Network Services Filter - rules don't persist?

[DeejUK]

Hi folks,

Should I be able to add Network Service Filter rules when I've got Parental Controls enabled?

I've got a GT-AX11000 running 3004.388.4_0_rog. I've got Parental Controls enabled to stop one machine being able to access adult content and instant messaging stuff, and then disallowing all access after a certain time (a child's 'homework' laptop). I'd like to be able to restrict to Hikvision CCTV cameras from establishing any outbound connections, as I don't trust them not to have backdoors in. I figured that I could use Network Services Filter for this.

Whenever I try adding rules to Network Services Filter, I can add them using the little + button, but when I click apply the rules have disappeared on the refreshed page. I don't see anything in the System Log page.

I've also got Diversion and Skynet running, so I don't know if they're incompatible with Network Services Filter?

Any suggestions on how to debug or achieve equivalent outcomes would be most gratefully received.

 

[ColinTaylor]

Are you using CIDR notation in the rule?

Release - Asuswrt-Merlin 3004.388.4 is now available

Did a fresh and clean install (Hard & Factory reset) on my RT-AX86U. All my devices and even the printer works again good. I use SC. What mean SC?

www.snbforums.com

 

[bennor]

Whenever I try adding rules to Network Services Filter, I can add them using the little + button, but when I click apply the rules have disappeared on the refreshed page. I don't see anything in the System Log page

There are a number of past discussions about Network Services Filter not working properly. For the latest few posts about the issue see Colin's link above where there is talk about CIDR.

Search results for query: network services filter

www.snbforums.com

A few past discussions:

Solved - Network services filter issue - AX86U Pro - ASUSWRT

I hope I am in the right subforum - if not let me know I have an issue with a brand new Asus AX86U Pro. I come from a good old AC68U that has been rock steady for almost a decade. I had that same setup on that with no issue. What I try to achieve: I have a Synology NAS that is configured to...

www.snbforums.com

Unable to edit Firewall - Network Services Filter Table on RT-AX88U Pro (fw. 388.3)

Hello! Unable to edit Firewall - Network Services Filter Table on RT-AX88U Pro (fw. 388.3). Trying delete existing record inside Firewall - Network Services Filter Table, (when Apply buttons, after Applying Settings...) but nothing happen, deleted record still in the table. No error messages...

www.snbforums.com

 

[DeejUK]

Thanks folks. I am indeed trying to enter a CIDR for the destination range.

Any idea how I could check whether changes are actually persisted and it's a UI issue, or that they're definitely not getting saved? IE, where on the router filesystem does this config live?

Apologies for not seeing the prior threads. I did try a quick search, but didn't find those ones.

 

[ColinTaylor]

I'm pretty sure the changes aren't being applied at all due to a GUI bug. You can verify that with the following command:

nvram get filter_lwlist

Until there's an updated firmware I suggest you enter the addresses individually.

 

[DeejUK]

I tried a rule without CIDRs and that worked fine, so it looks like I'm being hit by the same bug as others.

 

[DeejUK]

Until there's an updated firmware I suggest you enter the addresses individually.

Thanks for the pointer on that command. I want to block _all_ outbound connections for only two devices, so that might take a long time if I need to do it individually Is there any other way I could skin this particular feline do you think?

 

[ColinTaylor]

I want to block _all_ outbound connections for only two devices...

So two devices = two rules? What am I missing?

Perhaps if you posted a screenshot of the whole of the Network Services Filter page including the rule you're trying to add just before you apply it, it would be more clear.

 

[DeejUK]

Sorry, maybe I'm being thick. I want to ban two devices from _all_ outbound connections. If I can't use CIDRs, wouldn't I need one rule for every possible destination IP address? Or can I just leave that field empty? Again, sorry for newbidity.

 

[ColinTaylor]

I'm assuming you're using a Deny List. Leaving an address or port field empty is the equivalent of "all".

 

[DeejUK]

I'm assuming you're using a Deny List. Leaving an address or port field empty is the equivalent of "all".

Yay! That's exactly what I was hoping for. The help text at the top kinda hints at this, but is very poorly worded (eg: "if you do not want the device to use the Internet service, key in 80 in the destination port" ).

 

[mgr]

Alternatively, you can exclusively define _all_ services (i.e. all ports) by putting 1:65535 . But leaving empty should be the same.

 

[parkuozi]

As of today 12/31/2023 the "Network services Filter" Tab is now fixed in the Firmware and is now working.

I downloaded Firmware Version: 3.0.0.4.388_24231 on my RT-AX86U and the Network Service Screen is now working thanks to all who researched this and reached out to the ASUS Team to report the issue. A big thanks to the ASUS team for fixing this. Hope you keep monitoring these Boards and fix this sooner in the future.

BTW I had to force update the router as a normal pull failed to retrieve the new version. I also noticed ASUS RT-AC68U is on Firmware version 3.0.0.4.386_51668. Not sure if this would break my RT-AX86U
https://www.asus.com/us/networking-...ters/rtac68u/helpdesk_bios?model2Name=RTAC68U.


I do have the Original Factory Firmware and many of the suggestions above are specific to Merlin and do not work on the Factory Firmware. or I am not aware of how to make it work.

Happy New year to all.

 

[L&LD]

Note that Asus does NOT monitor these forums.