Block some sources to use WAN2 when in fallback mode


murat göttendelik

Occasional Visitor
Hi,

I am using WAN2 as a fallback when WAN1 is down.
But in that state I would like to block 3 source IP addresses from accessing the internet (my 2 XBOX consoles and my media downloader PC).
Is this possible through the GUI?
If not, how can I do it using iptables and a script?
 
I'm sure this is a very simple task on Asuswrt-Merlin firmware.
Can anybody help?

It is indeed ….. probably

Show a little patience :rolleyes: .... forum members are not necessarily in your time zone, and it is not unusual not to get any response for a couple of days.

Anyway, back in the day when I was on an unstable Primary ADSL connection, I used something like this in

/jffs/scripts/firewall-start
Code:
#!/bin/sh

WAN0_ADDR=$(nvram get wan0_ipaddr)
WAN1_ADDR=$(nvram get wan1_ipaddr)

# This should indicate if Primary VDSL or Secondary 3G MODEM is ACTIVE
VDSL_ACTIVE=$(nvram get wan0_primary)

# Allow/Deny Primary WAN (WAN0) access for specified LAN devices
# (the logger messages are quoted: an unquoted "(WAN0)" is a shell syntax error)
if [ "$VDSL_ACTIVE" = "1" ]; then
   logger -st "($(basename $0))" $$ "Allowing Primary WAN (WAN0) access for xxx.xxx.xxx.xxx"
   iptables -D FORWARD -i br0 -o eth0 -s xxx.xxx.xxx.xxx -j DROP 2>/dev/null
else
   logger -st "($(basename $0))" $$ "Blocking Secondary WAN (WAN1) access for xxx.xxx.xxx.xxx"
   # Delete any existing copy first so re-running the script never stacks duplicate rules
   iptables -D FORWARD -i br0 -o eth0 -s xxx.xxx.xxx.xxx -j DROP 2>/dev/null
   # Insert the DROP immediately after the firmware's "state INVALID" rule in FORWARD;
   # replace '???' with the Secondary WAN interface
   iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -i br0 -o ??? -s xxx.xxx.xxx.xxx -j DROP
fi
Obviously, if 'eth0' is not your Primary (WAN0) interface, then substitute the appropriate interface ('vlan2', 'ppp5', etc.) to add/remove the block on the secondary WAN interface.

Hopefully this should get you started.
 
Thanks for your answer. I hope that will help me start. But I have 2 questions:

1.
The exact same line is used for both the positive and negative if conditions. Is there a mistake? (Should the first one have ACCEPT instead of DROP?):
iptables -D FORWARD -i br0 -o eth0 -s xxx.xxx.xxx.xxx -j DROP

2.
After modifying the script for my needs (changing the interface name), how shall I use it so that it is run each time the connection state changes?

Thx.
 
The exact same line is used for both the positive and negative if conditions. (Should the first one have ACCEPT instead of DROP?):

Is there a mistake?

No, the '-D' means delete the matching DROP rule, and the '-I' means insert the DROP rule (preceded by the prudent delete to prevent unnecessary duplicate rules).

Obviously by default the two Xboxes and the Media PC are always allowed access via the ACTIVE WAN interface, so we are simply adding/removing their blocking rules.

2.
After modifying the script for my needs (changing the interface name), how shall I use it so that it is run each time the connection state changes?

It should be automatic, i.e. every time the firmware detects a WAN UP event it will run two scripts: wan-start and then firewall-start.
 
Thanks, but I still don't understand. Currently there's nothing under /jffs/scripts.
If I create this script, will it run automatically? Do I have to make it executable (chmod +x)?

Two more questions:
why do we delete the rules if every firewall start makes a fresh iptables?
and do I use the same interface name (secondary WAN ifname) for all the lines (delete and insert rules)?

my wan0 ifname is ppp0 and wan1 ifname is ppp1

I wrote the script as :

Code:
#!/bin/sh
WAN0_ADDR=$(nvram get wan0_ipaddr)
WAN1_ADDR=$(nvram get wan1_ipaddr)
# LAN hosts that must not use the Secondary WAN (ppp1)
BLOCKED="192.168.254.199 192.168.254.37 192.168.254.38 192.168.254.20"
# This should indicate if Primary FIBER or Secondary 3G MODEM is ACTIVE
FIBER_ACTIVE=$(nvram get wan0_primary)
# Allow/Deny Primary WAN (WAN0) access for specified LAN devices
# (logger messages are quoted: an unquoted "(WAN0)" is a shell syntax error)
if [ "$FIBER_ACTIVE" = "1" ]; then
   logger -st "($(basename $0))" $$ "Allowing Primary WAN (WAN0) access for $BLOCKED"
   for IP in $BLOCKED; do
      iptables -D FORWARD -i br0 -o ppp1 -s "$IP" -j DROP 2>/dev/null
   done
else
   logger -st "($(basename $0))" $$ "Blocking Secondary WAN (WAN1) access for $BLOCKED"
   for IP in $BLOCKED; do
      # delete any leftover copy first so re-running never stacks duplicates
      iptables -D FORWARD -i br0 -o ppp1 -s "$IP" -j DROP 2>/dev/null
      # insert the DROP right after the firmware's "state INVALID" rule
      POS=$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))
      iptables -I FORWARD "$POS" -i br0 -o ppp1 -s "$IP" -j DROP
   done
fi

Is this correct?
 
I just tried this and it did not add any rules when the WAN switched to ppp1.
Do I have to enable the following feature under System settings?
"Enable JFFS custom scripts and configs"

edit:
The problem was on the "logger" line, with "(WAN0)": the shell does not accept this if it is not in quotes.
Please ignore this post, but I still need help with my previous post.
 
Currently there's nothing under /jffs/scripts.
If I create this script, will it run automatically? Do I have to make it executable (chmod +x)?

Do I have to enable the following feature under System settings?
"Enable JFFS custom scripts and configs"
All of your questions are answered in the Wiki links I posted.

Two more questions:
why do we delete the rules if every firewall start makes a fresh iptables?
Usually it is easier to maintain separate custom scripts rather than embed the custom firewall rules code directly in-line in firewall-start.
Either way it means that you are able to call the script manually, and the delete command prior to the insert allows you to repeat the testing without creating unnecessary duplicates.
Do I use the same interface name (secondary WAN ifname) for all the lines (delete and insert rules)?
I have never used Dual-WAN Fail-Over (FO) with two PPP interfaces, but I believe the firmware will only maintain one active WAN interface, so you want to apply the blocking rules when the Secondary WAN (ppp1) is UP, but if the Primary WAN is UP, you can safely delete the unused Secondary WAN (ppp1) blocking rules.
 
I just realized that my primary and secondary WAN interfaces can change between ppp0 and ppp1.
For example, today wan0 is using ppp1, but yesterday it was ppp0.

So I would like to remove the optional parameter "-o" from the rules, meaning they will block the traffic from those hosts on all outgoing interfaces when the rule is applied.
Is this OK?
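The following is an added example, not a script from this thread or from the Asuswrt-Merlin project, that folds the thread's two open problems into one firewall-start: the delete-then-insert dance needed to keep manual re-runs from stacking duplicate rules, and the interface name that swaps between ppp0 and ppp1 on failover. It keeps the blocked hosts in a dedicated user chain (our own name, WAN2_BLOCK) that is rebuilt from scratch on every run, and reads the secondary WAN's interface at run time instead of hard-coding it. Assumptions, labelled in the code: nvram wan0_primary is "1" while the primary WAN carries traffic (as the thread uses it), nvram wan1_gw_ifname names the interface the secondary WAN routes through, and the host list is constructed sample data.

```shell
#!/bin/sh
# Added example (not the script from this thread). Meant for /jffs/scripts/firewall-start on
# Asuswrt-Merlin: needs "Enable JFFS custom scripts and configs" = Yes and chmod +x; the
# firmware runs firewall-start after every WAN up event, so this re-evaluates on failover.
# Assumptions, checkable with: nvram show | grep -E '^wan[01]_(primary|gw_ifname)='
#   - nvram wan0_primary is "1" while the primary WAN (WAN0) carries traffic (as in the thread)
#   - nvram wan1_gw_ifname names the interface the secondary WAN routes through (ppp0/ppp1/usb0...)
# BLOCKED_HOSTS (constructed sample) and the chain name WAN2_BLOCK are our own choices.

BLOCKED_HOSTS="192.168.254.199 192.168.254.37 192.168.254.38"
CHAIN="WAN2_BLOCK"
LAN_IF="br0"

# Print (do not run) the iptables commands for a given state, so the rule set can be
# reviewed or tested without touching the live firewall.
#   $1 = wan0_primary value ("1" = primary active, anything else = fallback on WAN2)
#   $2 = secondary WAN interface; "" means drop on every outbound interface
wan2_block_rules() {
    primary="$1"; iface="$2"
    ofl=""
    [ -n "$iface" ] && ofl=" -o $iface"
    if [ "$primary" = "1" ]; then
        # Primary is back: tear the chain down (jumps are removed by apply_wan2_block).
        echo "iptables -F $CHAIN 2>/dev/null"
        echo "iptables -X $CHAIN 2>/dev/null"
        return 0
    fi
    # Fallback active: rebuild the chain from scratch, one DROP per host.
    echo "iptables -N $CHAIN 2>/dev/null"
    echo "iptables -F $CHAIN"
    for h in $BLOCKED_HOSTS; do
        echo "iptables -A $CHAIN -s $h -j DROP"
    done
    # Position 1 of FORWARD, i.e. ahead of the RELATED,ESTABLISHED accept, so a flow that
    # slipped through while failover was settling is cut too. The match is narrow (only the
    # listed sources, only from the LAN bridge), so this is a superset of "after state INVALID"
    # and needs no line-number scraping.
    echo "iptables -I FORWARD 1 -i $LAN_IF$ofl -j $CHAIN"
}

# Apply the rule set: first delete every existing jump to the chain, whatever interface it
# was bound to last time (the OP saw wan0/wan1 swap between ppp0 and ppp1), then run the
# generated commands. Re-running is idempotent, so manual testing never stacks duplicates.
apply_wan2_block() {
    iptables -S FORWARD 2>/dev/null | grep -- " -j $CHAIN\$" | sed 's/^-A /iptables -D /' | sh
    wan2_block_rules "$@" | while IFS= read -r cmd; do eval "$cmd"; done
}

# Only touch nvram/iptables when actually running on the router.
if command -v nvram >/dev/null 2>&1 && command -v iptables >/dev/null 2>&1; then
    primary="$(nvram get wan0_primary)"
    wan2_if="$(nvram get wan1_gw_ifname)"   # assumption: see header; "" falls back to "any -o"
    logger -t "$(basename "$0")" "wan0_primary=$primary wan2_if=${wan2_if:-any}: refreshing $CHAIN"
    apply_wan2_block "$primary" "$wan2_if"
fi
```

Run `sh /jffs/scripts/firewall-start` by hand after a failover and check with `iptables -S FORWARD | grep WAN2_BLOCK` and `iptables -nvL WAN2_BLOCK`: there should be exactly one jump, bound to whatever interface wan1_gw_ifname reported, and the packet counters on the DROP lines should climb when a blocked host tries to reach the internet. Leaving wan2_if empty reproduces the "no -o at all" variant asked about above; that is broader, since it also stops those hosts being forwarded to any VPN tunnel interface, which is worth knowing before choosing it.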
 