Posted: Wed Jan 03, 2018 22:26 Post subject: Access Restrictions don't work
I'm using DD-WRT v3.0-r34311 mega 12/29/17 on a WRT610Nv2 and I'm trying to use Access Restrictions and can't get it working. I tried this:
- Cron is enabled
- verify with own device (iPhone)
- make 100% sure that I know the MAC of iPhone (checked in Status/Wireless) and that it's connected to this router
- only one policy with Enable, Deny, Everyday, 24 hours and MAC in client list
- Save, Apply, Reboot Router
-> iPhone can still happily access WAN.
What I also tried:
- configure all 10 policies identical to block all
- add IP range to list of clients
No luck there either.
I tested only over WLAN, as I'm using it only as access point.
Any other ideas or is this feature 'known broken'?
I think I found the problem, but no solution yet.
I noticed that at the top of each page there is "WAN: Disabled" and the title of the restrictions page says "WAN Access". As mentioned, I'm using my device only as access point. In Setup, WAN Connection Type is set to Disabled. Assign WAN Port to Switch was enabled, but I also tried disabling it. DHCP is set to DHCP Forwarder.
How would I need to configure a simple access point setup to block network access for some MAC addresses at certain times?
Can you set up this configuration at the main host router?
I could, but I wanted to set this up on the access points.
Why did I not want to set this up on the router?
- It worked at some time in the past (update: might not be true)
- Complicated network structure, and the access points are the best place to catch the mobile users
- The router is not DD-WRT and has limited functionality for restrictions
- I thought the router doesn't know the MAC of the WLAN client and would see only the MAC of the access point (not true)
Anyway, I went ahead and did configure it finally on my router (it works now), but if anyone knows how to configure this on the access point(s), then please answer.
Access Restrictions has never worked in AP/WAP mode. It's solely a function of the WAN because most of it is implemented via the firewall. But in an AP/WAP configuration, that router's firewall with respect to the rest of the local network is irrelevant. It never comes into play. Other local devices are *only* affected by the primary router's firewall.
My router works in route (PPPoE) mode.
Access Restrictions does not work.
I was only addressing the narrow issue of the OP using his router as access point (WAP), not a router. Under such circumstances, Access Restrictions will never work.
But if your router is in fact configured as a router (not just a WAP), and Access Restrictions doesn't work, or doesn't work the way you think it should, that's a completely different issue. It should work, but perhaps you're configuring it wrong, perhaps you're expecting it to work one way when it doesn't, or it even has bugs. But WAP (access point only) mode will always be a non-starter when it comes to Access Restrictions.
My router's Access Restrictions feature was previously configured and worked properly.
Only after upgrading to the latest version can it no longer be used.
I found a simple way to make it work using ebtables. The below will stop listed MAC addresses from being FORWARDED in the internal bridge, but won't prevent the device from getting an IP address (since DHCP doesn't cross the bridge) or communicating with stuff on the same subnet.
This works for my purposes since I needed to block a few MAC addresses on the guest wifi, where I have AP isolation enabled and there are no wired devices on that subnet. So all they can do in my case is grab an IP address and ping the gateway. Without AP isolation they'd still be blocked from the internet but not from your internal network.
I added the MAC addresses I wanted to block in the Wireless/MAC Filter section under wl0, then inserted the following in my startup commands:
# Make MAC blocking actually work: drop bridged frames from every MAC listed
# in the wl0 MAC filter (nvram stores the list space-separated in wl0_maclist)
for i in `nvram get wl0_maclist`
do
    # one DROP rule per source MAC, inserted at the top of the ebtables INPUT chain
    ebtables -I INPUT -s "$i" -j DROP
done
If you want to see how many packets are being blocked for each MAC address (so you can see if you still need the block or if it is obsolete), use the command 'ebtables -L --Lc'.
If you look at iptables you can see the MAC filter and Access Restrictions/WAN Access policies stuff, but it isn't getting added correctly to the right place which is why they don't work. I think it would be pretty simple for someone to look at the code and make a few line patch to fix it. It obviously isn't a high priority for Brainslayer or Kong or it would have been fixed by now, so someone else will have to produce/test the patch, post it, and hope they commit the fix.
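As an added example (not from this thread or from DD-WRT itself), here is a startup-script variant of the ebtables workaround above that validates each wl0_maclist entry, keeps the rules in their own chain so a re-run does not stack duplicates, and hooks that chain from both INPUT and FORWARD so frames bridged through the AP are covered as well as frames addressed to it. The MACBLOCK chain name and the MACLIST override variable (used to feed a constructed list when nvram is not available) are assumptions of this example.

```shell
#!/bin/sh
# Added example: build ebtables DROP rules from nvram's wl0_maclist (not thread code).

# Return 0 if $1 looks like a MAC address: six hex octets separated by ':'.
is_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Lower-case the address so the same MAC typed differently dedupes.
norm_mac() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z'
}

# Source list: MACLIST (constructed/offline input, assumed name) if set,
# otherwise the live space-separated value from nvram.
mac_list() {
    if [ -n "${MACLIST+x}" ]; then
        printf '%s\n' "$MACLIST"
    else
        nvram get wl0_maclist
    fi
}

# Print one ebtables command per valid, unique MAC; report and skip junk.
# Only validated addresses reach the command line, so nothing else gets executed.
build_rules() {
    for m in $(mac_list); do
        m=$(norm_mac "$m")
        if is_mac "$m"; then
            printf 'ebtables -A MACBLOCK -s %s -j DROP\n' "$m"
        else
            printf 'skipping invalid wl0_maclist entry: %s\n' "$m" >&2
        fi
    done | sort -u
}

# Create the MACBLOCK chain (or flush it if it already exists), jump to it
# from INPUT and FORWARD exactly once, then load the generated rules.
apply_rules() {
    ebtables -N MACBLOCK 2>/dev/null || ebtables -F MACBLOCK
    for chain in INPUT FORWARD; do
        ebtables -L "$chain" | grep -q MACBLOCK || ebtables -I "$chain" -j MACBLOCK
    done
    build_rules | sh -e
}

# Per-rule packet/byte counters: shows which blocks are still being hit.
show_counters() {
    ebtables -L MACBLOCK --Lc
}
```

Call apply_rules from the startup commands and show_counters from a shell when reviewing which entries are still needed.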