Script to detect backup wan and disable certain devices from internet access

RandomUser777 · Jan 24, 2024

FWIW,

I am just starting to dabble in scripting with ASUS routers. Many thanks to everyone who has made such AWESOME contributions (RMerlin, everyone behind AMTM, DualWanFailover, Diversion, etc).

In my trials to set up different types of wan access (failover, load balancing, etc), and running into issues with certain addons or native functions (AdGuard, DDNS) not behaving in certain dual-wan configs, I came up with a potential solution and tried to write a small script to do the following (as the subject says).

My main WAN is gigabit cable. My secondary is cellular LTE using ethernet (usually under 10mbps).

Whenever we are on cable, all devices can access the WAN.

Whenever on cell, I only want certain devices (voip adapter, home assistant box, security, a couple laptops, etc) to be able to use internet. Everything else (FireTV, kids devices, IoT) needs to be blocked to conserve bandwidth and data caps.

I found two ways to do this (probably many more exist).

When I use the DualWanFailover script (AWESOME WORK!!!!) to manage internet connectivity, I modify the firewall-start script to block WAN2 (eth0) from guests and devices with addresses above x.15.

#block LAN devices .16 to .255 from using WAN2 ETH0
iptables -I OUTPUT -s 192.168.50.16/28 -o eth0 -j DROP
iptables -I FORWARD -s 192.168.50.16/28 -o eth0 -j DROP
iptables -I OUTPUT -s 192.168.50.32/27 -o eth0 -j DROP
iptables -I FORWARD -s 192.168.50.32/27 -o eth0 -j DROP
iptables -I OUTPUT -s 192.168.50.64/26 -o eth0 -j DROP
iptables -I FORWARD -s 192.168.50.64/26 -o eth0 -j DROP
iptables -I OUTPUT -s 192.168.50.128/25 -o eth0 -j DROP
iptables -I FORWARD -s 192.168.50.128/25 -o eth0 -j DROP

block guest network from WAN2 ETH0
iptables -I OUTPUT -s 192.168.101.0/24 -o eth0 -j DROP
iptables -I FORWARD -s 192.168.101.0/24 -o eth0 -j DROP
iptables -I OUTPUT -s 192.168.102.0/24 -o eth0 -j DROP
iptables -I FORWARD -s 192.168.102.0/24 -o eth0 -j DROP

---

However, I wanted to see if I could use the automatic failover capability of my LTE device. In this mode, the 2.5gb WAN port (eth5) from my AX86U-Pro is connected to the LAN port of the LTE modem. I connect my cable modem to the LTE modem WAN port, which can be set up to use cellular when the cable connection is down.

The problem with this is that no fixed iptables or routing can restrict device access like I mentioned above.

I needed to detect if the WAN hostname was from my cable company, or the cell carrier, and then disable or enable iptable rules accordingly.

The following is what I kludged together.

I created a main script testcellip.sh that runs every two minutes via the command cru a testcell "*/2 * * * * cd /jffs/scripts && /jffs/scripts/testcellip.sh"
This relies on a text file (banwanstat.txt) to track what the last run status/detection was.

Bash:

#!/bin/sh

wanhostname="$(curl --silent http://whatismyhostname.com/raw/hostname/)"
banwanstat="$(cat < banwanstat.txt)"

if ((echo "$wanhostname" | grep -q -E "atlanticbb"));
        then
            if (( echo "$banwanstat" | grep -q -E "cable"));
            then
            echo "$wanhostname"
            echo "WAN on breezeline, devices ALREADY ALLOWED"
            else
                
                iptables -I OUTPUT -s 192.168.50.16/28 -o eth5 -j ACCEPT
                iptables -I FORWARD -s 192.168.50.16/28 -o eth5 -j ACCEPT
                iptables -I OUTPUT -s 192.168.50.32/27 -o eth5 -j ACCEPT
                iptables -I FORWARD -s 192.168.50.32/27 -o eth5 -j ACCEPT
                iptables -I OUTPUT -s 192.168.50.64/26 -o eth5 -j ACCEPT
                iptables -I FORWARD -s 192.168.50.64/26 -o eth5 -j ACCEPT
                iptables -I OUTPUT -s 192.168.50.128/25 -o eth5 -j ACCEPT
                iptables -I FORWARD -s 192.168.50.128/25 -o eth5 -j ACCEPT

                #block guest network
                iptables -I OUTPUT -s 192.168.101.0/24 -o eth5 -j ACCEPT
                iptables -I FORWARD -s 192.168.101.0/24 -o eth5 -j ACCEPT
                iptables -I OUTPUT -s 192.168.102.0/24 -o eth5 -j ACCEPT
                iptables -I FORWARD -s 192.168.102.0/24 -o eth5 -j ACCEPT

                #reset conntrack
                conntrack -D -s 192.168.50.16/28
                conntrack -D -s 192.168.50.32/27
                conntrack -D -s 192.168.50.64/26
                conntrack -D -s 192.168.50.128/25
                conntrack -D -s 192.168.101.0/24
                conntrack -D -s 192.168.102.0/24
                echo "$wanhostname"
                echo "WAN on CABLE"
                echo "devices RESTORED"
            echo "cable" > banwanstat.txt
        fi
else if ((echo "$banwanstat" | grep -q -E "cell"));
            then
                echo "$wanhostname"
                echo "WAN on CELL, devices ALREADY PROHIBITED"
        else
            
            echo "$wanhostname"
            echo "WAN on CELL, devices WILL NOW PROBIBITED"
            
            iptables -I OUTPUT -s 192.168.50.16/28 -o eth5 -j DROP
            iptables -I FORWARD -s 192.168.50.16/28 -o eth5 -j DROP

            iptables -I OUTPUT -s 192.168.50.32/27 -o eth5 -j DROP
            iptables -I FORWARD -s 192.168.50.32/27 -o eth5 -j DROP
            iptables -I OUTPUT -s 192.168.50.64/26 -o eth5 -j DROP
            iptables -I FORWARD -s 192.168.50.64/26 -o eth5 -j DROP
            iptables -I OUTPUT -s 192.168.50.128/25 -o eth5 -j DROP
            iptables -I FORWARD -s 192.168.50.128/25 -o eth5 -j DROP

            #block guest network
            iptables -I OUTPUT -s 192.168.101.0/24 -o eth5 -j DROP
            iptables -I FORWARD -s 192.168.101.0/24 -o eth5 -j DROP
            iptables -I OUTPUT -s 192.168.102.0/24 -o eth5 -j DROP
            iptables -I FORWARD -s 192.168.102.0/24 -o eth5 -j DROP
            conntrack -D -s 192.168.50.16/28
            conntrack -D -s 192.168.50.32/27
            conntrack -D -s 192.168.50.64/26
            conntrack -D -s 192.168.50.128/25
            conntrack -D -s 192.168.101.0/24
            conntrack -D -s 192.168.102.0/24

echo "Devices blocked from CELL"
            echo "cell" > banwanstat.txt
            fi
fi
logger -s  "testcellip has run"

Operation is simple. Detect if the hostname is from the cable provider, allow LAN devices if so (or do nothing if no change), otherwise block devices from WAN if they have not already been blocked.

I also created two scripts (allowcellip.sh and bancellip.sh) to manually override conditions.

allowcellip.sh

Bash:

#!/bin/sh
iptables -I OUTPUT -s 192.168.50.16/28 -o eth5 -j ACCEPT
iptables -I FORWARD -s 192.168.50.16/28 -o eth5 -j ACCEPT
iptables -I OUTPUT -s 192.168.50.32/27 -o eth5 -j ACCEPT
iptables -I FORWARD -s 192.168.50.32/27 -o eth5 -j ACCEPT
iptables -I OUTPUT -s 192.168.50.64/26 -o eth5 -j ACCEPT
iptables -I FORWARD -s 192.168.50.64/26 -o eth5 -j ACCEPT
iptables -I OUTPUT -s 192.168.50.128/25 -o eth5 -j ACCEPT
iptables -I FORWARD -s 192.168.50.128/25 -o eth5 -j ACCEPT

#block guest network
iptables -I OUTPUT -s 192.168.101.0/24 -o eth5 -j ACCEPT
iptables -I FORWARD -s 192.168.101.0/24 -o eth5 -j ACCEPT
iptables -I OUTPUT -s 192.168.102.0/24 -o eth5 -j ACCEPT
iptables -I FORWARD -s 192.168.102.0/24 -o eth5 -j ACCEPT

#reset conntrack
conntrack -D -s 192.168.50.16/28
conntrack -D -s 192.168.50.32/27
conntrack -D -s 192.168.50.64/26
conntrack -D -s 192.168.50.128/25
conntrack -D -s 192.168.101.0/24
conntrack -D -s 192.168.102.0/24

echo "cable" > banwanstat.txt

bancellip.sh

Bash:

#!/bin/sh

iptables -I OUTPUT -s 192.168.50.16/28 -o eth5 -j DROP
iptables -I FORWARD -s 192.168.50.16/28 -o eth5 -j DROP

iptables -I OUTPUT -s 192.168.50.32/27 -o eth5 -j DROP
iptables -I FORWARD -s 192.168.50.32/27 -o eth5 -j DROP
iptables -I OUTPUT -s 192.168.50.64/26 -o eth5 -j DROP
iptables -I FORWARD -s 192.168.50.64/26 -o eth5 -j DROP
iptables -I OUTPUT -s 192.168.50.128/25 -o eth5 -j DROP
iptables -I FORWARD -s 192.168.50.128/25 -o eth5 -j DROP

#block guest network
iptables -I OUTPUT -s 192.168.101.0/24 -o eth5 -j DROP
iptables -I FORWARD -s 192.168.101.0/24 -o eth5 -j DROP
iptables -I OUTPUT -s 192.168.102.0/24 -o eth5 -j DROP
iptables -I FORWARD -s 192.168.102.0/24 -o eth5 -j DROP
conntrack -D -s 192.168.50.16/28
conntrack -D -s 192.168.50.32/27
conntrack -D -s 192.168.50.64/26
conntrack -D -s 192.168.50.128/25
conntrack -D -s 192.168.101.0/24
conntrack -D -s 192.168.102.0/24

echo "cell" > banwanstat.txt

echo "Devices blocked from CELL"

Posted if this helps anyone, and if there is a better way to do this.

Thread starter	Title	Forum	Replies	Date
S	script to use AC86U's WakeOnLan	Asuswrt-Merlin	8	Monday at 12:29 PM
M	deSEC DDNS update script	Asuswrt-Merlin	0	Apr 12, 2024
B	Network map script	Asuswrt-Merlin	25	Apr 11, 2024
I	arping script to fix WAN drops	Asuswrt-Merlin	10	Jan 28, 2024
	Solved bash executable script problems when executed through a cron job	Asuswrt-Merlin	20	Jan 26, 2024
	[RT-AC88U][386.12_4] "backup_jffs.tar Failed - Virus detected" Error saving JFFS partition: Trojan:Script/Wacatac.B!ml	Asuswrt-Merlin	11	Dec 27, 2023
H	Correct Script To Use For Changing Routes?	Asuswrt-Merlin	1	Oct 31, 2023
H	Get VPN DNS Server(s) In Script?	Asuswrt-Merlin	0	Oct 30, 2023
H	Does firewall-start Script Ever Run Twice With Same iptables Rules?	Asuswrt-Merlin	13	Oct 18, 2023
H	Changing WireGuard Interface Address From wgclient.postconf Script?	Asuswrt-Merlin	4	Oct 13, 2023

Search

Search

Script to detect backup wan and disable certain devices from internet access

RandomUser777

Regular Contributor

Similar threads

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Members online