Can't access LAN device from VPN when device set to block Internet access

chrish16

New Around Here
I have an ASUS RT-AC68R with Asuswrt-Merlin on firmware 384.7_2

I have an IP cam for which I have blocked Internet access using the button on the Network Map page.
I would like to VPN in from my phone using OpenVPN (which is set up and working) and use the IP cam app on my phone to access the IP cam.
I'm guessing when toggling the button for Block Internet Access on a client on the network map it blocks traffic out of the local LAN rather than blocking traffic over the WAN interface?
Can I set a static route so that the 10.8.0.0 network can get to the 192.168.1.x network or to the static IP of the IP cam, which is 192.168.1.137, even though the IP cam has the Internet Access Blocked toggle switch toggled on?
 
If you're not on your LAN then clearly you must be on the Internet? (or technically, NOT on the 'br0' interface) when initiating the inbound connection to your OpenVPN server.

The 'Block Internet Access' does exactly that... computers only do what you tell them, not necessarily what you want them to do! :p

i.e. the following blocking rule is added:
Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)

num   pkts bytes target     prot opt in     out     source               destination 
1        0     0 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MAC xx:xx:xx:xx:xx:xx
2     3681 2061K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

You need to allow outbound access via the OpenVPN Server interfaces 'tun2+' for the IP Camera (by MAC address),
i.e. relax the total block by fixing the incorrect rule applied by the GUI:
Code:
iptables -R FORWARD $(iptables --line -nvL FORWARD | grep "xx:xx:xx:xx:xx:xx" | cut -d' ' -f1) -i br0 ! -o tun2+ -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP
Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)

num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  br0    !tun2+  0.0.0.0/0            0.0.0.0/0            MAC xx:xx:xx:xx:xx:xx
2     3681 2061K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED


Obviously the fix will be lost every time you reboot, so you would use a simple script IPCamsBlock.sh ;)
 
Last edited:
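
The persistence step mentioned in the reply above, as an added example (this is not the poster's IPCamsBlock.sh, whose contents are not shown in the thread): it reads the FORWARD listing, finds the camera's block rule that has not yet been relaxed, and emits the `iptables -R` replacement, so repeated runs are harmless. Assumed here: bridge `br0`, server interfaces `tun2+`, a `CAM_MAC` variable, hypothetical helper names, and constructed sample MAC addresses.

```shell
#!/bin/sh
# Added example, not the poster's IPCamsBlock.sh. Assumptions: LAN bridge br0,
# OpenVPN server interfaces matching tun2+, CAM_MAC set to the camera's MAC.
CAM_MAC="${CAM_MAC:-xx:xx:xx:xx:xx:xx}"   # placeholder, rejected by valid_mac
VPN_IF="tun2+"

valid_mac() {
    echo "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Reads `iptables --line-numbers -nvL FORWARD` on stdin and prints the numbers
# of DROP rules that still block the MAC on every output interface (out = *).
# Rules already showing "!tun2+" are skipped, so a second run changes nothing.
unfixed_rules() {
    awk -v mac="$1" 'BEGIN { mac = toupper(mac) }
        $4 == "DROP" && $7 == "br0" && $8 == "*" &&
        index(toupper($0), "MAC " mac) { print $1 }'
}

# Prints one in-place replacement per unfixed rule; -R keeps the rule's
# position ahead of the RELATED,ESTABLISHED accept.
fix_commands() {
    valid_mac "$1" || { echo "invalid MAC: $1" >&2; return 1; }
    unfixed_rules "$1" | while read -r num; do
        echo "iptables -R FORWARD $num -i br0 ! -o $VPN_IF -m mac --mac-source $1 -j DROP"
    done
}

# Constructed listing in the format quoted in the thread (MACs are made up).
sample_listing() {
    cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MAC AA:BB:CC:00:11:22
2     3681 2061K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 DROP       all  --  br0    !tun2+  0.0.0.0/0            0.0.0.0/0            MAC AA:BB:CC:00:11:33
EOF
}

# "show" prints the commands for review, "apply" runs them on the router.
case "${1:-}" in
    show)  iptables --line-numbers -nvL FORWARD | fix_commands "$CAM_MAC" ;;
    apply) iptables --line-numbers -nvL FORWARD | fix_commands "$CAM_MAC" | sh ;;
esac
```

On Asuswrt-Merlin a script like this is typically called from the `firewall-start` user script in `/jffs/scripts/`, because the firewall rules are rebuilt on more events than a reboot.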
