Firewall URL filter bypassed by guest networks with disabled intranet access

Climber

New Around Here
RT-AX86U on Merlin 3004.388.9_2
Guest networks with intranet access disabled seem to bypass the firewall URL filter.
On the main network the blocking works fine.
If I enable the intranet access on the guest network the blocking works fine too.
I used the GUI to add the URLs and they show up under the INPUT and FORWARD chains of iptables. So, that would mean all those rules are probably bypassed too.
The test is a DNS lookup and pinging.
I disabled my own custom firewall scripts, but it didn't make a difference.

I have just upgraded from 3004.388.8_4 to 9_2, but wasn't using the URL block then, so can't say if it's due to the upgrade. Haven't updated AMTM yet.
Tried searching on SNB.
Before I try a downgrade I was curious to see if someone else knows about this.

Cheers,
Peter
 
Which Guest Networks? The first Guest Network of each band behaves differently than the other 2. What did the INPUT and FORWARD rules look like, specifically? Were they only for br0 interface? Is your guest network using an interface other than br0?
 
It was on Guest Network #1. I know #1 behaves differently and gets a separate bridge and subnet. Since I used the 5GHz it goes to br2.
However, I didn't think that would have been a reason to bypass an outgoing firewall.
I did some more testing and GN #3 doesn't have this problem, so it seems that only br0 goes through the URL filter and br1 and br2 bypass it.
The first several lines of the associated iptables chains are below and contain the URL filter. I only have www.yahoo.com and obihai in there.
The rules don't seem explicitly linked to only br0.

Wondering if it is related to ebtables.

I don't want to use a different GN since I use br2 to also isolate some of the ethernet ports from the rest of the network. I move them from br0 to br2 and they become part of that GN.


Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
INPUT_PING  icmp --  anywhere             anywhere             icmp echo-request
DROP       udp  --  anywhere             AX86U.secnet         udp dpt:domain STRING match  "obihai" ALGO name bm TO 65535 ICASE
DROP       udp  --  anywhere             AX86U.secnet         udp dpt:domain STRING match  "|057961686f6f03636f6d|" ALGO name bm TO 65535 ICASE
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             state INVALID
PTCSRVWAN  all  --  anywhere             anywhere
PTCSRVLAN  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       udp  --  anywhere             anywhere             udp dpt:domain STRING match  "|057961686f6f03636f6d|" ALGO name bm TO 65535 ICASE
REJECT     tcp  --  anywhere             anywhere            WEBSTR match url www.yahoo.com  reject-with tcp-reset
DROP       udp  --  anywhere             anywhere             udp dpt:domain STRING match  "obihai" ALGO name bm TO 65535 ICASE
REJECT     tcp  --  anywhere             anywhere            WEBSTR match url obihai  reject-with tcp-reset
DROP       udp  --  anywhere             anywhere             udp dpt:1701
DROP       gre  --  anywhere             anywhere
DROP       tcp  --  anywhere             anywhere             tcp dpt:1723
IPSEC_DROP_SUBNET_ICMP  all  --  anywhere             anywhere
IPSEC_STRONGSWAN  all  --  anywhere             anywhere
 
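For readers decoding the dump above: the "|057961686f6f03636f6d|" in the udp dpt:domain STRING rules is the DNS wire-format encoding of yahoo.com (length-prefixed labels), and the ICASE flag makes the match case-insensitive. The following is an added example, not code from the thread or from the Merlin firmware, that reproduces that pattern from a domain name and emulates the substring check against a constructed DNS query so you can see which query names such a rule would catch.

```python
import struct


def dns_wire_name(domain: str) -> bytes:
    """Encode a domain as DNS wire-format labels: one length byte per label,
    followed by the label bytes. The terminating root byte (0x00) is omitted
    because the iptables pattern in the dump omits it too."""
    labels = domain.strip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)


def iptables_hex_pattern(domain: str) -> str:
    """Render the needle the way iptables -m string --hex-string displays it,
    e.g. yahoo.com -> |057961686f6f03636f6d|."""
    return "|" + dns_wire_name(domain).hex() + "|"


def build_dns_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed sample UDP payload for a standard DNS query (header plus one
    question) so the match can be exercised offline. qtype 1 = A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag, 1 question
    question = dns_wire_name(qname) + b"\x00" + struct.pack("!HH", qtype, 1)
    return header + question


def string_match(payload: bytes, domain: str, icase: bool = True) -> bool:
    """Emulate the STRING match: a plain substring search for the wire-format
    name anywhere in the payload. ICASE lowercases both sides, which only
    affects ASCII letters, so the length bytes (0x05, 0x03, ...) are untouched."""
    needle = dns_wire_name(domain)
    if icase:
        return needle.lower() in payload.lower()
    return needle in payload
```

Because the rule is a substring match, a query for any name that contains the "\x05yahoo\x03com" byte sequence is dropped: subdomains such as www.yahoo.com are caught (intended), but so is a name like yahoo.com.example, while yahoo.company.example is not.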
