Un-BlockInternetAccess on non connected nodes

JEdu

New Around Here
Hello

1st: congratulations to Eric for this piece of software! Truly awesome.

The question: I have been searching for a while and I am not able to get a solution... (ASUS RT-AC88U, with 380.63 and two previous ones also...)

If I "Block Internet Access", in the pop-up that appears after selecting a client icon in the "Network Map" -> "Client Status List", I can only unblock it if it is connected...

Is there a way to "unblock the internet access" from the GUI or the command line if the client is not connected?

Best regards and thank you

Eduardo
 
If I "Block Internet Access", in the pop-up that appears after selecting a client icon in the "Network Map" -> "Client Status List", I can only unblock it if it is connected...

Is there a way to "unblock the internet access" from the GUI or the command line if the client is not connected?

When Internet access is disabled for a device, it appears it is implemented using modified NVRAM variables and by MAC address - with blocking rules added to three CHAINS.

I suppose the Internet block could therefore be bypassed if MAC spoofing was used? And if this is the case, should the blocked MAC device never ever reconnect, then the NVRAM used to implement the Internet block is effectively wasted; although on the plus side, should the blocked MAC device ever reconnect in the future then it should still remain blocked - even after a router reboot?

Code:
e.g. Sample Android device SGS5 which uses MAC DE:AD:DE:AD:DE:AD was blocked by the GUI popup:

admin@RT-AC68U:/jffs/scripts# iptables --line -t filter -nvL FORWARD

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination    
1      175 10484 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MAC DE:AD:DE:AD:DE:AD
2        0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0      
3        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0      
4      614  117K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
5        0     0 logdrop    all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0      
6        0     0 logdrop    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state INVALID
7       87  6888 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0      
8      183 10926 NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0/0      
9        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT


admin@RT-AC68U:/jffs/scripts# iptables --line -t nat -nvL PREROUTING

Chain PREROUTING (policy ACCEPT 3320 packets, 451K bytes)
num   pkts bytes target     prot opt in     out     source               destination    
1        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
2      178  7768 VSERVER    all  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx  
3      362 29622 PCREDIRECT all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MAC DE:AD:DE:AD:DE:AD
4      213 13979 DNSVPN1    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
5       19  1140 DNSVPN1    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53


admin@RT-AC68U:/jffs/scripts# iptables --line -t nat -nvL PCREDIRECT

Chain PCREDIRECT (1 references)
num   pkts bytes target     prot opt in     out     source               destination    
1       35  2100 DNAT       tcp  --  br0    *       0.0.0.0/0           !10.88.8.0/24         tcp dpt:80 MAC DE:AD:DE:AD:DE:AD to:10.88.8.1:18099

and several (GUI) NVRAM variables were modified....

Code:
MULTIFILTER_DEVICENAME=SGS5
MULTIFILTER_ENABLE=1
MULTIFILTER_MAC=DE:AD:DE:AD:DE:AD
MULTIFILTER_MACFILTER_DAYTIME=<


So for my example, the following appropriate iptables delete commands 'reinstate' Internet access for the disconnected device (although until it reconnects it can't be proved! :D )

Code:
admin@RT-AC68U:/jffs/scripts# iptables -t filter -D FORWARD    1
admin@RT-AC68U:/jffs/scripts# iptables -t nat    -D PREROUTING 3
admin@RT-AC68U:/jffs/scripts# iptables -t nat    -D PCREDIRECT 1

and resetting the NVRAM variables should? ensure that the GUI status/icons match the reinstated Internet access:

Code:
nvram set MULTIFILTER_DEVICENAME=
nvram set MULTIFILTER_ENABLE=
nvram set MULTIFILTER_MAC=
nvram set MULTIFILTER_MACFILTER_DAYTIME=

However, care must be taken if there are multiple devices that are blocked i.e. the NVRAM variables should be updated carefully!

Code:
MULTIFILTER_DEVICENAME=SGS5>TL-SG2008-1
MULTIFILTER_ENABLE=1>1
MULTIFILTER_MAC=DE:AD:DE:AD:DE:AD>FA:DE:FA:DE:FA:DE
MULTIFILTER_MACFILTER_DAYTIME=<><

if only the disconnected SGS5 device is to be manually removed, the NVRAM variables should be altered as follows:

Code:
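# Keep only the second device's entries; "<" is quoted so the shell does not treat it as a redirect
nvram set MULTIFILTER_DEVICENAME=TL-SG2008-1
nvram set MULTIFILTER_ENABLE=1
nvram set MULTIFILTER_MAC=FA:DE:FA:DE:FA:DE
nvram set MULTIFILTER_MACFILTER_DAYTIME="<"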

EDIT: Eventually I did find how to remove the blocking via the GUI o_O

http://www.snbforums.com/threads/un-blockinternetaccess-on-non-connected-nodes.35617/#post-290012

Regards,
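
The multi-device edit described in the post above can be scripted so that every MULTIFILTER_* list loses the same position. This is an added example, not code from the thread or the firmware. It assumes the router's `nvram get`/`set`/`commit` commands and an `awk` on the router; the function names are hypothetical, and the three iptables rules still have to be deleted separately.

```sh
#!/bin/sh
# Added example: remove one device from the '>'-delimited MULTIFILTER_* lists.
# Function names are hypothetical; variable names are those shown in the thread.

# index_of LIST MAC: print the 1-based position of MAC in LIST (case-insensitive).
# Returns non-zero when the MAC is not in the list.
index_of() {
    printf '%s\n' "$1" | awk -F'>' -v want="$2" '
        { for (i = 1; i <= NF; i++)
              if (toupper($i) == toupper(want)) { print i; found = 1; exit } }
        END { exit !found }'
}

# drop_field LIST N: print LIST without its Nth '>'-separated entry.
drop_field() {
    printf '%s\n' "$1" | awk -F'>' -v n="$2" '
        { out = ""; sep = ""
          for (i = 1; i <= NF; i++)
              if (i != n) { out = out sep $i; sep = ">" }
          print out }'
}

# unblock_mac MAC: run on the router. Looks the MAC up once, then removes
# that same position from all four lists so they stay aligned.
unblock_mac() {
    idx=$(index_of "$(nvram get MULTIFILTER_MAC)" "$1") || {
        echo "$1 is not in MULTIFILTER_MAC" >&2
        return 1
    }
    for var in MULTIFILTER_DEVICENAME MULTIFILTER_ENABLE \
               MULTIFILTER_MAC MULTIFILTER_MACFILTER_DAYTIME; do
        nvram set "$var=$(drop_field "$(nvram get "$var")" "$idx")"
    done
    nvram commit   # assumption: the change should survive a reboot
}

# Constructed demo using the two-device listing from the thread (no nvram needed).
demo_macs='DE:AD:DE:AD:DE:AD>FA:DE:FA:DE:FA:DE'
demo_idx=$(index_of "$demo_macs" 'de:ad:de:ad:de:ad')
echo "MULTIFILTER_MAC=$(drop_field "$demo_macs" "$demo_idx")"
echo "MULTIFILTER_MACFILTER_DAYTIME=$(drop_field '<><' "$demo_idx")"
```

On the router, the call would be `unblock_mac DE:AD:DE:AD:DE:AD`; it refuses to touch NVRAM when the MAC is not listed.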
 
Done! Thank you... I think this could be a good addition to the GUI...

Best regards

Eduardo
 
Done! Thank you... I think this could be a good addition to the GUI...

Best regards

Eduardo

Err, embarrassingly it already is in the GUI? :oops:

After the disconnected blocked device no longer appears in the Network Map Client Status panel list, navigate to AiProtection->Parental Control->Time Scheduling page.

The blocked device is shown and if you click the icon it shows as 'offline' in the pop-up window.

Subsequently you can click the delete icon and the 3 iptables rules and the NVRAM variables are removed as expected!
 
Err, embarrassingly it already is in the GUI? :oops:

After the disconnected blocked device no longer appears in the Network Map Client Status panel list, navigate to AiProtection->Parental Control->Time Scheduling page.

The blocked device is shown and if you click the icon it shows as 'offline' in the pop-up window.

Subsequently you can click the delete icon and the 3 iptables rules and the NVRAM variables are removed as expected!
And so intuitive! ;)
 
Err, embarrassingly it already is in the GUI? :oops:

After the disconnected blocked device no longer appears in the Network Map Client Status panel list, navigate to AiProtection->Parental Control->Time Scheduling page.

Well... I didn't think I was actually acting parentally:)

Perhaps an informational note on the Pop-Up indicating this would be very welcome... It could be either in the Title (Block Internet Access - AIP - Parental control) or in the "bubble"

Thank you

Eduardo
 
