Openvpn connect LAN host that is blocked in Time Scheduling


B3V4C

New Around Here
I blocked certain MAC devices from accessing the Internet via AiProtection - Time Scheduling. Then I connect to the LAN via OpenVPN. But I cannot access these devices. I can access other devices that are not in the blocking list. My guess is that any WAN-related traffic from these devices is dropped due to the block rule, and since VPN traffic goes through the WAN, this traffic is dropped too.

How can I achieve both? Block these devices from the WAN but still be able to access them over the VPN.

Thanks
 
AiProtection is doing exactly what you told it to do: deny internet access. So much so that even remote access is denied. That's just the way most GUI-based blocking is implemented, and why I usually configure my own rules that block attempts by devices to initiate outbound connections, but still let them reply to remote access requests.

One way to get around the problem is to add a firewall rule that allows forwarding from the private network (br0) to the tunnel before any AiProtection rules are triggered.

Code:
iptables -I FORWARD -i br0 -o tun2+ -j ACCEPT

You can test using the shell (ssh). If it works, create a firewall-start script to make it permanent.
 
One way to get around the problem is to add a firewall rule that allows forwarding from the private network (br0) to the tunnel before any AiProtection rules are triggered.

Thanks, it works. Any side effect or potential security issues of having this forward?
 
Thanks, it works. Any side effect or potential security issues of having this forward?

The private network *could* initiate connections to the OpenVPN client and not just respond (reply) to it. So if you wanted to be uber careful, you could further qualify the rule.

Code:
iptables -I FORWARD -i br0 -o tun2+ -m state --state ESTABLISHED -j ACCEPT

But whether it's required/desirable is up to you, given it's your OpenVPN client. In the case of the WAN, you probably have no idea who the local device may be attempting to talk to, so you block access to it as a precaution.
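The two rules above are normally dropped into /jffs/scripts/firewall-start on Asuswrt-Merlin so they survive a firewall restart. The script below is an added example, not code from this thread or from the firmware: it wraps both variants so that re-running firewall-start never stacks duplicate rules and the "open" and "reply only" variants never coexist. It assumes the thread's interface names (br0 for the LAN, tun2+ for the OpenVPN client); the IPT, FW_MODE, LAN_IF and VPN_IF variables and the function names are introduced here.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent /jffs/scripts/firewall-start
# for Asuswrt-Merlin that inserts the br0 -> tun2+ FORWARD rule ahead of the
# AiProtection rules. Interface names follow the thread; the variable and
# function names below are assumptions made for this example.

IPT="${IPT:-iptables}"        # override for a dry run, e.g. IPT=echo
LAN_IF="${LAN_IF:-br0}"       # LAN bridge
VPN_IF="${VPN_IF:-tun2+}"     # OpenVPN client interfaces
# open  : LAN may also initiate connections to VPN peers (first rule in thread)
# reply : LAN may only answer connections opened from the VPN side (second rule)
FW_MODE="${FW_MODE:-reply}"

# Print the rule specification (chain + match + target) for a mode.
rule_spec() {
    case "$1" in
        open)  echo "FORWARD -i $LAN_IF -o $VPN_IF -j ACCEPT" ;;
        reply) echo "FORWARD -i $LAN_IF -o $VPN_IF -m state --state ESTABLISHED -j ACCEPT" ;;
        *)     echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Insert the rule at the top of FORWARD only if it is not already present.
# firewall-start is called on every firewall restart, so without the -C
# check each restart would add another copy of the rule.
ensure_rule() {
    spec=$(rule_spec "$1") || return 1
    # word splitting of $spec is intended: iptables wants separate arguments
    if $IPT -C $spec 2>/dev/null; then
        echo "rule already present: $spec"
        return 0
    fi
    $IPT -I $spec
}

# Delete every copy of the rule for a mode (no-op when none exists).
remove_rule() {
    spec=$(rule_spec "$1") || return 1
    while $IPT -C $spec 2>/dev/null; do
        $IPT -D $spec
    done
}

# Make the live ruleset match FW_MODE: drop the other variant, add this one.
apply_rules() {
    case "$FW_MODE" in
        open)  remove_rule reply && ensure_rule open ;;
        reply) remove_rule open && ensure_rule reply ;;
        *)     echo "FW_MODE must be open or reply" >&2; return 1 ;;
    esac
}

# Only touch the firewall when invoked as the firewall-start hook itself;
# sourcing the file elsewhere just defines the functions for a dry run.
case "$0" in
    *firewall-start) apply_rules ;;
esac
```

After installing it (chmod a+rx /jffs/scripts/firewall-start), confirm placement with `iptables -L FORWARD -v -n --line-numbers`: the rule must sit above whatever AiProtection inserted, which is why the script uses `-I` rather than `-A`. The "reply" mode uses only ESTABLISHED, exactly as in the thread; adding RELATED would also let ICMP error messages for those connections pass back to the tunnel.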
 
AiProtection is doing exactly what you told it to do: deny internet access. So much so that even remote access is denied. That's just the way most GUI-based blocking is implemented, and why I usually configure my own rules that block attempts by devices to initiate outbound connections, but still let them reply to remote access requests.

One way to get around the problem is to add a firewall rule that allows forwarding from the private network (br0) to the tunnel before any AiProtection rules are triggered.

Code:
iptables -I FORWARD -i br0 -o tun2+ -j ACCEPT

You can test using the shell (ssh). If it works, create a firewall-start script to make it permanent.
Sorry to dig up an old thread, but is there any way to accomplish this through the UI instead of a script?
 
Sorry to dig up an old thread, but is there any way to accomplish this through the UI instead of a script?

AFAIK, all built-in firewall protection is UNCONDITIONAL. It never takes into account the need to block internet access *except* when replying to inbound requests from remote access. When you tell it to block a local IP's access to the internet, it's total. No exceptions.

As I said before, that's why I rarely use the GUI for such purposes. The GUI can be a great tool, a time saver, help hide messy details, etc. And it makes certain assumptions that work 95% of the time. But for that other 5% (like you), that's when it tends to break down, and you have to resort to scripting.
 
Thanks for your time. I guess I avoided delving into this script business long enough... time to start reading.
 