AC88U - 386.1_2 fw block internet issue


mekabe remain

Regular Contributor
Hi,

I am using the recent Merlin firmware on AC88U
I don't usually use the blocking feature for clients. Today I needed to use it.
So from the mobile client I blocked internet for a client.
However, the client was still able to access internet.
Then I created a family member and added that device to that family member. Blocked the member.
But it was still accessing internet.

Basically block internet feature seems to be not working.

I have restarted the router and tried again but it did not help at all.

Since I am not using this feature frequently, I am not sure after which firmware update I lost this feature.
It might be in this condition with 386 release.

Any ideas ?
is this a known problem ?
 

ColinTaylor

Part of the Furniture
Are you using the VPN client on the router? If so try testing with it disabled.
 

ColinTaylor

Part of the Furniture
You mean by "disabled = not active", right?
Correct.

Have you tried blocking the device using the router's GUI rather than the mobile app?

Check that the MAC address of the client hasn't changed as it is now common for mobile devices to do that.
 

mekabe remain

Regular Contributor
I could not find the block feature on the router GUI. Where is it?

MAC address (or IP) has not changed because it is a Windows PC and has a static IP address.
 

ColinTaylor

Part of the Furniture
I don't have the same firmware as you but I believe you go to Network Map, click on the "Clients:" button to open the "Client status" tab on the right. Then click on the desired client:

Untitled.png
 

NoKlu

New Around Here
OK, found it.
But blocking there does not work either.
Am I the only one with this problem?
Are you sure? If you're trying to block a phone, you need to be sure it's not using mobile data. Test it on a device you know for sure doesn't have an alternate way of connecting. (You'd be surprised how many items use their own VPN without your knowledge.)
 

mekabe remain

Regular Contributor
It is not a phone. I wrote above, it is a Windows PC and connected through an ethernet cable. Wi-Fi is disabled on this device and it has a static IP address.
Besides, if the command from the GUI had worked, I would see the difference in the "iptables -L -n" output, right?
I don't see any difference in iptables after the GUI command. (Same with the mobile app command.)
 

ColinTaylor

Part of the Furniture
Besides, if the command from the GUI had worked, I would see the difference in the "iptables -L -n" output, right?
I don't see any difference in iptables after the GUI command. (Same with the mobile app command.)
That command only shows some of the rules; use this command:

iptables-save
 

mekabe remain

Regular Contributor
With this command, there are some changes, but none of them are directly related to blocking internet for my host (192.168.254.20).
 

pattiri

Senior Member
Just tried it with my AC-88U with 386.1_2 and it worked. Make sure you see this icon after blocking.

EaxR7ZS4KI.png
 

eibgrad

Very Senior Member
I don't have a clue what the problem is, but fwiw, blocking clients is pretty easy. You just need to add firewall rules based on source IP or MAC. Not a big deal (unless having this work via the GUI is vital for some reason).

Code:
iptables -I FORWARD -s 192.168.1.100 -o $(nvram get wan0_ifname) -j REJECT
iptables -I FORWARD -m mac --mac-source 00:01:02:03:04:05 -o $(nvram get wan0_ifname) -j REJECT
 

dave14305

Part of the Furniture
I blocked a device and the MAC address was saved in the nvram variable MULTIFILTER_MAC. Check the content while the device is blocked:
Code:
nvram get MULTIFILTER_MAC
iptables -S FORWARD
ip6tables -S FORWARD
The first time I blocked it while IPv6 was disabled, the iptables rule was by IP instead of MAC. After enabling IPv6 and rebooting, the rule was created in both iptables and ip6tables with the MAC address. Not sure exactly why it was different, but the device was blocked either way.

Do you use IPv6? Are there any other access points or AiMesh nodes in your network?
 

mekabe remain

Regular Contributor
I don't have a clue what the problem is, but fwiw, blocking clients is pretty easy. You just need to add firewall rules based on source IP or MAC. Not a big deal (unless having this work via the GUI is vital for some reason).

Code:
iptables -I FORWARD -s 192.168.1.100 -o $(nvram get wan0_ifname) -j REJECT
iptables -I FORWARD -m mac --mac-source 00:01:02:03:04:05 -o $(nvram get wan0_ifname) -j REJECT

I know that I can manually block a client using iptables.
Working with the UI is not vital, but it is easy to use if you need a quick action.
 

mekabe remain

Regular Contributor
I blocked a device and the MAC address was saved in the nvram variable MULTIFILTER_MAC. Check the content while the device is blocked:
Code:
nvram get MULTIFILTER_MAC
iptables -S FORWARD
ip6tables -S FORWARD
The first time I blocked it while IPv6 was disabled, the iptables rule was by IP instead of MAC. After enabling IPv6 and rebooting, the rule was created in both iptables and ip6tables with the MAC address. Not sure exactly why it was different, but the device was blocked either way.

Do you use IPv6? Are there any other access points or AiMesh nodes in your network?

Thanks.
Before blocking, the outputs are:

Code:
[email protected]:/tmp/home/root# nvram get MULTIFILTER_MAC
3C:97:0E:3A:7F:D3
[email protected]:/tmp/home/root# iptables -S FORWARD
-P FORWARD DROP
-A FORWARD -o br0 -j ipttolan
-A FORWARD -i br0 -j iptfromlan
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br1 -o eth0 -j ACCEPT
-A FORWARD -i br1 -o ppp0 -j ACCEPT
-A FORWARD ! -i br0 -o ppp0 -j other2wan
-A FORWARD ! -i br0 -o eth0 -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -i ppp0 -j SECURITY
-A FORWARD -j NSFW
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -m state --state NEW -j OVPN
-A FORWARD -j logdrop
[email protected]:/tmp/home/root# ip6tables  -S FORWARD
-P FORWARD DROP

After blocking:

Code:
[email protected]:/tmp/home/root# nvram get MULTIFILTER_MAC
3C:97:0E:3A:7F:D3>90:70:65:1E:F3:46
 iptables -S FORWARD
-P FORWARD DROP
-A FORWARD -o br0 -j ipttolan
-A FORWARD -i br0 -j iptfromlan
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -s 192.168.254.195/32 -i br0 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br1 -o eth0 -j ACCEPT
-A FORWARD -i br1 -o ppp0 -j ACCEPT
-A FORWARD ! -i br0 -o ppp0 -j other2wan
-A FORWARD ! -i br0 -o eth0 -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -i ppp0 -j SECURITY
-A FORWARD -j NSFW
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -m state --state NEW -j OVPN
-A FORWARD -j logdrop
[email protected]:/tmp/home/root# ip6tables  -S FORWARD
-P FORWARD DROP

>> Do you use IPv6? Are there any other access points or AiMesh nodes in your network?

No, I don't use IPv6, but I can try by enabling it. How do you enable it?
I have AiMesh nodes (4 of them) in my network. Why is it important? (They are not in routing mode, only nodes.)

Btw, why do I have one MAC address in my MULTIFILTER_MAC when there is no block?
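The two `iptables -S FORWARD` dumps above are the evidence that decides this thread: the GUI did insert a DROP rule, but for source 192.168.254.195, not for the host the poster wanted blocked (192.168.254.20). The script below is an added example, not code from the thread or from the Asuswrt-Merlin project. It parses an `iptables -S FORWARD` dump in the format shown above and reports, for a target IP or MAC, which DROP/REJECT rules in the FORWARD chain match that host and whether they sit ahead of the RELATED,ESTABLISHED accept (a block inserted after that accept lets already-open connections keep flowing). The sample dumps are constructed: the first reuses the rule lines posted above, the second adds a MAC-based REJECT rule in the style of eibgrad's one-liner. The function names (`parse_rules`, `block_status`, `report`) are my own; the parser only looks at the top-level FORWARD chain and does not follow jumps into user chains such as `ipttolan` or `iptfromlan`, nor evaluate `-i`/`-o` interface conditions.

```python
"""Check whether an `iptables -S FORWARD` dump actually blocks a given LAN host.

Added example, not code from the forum thread or from the Asuswrt-Merlin
project. It inspects only the rules listed directly in the FORWARD chain.
"""
import ipaddress
import re

# Constructed sample: the "after blocking" rule lines posted in the thread.
AFTER_BLOCKING = """\
-P FORWARD DROP
-A FORWARD -o br0 -j ipttolan
-A FORWARD -i br0 -j iptfromlan
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -s 192.168.254.195/32 -i br0 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -j logdrop
"""

# Constructed sample: same chain with a MAC-based REJECT inserted at the top,
# the way `iptables -I FORWARD -m mac --mac-source ... -j REJECT` would do it.
MAC_BLOCK_EXAMPLE = """\
-P FORWARD DROP
-A FORWARD -o eth0 -m mac --mac-source 00:01:02:03:04:05 -j REJECT --reject-with icmp-port-unreachable
""" + AFTER_BLOCKING.split("\n", 1)[1]

BLOCK_TARGETS = {"DROP", "REJECT"}


def parse_rules(dump):
    """Return one dict per '-A FORWARD' line, in chain order."""
    rules = []
    for line in dump.splitlines():
        if not line.startswith("-A FORWARD"):
            continue  # skip the policy line and any other chains
        rule = {"raw": line, "src_net": None, "src_mac": None,
                "states": set(), "target": None}
        m = re.search(r"-s (\d+\.\d+\.\d+\.\d+)(?:/(\d+))?", line)
        if m:
            rule["src_net"] = ipaddress.ip_network(
                f"{m.group(1)}/{m.group(2) or 32}", strict=False)
        m = re.search(r"--mac-source ([0-9A-Fa-f:]{17})", line)
        if m:
            rule["src_mac"] = m.group(1).upper()
        m = re.search(r"--state (\S+)", line)
        if m:
            rule["states"] = set(m.group(1).split(","))
        m = re.search(r"-j (\S+)", line)
        if m:
            rule["target"] = m.group(1)
        rules.append(rule)
    return rules


def block_status(dump, ip=None, mac=None):
    """Return (indexes of DROP/REJECT rules matching the host,
    index of the first RELATED,ESTABLISHED accept or None)."""
    target_ip = ipaddress.ip_address(ip) if ip else None
    target_mac = mac.upper() if mac else None
    blocking, established = [], None
    for idx, r in enumerate(parse_rules(dump)):
        if established is None and "ESTABLISHED" in r["states"] \
                and r["target"] == "ACCEPT":
            established = idx
        if r["target"] not in BLOCK_TARGETS:
            continue
        hit_ip = r["src_net"] is not None and target_ip is not None \
            and target_ip in r["src_net"]
        hit_mac = r["src_mac"] is not None and r["src_mac"] == target_mac
        if hit_ip or hit_mac:
            blocking.append(idx)
    return blocking, established


def report(dump, ip=None, mac=None):
    """Human-readable verdict for the given host."""
    blocking, established = block_status(dump, ip=ip, mac=mac)
    who = ip or mac
    if not blocking:
        return f"NOT BLOCKED: no DROP/REJECT rule in FORWARD matches {who}"
    if established is None or min(blocking) < established:
        return f"BLOCKED: rule #{min(blocking)} precedes the ESTABLISHED accept"
    return (f"PARTIALLY BLOCKED: rule #{min(blocking)} comes after the "
            f"ESTABLISHED accept, so existing connections of {who} survive")


if __name__ == "__main__":
    print(report(AFTER_BLOCKING, ip="192.168.254.20"))
    print(report(AFTER_BLOCKING, ip="192.168.254.195"))
    print(report(MAC_BLOCK_EXAMPLE, mac="00:01:02:03:04:05"))
```

Run against the posted dump, this reports 192.168.254.20 as not blocked and 192.168.254.195 as blocked, which is exactly the mismatch the thread has been circling around: the GUI wrote a rule for a different IP than the one the poster expected. Pasting the live `iptables -S FORWARD` output (and `ip6tables -S FORWARD` if IPv6 is on) in place of the constructed sample turns this into a quick check after every GUI or app block action.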
 
