What's new
By:

AC88U - 386.1_2 fw block internet issue

Where is the blocked device connected? Main router or a node? Primary WiFi network or guest network?

The blocking is only setup for br0, but not br1 or br2 (Guest Networks #1).

I don’t know how the iptables rules would handle a connection from a node, but as long as it’s from an IP and it sees the traffic on br0 interface it should work.

My thought on IPv6 was whether or not the blocking took effect on IPv6 firewall or not. But if it’s not enabled, no matter.
 
dave14305 said:
Where is the blocked device connected? Main router or a node? Primary WiFi network or guest network?

The blocking is only setup for br0, but not br1 or br2 (Guest Networks #1).

I don’t know how the iptables rules would handle a connection from a node, but as long as it’s from an IP and it sees the traffic on br0 interface it should work.

My thought on IPv6 was whether or not the blocking took effect on IPv6 firewall or not. But if it’s not enabled, no matter.
Click to expand...

I just realized something.
If I block access of 192.168.254.20 , it does not appear in iptables , and it does NOT get blocked.
If I block another IP (192.168.254.195 in my previous post) , it goes into iptables and gets blocked.

What is special with 192.168.254.20 ?
it has some port mappings, but is it related ?

it is connected via ethernet port.
actually while the block is being applied , I check with "İptables -S FORWARD" and I see the IP added to table for a second, then it goes out...
 
any ideas ?
what should I check ?
is there a log for iptables that I could check why it adds 192.168.254.20 to the table and then removes ?
 
You can inspect the /tmp/filter_rules file to see if it looks like the output of iptables -S. If the block is still there in the file, but disappears from iptables later, then something outside of the main firewall code might be removing it. That’s just speculation since I’ve never seen that behavior before, but I also don’t usually block anything either so I’m not a good test case.
 
you are correct. it stays there :

Code: 
admin@RT-AC88U-DF80:/tmp/home/root# cat /tmp/filter_rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT_PING - [0:0]
:INPUT_ICMP - [0:0]
:FUPNP - [0:0]
:SECURITY - [0:0]
:ACCESS_RESTRICTION - [0:0]
:other2wan - [0:0]
:OVPN - [0:0]
:DNSFILTER_DOT - [0:0]
:NSFW - [0:0]
:PControls - [0:0]
:default_block - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
:PTCSRVWAN - [0:0]
:PTCSRVLAN - [0:0]
:ipttolan - [0:0]
:iptfromlan - [0:0]
-I FORWARD -i br0 -j iptfromlan
-I FORWARD -o br0 -j ipttolan
-A ipttolan -i ppp0 -m account --aaddr 192.168.254.0/255.255.255.0 --aname lan -j RETURN
-A iptfromlan -o ppp0 -m account --aaddr 192.168.254.0/255.255.255.0 --aname lan -j RETURN
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i br0 -s 192.168.254.20 -j DROP
-A INPUT -p icmp --icmp-type 8 -j INPUT_PING
-A INPUT_PING -i ppp0 -p icmp -j logdrop
-A INPUT_PING -i eth0 -p icmp -j logdrop
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j logdrop
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -j OVPN
-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -m conntrack --ctstate DNAT -p tcp -m tcp -d 192.168.254.1 --dport 8443 -j ACCEPT
-N SSHBFP
-A SSHBFP -m recent --set --name SSH --rsource
-A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j logdrop
-A SSHBFP -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j SSHBFP
-A INPUT -p icmp -j INPUT_ICMP
-A INPUT_ICMP -p icmp --icmp-type 8 -j RETURN
-A INPUT_ICMP -p icmp --icmp-type 13 -j RETURN
-A INPUT_ICMP -p icmp -j ACCEPT
-A INPUT -i br1 -p udp --dport 53 -j ACCEPT
-A INPUT -i br1 -p udp --dport 67 -j ACCEPT
-A INPUT -i br1 -p udp --dport 68 -j ACCEPT
-A INPUT -i br1 -j DROP
-A INPUT -j logdrop
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i br1 -o eth0 -j ACCEPT
-A FORWARD -i br1 -o ppp0 -j ACCEPT
-A FORWARD -o ppp0 ! -i br0 -j other2wan
-A FORWARD -o eth0 ! -i br0 -j logdrop
-A other2wan -i tun+ -j RETURN
-A other2wan -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A PControls -i br0 -o br0 -j logdrop
-A FORWARD -m state --state INVALID -j logdrop
-A PControls -m state --state INVALID -j logdrop
-A FORWARD -i ppp0 -j SECURITY
-A PControls -j NSFW
-A FORWARD -j NSFW
-A PControls -j logdrop
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -m state --state NEW -j OVPN
-A SECURITY -p tcp --syn -m limit --limit 1/s -j RETURN
-A SECURITY -p tcp --syn -j logdrop
-A SECURITY -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
-A SECURITY -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j logdrop
-A SECURITY -p icmp --icmp-type 8 -m limit --limit 1/s -j RETURN
-A SECURITY -p icmp --icmp-type 8 -j logdrop
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
-A FORWARD -j logdrop
COMMIT

but not in the chain :

Code: 
admin@RT-AC88U-DF80:/tmp/home/root# iptables -S FORWARD
-P FORWARD DROP
-A FORWARD -o br0 -j ipttolan
-A FORWARD -i br0 -j iptfromlan
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br1 -o eth0 -j ACCEPT
-A FORWARD -i br1 -o ppp0 -j ACCEPT
-A FORWARD ! -i br0 -o ppp0 -j other2wan
-A FORWARD ! -i br0 -o eth0 -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -i ppp0 -j SECURITY
-A FORWARD -j NSFW
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -m state --state NEW -j OVPN
-A FORWARD -j logdrop

so now what ? what should I check ?
 
See where else that IP or MAC might be defined in your settings or custom scripts.
Code: 
nvram show 2>/dev/null | grep -F "192.168.254.20"
grep -F "192.168.254.20" /jffs/scripts/* /jffs/configs/*
If nothing, try the same commands with the MAC address instead of IP.
 
got it. thx.

the IP is in /jffs/scripts/firewall-start script

I don'T remember why I did this but the script deletes DROP lines for 4 IP addresses if the primary WAN is active:

Code: 
# Allow/Deny Primary WAN (WAN0) access for specified LAN devices
if [ "$FIBER_ACTIVE" = "1" ]; then
   logger -st "($(basename $0))" $$ Allowing Primary WAN "(WAN0)" access for 192.168.254.199 , 192.168.254.37 , 192.168.254.38 , 192.168.254.20
   iptables -D FORWARD -i br0 -s 192.168.254.199 -j DROP 2> /dev/null
   iptables -D FORWARD -i br0 -s 192.168.254.37 -j DROP 2> /dev/null
   iptables -D FORWARD -i br0 -s 192.168.254.38 -j DROP 2> /dev/null
   iptables -D FORWARD -i br0 -s 192.168.254.20 -j DROP 2> /dev/null
else
   logger -st "($(basename $0))" $$ Blocking Secondary WAN "(WAN1)" access for 192.168.254.199 , 192.168.254.37 , 192.168.254.38 , 192.168.254.20
   iptables -D FORWARD -i br0 -s 192.168.254.199 -j DROP 2>/dev/null
   iptables -D FORWARD -i br0 -s 192.168.254.37 -j DROP 2>/dev/null
   iptables -D FORWARD -i br0 -s 192.168.254.38 -j DROP 2>/dev/null
   iptables -D FORWARD -i br0 -s 192.168.254.20 -j DROP 2>/dev/null
   iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -i br0 -s 192.168.254.199 -j DROP
   iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -i br0 -s 192.168.254.37 -j DROP
   iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -i br0 -s 192.168.254.38 -j DROP
   iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -i br0 -s 192.168.254.20 -j DROP
fi

I really don't remember why I added this.
and I don't know what the seconf part is doing with this command:
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -i br0 -s 192.168.254.20 -j DROP
 
mekabe remain said:
got it. thx.

the IP is in /jffs/scripts/firewall-start script

I don'T remember why I did this but the script deletes DROP lines for 4 IP addresses if the primary WAN is active:

Code: 
# Allow/Deny Primary WAN (WAN0) access for specified LAN devices
if [ "$FIBER_ACTIVE" = "1" ]; then
   logger -st "($(basename $0))" $$ Allowing Primary WAN "(WAN0)" access for 192.168.254.199 , 192.168.254.37 , 192.168.254.38 , 192.168.254.20
   iptables -D FORWARD -i br0 -s 192.168.254.199 -j DROP 2> /dev/null
   iptables -D FORWARD -i br0 -s 192.168.254.37 -j DROP 2> /dev/null
   iptables -D FORWARD -i br0 -s 192.168.254.38 -j DROP 2> /dev/null
   iptables -D FORWARD -i br0 -s 192.168.254.20 -j DROP 2> /dev/null
else
   logger -st "($(basename $0))" $$ Blocking Secondary WAN "(WAN1)" access for 192.168.254.199 , 192.168.254.37 , 192.168.254.38 , 192.168.254.20
   iptables -D FORWARD -i br0 -s 192.168.254.199 -j DROP 2>/dev/null
   iptables -D FORWARD -i br0 -s 192.168.254.37 -j DROP 2>/dev/null
   iptables -D FORWARD -i br0 -s 192.168.254.38 -j DROP 2>/dev/null
   iptables -D FORWARD -i br0 -s 192.168.254.20 -j DROP 2>/dev/null
   iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -i br0 -s 192.168.254.199 -j DROP
   iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -i br0 -s 192.168.254.37 -j DROP
   iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -i br0 -s 192.168.254.38 -j DROP
   iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -i br0 -s 192.168.254.20 -j DROP
fi

I really don't remember why I added this.
and I don't know what the seconf part is doing with this command:
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -i br0 -s 192.168.254.20 -j DROP
Click to expand...
The gun doesn’t smoke much more than that.
 
Hi guys, I don't know if you can help me. I just flashed my ac86u yesterday with 386.2 from 384.18. When I click on a client and select the block internet access option, the internet stops working for every device. I have no idea why this is happening when it wasn't the case before. I'm assuming no one is experiencing the same issue? Is there a way I could check what is happening worth iptables commands? Thanks
 
You must log in or register to reply here.

Similar threads

I
block internet access for wifi clients on RT-AX88U Pro
Replies
5
Views
2K
YumeHatsuyuki
YumeHatsuyuki
Y
[RT-BE88U] Kill Switch issue with WireGuard – WAN IP leak
Replies
2
Views
2K
yaya59
Y
R
Addition of Block Internet Access
Replies
5
Views
1K
DJones
D
L
Blocking camera from outside, but enabling with VPN? AX88U
Replies
12
Views
2K
bennor
B
roosta113
Issues with wireless disconnects AT68U / Merlin-WRT FW 386.14_2 on specific activity...
Replies
10
Views
848
degrub
D
Similar threads
Thread starter Title Forum Replies Date
J Hey everyone, I have an ASUS AC88U. Is there any possibility it will be able to use WireGuard? Asuswrt-Merlin 2
B ASUS AC88U Traffic Analyzer statistics doesn't save after 1 day Asuswrt-Merlin 5
P RT-AC88U dissapering/disconnected 5Ghz band Asuswrt-Merlin 0
W RT-AX88U stuck on 386.2_6 Asuswrt-Merlin 12
roosta113 Issues with wireless disconnects AT68U / Merlin-WRT FW 386.14_2 on specific activity... Asuswrt-Merlin 10
P WiFi drops Internet rt-ac86u on 386.14_2 Asuswrt-Merlin 8
J AC-86u vulnerability tracking post-EoL (asuswrt-merlin 386.14_2) Asuswrt-Merlin 8
B Please Help - OpenVPN Site-to-Site and Remote Access Setup – One Client, Two Servers (Asus RT-AC68U, Merlin 386.14_2) Asuswrt-Merlin 0
Natty 386.14_2 Hacked? 'Unrecoverable' Guest network issue Asuswrt-Merlin 49
C 386.14_2 - RT-AC86U - Web UI Inaccessible After Upgrading Asuswrt-Merlin 5

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 5,696 (members: 15, guests: 5,681)
Back
Top