If I "Block Internet Access" in the pop-up that appears after selecting a client icon in the "Network Map" -> "Client Status List", I can only unblock it if it is connected...
Is there a way to unblock its Internet access from the GUI or the command line if the client is not connected?
When Internet access is disabled for a device, it appears it is implemented using modified NVRAM variables and by MAC address - with blocking rules added to three CHAINS.
I suppose the Internet block could therefore be bypassed if MAC spoofing was used? And if this is the case, should the blocked MAC device never ever reconnect, then the NVRAM used to implement the Internet block is effectively wasted; although on the plus side, should the blocked MAC device ever reconnect in the future then it should still remain blocked - even after a router reboot?
e.g. Sample Android device SGS5, which uses MAC DE:AD:DE:AD:DE:AD, was blocked by the GUI popup:
Code:
admin@RT-AC68U:/jffs/scripts# iptables --line -t filter -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 175 10484 DROP all -- br0 * 0.0.0.0/0 0.0.0.0/0 MAC DE:AD:DE:AD:DE:AD
2 0 0 ACCEPT all -- tun11 * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- tun21 * 0.0.0.0/0 0.0.0.0/0
4 614 117K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
5 0 0 logdrop all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
6 0 0 logdrop all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state INVALID
7 87 6888 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
8 183 10926 NSFW all -- * * 0.0.0.0/0 0.0.0.0/0
9 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
admin@RT-AC68U:/jffs/scripts# iptables --line -t nat -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 3320 packets, 451K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
2 178 7768 VSERVER all -- * * 0.0.0.0/0 xxx.xxx.xxx.xxx
3 362 29622 PCREDIRECT all -- br0 * 0.0.0.0/0 0.0.0.0/0 MAC DE:AD:DE:AD:DE:AD
4 213 13979 DNSVPN1 udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
5 19 1140 DNSVPN1 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
admin@RT-AC68U:/jffs/scripts# iptables --line -t nat -nvL PCREDIRECT
Chain PCREDIRECT (1 references)
num pkts bytes target prot opt in out source destination
1 35 2100 DNAT tcp -- br0 * 0.0.0.0/0 !10.88.8.0/24 tcp dpt:80 MAC DE:AD:DE:AD:DE:AD to:10.88.8.1:18099
and several (GUI) NVRAM variables were modified:
Code:
MULTIFILTER_DEVICENAME=SGS5
MULTIFILTER_ENABLE=1
MULTIFILTER_MAC=DE:AD:DE:AD:DE:AD
MULTIFILTER_MACFILTER_DAYTIME=<
So for my example, the following appropriate iptables delete commands reinstate Internet access for the disconnected device (although until it reconnects it can't be proved!)
Code:
admin@RT-AC68U:/jffs/scripts# iptables -t filter -D FORWARD 1
admin@RT-AC68U:/jffs/scripts# iptables -t nat -D PREROUTING 3
admin@RT-AC68U:/jffs/scripts# iptables -t nat -D PCREDIRECT 1
and resetting the NVRAM variables should (?) ensure that the GUI status/icons match the reinstated Internet access:
Code:
nvram set MULTIFILTER_DEVICENAME=
nvram set MULTIFILTER_ENABLE=
nvram set MULTIFILTER_MAC=
nvram set MULTIFILTER_MACFILTER_DAYTIME=
However, care must be taken if there are multiple devices that are blocked i.e. the NVRAM variables should be updated carefully!
Code:
MULTIFILTER_DEVICENAME=SGS5>TL-SG2008-1
MULTIFILTER_ENABLE=1>1
MULTIFILTER_MAC=DE:AD:DE:AD:DE:AD>FA:DE:FA:DE:FA:DE
MULTIFILTER_MACFILTER_DAYTIME=<><
If only the disconnected SGS5 device is to be manually removed, the NVRAM variables should be altered as follows:
Code:
nvram set MULTIFILTER_DEVICENAME=TL-SG2008-1
nvram set MULTIFILTER_ENABLE=1
nvram set MULTIFILTER_MAC=FA:DE:FA:DE:FA:DE
nvram set MULTIFILTER_MACFILTER_DAYTIME=<
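The multi-device case above is where hand editing goes wrong, because the four MULTIFILTER_* lists are positionally aligned and a '>' in a value must be quoted for the shell. Below is an added POSIX sh helper (my example, not from the post or the firmware) that drops one MAC from all four lists and derives matching iptables delete commands from 'iptables -S' output, deleting by rule specification instead of by rule number so indices do not shift while several devices are blocked. It assumes the four-variable layout shown in the post and prints the commands as a dry run; the sample list values are constructed from the post.

```shell
#!/bin/sh
# Print the 1-based position of MAC in the '>'-separated LIST (exit 1 if absent).
mf_index_of() {
    list=$1 mac=$2 i=0
    old_ifs=$IFS; IFS='>'; set -f
    for entry in $list; do
        i=$((i + 1))
        if [ "$entry" = "$mac" ]; then IFS=$old_ifs; set +f; echo "$i"; return 0; fi
    done
    IFS=$old_ifs; set +f
    return 1
}

# Print LIST with the field at 1-based position IDX removed (empty if none left).
mf_remove_index() {
    list=$1 idx=$2 out="" i=0
    old_ifs=$IFS; IFS='>'; set -f
    for entry in $list; do
        i=$((i + 1))
        [ "$i" -eq "$idx" ] && continue
        out="${out}${out:+>}${entry}"   # keeps '<' daytime markers and '>' separators intact
    done
    IFS=$old_ifs; set +f
    printf '%s\n' "$out"
}

# Print the 'nvram set' commands that remove MAC from all four lists.
# On the router pass "$(nvram get MULTIFILTER_...)" for each list, pipe the
# output to sh, then run 'nvram commit' so the change survives a reboot.
# Values are single-quoted because '>' would otherwise be a shell redirection.
mf_unblock_commands() {
    mac=$1 names=$2 enables=$3 macs=$4 daytimes=$5
    pos=$(mf_index_of "$macs" "$mac") || { echo "MAC $mac not in MULTIFILTER_MAC" >&2; return 1; }
    printf "nvram set 'MULTIFILTER_DEVICENAME=%s'\n" "$(mf_remove_index "$names" "$pos")"
    printf "nvram set 'MULTIFILTER_ENABLE=%s'\n" "$(mf_remove_index "$enables" "$pos")"
    printf "nvram set 'MULTIFILTER_MAC=%s'\n" "$(mf_remove_index "$macs" "$pos")"
    printf "nvram set 'MULTIFILTER_MACFILTER_DAYTIME=%s'\n" "$(mf_remove_index "$daytimes" "$pos")"
}

# Turn 'iptables -t TABLE -S' output (RULES, one per line) into '-D' commands
# for every rule whose source MAC match is MAC. Pass "$(iptables -t nat -S)" on the router.
mf_iptables_delete_commands() {
    table=$1 mac=$2 rules=$3
    printf '%s\n' "$rules" | while IFS= read -r line; do
        case $line in
            "-A "*"--mac-source $mac"*) printf 'iptables -t %s -D %s\n' "$table" "${line#-A }" ;;
        esac
    done
}

# Constructed sample matching the post's two-device case (not live router data).
mf_unblock_commands DE:AD:DE:AD:DE:AD "SGS5>TL-SG2008-1" "1>1" "DE:AD:DE:AD:DE:AD>FA:DE:FA:DE:FA:DE" "<><"
mf_iptables_delete_commands nat DE:AD:DE:AD:DE:AD "-A PREROUTING -i br0 -m mac --mac-source DE:AD:DE:AD:DE:AD -j PCREDIRECT"
```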
EDIT: Eventually I did find how to remove the blocking via the GUI
http://www.snbforums.com/threads/un-blockinternetaccess-on-non-connected-nodes.35617/#post-290012
Regards,