RandomUser777
Regular Contributor
FWIW,
I am just starting to dabble in scripting with ASUS routers. Many thanks to everyone who has made such AWESOME contributions (RMerlin, everyone behind AMTM, DualWanFailover, Diversion, etc.).
In my trials to set up different types of WAN access (failover, load balancing, etc.), and after running into issues with certain addons or native functions (AdGuard, DDNS) not behaving in certain dual-WAN configs, I came up with a potential solution and tried to write a small script to do the following (as the subject says).
My main WAN is gigabit cable. My secondary is cellular LTE using ethernet (usually under 10mbps).
Whenever we are on cable, all devices can access the WAN.
Whenever on cell, I only want certain devices (voip adapter, home assistant box, security, a couple laptops, etc) to be able to use internet. Everything else (FireTV, kids devices, IoT) needs to be blocked to conserve bandwidth and data caps.
I found two ways to do this (probably many more exist).
When I use the DualWanFailover script (AWESOME WORK!!!!) to manage internet connectivity, I modify the firewall-start script to block WAN2 (eth0) from guests and devices with addresses above x.15.
Bash:
#block LAN devices .16 to .255 from using WAN2 ETH0
iptables -I OUTPUT -s 192.168.50.16/28 -o eth0 -j DROP
iptables -I FORWARD -s 192.168.50.16/28 -o eth0 -j DROP
iptables -I OUTPUT -s 192.168.50.32/27 -o eth0 -j DROP
iptables -I FORWARD -s 192.168.50.32/27 -o eth0 -j DROP
iptables -I OUTPUT -s 192.168.50.64/26 -o eth0 -j DROP
iptables -I FORWARD -s 192.168.50.64/26 -o eth0 -j DROP
iptables -I OUTPUT -s 192.168.50.128/25 -o eth0 -j DROP
iptables -I FORWARD -s 192.168.50.128/25 -o eth0 -j DROP
#block guest networks from WAN2 ETH0
iptables -I OUTPUT -s 192.168.101.0/24 -o eth0 -j DROP
iptables -I FORWARD -s 192.168.101.0/24 -o eth0 -j DROP
iptables -I OUTPUT -s 192.168.102.0/24 -o eth0 -j DROP
iptables -I FORWARD -s 192.168.102.0/24 -o eth0 -j DROP
---
However, I wanted to see if I could use the automatic failover capability of my LTE device. In this mode, the 2.5Gb WAN port (eth5) of my AX86U-Pro is connected to the LAN port of the LTE modem. I connect my cable modem to the LTE modem's WAN port, which can be set up to use cellular when the cable connection is down.
The problem with this is that no fixed iptables or routing setup can restrict device access like I mentioned above.
I needed to detect whether the WAN hostname was from my cable company or the cell carrier, and then disable or enable iptables rules accordingly.
The following is what I kludged together.
I created a main script testcellip.sh that runs every two minutes via the command cru a testcell "*/2 * * * * cd /jffs/scripts && /jffs/scripts/testcellip.sh"
This relies on a text file (banwanstat.txt) to track what the last run status/detection was.
Bash:
#!/bin/sh
# testcellip.sh - run from cru every two minutes. Looks up the public
# hostname; if it belongs to the cable ISP, LAN devices may use the WAN
# port (eth5); otherwise (cell carrier, or the lookup failed) they are blocked.

# Absolute path so the cron run and the manual allow/ban scripts share one state file
statefile=/jffs/scripts/banwanstat.txt
wanif=eth5
# LAN devices .16-.255 plus the two guest networks
nets="192.168.50.16/28 192.168.50.32/27 192.168.50.64/26 192.168.50.128/25 192.168.101.0/24 192.168.102.0/24"

# --max-time keeps a hung lookup from overlapping the next cron run
wanhostname="$(curl --silent --max-time 30 http://whatismyhostname.com/raw/hostname/)"
banwanstat="$(cat "$statefile" 2>/dev/null)"

# setrules ACCEPT|DROP: remove rules with the opposite target first so the
# chains do not fill up with stacked rules after every switch
setrules() {
    target="$1"
    if [ "$target" = "ACCEPT" ]; then other=DROP; else other=ACCEPT; fi
    for net in $nets; do
        for chain in OUTPUT FORWARD; do
            while iptables -D "$chain" -s "$net" -o "$wanif" -j "$other" 2>/dev/null; do :; done
            iptables -I "$chain" -s "$net" -o "$wanif" -j "$target"
        done
        # reset conntrack so existing flows pick up the new rule immediately
        conntrack -D -s "$net" >/dev/null 2>&1
    done
}

if echo "$wanhostname" | grep -q "atlanticbb"; then
    if [ "$banwanstat" = "cable" ]; then
        echo "$wanhostname"
        echo "WAN on breezeline, devices ALREADY ALLOWED"
    else
        setrules ACCEPT
        echo "$wanhostname"
        echo "WAN on CABLE"
        echo "devices RESTORED"
        echo "cable" > "$statefile"
    fi
elif [ "$banwanstat" = "cell" ]; then
    echo "$wanhostname"
    echo "WAN on CELL, devices ALREADY PROHIBITED"
else
    echo "$wanhostname"
    echo "WAN on CELL, devices WILL NOW BE PROHIBITED"
    setrules DROP
    echo "Devices blocked from CELL"
    echo "cell" > "$statefile"
fi
logger -s "testcellip has run"
Operation is simple. Detect if the hostname is from the cable provider, allow LAN devices if so (or do nothing if no change), otherwise block devices from WAN if they have not already been blocked.
I also created two scripts (allowcellip.sh and bancellip.sh) to manually override conditions.
allowcellip.sh
Bash:
#!/bin/sh
# allowcellip.sh - manual override: let all LAN and guest devices out through eth5
statefile=/jffs/scripts/banwanstat.txt
nets="192.168.50.16/28 192.168.50.32/27 192.168.50.64/26 192.168.50.128/25 192.168.101.0/24 192.168.102.0/24"
for net in $nets; do
    for chain in OUTPUT FORWARD; do
        # remove any DROP rules left by a previous ban so rules do not stack
        while iptables -D "$chain" -s "$net" -o eth5 -j DROP 2>/dev/null; do :; done
        iptables -I "$chain" -s "$net" -o eth5 -j ACCEPT
    done
    # reset conntrack so open flows follow the new rule immediately
    conntrack -D -s "$net" >/dev/null 2>&1
done
echo "cable" > "$statefile"
bancellip.sh
Bash:
#!/bin/sh
# bancellip.sh - manual override: block LAN and guest devices from eth5
statefile=/jffs/scripts/banwanstat.txt
nets="192.168.50.16/28 192.168.50.32/27 192.168.50.64/26 192.168.50.128/25 192.168.101.0/24 192.168.102.0/24"
for net in $nets; do
    for chain in OUTPUT FORWARD; do
        # remove any ACCEPT rules left by a previous allow so rules do not stack
        while iptables -D "$chain" -s "$net" -o eth5 -j ACCEPT 2>/dev/null; do :; done
        iptables -I "$chain" -s "$net" -o eth5 -j DROP
    done
    # reset conntrack so open flows are cut immediately
    conntrack -D -s "$net" >/dev/null 2>&1
done
echo "cell" > "$statefile"
echo "Devices blocked from CELL"
Posted if this helps anyone, and if there is a better way to do this.
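A tidier way to do the same switch, posted here as an added example and not the poster's own script. It keeps the post's idea (public hostname decides cable vs. cell, state file, rules on eth5 for the same six networks) but changes three things a practitioner would want: the decision is a pure function, so a lookup that comes back empty or as captive-portal HTML keeps the last known state instead of flipping the firewall; all rules live in one dedicated chain that is flushed and refilled, so repeated runs never stack rules in FORWARD; and a mkdir lock stops two cron ticks from racing. Only a FORWARD jump is used, since the router's own traffic does not carry LAN source addresses. The chain name CELLGUARD, the lock path, the script path in the cru line and the hostnames in the comments are assumptions for the example. Note that the hostname arrives over plain HTTP from a third party, so anything on the path can spoof it: treat this as a bandwidth policy, not a security boundary.

```shell
#!/bin/sh
# Added example, not the poster's script: same cable-vs-cell policy, but the
# decision is a pure function, a failed lookup keeps the last state, and all
# rules live in one dedicated chain that is flushed and refilled on each
# change. Names marked "assumed" are not from the post.

WANIF="${WANIF:-eth5}"                         # router WAN port facing the LTE modem
CHAIN="${CHAIN:-CELLGUARD}"                    # assumed chain name
STATEFILE="${STATEFILE:-/jffs/scripts/banwanstat.txt}"
CABLE_PATTERN="${CABLE_PATTERN:-atlanticbb}"   # substring of the cable ISP's rDNS (from the post)
LOOKUP_URL="${LOOKUP_URL:-http://whatismyhostname.com/raw/hostname/}"
IPT="${IPT:-iptables}"                         # overridable so the logic can be tested dry
CT="${CT:-conntrack}"
LOCKDIR="${LOCKDIR:-/tmp/cellguard.lock}"      # assumed lock path

# LAN hosts .16-.255 plus both guest networks (from the post): internet only on cable
RESTRICTED_NETS="192.168.50.16/28 192.168.50.32/27 192.168.50.64/26 192.168.50.128/25 192.168.101.0/24 192.168.102.0/24"

# lookup_hostname: the answer comes over plain HTTP from a third party, so it is
# untrusted input. --max-time keeps a stalled lookup from overlapping the next cron run.
lookup_hostname() {
    curl --silent --max-time 20 "$LOOKUP_URL"
}

# decide_state HOSTNAME PREVIOUS -> prints the new state (cable|cell).
# Empty or non-hostname answers (curl error, captive-portal HTML) keep the
# previous state; with no history at all, start restrictive.
decide_state() {
    host="$1"; prev="$2"
    case "$host" in
        "" | *[!A-Za-z0-9.-]*) echo "${prev:-cell}"; return 0 ;;
    esac
    case "$host" in
        *"$CABLE_PATTERN"*) echo cable ;;
        *)                  echo cell ;;
    esac
}

# ensure_chain: create the chain and a single FORWARD jump for traffic leaving
# on the WAN port, only if they are not already there (idempotent).
ensure_chain() {
    $IPT -n -L "$CHAIN" >/dev/null 2>&1 || $IPT -N "$CHAIN"
    $IPT -C FORWARD -o "$WANIF" -j "$CHAIN" 2>/dev/null || $IPT -I FORWARD -o "$WANIF" -j "$CHAIN"
}

# apply_state cable|cell: refill the chain from scratch. On cable the chain is
# left empty; existing flows are flushed from conntrack so the new policy
# takes effect immediately instead of when the flows expire.
apply_state() {
    ensure_chain
    $IPT -F "$CHAIN"
    if [ "$1" = "cell" ]; then
        for net in $RESTRICTED_NETS; do
            $IPT -A "$CHAIN" -s "$net" -j DROP
        done
    fi
    for net in $RESTRICTED_NETS; do
        $CT -D -s "$net" >/dev/null 2>&1 || true
    done
}

# run_once: one cron tick. A mkdir lock keeps two ticks from racing on the
# chain; the state file is only rewritten when the state actually changes.
run_once() {
    mkdir "$LOCKDIR" 2>/dev/null || { echo "another run in progress"; return 1; }
    trap 'rmdir "$LOCKDIR"' EXIT
    prev="$(cat "$STATEFILE" 2>/dev/null)"
    host="$(lookup_hostname)"
    new="$(decide_state "$host" "$prev")"
    if [ "$new" != "$prev" ]; then
        apply_state "$new"
        echo "$new" > "$STATEFILE"
        logger -t cellguard "hostname '$host': policy switched to $new"
    fi
    echo "$new"
}

# Schedule with: cru a cellguard "*/2 * * * * /jffs/scripts/cellguard.sh --run"
# (script path assumed). Without --run the file only defines the functions.
if [ "${1:-}" = "--run" ]; then
    run_once
fi
```

To check what is live on the router after a run, `iptables -S CELLGUARD` should show either nothing (cable) or exactly six DROP rules (cell), and `iptables -S FORWARD | grep CELLGUARD` exactly one jump, however many times the script has run.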