AC88U - 386.1_2 fw block internet issue

mekabe remain

Regular Contributor
Hi,

I am using the recent Merlin firmware on the AC88U.
I don't usually use the blocking feature for clients. Today I needed to use it.
So from the mobile client I blocked internet for a client.
However, the client was still able to access the internet.
Then I created a family member, added that device to it, and blocked the member.
But it was still accessing the internet.

Basically, the block internet feature seems not to be working.

I have restarted the router and tried again but it did not help at all.

Since I am not using this feature frequently, I am not sure after which firmware update I lost this feature.
It might be in this condition with 386 release.

Any ideas?
Is this a known problem?
 
You mean by "disabled = not active", right?
Correct.

Have you tried blocking the device using the router's GUI rather than the mobile app?

Check that the MAC address of the client hasn't changed as it is now common for mobile devices to do that.
 
I could not find the block feature on the router GUI. Where is it?

MAC address (or IP) has not changed because it is a Windows PC and has a static IP address.
 
I don't have the same firmware as you but I believe you go to Network Map, click on the "Clients:" button to open the "Client status" tab on the right. Then click on the desired client:

[attachment: Untitled.png]
 
OK, found it.
But blocking there does not work either.
Am I the only one with this problem?
Are you sure? If you're trying to block a phone, you need to be sure it's not using mobile data. Test it on a device you know for sure doesn't have an alternate way of connecting. (You'd be surprised how many items use their own VPN without your knowledge.)
 
It is not a phone. As I wrote above, it is a Windows PC connected through an Ethernet cable. Wi-Fi is disabled on this device and it has a static IP address.
Besides, if the command from the GUI had worked, I would see the difference in the "iptables -L -n" output, right?
I don't see any difference in iptables after the GUI command. (Same with the mobile app command.)
 
Besides, if the command from the GUI had worked, I would see the difference in the "iptables -L -n" output, right?
I don't see any difference in iptables after the GUI command. (Same with the mobile app command.)
That command only shows some of the rules; use this command:

iptables-save
 
With this command there are some changes, but none of them are directly related to blocking internet for my host (192.168.254.20).
 
Just tried it with my AC-88U with 386.1_2; it worked. Make sure you see this icon after blocking.

[attachment: EaxR7ZS4KI.png]
 
I don't have a clue what the problem is, but fwiw, blocking clients is pretty easy. You just need to add firewall rules based on source IP or MAC. Not a big deal (unless having this work via the GUI is vital for some reason).

Code:
iptables -I FORWARD -s 192.168.1.100 -o $(nvram get wan0_ifname) -j REJECT
iptables -I FORWARD -m mac --mac-source 00:01:02:03:04:05 -o $(nvram get wan0_ifname) -j REJECT
 
I blocked a device and the MAC address was saved in the nvram variable MULTIFILTER_MAC. Check the content while the device is blocked:
Code:
nvram get MULTIFILTER_MAC
iptables -S FORWARD
ip6tables -S FORWARD
The first time I blocked it while IPv6 was disabled, the iptables rule was by IP instead of MAC. After enabling IPv6 and rebooting, the rule was created in both iptables and ip6tables with the MAC address. Not sure exactly why it was different, but the device was blocked either way.

Do you use IPv6? Are there any other access points or AiMesh nodes in your network?
 
I don't have a clue what the problem is, but fwiw, blocking clients is pretty easy. You just need to add firewall rules based on source IP or MAC. Not a big deal (unless having this work via the GUI is vital for some reason).

Code:
iptables -I FORWARD -s 192.168.1.100 -o $(nvram get wan0_ifname) -j REJECT
iptables -I FORWARD -m mac --mac-source 00:01:02:03:04:05 -o $(nvram get wan0_ifname) -j REJECT

I know that I can manually block a client using iptables.
Working with the UI is not vital, but it is easy to use if you need a quick action.
 
I blocked a device and the MAC address was saved in the nvram variable MULTIFILTER_MAC. Check the content while the device is blocked:
Code:
nvram get MULTIFILTER_MAC
iptables -S FORWARD
ip6tables -S FORWARD
The first time I blocked it while IPv6 was disabled, the iptables rule was by IP instead of MAC. After enabling IPv6 and rebooting, the rule was created in both iptables and ip6tables with the MAC address. Not sure exactly why it was different, but the device was blocked either way.

Do you use IPv6? Are there any other access points or AiMesh nodes in your network?

Thanks.
Before blocking, the outputs are:

Code:
admin@RT-AC88U-DF80:/tmp/home/root# nvram get MULTIFILTER_MAC
3C:97:0E:3A:7F:D3
admin@RT-AC88U-DF80:/tmp/home/root# iptables -S FORWARD
-P FORWARD DROP
-A FORWARD -o br0 -j ipttolan
-A FORWARD -i br0 -j iptfromlan
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br1 -o eth0 -j ACCEPT
-A FORWARD -i br1 -o ppp0 -j ACCEPT
-A FORWARD ! -i br0 -o ppp0 -j other2wan
-A FORWARD ! -i br0 -o eth0 -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -i ppp0 -j SECURITY
-A FORWARD -j NSFW
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -m state --state NEW -j OVPN
-A FORWARD -j logdrop
admin@RT-AC88U-DF80:/tmp/home/root# ip6tables  -S FORWARD
-P FORWARD DROP

After blocking:

Code:
admin@RT-AC88U-DF80:/tmp/home/root# nvram get MULTIFILTER_MAC
3C:97:0E:3A:7F:D3>90:70:65:1E:F3:46
admin@RT-AC88U-DF80:/tmp/home/root# iptables -S FORWARD
-P FORWARD DROP
-A FORWARD -o br0 -j ipttolan
-A FORWARD -i br0 -j iptfromlan
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -s 192.168.254.195/32 -i br0 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br1 -o eth0 -j ACCEPT
-A FORWARD -i br1 -o ppp0 -j ACCEPT
-A FORWARD ! -i br0 -o ppp0 -j other2wan
-A FORWARD ! -i br0 -o eth0 -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -i ppp0 -j SECURITY
-A FORWARD -j NSFW
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -m state --state NEW -j OVPN
-A FORWARD -j logdrop
admin@RT-AC88U-DF80:/tmp/home/root# ip6tables  -S FORWARD
-P FORWARD DROP

>> Do you use IPv6? Are there any other access points or AiMesh nodes in your network?

No, I don't use IPv6, but I can try enabling it. How do you enable it?
I have AiMesh nodes (4 of them) in my network. Why is it important? (They are not in routing mode, only nodes.)

Btw, why do I have one MAC address in my MULTIFILTER_MAC when there is no block?
 
