Network Services Filter: how can I block internet access only at specific times?

Discussion in 'Asuswrt-Merlin' started by anoukaimee, Oct 14, 2016.

  1. anoukaimee

    anoukaimee Occasional Visitor

    Joined:
    Jul 24, 2016
    Messages:
    43
    Forgive me if this has been addressed elsewhere, but I've searched everywhere in this subforum and found nothing (current, at least) that has helped me fix this.

    My goal is to block only internet on one device from TIME 1 to TIME 2 (ideally, 10p to 6p, but I'm not sure if that's possible given that times need to be entered for the day; 0:00-18:00 would be okay if not). I want to be able to access the LAN and seed torrents on a private tracker during that time.

    This is the post most on point, but it is from two years ago and I haven't seen anything that I can interpret, either on Merlin's wiki or here, saying that the firmware has been changed.

    Following those steps to the best of my ability (I am really a newbie), I still can't get it to work. Someone more recently said it didn't work, but then added that she power cycled her router or something and then got it working. Neither method worked for me.

    I turned off the parental controls because of what was reported to be an inability to use both that service and the services filter (is that still the case?). I first tried it as described in the post above: client ip entered correctly, next two boxes blank (port range and destination IP), and then 80 for port range, with two separate entries for TCP and UDP.

    config 1.PNG

    That didn't work, so I tried putting in two more entries for port 8080:

    config 1.PNG

    URL, keyword, and IPv6 firewalls all disabled, too, but main firewall enabled:
    merlin main firewall page.PNG

    Two notes: I am having problems setting the time on the router using us.ntp.pool.org. I tried leaving it alone, entering in us.ntp.pool.org, entering in different server addresses on Pacific Time (where I am), and even looked at this page for guidance (the site suggests that if you have a time server from your ISP, none of this is necessary...???) But in any case, it doesn't work at any time during the desired block time, not just the start or end, or begin early or late.

    Also, I am using HGG's fork (v. 380.59.1_HGG-FINAL), so I don't know if that has anything to do with it. And I have an RT56ACU.

    Anyone???? Know nothing of building scripts or Linux in general (though I'd be glad to take a stab if need be). Thank you!
     

  2. Nullity

    Nullity Very Senior Member

    Joined:
    Jul 17, 2014
    Messages:
    1,639
    Location:
    Appalachia
    Does the torrent client not support scheduling? I think rtorrent has that feature.
     
  3. anoukaimee

    Oh, it absolutely does. But the other part of my goal is blocking the internet during that period. My torrent client can't help with that :)
     
  4. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,776
    Location:
    UK
    In your screenshots you have "Enable Network Services Filter" set to "No".:confused: You have to turn it on to use it.
     
  5. anoukaimee

    Yes, sorry, it was actually on when I was using it. I did a "recreation" of the way it was set, since the client device is my laptop and I don't have another computer.

    Didn't think it could be that easy :) Sorry.
     
  6. ColinTaylor

    @anoukaimee

    Regarding the NSF/Parental Control bug. John fixed that very recently in his fork but I don't know whether anyone else picked that up, so it's best to assume that it hasn't been fixed in your firmware.

    If you want to block "internet" (i.e. web or www) access that usually means port 80 (http) and port 443 (https). Try blocking 443 as well as 80.
     
  7. anoukaimee

    Thanks @ColinTaylor. I tried your suggestion last night; please see the screenshot. I think I have everything as per your instruction.

    ASUS Wireless Router RT-AC56U - Network Services Filter.png

    It still didn't work.

    Note too that I have two devices that I'm trying to block now: my laptop (192.168.1.23) and the range extender I use (192.168.1.250). My best friend in the upstairs apartment is letting me use his internet (he's using my ASUS RT-AC56U above), and I'm using a Netgear EX6200 to get a decent signal downstairs. But I can get a signal, albeit weaker, without the range extender, so I am applying these rules to both.

    Could this have something to do with a need to clear the NVRAM or something? I rebooted, power-cycled, everything, and it just isn't taking.

    I've also been using the Google-made Data Saver plug in, which is some sort of proxy, see here. Could that mess things up? Or could there be other ports in operation here? I'm at a total loss.

    Also, would you suggest setting a static address for my pc? If not, just ignore the following.

    I've done it before, but really need to bone up on how to do it system-wide (you need to for all devices for it to work optimally, right?) because I don't want to impact my friend's access to the internet. But I have tried setting up static ips (didn't keep because didn't have time to research thoroughly how to implement systemwide) and manually assigning the pc an address through the router. Here's how the DHCP page currently looks (without anything assigned, but with it enabled). Are any of the settings off?

    ASUS Wireless Router RT-AC56U - DHCP Server.png

    I compiled a list of the IP addresses of my pc and there have been at least three different ones assigned. And the ASUS Merlin build I'm using currently perceives my laptop to be a Sony Playstation 2; it was an xbox before, and had no configuration set before (is a common Toshiba Satellite). Moreover, the MAC address has changed three times. Note it AGAIN changed today, but the test was the night before. And I just set the network services filter to add blocking UDP/TCP on 80 and 443 for this new 192.168.1.221 and it still doesn't work. Sigh.

    See the attached table if you think this might be part of the issue.

    configured jesspc ip addresses etc.PNG

    Thank you for taking the time, really.

    AH: just read that MAC address can change when you update your adapter. Which I did. Is that what is making my IP address change, too (in addition to all the fiddling with static/assigned/etc. configurations)?
     
  8. ColinTaylor

    Could this have something to do with a need to clear the NVRAM or something? - No you should be fine.

    I've also been using the Google-made Data Saver plug in - As far as I can tell this is a proxy for port 80 so I think it should be OK

    Also, would you suggest setting a static address for my pc? - Yes definitely. You don't need to set up fixed IP's for everything, only the devices you are interested in. Everything else can just be left to sort themselves out. Each hardware network interface has its own globally unique MAC address that doesn't change. If you change the network card in your PC that card will have its own different MAC address.

    That said, it's possible that when you connect through the Netgear the router is seeing the Netgear's MAC address instead of the client device. The first thing you must do is determine if this is the case. If it is then you won't be able to do what you want.

    Look at the "network properties" for the wireless network card on one of your PCs. You should see its MAC address. Now disconnect and reconnect this device to the range extender. Now look at the syslog on the Asus. You should see an entry for it asking for a DHCP address. Note the MAC address in the syslog. Is it the same as the one you found earlier?

    Edit: Also remember that if your device has both a wired and a wireless adapter they will have different MAC addresses and therefore DHCP will give each of them a different IP address.
     
    Last edited: Oct 19, 2016
  9. anoukaimee


    Jeez, so sorry for getting back late. Lots of stuff going on, but inconsiderate, sorry!

    I did what you asked and yes, you are right:

    When I'm connected via wifi to the main SSID, my jesspc laptop reflects the correct MAC address (32:02:86:68:A9:C5). When I'm connected via wifi to the S5 range extender, I have a different MAC address entirely (range extender is 02:0F:B5:96:76:F2; jesspc client is 02:0F:B5:68:A9:C5). Same deal with connected to range extender via ethernet.

    I set up static ips for the jesspc client for both wifi and ethernet, and made sure all was good. But like you said, the static ips now will have two MAC addresses. Argh.

    But since Network Services Filter acts on the Client IP address, not the MAC, should this matter? In other words, if I have it enabled on both my range extender and my (now static ip) laptop, does the MAC matter?

    If so, is there any way to get around this using IP tables or something? Or would it be advisable to change to a different firmware? This is kind of a sine qua non for me: some "internet addiction issues," if you will, and need to be able to totally turn off late at night etc.

    Thanks, Colin. If you don't mind still helping me out with this would be lovely.
     
    Last edited: Nov 1, 2016
  10. ColinTaylor

    OK, this is just a guess but looking at the MAC addresses it appears that devices connected through the range extender have their first 3 octets replaced with 02:0F:B5. So in your case 32:02:86:68:A9:C5 becomes 02:0F:B5:68:A9:C5.

    So what you need to do (if you haven't already) is create 2 DHCP reservations with different IP addresses, one for 32:02:86:68:A9:C5 and one for 02:0F:B5:68:A9:C5. Say, 192.168.1.100 and 192.168.1.101.

    Having done that, then check that the laptop is getting the correct IP addresses by first powering off/on the laptop and connecting to each access point in turn. Check the syslog on the router to confirm the IP address.

    If all is well then you should be able to create your NSF rules as normal but duplicating everything for the second IP address.
     
  11. anoukaimee

    Yes, I think you are absolutely right. In fact, looked at the Netgear site and they pretty much said that ("virtual MAC address"?).

    Ok; want to make sure I'm understanding the terminology.

    Go into LAN>DHCP SERVER and then "Manually Assigned IP around the DHCP list." Then choose unassigned IP addresses, one for each of these MAC addresses:

    actual MAC for WiFi (32:02:86:68:A9:C5)
    virtual MAC for WiFi (02:0F:B5:68:A9:C5)
    actual MAC for Ethernet
    virtual MAC for Ethernet

    and then enter those all into network services filter...

    Right?

    One quick one: will entering the two static addresses (the actuals for Wifi/Ethernet) into the "manually assigned" list mess anything else? Should I revert to dynamic?

    Thanks!
     
  12. ColinTaylor

    Yeah, I just found that stuff about "virtual" MAC addresses on the NetGear site :rolleyes:.

    Yes you are correct about setting up the DHCP server.

    Although I'm not sure what the "Ethernet" connection is you refer to. Presumably it's a wired connection to the NetGear? Does that get a virtual MAC address in the same format as well?

    I'm guessing that you can't get a wired connection direct to the Asus in which case the Asus will never see the "real" MAC address (so you don't need to create an entry for that).

    Sorry, you've lost me. You can have up to 128 static addresses. Just make sure that each MAC address is assigned a different IP address, then there are no conflicts. The router is clever enough to not give out those reserved addresses to any other DHCP clients on your network.
     
  13. anoukaimee

    Ok great. The problem here, of course, is that a static ip address is going to have a different MAC address depending on whether it is going to the router via my range extender or a direct connection (like we talked about). So, for instance, my pc (192.168.1.221) is picked up with that IP address whether I'm connected directly to the router (when the true MAC of 34:02:86:68:A9:C5 is picked up), AND when I connect via the range extender (virtual--34:02:86:68:A9:C5). So if I am using a static address and I try to enter it in twice (even renaming them, e.g., "pcrealmac" and "pcvirtualmac") with the same IP, the DHCP reservation thing won't let me re-enter it.

    So would it be better to just go dynamic? That's going to screw up my port forwarding (for p2p) but if it's necessary, so be it.

    But if it is just a means to an end to let me put the damn MAC in the port firewall, that's cool--I'll just make up an IP address. Assuming that the filter will recognize it based on the MAC and not the IP...

    So what I'm saying is that I either have to change my IP config for my laptop to dynamic to enter in the two MAC ports, or the filter needs to operate just on the MAC address, not the IP. Do you know if the Network Services Filter goes solely by MAC; if the wrong IP is associated with it (in the DHCP routing table) will things be screwed up?

    And yes, a wired connection to the range extender gets a virtual MAC, too. :)

    Why oh why must we have these virtual MACS (that's rhetorical: I really don't want to know lol).
     
  14. ColinTaylor

    OK I get it now.

    Yes, you must change the network interfaces on your clients to be dynamic to do what we've been talking about. TBH I'd assumed they were already. Sorry, it never occurred to me that someone would want to manually set each network interface (wired and wireless) on each client. But yes, that would avoid the need to create DHCP reservations (but you might have a problem with local name resolution).

    IMHO The only things I would normally consider not using DHCP for are servers.

    No, the NSF doesn't work with MAC addresses, only IP addresses. That is why it's so important to get the reservations set up correctly in DHCP. If a client ends up with a different IP address it will bypass the NSF.

    UPDATE: Whilst it is sometimes possible to set up two different interfaces (wired and wireless) on the same computer with the same IP address I would strongly suggest you don't. It can lead to all sorts of other problems in the future.
     
    Last edited: Nov 1, 2016
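
Added example, not part of the original thread or any poster's code: because the Network Services Filter matches on IP address only, this check reads the router's DHCP log and reports any lease, under the laptop's real MAC or its extender-rewritten MAC, that landed on an address with no filter rule. It assumes dnsmasq's `DHCPACK(<iface>) <ip> <mac>` log format and the 02:0F:B5 prefix substitution guessed at in the thread; the function names and the sample log lines are constructed for illustration.

```python
import re

# Prefix the extender puts in place of the first three octets (from the thread).
EXTENDER_PREFIX = "02:0f:b5"
MAC_RE = r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}"
# Assumed dnsmasq lease log format: DHCPACK(<iface>) <ip> <mac> [hostname]
DHCPACK_RE = re.compile(
    r"DHCPACK\([^)]+\)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<mac>" + MAC_RE + ")"
)

def normalize_mac(mac):
    mac = mac.strip().replace("-", ":")
    if not re.fullmatch(MAC_RE, mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac.lower()

def virtual_mac(real_mac, prefix=EXTENDER_PREFIX):
    """MAC the router sees when the client connects through the extender."""
    return prefix + normalize_mac(real_mac)[8:]

def audit_leases(syslog_lines, real_macs, filtered_ips):
    """Return (mac, ip, reason) for each watched MAC that would escape the filter."""
    watched = {}
    for real in real_macs:
        watched[normalize_mac(real)] = "real"
        watched[virtual_mac(real)] = "virtual"
    latest = {}
    for line in syslog_lines:
        m = DHCPACK_RE.search(line)
        if m:
            latest[m["mac"].lower()] = m["ip"]  # a later lease replaces an earlier one
    findings = []
    for mac, kind in sorted(watched.items()):
        ip = latest.get(mac)
        if ip is None:
            findings.append((mac, None, f"{kind} MAC never leased; connect that way and re-check"))
        elif ip not in filtered_ips:
            findings.append((mac, ip, f"{kind} MAC got an address with no filter rule"))
    return findings

# Constructed sample log lines (not from the thread).
SAMPLE_SYSLOG = [
    "Nov  1 21:02:11 dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.100 32:02:86:68:a9:c5 jesspc",
    "Nov  1 21:09:40 dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.187 02:0f:b5:68:a9:c5 jesspc",
]
FILTERED_IPS = {"192.168.1.100", "192.168.1.101"}  # addresses that have filter rules

if __name__ == "__main__":
    for mac, ip, reason in audit_leases(SAMPLE_SYSLOG, ["32:02:86:68:A9:C5"], FILTERED_IPS):
        print(mac, ip, reason)
```

On the sample log the virtual MAC is reported at 192.168.1.187, the case where the reservation for the extender path is missing and the filter is bypassed.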
  15. ColinTaylor

    Just to clarify something;

    You said earlier "Also, would you suggest setting a static address for my pc?", to which I answered Yes.

    I'm afraid I confused you there. :( I had mistakenly believed you were using the term "static" incorrectly, as most people do on this forum:rolleyes:. They refer to the reservation of IP addresses on the router as "static addresses" (which is misleading). But it looks like you have manually configured the network interfaces on your PC which is the proper definition of "static".

    My original answer was suggesting that you use the router to create "reserved" IP addresses based on the PC's MAC addresses. But as we just discussed, either way is valid. Either reserve IP addresses on the router for DHCP clients, or configure each client's network interface manually (static).

    Sorry for the confusion.
     
  16. anoukaimee


    Hey Colin! You are a GOD! It's working yay!

    What a cluster*#$% with the effing range extender, though. There are tons of posts on Netgear about this; many, many people are not happy with their implementation of these virtual MACs. It has utility, I guess, but causes problems, too. Other than that, I am really, really happy with the performance, tho.

    Ok, well hopefully won't have to keep bugging you about this every ten days or so :) Thanks so much. Really do appreciate it.

    And I didn't even know that there was another "take" on static ips. I mean, I do all my research on my own, and every site basically walks you through the steps on how to do 'em, and it's the "real way" that you describe.

    Anyway, thanks again.
     
  17. ColinTaylor

    Congratulations on getting it working. :cool::)

    Yes the confusion about the word "static" probably only applies to Asus users. I think it stems from the term appearing incorrectly in the GUI in the past.

    I was surprised to see NetGear using virtual MAC addresses, but then I haven't used their access points before. It is actually quite a clever solution to an inherent problem with access points. So whilst it is confusing, it does serve a useful purpose.;)