Firewall and Parental control on AC68 broken

CoolDuckie

Hi all,

I am using the Merlin 374.42 FW on an AC68 router. Very happy with Merlin's FWs - thanks a lot, Merlin!

I believe there is a common, very long-lasting bug in Asus' firmwares: Open, established connections are not closed by the firewall or the Parental Control feature. It works by preventing new connections. I discovered this when my youngest daughter started playing online Minecraft all the time. I tried to block access after 23:00, to ensure that her sleep isn't disrupted. However, she soon discovered that if she just kept playing on the same server, the connection did not close.

The same happens with the firewall network services filter. Perhaps the parental control uses the same code? Is this a known bug, and does Asus have plans to fix it? Can it be circumvented?

CD
 
Try disabling HW acceleration. I took a look at the PControl code last year, and don't understand why established connections wouldn't be terminated since that's what the firewall rules should be doing based on how they are implemented. The only theory left would be this is a side-effect of HW acceleration, in which case there's nothing that could be done.
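To make the point above concrete, here is a small script written for this page (it is not code from the thread, from Asus, or from the Asuswrt-Merlin firmware). It parses a constructed sample of /proc/net/nf_conntrack lines, lists the flows a LAN host already has open, which are exactly the flows a block that only stops NEW connections leaves alive, and then emits the commands that would end those flows as well: a DROP at the head of FORWARD, ahead of any ESTABLISHED accept rule, plus deletion of the host's conntrack entries. It assumes the standard nf_conntrack line format and that the conntrack-tools CLI is available on the router; the sample entries and addresses are constructed, not captured.

```shell
#!/bin/sh
# Constructed sample of three /proc/net/nf_conntrack lines (NOT captured from a real
# router; addresses are documentation ranges): a Minecraft TCP session and a UDP flow
# from 192.168.1.50, and an HTTPS session from 192.168.1.77. The first
# src=/dst=/dport= group on each line is the original (LAN-to-WAN) direction.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.50 dst=203.0.113.10 sport=54321 dport=25565 src=203.0.113.10 dst=198.51.100.2 sport=25565 dport=54321 [ASSURED] mark=0 use=2
ipv4     2 udp      17 170 src=192.168.1.50 dst=203.0.113.20 sport=40000 dport=5222 src=203.0.113.20 dst=198.51.100.2 sport=5222 dport=40000 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 300 ESTABLISHED src=192.168.1.77 dst=203.0.113.30 sport=50000 dport=443 src=203.0.113.30 dst=198.51.100.2 sport=443 dport=50000 [ASSURED] mark=0 use=2'

# surviving_flows HOST CONNTRACK_DUMP
# Print "proto remote_ip remote_port" for every tracked flow that HOST originated.
# A rule that only matches NEW connections (or sits below an ESTABLISHED accept rule)
# leaves exactly these flows alive after the block starts.
surviving_flows() {
    printf '%s\n' "$2" | awk -v host="$1" '
    {
        src = ""; dst = ""; dport = ""
        for (i = 1; i <= NF; i++) {
            # Only the first occurrence of each key is the original direction.
            if ($i ~ /^src=/ && src == "")          { sub(/^src=/, "", $i);   src = $i }
            else if ($i ~ /^dst=/ && dst == "")     { sub(/^dst=/, "", $i);   dst = $i }
            else if ($i ~ /^dport=/ && dport == "") { sub(/^dport=/, "", $i); dport = $i }
        }
        if (src == host) print $3, dst, dport
    }'
}

# count_surviving HOST CONNTRACK_DUMP -> number of flows that would outlive the block
count_surviving() {
    surviving_flows "$1" "$2" | wc -l | tr -d ' '
}

# block_commands HOST
# Emit (without running) the commands for a block that also ends existing flows:
# the DROP rules go at the head of FORWARD so they are evaluated before any
# "--state ESTABLISHED,RELATED -j ACCEPT" rule, and the host's conntrack entries are
# deleted so netfilter stops treating its flows as established. `conntrack -D -s`
# is the conntrack-tools CLI; whether a given firmware ships it is an assumption.
block_commands() {
    cat <<EOF
iptables -I FORWARD 1 -s $1 -j DROP
iptables -I FORWARD 1 -d $1 -j DROP
conntrack -D -s $1
EOF
}

# Demo on the constructed sample:
echo "Flows from 192.168.1.50 that a NEW-only block leaves alive:"
surviving_flows 192.168.1.50 "$SAMPLE_CONNTRACK"
echo "Commands that would end them as well:"
block_commands 192.168.1.50
```

The conntrack deletion only covers the software path; traffic carried by a hardware acceleration fast path outside iptables, as Merlin describes, is a separate matter, which is why his advice to test with acceleration disabled still applies.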
 
Hi all,

I am using the Merlin 374.42 FW on an AC68 router. Very happy with Merlin's FWs - thanks a lot, Merlin!

I believe there is a common, very long-lasting bug in Asus' firmwares: Open, established connections are not closed by the firewall or the Parental Control feature. It works by preventing new connections. I discovered this when my youngest daughter started playing online Minecraft all the time. I tried to block access after 23:00, to ensure that her sleep isn't disrupted. However, she soon discovered that if she just kept playing on the same server, the connection did not close.

The same happens with the firewall network services filter. Perhaps the parental control uses the same code? Is this a known bug, and does Asus have plans to fix it? Can it be circumvented?

CD

However, forum users can't replicate my issue; I can reproduce it on several (4x) RT-AC68U routers.
After blocking access to the internet, it is still possible (for a short period) to use the internet: time enough to send/receive a WhatsApp message.

Just switch off WiFi on the phone (tested it with an iPhone) and switch WiFi back on. Now there's a time window of 30 seconds in which WhatsApp IS connected to the server.

I don't believe there will ever be a fix for it, just be aware of this feature.
http://forums.smallnetbuilder.com/showthread.php?t=17337
http://www.smallnetbuilder.com/forums/showpost.php?p=122682&postcount=404
 
I'm not sure that it's an Asus issue. I've run a couple of routers over the last few years and all seem to have this issue: if a connection has been made prior to the cut-off point, it remains valid, especially UDP connections.

I wonder if it would be possible to integrate a DHCP release with the parental control, so that if a MAC address is to be blocked at a certain time, its address is released at the same time or a minute after. This would kill all current connections, and the parental control would block any new connections on the renewed IP.
 
I wonder if it would be possible to integrate a DHCP release with the parental control, so that if a MAC address is to be blocked at a certain time, its address is released at the same time or a minute after. This would kill all current connections, and the parental control would block any new connections on the renewed IP.

A DHCP lease cannot be released by a server, only by a client.

My last suggestion still stands - try disabling Hardware Acceleration, as this functionality causes the network traffic to bypass parts of iptables.
 
A DHCP lease cannot be released by a server, only by a client.

My last suggestion still stands - try disabling Hardware Acceleration, as this functionality causes the network traffic to bypass parts of iptables.

Didn't realise that the router couldn't initiate a release of the IP. Learn something new every day :)
Hope you don't mind a second question or a pointer to the info.

Client requests an IP.
DHCP server gives them one for a set amount of time that a router owner can specify.

Is this part of the specs of DHCP servers, or can it be set up so that all the IPs it gives to different clients at different times during the day all end at the same time? Currently, if you set it for 1000 minutes, it's a 1000-minute countdown from when the client gets the IP till it looks for a new one.

The question is because I'm curious :) - the threat of a week off the network I find is a fairly effective firewall in my house.
 
Didn't realise that the router couldn't initiate a release of the IP. Learn something new every day :)
Hope you don't mind a second question or a pointer to the info.

Client requests an IP.
DHCP server gives them one for a set amount of time that a router owner can specify.

Is this part of the specs of DHCP servers, or can it be set up so that all the IPs it gives to different clients at different times during the day all end at the same time? Currently, if you set it for 1000 minutes, it's a 1000-minute countdown from when the client gets the IP till it looks for a new one.

The question is because I'm curious :) - the threat of a week off the network I find is a fairly effective firewall in my house.

The lease duration begins from the moment a given client obtains a lease. So if you have lease duration set to 24 hours, a PC that got its lease at 9am will see its lease expire at 9am the next day, while the other one that only got turned on at 10am will expire at 10 am the next day. This is a global value set on the DHCP server.
 