URL Content Filter profiles, try unchecking "Tick Prevent web access from IP address"

The idea of this tick box is to prevent access to http://x.x.x.x where x.x.x.x is an IP. Sounds like it's catching your router access.

If that's not it, then the next step would be to either send the cfg to support and see if they can reproduce the results, or enable syslog everywhere and see what rule syslog reports being triggered.

You'd need to enable syslog in:

CSM > URL Content Filter Profile
CSM > DNS Filter
CSM > DNS Filter Local Setting
Filter Set > Rule x (in each rule you've got, tick syslog)
System Maintenance > Syslog > Syslog Server (I guess the usually useful web syslog isn't going to help in this case!)

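Added example (not part of any post in this thread, and not DrayTek's code): a simplified Python model of the check described in the reply above, where a URL filter with "prevent web access from IP address" ticked blocks any request whose host is an IP literal, which includes the router's own management address. The function names, the keyword-before-IP ordering, and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Keyword list copied from the profile posted in this thread.
WORDLIST = ("facebook", "twitter", "snapchat")


def host_is_ip_literal(url: str) -> bool:
    """True when the URL's host part is an IPv4/IPv6 address, not a name."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def ucf_decision(url: str, block_ip_hosts: bool = True) -> str:
    """Simplified model (assumption): keyword match first, then IP-host check."""
    target = url.lower()
    for word in WORDLIST:
        if word in target:
            return f"block (keyword: {word})"
    if block_ip_hosts and host_is_ip_literal(url):
        return "block (IP address as host)"
    return "pass"


# Constructed sample requests; 192.168.1.1 stands in for the router's LAN IP
# and router.example.net for a hostname pointing at the router.
SAMPLES = [
    "http://www.facebook.com/",
    "http://192.168.1.1/",
    "http://router.example.net/",
    "http://[fe80::1]/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        ticked = ucf_decision(u, block_ip_hosts=True)
        unticked = ucf_decision(u, block_ip_hosts=False)
        print(f"{u:30} ticked: {ticked:28} unticked: {unticked}")
```

With the option ticked, both IP-literal management URLs are blocked while the hostname form passes; with it unticked, only the keyword matches are blocked.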

  • fchef
  • User is blocked
23 Jun 2015 23:08 #3 by fchef
Replied by fchef on topic Re: 2860n DNS (https) filter
Have you checked this page
http://www.draytek.com/index.php?option=com_k2&view=item&id=5280&Itemid=293&lang=en

Also quick and dirty:


24 Jun 2015 10:51 #4 by voodle
Replied by voodle on topic Re: 2860n DNS (https) filter
When you say it kills management of the router - what happens when you try to access the router when it's got the DNS filter enabled?

If you're accessing the router using a hostname, the DNS filter does have that effect, in which case, this article covers it: http://www.draytek.com/index.php?option=com_k2&view=item&id=5657:how-to-access-the-router-by-domain-name-when-dns-filter-is-enabled?&lang=en

When testing the DNS filter - make sure your PC isn't caching the DNS results by entering "ipconfig /flushdns" or try with a different device as well.
If your LAN clients are using the router IP for DNS, you need to use the DNS filter local setting profile instead of the firewall.


  • icarusbop
  • Topic Author
  • User
25 Jun 2015 09:53 #5 by icarusbop
Replied by icarusbop on topic Re: 2860n DNS (https) filter
All:

Thanks for the responses, I've now sorted this, I just took off the check to stop web access via IP address and the problem went away - as suggested by Macavity.

Thanks very much for the help.


  • icarusbop
  • Topic Author
  • User
26 Jun 2015 09:58 #6 by icarusbop
Replied by icarusbop on topic Re: 2860n DNS (https) filter
Apparently I spoke too early, and gave a false positive!
The problem has not gone away, it just didn't present straight away when I enabled the DNS filter - or I didn't click the OK button to actually make the changes.

But now the situation has changed a bit: Whatever the reason, turning on my DNS filter stops access to my web management from inside my network and from the internet - I get an error from my router saying "the requested web page from (*ip*) to (*my domain*) is categorized with [blacklist] and has been blocked by (*my router*)".

Interestingly, the PC I normally connect from on the internet still allows me to connect to the web management page, but if I try to connect from a different internet IP, I get the error message.
