Block internet access, BUT allow VPN access

onesnark
SO - - - A question;

I have a device that can't be trusted to have internet access. I want to block all internet access to this thing from the router.

BUT. . . I want to access the unit via a VPN connection (from the other side of the planet).

I have set up OpenVPN, and I can successfully dial into my network. Without restrictions in place, I can access the "Device that I don't trust".
However, if I use Network Services Filter to block this device (using its IP address) OR if I do "Block Internet Access" from the "Client Status Page" (under network map), the VPN connection is also blocked.
I suspect the block is caused by the fact that the VPN'd computer has a 10.8.x.x assigned address; rather than the 192.168.x.x address assigned to "Device that I don't trust".

Any idea how to work around this?
For one device, filter ALL traffic, except from two subnets? (i.e. 192.168.x.x and 10.8.x.x)

PS: I did find one way to cheat: Once I VPN into the network, I can access the router configuration page. I can then remove the internet block from the "Device I don't trust". But. . .this sounds kinda like something I don't want to do ;)

Thanks for any advice!
 
I don't use the OEM firmware, so I don't know what options you have available. But when using Merlin's firmware, my suggestion would be to NOT use the GUI to block the device. The GUI blocks routing to *ALL* possible network interfaces, be it the WAN, VPN, etc. But you can create your own firewall rule(s) to confine the blocking to just the WAN.

Code:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -i br0 -m mac --mac-source 00:01:02:03:04:05 -o $WAN_IF -j REJECT
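The rule above matches only on the WAN output interface, which is why forwarding to the OpenVPN tunnel keeps working. As an added example (not code from this thread or from Asuswrt-Merlin itself), here is how a practitioner would make that block persistent and idempotent on Merlin firmware, where a script saved as /jffs/scripts/firewall-start runs each time the firewall is (re)started. The two MAC addresses, the br0 bridge name and the hook path are placeholders/assumptions; the WAN interface is read from the default route rather than hard-coded, with a "dev"-field lookup that also survives a trailing "metric N" or a PPPoE ppp0 WAN.

```shell
#!/bin/sh
# Added example, not code from the thread or from Asuswrt-Merlin.
# A persistent, idempotent "block WAN only" rule set for untrusted LAN devices.
# Assumptions (placeholders): Asuswrt-Merlin with "JFFS custom scripts" enabled,
# this file saved as /jffs/scripts/firewall-start (chmod +x), LAN bridge br0,
# and the two MAC addresses below.

UNTRUSTED_MACS="00:01:02:03:04:05 00:01:02:03:04:06"

# WAN interface = the "dev" field of the default route. Reads the route table on
# stdin so it can be tested; "$NF" would break on a line such as
# "default via 203.0.113.1 dev eth0 metric 100" and on PPPoE ("default dev ppp0 ...").
wan_if_from_route() {
    awk '/^default/ { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

detect_wan_if() {
    ip route 2>/dev/null | wan_if_from_route
}

# One REJECT rule per MAC, printed as the iptables argument list (one rule per line).
# Matching "-o <wan>" is the whole point: the GUI block matches "-o *" and so also
# kills forwarding to the OpenVPN tunnel (tun2x); this rule only touches LAN->WAN.
wan_block_rules() {
    wan_if="$1"; shift
    for mac in "$@"; do
        printf 'FORWARD -i br0 -m mac --mac-source %s -o %s -j REJECT\n' "$mac" "$wan_if"
    done
}

# Insert each rule only if it is not already present (-C), so re-running the hook
# (firewall restart, WAN reconnect) does not pile up duplicate copies of the rule.
apply_rules() {
    while read -r rule; do
        # $rule is intentionally left unquoted so it splits into iptables arguments
        iptables -C $rule 2>/dev/null || iptables -I $rule
    done
}

# Apply only when running as the installed firewall-start hook; anywhere else just
# print the rules so they can be reviewed without touching the live firewall.
case "$0" in
    */firewall-start)
        wan_if="$(detect_wan_if)"
        [ -n "$wan_if" ] || { logger -t firewall-start "no default route; skipping WAN block"; exit 0; }
        wan_block_rules "$wan_if" $UNTRUSTED_MACS | apply_rules
        ;;
    *)
        wan_block_rules "${WAN_IF:-eth0}" $UNTRUSTED_MACS
        ;;
esac
```

After installing it, confirm with `iptables -vnL FORWARD` that the new rows show `out eth0` (or whatever the WAN interface is) and not `out *`; a row with `out *` is the GUI-style block that also cuts off VPN clients. Run from any other path, the script only prints the rules it would insert.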
 
gah. . . . . .ok. . . . . .that looks like I am going to have to SSH into the device.

Is there a primer on how to proceed and where to stick that piece of code?
Will the code remain resident after a reboot?

(I prefer to remain with stock firmware; and only tweak as necessary. . . the firmware in *general* does what I want it to ;)

Also - - - I presume I can find out the meaning of these commands using SirGoogle?

I am a bit of a noob on Linux. . . . .so be gentle. I just SSH'd into the router using putty. . .so at least I can start at square one.
 
I'm not an expert on the OEM firmware. But I do know most ASUS OEM firmware has some VERY limited options for customization. The following might help.


But the truth is, without Merlin, your options are severely limited.

P.S. Might just be easier to continue doing what you're presently doing!
 
gah.

I hear you. What I do now is. . .hokey.

I leave the "device I don't trust" with internet access blocked - - -and just gave up on remote VPN access.

TBH: It's worse than that: I took the device (actually, there are three) and put them on a SEPARATE cheap router without internet access. I figured if I can't get VPN access. . .may as well be fully secure and have the WAN unplugged.

But I was recently encouraged to "try again". Like I posted originally. . . I want to block the WAN; but leave access to a SPECIFIC subnet (the one the VPN PC is on) besides the subnet the device is on.
 
FYI. I was playing around w/ the Network Services Filter page, and noticed that at least w/ Merlin, it *only* blocks the WAN.

Code:
admin@lab-merlin1:/tmp/home/root# iptables -vnL NSFW
Chain NSFW (1 references)
pkts bytes target     prot opt in     out     source               destination  
...
    0     0 DROP       tcp  --  br0    eth0    192.168.1.100        0.0.0.0/0
...

eth0 is the WAN. This is unlike the Client Status Page which blocks everything (*).

Code:
admin@lab-merlin1:/tmp/home/root# iptables -vnL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination  
...
    0     0 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MAC B8:70:F4:B3:4D:6A
...

A lot of these features are part of the base ASUS code, so they should be the same regardless if OEM or Merlin. Merlin only adds certain enhancements. Seems odd to me the OEM firmware would block everything w/ the Network Services Filter, but Merlin only the WAN. I seriously doubt he makes changes in this area.

That got me to thinking if maybe when you tested the Network Services Filter feature, that maybe you had failed to disable the blocking of the Client Status Page. If so, it would hit the latter before the former (at least according to the way the FORWARD chain on my router is configured).

IOW, at least on my router, use of the Network Services Filter should still make the client accessible from the VPN.
 
OK. . . I did some playing with this.

- - -I think you are correct. If I block with "Client status page", VPN and WAN are blocked. HOWEVER - - on the Network Services Filter page. . .if I block it (correctly), I seem to block the WAN but not VPN. I suspect I may have been doing this incorrectly previously.

- - -Testing was done by verifying SSH access into the various network components (The device I don't trust; and the Router itself); both on and off the network.


Two odd things:
1) On the Network Services Filter page; I had to specify "Source IP" and "Port Range". . .if I let port range be blank, the WAN was not blocked. I blocked the WAN by specifying port range 1:65000 (I was not expecting this)

2) In playing with my router (Router with stock current version firmware), it does not appear that either the SUDO or IPTABLES command was present as a valid command. Is that possible? (I was logged in as user "Fred", i.e. I changed the default "Admin" to "Fred" for normal access to the Router GUI.)

Thank you very much for your advice so far.
 
1) On the Network Services Filter page; I had to specify "Source IP" and "Port Range". . .if I let port range be blank, the WAN was not blocked. I blocked the WAN by specifying port range 1:65000 (I was not expecting this)

I assume you mean the "Source" port range.

I can't see how that's possible. I've been dealing w/ iptables for a very long time, and there's no reason you should have to explicitly include the source port range. If NOT specified, then it defaults to ALL ports. Not unless there's something in your firmware that refuses to even insert the rule(s) unless a source port range is provided (again, that would be odd). As you can see from my own dump of the NSFW chain in the filter table below, that rule does NOT include a source port range, and the source IP 192.168.1.7 now has dropped packets (notice the packet counts, 108 and 23).

Code:
admin@lab-merlin1:/tmp/home/root# iptables -vnL NSFW
Chain NSFW (1 references)
pkts bytes target     prot opt in     out     source               destination        
...
  108  5616 DROP       tcp  --  br0    eth0    192.168.1.7          0.0.0.0/0          
   23 29394 DROP       udp  --  br0    eth0    192.168.1.7          0.0.0.0/0          
...

Realize that using Network Services filter can only block TCP and/or UDP. If you test for WAN access using ping (ICMP), for example, that will NOT be blocked. Personally I would have preferred they offered an "all" option, but they didn't for some reason. But for most situations, blocking TCP and UDP is good enough.

2) In playing with my router (Router with stock current version firmware), it does not appear that either the SUDO or IPTABLES command was present as a valid command. Is that possible? (I was logged in as user "Fred", i.e. I changed the default "Admin" to "Fred" for normal access to the Router GUI.)

Again, seems odd. Of course, those should be lowercase (I assume you uppercase'd them for clarity sake).
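Before trusting a ping test, it is worth checking which kind of block a device is actually under. The following added example (not code from this thread) reads `iptables -vnL` output for the FORWARD and NSFW chains and, for one LAN host, classifies every DROP/REJECT row as WAN-only (fine for VPN access) or all-interfaces (the Client Status Page style that also cuts off the tunnel), and warns when only tcp/udp are covered so ICMP still gets out. The sample input is constructed from the two chain listings posted in this thread; eth0 as the WAN interface and the host addresses come from those listings and nothing else is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads "iptables -vnL" output (FORWARD
# and/or NSFW chains) on stdin and reports, for one LAN host, whether each
# DROP/REJECT rule is confined to the WAN or catches every output interface
# (which is what breaks VPN access), plus whether only tcp/udp are covered.
# On the router:  { iptables -vnL FORWARD; iptables -vnL NSFW; } | audit_block_rules eth0 192.168.1.7
# HOST may be an IPv4 address (matched against the source column) or a MAC address
# (matched against a trailing "MAC xx:xx:xx:xx:xx:xx" match), as the listings show.

audit_block_rules() {
    awk -v wan="$1" -v host="$2" '
        # Rule rows start with the packet counter (possibly with a K/M/G suffix);
        # "Chain ..." and column-header rows do not.
        $1 ~ /^[0-9]+[KMG]?$/ && ($3 == "DROP" || $3 == "REJECT") {
            # columns: pkts bytes target prot opt in out source destination [match text...]
            proto = $4; out = $7; src = $8
            hit = (src == host)
            for (i = 10; i <= NF; i++)
                if ($i == "MAC" && toupper($(i + 1)) == toupper(host)) hit = 1
            if (!hit) next
            scope = (out == wan) ? "WAN-only" : (out == "*" ? "ALL-interfaces" : ("out=" out))
            printf "%s %s %s\n", $3, proto, scope
            if (proto == "tcp" || proto == "udp") l4only++; else anyproto++
        }
        END {
            if (!l4only && !anyproto)
                print "NO-BLOCK-RULE for " host
            else if (!anyproto)
                print "NOTE: only tcp/udp are blocked; icmp (ping) from " host " still reaches the WAN"
        }'
}

# Constructed sample built from the two chain listings quoted in the thread (counters as posted).
SAMPLE_DUMP='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MAC B8:70:F4:B3:4D:6A
Chain NSFW (1 references)
 pkts bytes target     prot opt in     out     source               destination
  108  5616 DROP       tcp  --  br0    eth0    192.168.1.7          0.0.0.0/0
   23 29394 DROP       udp  --  br0    eth0    192.168.1.7          0.0.0.0/0'

# Run the audit over the sample for a given host (IP or MAC), with eth0 as the WAN.
audit_sample() { printf '%s\n' "$SAMPLE_DUMP" | audit_block_rules eth0 "$1"; }

audit_sample B8:70:F4:B3:4D:6A   # Client Status Page block: DROP all ALL-interfaces
audit_sample 192.168.1.7         # Network Services Filter: two WAN-only rows plus the icmp note
```

A host that shows only WAN-only rows is reachable from the VPN subnet; one with an ALL-interfaces row is not, no matter what the Network Services Filter page says, because the FORWARD chain hits that row first. The icmp note is the reason a ping test can "pass" while TCP and UDP are actually blocked.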
 
So. . . .

. . . progress. Or not?

Certainly, I am feeling like a noob at the moment. Sometimes things work. . .sometimes they don't. Odd.

So the progress is that I managed to get the IPTABLES command to work (Yes, capitals for emphasis). I now have a table that looks like the attached. . . . .and I can SSH into the "device I do not trust" on IP 192.168.0.214. (I am hotspotting a computer, and then Puttying using my router WAN address, and an external port which I am forwarding to the SSH port on the device.)

I am going to do some methodical experimentation again later. . .involving rebooting the *&$#& router often, rather than just applying changes. Something is definitely not right here.
 

Attachment: temp.png
Use whatever method works for you. I figured if you could get Network Services Filter working, it would make things easier. I know that dealing w/ the router via ssh, iptables, etc., is a major hassle on the OEM firmware. But if you can make it work for you, that's fine.
 
I appreciate the advice.

I think I am giving up on this branch of the project. . . . I suspect limited firmware capability and I have not even scratched the script / rule persistence issue.

I suspect as a next step I should flash the router with Merlin (the router is supported) and go from there. Unfortunately, my "backup" router is too pedestrian for Merlin.
Might take a bit of time before I start playing with Merlin on my main router - - other priorities - - -and I don't want to knock it out inadvertently during the work week when I have limited time to fool with it.
 
