Blocking Samsung TV firmware updates using Zyxel's 'Eircom f1000' VMG8324-B10A

[dusf]

Please note I have previously unbranded this router to remove the Eircom firmware and it now runs the latest (at least at the time) Zyxel officially released stable firmware.

On my new Samsung J series TV I cannot let it update from factory firmware or I will not be able to sideload apps from USB, which would restrict me to having only apps from one country installed at a time, basically it is Irish RTÉ, TG4, 3Player OR British iPlayer, All4, ITVHub - not both sets.

Samsung made a change in this series of television so that disabling updates from the normal and service menus does not stop updates fully, and the firmware will still update. The only way around this is to block updates at the network level.

The domains I need to block are the following:
 

msecnd.netsamsungotn.net

I am testing for success by attempting to block just the first domain, first on my PC, which has the hostname roadrunner and the MAC address you will see in the screenshot. I have been testing by trying to load this link in a new browser tab:

https://az833301.vo.msecnd.net/

What I have tried so far:

1. Using Security >> Parental Control.





Just in case the settins were phrased badly, I tried sliding the bar so that no access was from '00:00 - 24:00' but this made no difference. Also, I am not able to select '00:01 - 24:00', the earliest next available is '00:30 - 24:00'.



I tried with an without a network service setting configured as above. The input box for site/URL keyword would not accept the asterisk when I tried to enter *.mscend.net.

2. Using Security >> Firewall.



The IP below was in the output of ping msecnd.net yesterday, but now there is no reply, even from other devices on the network. Also, blocking by IP may be risky - if the TV is configured to look for updates by host@Domain16, and they change the IP, it will update.



I know it says destination IP address below, but just in case I tried entering msecnd.net but it would not accept it. It also would not let me enter a port range 1-65535, so I left it without a port setting.





Definition of the 247 scheduler rule. I experimented with changing the time from '00:00 - 00:00' to '00:00 - 23:59' but this made no difference:



--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Neither of my two attempts above to block access to the domain msecnd.net worked, although when I experimented with the ACL set to ICMP instead of TCP/UDP - it did stop ping replies from the IP before I removed it.

Please advise, am I missing something in my settings or is the config on this Zyxel just bugged or not able to block domains? Is there anything I can do? I really want to hook the new TV up to the network so I can stop using the Roku 3 for on demand media!

[dusf]

Update:

 

3. Bogus DNS entry

In Network Setting >> DNS >> DNS Entry I selected add new DNS entry, and then entered msecnd.net as the host and the IP 10.0.0.1.

When I try to ping msecnd.net in now attempts to ping 10.0.0.1, but when I load the test website https://az833301.vo.msecnd.net/ in a new tab in Firefox it is still loading. I tried entering ipconfig /flushdns into the command prompt but this made no difference, the website still loads. I then tried entering another DNS entry as wildcard *.msecnd.net with the IP 10.0.0.2 but the router would not accept this. Instead, just in case it worked, I entered .msecnd.net 10.0.0.2. Router rebooted, PC rebooted, DNS flushed - no change, website loads fine. I read online this may only work if the router is set up as the DNS server for the PC, so in the LAN config on Windows 10 I changed DNS automatically detect to preferred to 192.168.1.1 (Router's IP) and alternate to 192.168.1.2 as I had to enter something. Everything rebooted again, DNS flushed, no change. I also read that Chrome has its own DNS settings, so it does not use the Windows set DNS - I have been testing with Firefox and IE, so unless they also have their own DNS settings this is not working.


 

If it matters I have Unotelly DNS (to get around geoblocking) configured in Network Settings >> Broadband >> VDSL >> preferred and alternate. I mention this as there appears to be other places it can be entered. To be honest I wish I could just load OpenWRT, tomato, or DD-WRT firmware onto this router but as far as I am aware this is not possible.

Perhaps the domain could be blocked with a static route or some other routing settings? For instance, there are options as below. I messed around with it but it did not help. I was thinking, as I am able to create interfaces, perhaps I could attempt to route traffic from the domain out some bogus interface. Along with that I also tried routing it out the 3G (currently dongleless) interface but it still loaded the website, perhaps because it falls back to some other interface, because configured it wrong, or because here it also will not catch anything *.msecnd.net with msecnd.net as the parameter.