Script to detect backup wan and disable certain devices from internet access


RandomUser777

Regular Contributor
FWIW,

I am just starting to dabble in scripting with ASUS routers. Many thanks to everyone who has made such AWESOME contributions (RMerlin, everyone behind AMTM, DualWanFailover, Diversion, etc).

In my trials to set up different types of wan access (failover, load balancing, etc), and running into issues with certain addons or native functions (AdGuard, DDNS) not behaving in certain dual-wan configs, I came up with a potential solution and tried to write a small script to do the following (as the subject says).

My main WAN is gigabit cable. My secondary is cellular LTE using ethernet (usually under 10mbps).

Whenever we are on cable, all devices can access the WAN.

Whenever on cell, I only want certain devices (voip adapter, home assistant box, security, a couple laptops, etc) to be able to use internet. Everything else (FireTV, kids devices, IoT) needs to be blocked to conserve bandwidth and data caps.

I found two ways to do this (probably many more exist).

When I use the DualWanFailover script (AWESOME WORK!!!!) to manage internet connectivity, I modify the firewall-start script to block WAN2 (eth0) from guests and devices with addresses above x.15.

#block LAN devices .16 to .255 from using WAN2 ETH0
iptables -I OUTPUT -s 192.168.50.16/28 -o eth0 -j DROP
iptables -I FORWARD -s 192.168.50.16/28 -o eth0 -j DROP
iptables -I OUTPUT -s 192.168.50.32/27 -o eth0 -j DROP
iptables -I FORWARD -s 192.168.50.32/27 -o eth0 -j DROP
iptables -I OUTPUT -s 192.168.50.64/26 -o eth0 -j DROP
iptables -I FORWARD -s 192.168.50.64/26 -o eth0 -j DROP
iptables -I OUTPUT -s 192.168.50.128/25 -o eth0 -j DROP
iptables -I FORWARD -s 192.168.50.128/25 -o eth0 -j DROP

#block guest network from WAN2 ETH0
iptables -I OUTPUT -s 192.168.101.0/24 -o eth0 -j DROP
iptables -I FORWARD -s 192.168.101.0/24 -o eth0 -j DROP
iptables -I OUTPUT -s 192.168.102.0/24 -o eth0 -j DROP
iptables -I FORWARD -s 192.168.102.0/24 -o eth0 -j DROP


---

However, I wanted to see if I could use the automatic failover capability of my LTE device. In this mode, the 2.5gb WAN port (eth5) from my AX86U-Pro is connected to the LAN port of the LTE modem. I connect my cable modem to the LTE modem WAN port, which can be set up to use cellular when the cable connection is down.

The problem with this is that no fixed iptables or routing can restrict device access like I mentioned above.

I needed to detect if the WAN hostname was from my cable company, or the cell carrier, and then disable or enable iptable rules accordingly.

The following is what I kludged together.

I created a main script testcellip.sh that runs every two minutes via the command cru a testcell "*/2 * * * * cd /jffs/scripts && /jffs/scripts/testcellip.sh"
This relies on a text file (banwanstat.txt) to track what the last run status/detection was.

Bash:
#!/bin/sh
# testcellip.sh - run from cron every two minutes. Detect whether the WAN is
# currently on cable or on the LTE fallback and adjust the iptables rules.

STATEFILE="banwanstat.txt"   # last detected state, "cable" or "cell" (cron cd's to /jffs/scripts)
WANIF="eth5"                 # router WAN port wired to the LTE modem's LAN port

# LAN ranges that may only reach the internet while the WAN is on cable
NETS="192.168.50.16/28 192.168.50.32/27 192.168.50.64/26 192.168.50.128/25 192.168.101.0/24 192.168.102.0/24"

wanhostname="$(curl --silent http://whatismyhostname.com/raw/hostname/)"
banwanstat="$(cat "$STATEFILE" 2>/dev/null)"

# An empty answer means the lookup failed, not that we are on cell: leave the rules alone
if [ -z "$wanhostname" ]; then
    logger -s "testcellip: hostname lookup failed, rules unchanged"
    exit 0
fi

# set_policy TARGET OPPOSITE: insert TARGET (ACCEPT or DROP) rules for every range,
# first deleting the OPPOSITE rule so rules do not pile up on every switch, then
# clear conntrack entries so established flows pick up the new policy.
set_policy() {
    for net in $NETS; do
        for chain in OUTPUT FORWARD; do
            iptables -D "$chain" -s "$net" -o "$WANIF" -j "$2" 2>/dev/null
            iptables -I "$chain" -s "$net" -o "$WANIF" -j "$1"
        done
        conntrack -D -s "$net" >/dev/null 2>&1
    done
}

if echo "$wanhostname" | grep -q -E "atlanticbb"; then
    if echo "$banwanstat" | grep -q -E "cable"; then
        echo "$wanhostname"
        echo "WAN on breezeline, devices ALREADY ALLOWED"
    else
        set_policy ACCEPT DROP
        echo "$wanhostname"
        echo "WAN on CABLE"
        echo "devices RESTORED"
        echo "cable" > "$STATEFILE"
    fi
elif echo "$banwanstat" | grep -q -E "cell"; then
    echo "$wanhostname"
    echo "WAN on CELL, devices ALREADY PROHIBITED"
else
    echo "$wanhostname"
    echo "WAN on CELL, devices WILL NOW BE PROHIBITED"
    set_policy DROP ACCEPT
    echo "Devices blocked from CELL"
    echo "cell" > "$STATEFILE"
fi
logger -s "testcellip has run"

Operation is simple. Detect if the hostname is from the cable provider, allow LAN devices if so (or do nothing if no change), otherwise block devices from WAN if they have not already been blocked.


I also created two scripts (allowcellip.sh and bancellip.sh) to manually override conditions.

allowcellip.sh
Bash:
#!/bin/sh
iptables -I OUTPUT -s 192.168.50.16/28 -o eth5 -j ACCEPT
iptables -I FORWARD -s 192.168.50.16/28 -o eth5 -j ACCEPT
iptables -I OUTPUT -s 192.168.50.32/27 -o eth5 -j ACCEPT
iptables -I FORWARD -s 192.168.50.32/27 -o eth5 -j ACCEPT
iptables -I OUTPUT -s 192.168.50.64/26 -o eth5 -j ACCEPT
iptables -I FORWARD -s 192.168.50.64/26 -o eth5 -j ACCEPT
iptables -I OUTPUT -s 192.168.50.128/25 -o eth5 -j ACCEPT
iptables -I FORWARD -s 192.168.50.128/25 -o eth5 -j ACCEPT

#allow guest network
iptables -I OUTPUT -s 192.168.101.0/24 -o eth5 -j ACCEPT
iptables -I FORWARD -s 192.168.101.0/24 -o eth5 -j ACCEPT
iptables -I OUTPUT -s 192.168.102.0/24 -o eth5 -j ACCEPT
iptables -I FORWARD -s 192.168.102.0/24 -o eth5 -j ACCEPT

#reset conntrack
conntrack -D -s 192.168.50.16/28
conntrack -D -s 192.168.50.32/27
conntrack -D -s 192.168.50.64/26
conntrack -D -s 192.168.50.128/25
conntrack -D -s 192.168.101.0/24
conntrack -D -s 192.168.102.0/24

echo "cable" > banwanstat.txt


bancellip.sh

Bash:
#!/bin/sh

iptables -I OUTPUT -s 192.168.50.16/28 -o eth5 -j DROP
iptables -I FORWARD -s 192.168.50.16/28 -o eth5 -j DROP

iptables -I OUTPUT -s 192.168.50.32/27 -o eth5 -j DROP
iptables -I FORWARD -s 192.168.50.32/27 -o eth5 -j DROP
iptables -I OUTPUT -s 192.168.50.64/26 -o eth5 -j DROP
iptables -I FORWARD -s 192.168.50.64/26 -o eth5 -j DROP
iptables -I OUTPUT -s 192.168.50.128/25 -o eth5 -j DROP
iptables -I FORWARD -s 192.168.50.128/25 -o eth5 -j DROP

#block guest network
iptables -I OUTPUT -s 192.168.101.0/24 -o eth5 -j DROP
iptables -I FORWARD -s 192.168.101.0/24 -o eth5 -j DROP
iptables -I OUTPUT -s 192.168.102.0/24 -o eth5 -j DROP
iptables -I FORWARD -s 192.168.102.0/24 -o eth5 -j DROP
conntrack -D -s 192.168.50.16/28
conntrack -D -s 192.168.50.32/27
conntrack -D -s 192.168.50.64/26
conntrack -D -s 192.168.50.128/25
conntrack -D -s 192.168.101.0/24
conntrack -D -s 192.168.102.0/24

echo "cell" > banwanstat.txt

echo "Devices blocked from CELL"

Posted in case this helps anyone, and in case there is a better way to do this.
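As an added example (not code from the post above), the same cable/cell decision factored into a pure function so it can be tested on any box, with a re-apply helper for /jffs/scripts/firewall-start, since a firewall restart on the router discards rules inserted by hand and would otherwise leave the LAN devices unrestricted on cell until the next cron run. The function names, the CABLE_PATTERN value and the absolute state-file path are assumptions for this example.

```shell
#!/bin/sh
# Pure decision logic of the cron script, separated from the iptables calls so it
# can be tested anywhere. Names (decide_action, install_rules, reapply_policy)
# and the cable-ISP pattern are assumptions made for this example.

CABLE_PATTERN="atlanticbb"                 # substring identifying the cable ISP's hostname
STATEFILE="/jffs/scripts/banwanstat.txt"   # last applied state: "cable" or "cell"
WANIF="eth5"
NETS="192.168.50.16/28 192.168.50.32/27 192.168.50.64/26 192.168.50.128/25 192.168.101.0/24 192.168.102.0/24"

# decide_action HOSTNAME LASTSTATE -> prints allow | block | noop | skip
#   skip : lookup returned nothing, so the WAN is unknown; do not guess, change nothing
#   noop : the rules already match the detected WAN
decide_action() {
    host="$1"; last="$2"
    [ -z "$host" ] && { echo skip; return 0; }
    case "$host" in
        *"$CABLE_PATTERN"*) [ "$last" = "cable" ] && echo noop || echo allow ;;
        *)                  [ "$last" = "cell" ]  && echo noop || echo block ;;
    esac
}

# install_rules ACTION: for allow/block, install the matching target for every
# restricted range, removing the opposite rule first so rules never accumulate.
install_rules() {
    case "$1" in
        allow) target=ACCEPT; other=DROP ;;
        block) target=DROP;   other=ACCEPT ;;
        *)     return 0 ;;                      # noop / skip: nothing to change
    esac
    for net in $NETS; do
        for chain in OUTPUT FORWARD; do
            iptables -D "$chain" -s "$net" -o "$WANIF" -j "$other" 2>/dev/null
            iptables -I "$chain" -s "$net" -o "$WANIF" -j "$target"
        done
        conntrack -D -s "$net" >/dev/null 2>&1   # drop flows established under the old policy
    done
}

# For /jffs/scripts/firewall-start: a firewall restart (e.g. on a WAN reconnect)
# discards rules inserted by hand, so reinstall the last decided state at once.
reapply_policy() {
    case "$(cat "$STATEFILE" 2>/dev/null)" in
        cell)  install_rules block ;;
        cable) install_rules allow ;;
    esac
}
```

The cron driver then becomes `install_rules "$(decide_action "$wanhostname" "$banwanstat")"` followed by writing the new state, and firewall-start just calls `reapply_policy`.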
 
