Network service filter does not work

dogf

Occasional Visitor
Hi,

I use Asus Merlin 386.9 on an AC3100 and tried Network Service Filter to block a LAN address from accessing a site, but it does not work, and I don't know why:


The LAN IP is 192.168.1.103, and the site address is 37.187.205.99. I think the port is 443, TCP. But it does not work.

I even changed the port to 1:65000, and it still does not work. Please help.

Thank you!
 
The LAN IP is 192.168.1.103, and the site address is 37.187.205.99
Both WAN IPs resolve to WAN domain names.

Not sure that the "Network Service Filter" will apply if a LAN device is accessing a WAN destination by domain name and not IP. In this case, a FireWall filter with the WAN domain name may be more appropriate.
 
The LAN IP is 192.168.1.103, and the site address is 37.187.205.99. I think the port is 443, TCP. But it does not work.
It appears you are trying to block HTTPS (port 443). If you want to block access to the lichess.org site you may need to include HTTP (port 80) as well. For example, the following settings block access to the lichess.org site (the two IP addresses you listed) for me. Remember to hit Apply to save the settings.
 
I'm having this problem too.

I only allow a few outgoing ports, yet in the System Log > Connections tab, I can see established connections that should not be possible. I have the latest firmware. I also have Skynet installed.
 
I'm having this problem too.

I only allow a few outgoing ports, yet in the System Log > Connections tab, I can see established connections that should not be possible. I have the latest firmware. I also have Skynet installed.

Are those connections from clients or from the router itself? The router can still initiate the connections it needs to (DNS, firmware checks, etc). If they are from clients, are you sure they are successful and not attempts?
 
Hi,

I use Asus Merlin 386.9 on an AC3100 and tried Network Service Filter to block a LAN address from accessing a site, but it does not work, and I don't know why:

The LAN IP is 192.168.1.103, and the site address is 37.187.205.99. I think the port is 443, TCP. But it does not work.

I even changed the port to 1:65000, and it still does not work. Please help.

Thank you!

As mentioned, leave the port blank. However websites can use many different IPs (once the entry is no longer cached the next lookup can get a different IP, or different clients can get different IPs if they're looking up to DNS directly). You may want to try URL filter instead.
 
Are those connections from clients or from the router itself? The router can still initiate the connections it needs to (DNS, firmware checks, etc). If they are from clients, are you sure they are successful and not attempts?
From clients. Like I said, I saw ESTABLISHED connections in the table. I even tested it with netcat. The connection was successful.
 
From clients. Like I said, I saw ESTABLISHED connections in the table. I even tested it with netcat. The connection was successful.

The router can establish connections too, that's why I asked for clarification. Skynet may be interfering with its own rules.
 
From clients. Like I said, I saw ESTABLISHED connections in the table. I even tested it with netcat. The connection was successful.
Post the output of iptables -nvL FORWARD
 
I should probably post the whole output.

That yazfi chain is allowing your guests to access the internet and not hit your filters. Basically permits all traffic destined to the WAN from the guest network wl0.1. It won't continue down to hit the NSFW filter once it has matched that. Are the connections you're seeing from the guest network(s)?

In reality they should probably have that 3rd line as RETURN
 
Are the connections you're seeing from the guest network(s)?
That was a guest network client I saw at first, but then I tested with a regular client and I could bypass the filters.

Edit: Oh wait... I did the test on the VPN network! I wish the network service filters applied to all.
 
That was a guest network client I saw at first, but then I tested with a regular client and I could bypass the filters.

Edit: Oh wait... I did the test on the VPN network! I wish the network service filters applied to all.
VPN comes before any filters, it can't apply to that. So the two combined are letting a lot of traffic bypass NSF. You could use a firewall script to modify Yazfi, and for VPN you need to do the filtering in the client.
 
VPN comes before any filters, it can't apply to that. So the two combined are letting a lot of traffic bypass NSF. You could use a firewall script to modify Yazfi, and for VPN you need to do the filtering in the client.
Why can't I modify the VPN rules on the router?
 
Why can't I modify the VPN rules on the router?

That's what I mean, within the VPN client on the router.

Of course you have to keep in mind, since you're allowing port 443 (which you have to) anyone can fire up an SSL VPN on their PC and bypass all your filtering. Only way to avoid that would be to install a blacklist of known VPN provider IPs and keep it updated. Not sure if one exists but I would assume there must be one somewhere.
 
That's what I mean, within the VPN client on the router.

Of course you have to keep in mind, since you're allowing port 443 (which you have to) anyone can fire up an SSL VPN on their PC and bypass all your filtering. Only way to avoid that would be to install a blacklist of known VPN provider IPs and keep it updated. Not sure if one exists but I would assume there must be one somewhere.
I'm talking about editing the router firewall rules directly with iptables. I don't see another way to do what I want via the router GUI if Network Service Filter doesn't work.

I don't worry about people bypassing the service rules. It's only my home network, but it does bother me when I see connections to unknown ports.
 
I'm talking about editing the router firewall rules directly with iptables. I don't see another way to do what I want via the router GUI if Network Service Filter doesn't work.

I don't worry about people bypassing the service rules. It's only my home network, but it does bother me when I see connections to unknown ports.

I know there are some complexities related to VPN and firewall, not sure if iptables happens before or after the VPN. If iptables does work, in theory all you'd have to do is move up the NSFW rule to above the VPN rule but it may make more sense to configure your VPN firewall directly using the config file or custom options in the GUI.

In fact if you move NSFW above the yazfi and VPN rules, then it should take care of both issues, but you need to check the rules after it to make sure the guest (wl0.1 and/or the subnet associated) are accounted for in those, and that nothing in those will interfere (i.e. blocking DHCP, dns, etc).

Another way, at least for the guest network, is to change the default accept in the yazfi chain to RETURN. However again, you need to check the rules that come after that to make sure they all account for wl0.1 and/or the associated subnet.

You can also look at using EBTABLES to filter stuff as it comes into the bridge interfaces. That may actually be your easiest solution as you can just apply a new policy as the default chains are usually empty (permit any). However without having yazfi I'm not sure how they're assigning interfaces to bridges etc. Should be doable though.
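The chain walk the last few replies describe (a YazFi ACCEPT short-circuiting FORWARD before the NSFW jump, moving NSFW above it, and turning the catch-all ACCEPT into RETURN), as an added example that is not part of the thread and not Asuswrt-Merlin or YazFi code. It parses a constructed `iptables -S` dump modelled on the thread (br0 LAN client 192.168.1.103, wl0.1 guest, tun11 VPN client, destination 37.187.205.99) with the semantics netfilter applies to user chains, terminal targets and RETURN, then re-runs the same packets against the two suggested fixes. The chain names `YazFi` and `NSFW`, the `-o tun11 -j ACCEPT` rule standing in for the VPN client's own rules, the guest subnet 192.168.2.0/24 and the second destination 198.51.100.10 are assumptions, not copied from a real router.

```python
"""Walk an `iptables -S` dump with netfilter's chain semantics to see which
rule decides a packet and whether the Network Services Filter chain (NSFW)
is ever reached.  Added example; not Asuswrt-Merlin or YazFi code."""
import ipaddress
import shlex
from dataclasses import dataclass

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed dump modelled on the thread.  Chain names, the tun11 ACCEPT
# standing in for the VPN client rules, and the guest subnet are ASSUMED.
YAZFI_CATCHALL = '-A YazFi -i wl0.1 -o eth0 -m comment --comment "YazFi" -j ACCEPT'
SAMPLE_DUMP = "\n".join([
    "-P FORWARD DROP",
    "-N YazFi",
    "-N NSFW",
    "-A FORWARD -j YazFi",
    "-A FORWARD -o tun11 -j ACCEPT",
    "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD -j NSFW",
    "-A FORWARD -i br0 -o eth0 -j ACCEPT",
    "-A YazFi -i wl0.1 -o eth0 -p udp -m udp --dport 53 -j ACCEPT",
    "-A YazFi -i wl0.1 -o br0 -j DROP",
    YAZFI_CATCHALL,
    "-A NSFW -d 37.187.205.99 -p tcp -m tcp --dport 443 -j DROP",
]) + "\n"


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    state: str = "NEW"


def parse_matches(tok):
    """Keep the option/value pairs this walker tests; `-m` module names and
    `--comment` carry nothing a packet has to satisfy here."""
    wanted = ("-i", "-o", "-s", "-d", "-p", "--dport", "--state", "-j")
    return {opt: val for opt, val in zip(tok[::2], tok[1::2]) if opt in wanted}


def parse_dump(text):
    """Return ({base chain: policy}, {chain: [(matches, rule line), ...]})."""
    policies, chains = {}, {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "-P":
            policies[tok[1]] = tok[2]
            chains.setdefault(tok[1], [])
        elif tok[0] == "-N":
            chains.setdefault(tok[1], [])
        elif tok[0] == "-A":
            chains.setdefault(tok[1], []).append((parse_matches(tok[2:]), line))
    return policies, chains


def matches(m, pkt):
    if m.get("-i", pkt.in_if) != pkt.in_if or m.get("-o", pkt.out_if) != pkt.out_if:
        return False
    if m.get("-p", pkt.proto) != pkt.proto:
        return False
    if "--dport" in m and int(m["--dport"]) != pkt.dport:
        return False
    if "--state" in m and pkt.state not in m["--state"].split(","):
        return False
    for opt, addr in (("-s", pkt.src), ("-d", pkt.dst)):
        if opt in m and ipaddress.ip_address(addr) not in ipaddress.ip_network(m[opt], strict=False):
            return False
    return True


def walk(policies, chains, chain, pkt):
    """Return (verdict, deciding rule).  A user chain that hits RETURN or runs
    off its end hands control back to the caller, which keeps evaluating."""
    for m, line in chains[chain]:
        if not matches(m, pkt):
            continue
        target = m["-j"]
        if target in TERMINAL:
            return target, line
        if target == "RETURN":
            break
        sub, why = walk(policies, chains, target, pkt)  # user-defined chain
        if sub in TERMINAL:
            return sub, why
    if chain in policies:  # base chain: the policy decides
        return policies[chain], f"policy {chain}"
    return "RETURN", None


def decide(dump, pkt):
    policies, chains = parse_dump(dump)
    return walk(policies, chains, "FORWARD", pkt)


def nsf_first(dump):
    """The state `iptables -D FORWARD -j NSFW; iptables -I FORWARD 1 -j NSFW`
    in a firewall-start script would leave behind."""
    lines = dump.splitlines()
    lines.remove("-A FORWARD -j NSFW")
    first = next(i for i, ln in enumerate(lines) if ln.startswith("-A FORWARD "))
    lines.insert(first, "-A FORWARD -j NSFW")
    return "\n".join(lines) + "\n"


def yazfi_return(dump):
    """The other suggestion: YazFi's catch-all ACCEPT becomes RETURN."""
    return dump.replace(YAZFI_CATCHALL, YAZFI_CATCHALL[: -len("ACCEPT")] + "RETURN")


LAN_TO_SITE = Packet("br0", "eth0", "192.168.1.103", "37.187.205.99", "tcp", 443)
GUEST_TO_SITE = Packet("wl0.1", "eth0", "192.168.2.50", "37.187.205.99", "tcp", 443)
GUEST_TO_OTHER = Packet("wl0.1", "eth0", "192.168.2.50", "198.51.100.10", "tcp", 443)
LAN_VIA_VPN = Packet("br0", "tun11", "192.168.1.103", "37.187.205.99", "tcp", 443)

if __name__ == "__main__":
    variants = (("as found", SAMPLE_DUMP),
                ("NSFW first", nsf_first(SAMPLE_DUMP)),
                ("NSFW first + YazFi RETURN", yazfi_return(nsf_first(SAMPLE_DUMP))))
    packets = (("LAN_TO_SITE", LAN_TO_SITE), ("GUEST_TO_SITE", GUEST_TO_SITE),
               ("LAN_VIA_VPN", LAN_VIA_VPN), ("GUEST_TO_OTHER", GUEST_TO_OTHER))
    for label, dump in variants:
        print(f"== {label}")
        for name, pkt in packets:
            verdict, why = decide(dump, pkt)
            print(f"  {name:15} {verdict:7} <- {why}")
```

Run as found, the plain LAN client is dropped by NSFW, while the guest and the VPN-routed client are accepted by the YazFi and tun11 rules before the NSFW jump is ever evaluated. With the jump moved to the top, both bypasses close and a guest going elsewhere is still accepted. The last variant shows the caveat from the reply above: once the YazFi ACCEPT is a RETURN, guest traffic comes back into FORWARD, nothing later accepts wl0.1, and it falls to the DROP policy, so a real firewall-start script that makes that change must also add an accept rule for the guest interface or subnet after the NSFW jump.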
 
