Trying to block WAN access, Help!

lkraus
DD-WRT Novice


Joined: 30 Nov 2015
Posts: 2

Posted: Sun Sep 12, 2021 15:10
In July, we bought a new GE oven, which has a phone app to provide remote control and oven status over our wireless LAN. I wanted to block the oven from any WAN access.

I'm using a WRT1900ACS v2, with DD-WRT v3.0-r44715 std

In Access restrictions, I set:
Policy: 1 (NO WAN)
Status: Enable
Interface: Any (default, can't find documentation on this)
Policy Name: NO WAN
PCs: MAC address of the oven in the list of clients
Deny Internet access during selected days and hours selected.
Days: Everyday checked
Times: 24 Hours selected

I thought that would be sufficient.

A week or so later, I decided to turn off the oven's wireless since we were not really using the remote feature.

Two days after that I received an email that the oven had been disconnected for 48 hours. So apparently the oven had still been in contact with GE in spite of the access restriction.

Yesterday, I re-activated the oven's wireless, found I need to reconfigure/re-pair the app on the oven's own wireless access point, decided it was too much trouble and turned it off again. Four hours later, another email arrived from GE telling me that the oven lost connection.

We might use the remote to set timers or to know when a baking cycle is complete but I'd really prefer not to allow access to/from the internet.

What am I doing wrong?

EDIT: I added my laptop to the list of denied MAC addresses and immediately lost internet access, so I'm doing something right. There is no other wireless network in range, no unknown devices in the DHCP client list.
d33b0_n4p41m
DD-WRT User


Joined: 10 Sep 2021
Posts: 133

Posted: Sun Sep 12, 2021 17:35
You should consider using a more recent release; there have been issues with Access Restrictions for quite some time and it's only recently been in focus to look into and fix.

https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2021/09-08-2021-r47381/linksys-wrt1900acsv2/
Monza
DD-WRT User


Joined: 01 Jul 2018
Posts: 332

Posted: Sun Sep 12, 2021 18:16
Might be easier to use Wireless/MAC Filter: enable the MAC filter for both radios, set it to "Permit only clients listed to access the wireless network", and add all your allowed device MACs to the filter list via the "Edit MAC Filter List" button... except for the stove?

Not forgetting to add any NEW device MACs to the list as acquired in the future.
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 1598
Location: WCentral Indiana USA

Posted: Sun Sep 12, 2021 20:23
You can use iptables to keep the oven off the internet.

iptables -I FORWARD -i br0 -o $(nvram get wan_iface) -p tcp -s <oven-ip> -j REJECT

iptables -I FORWARD -i br0 -o $(nvram get wan_iface) -p udp -s <oven-ip> -j REJECT

Try these in CLI (putty/ssh). A reboot will clear these.
If they work put in Administration-Commands-Save Firewall.

Alternate rules:
iptables -I FORWARD -i br0 -o $(get_wanface) -p tcp -s xxx.xxx.xxx.xxx -j REJECT
iptables -I FORWARD -i br0 -o $(get_wanface) -p udp -s xxx.xxx.xxx.xxx -j REJECT

Replace xxx with oven IP.
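
Added example (not part of the post above, and not DD-WRT's own code): a dry-run generator for the same tcp/udp REJECT rules, plus a check that reads the FORWARD counters to confirm the rules are actually being hit. The address 192.168.1.50 and interface vlan2 are constructed sample values, and the rules match on source IP, so the sketch assumes the oven keeps a fixed address (for example a static DHCP lease).

```shell
#!/bin/sh
# Added example, not from the thread. 192.168.1.50 and vlan2 are constructed
# sample values; on the router use the oven's real IP and $(get_wanface).

# True only for a dotted quad with every octet in 0-255, so nothing else
# can reach the generated command lines.
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print (do not run) the thread's tcp/udp REJECT rules for one LAN address.
# Each insert is preceded by a delete of the same rule, so re-running the
# script does not stack duplicates in FORWARD.
build_rules() {
    ip="$1"; wan="$2"
    valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    case "$wan" in ''|*[!A-Za-z0-9._-]*) echo "bad interface: $wan" >&2; return 1 ;; esac
    for proto in tcp udp; do
        rule="FORWARD -i br0 -o $wan -p $proto -s $ip -j REJECT"
        echo "iptables -D $rule 2>/dev/null"
        echo "iptables -I $rule"
    done
}

# Sum the packet counters of REJECT rules whose source is $1, reading
# `iptables -L FORWARD -v -n -x` output on stdin. Columns: pkts bytes
# target prot opt in out source destination.
reject_hits() {
    awk -v ip="$1" '$3 == "REJECT" && $8 == ip { n += $1 } END { print n + 0 }'
}

# Constructed sample of that listing after the oven tried to phone home.
sample_counters() {
    cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      31     1860 REJECT     udp  --  br0    vlan2   192.168.1.50         0.0.0.0/0            reject-with icmp-port-unreachable
      12      720 REJECT     tcp  --  br0    vlan2   192.168.1.50         0.0.0.0/0            reject-with icmp-port-unreachable
     900   540000 ACCEPT     all  --  br0    vlan2   0.0.0.0/0            0.0.0.0/0
EOF
}

build_rules 192.168.1.50 vlan2
echo "rejected packets from oven: $(sample_counters | reject_hits 192.168.1.50)"
```

On the router, pipe the output of build_rules into sh to apply it, then feed the live listing to reject_hits; a count that stays at zero while the oven is online means its traffic is not passing through these rules.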
lkraus
DD-WRT Novice


Joined: 30 Nov 2015
Posts: 2

Posted: Tue Sep 14, 2021 14:53
I'll try the beta firmware when I get some time. I usually prefer a stable release, but if it doesn't really do what it says it probably doesn't deserve to be called stable.

It's OK for the oven to use wi-fi and our LAN, letting a phone act as a remote, so the Wireless/MAC filter idea is not what I want. I can turn off the wi-fi radio on the oven to keep it off the LAN. I just want to block the oven's access to the internet.

I'll save the iptables idea for if/when the newer firmware fails me. Might be awhile before I can take the time to experiment.

Thanks for the ideas.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 4521
Location: UK, London, just across the river..

Posted: Tue Sep 14, 2021 15:26
lkraus wrote:
I'll try the beta firmware when I get some time. I usually prefer a stable release, but if it doesn't really do what it says it probably doesn't deserve to be called stable.

It's OK for the oven to use wi-fi and our LAN, letting a phone act as a remote, so the Wireless/MAC filter idea is not what I want. I can turn off the wi-fi radio on the oven to keep it off the LAN. I just want to block the oven's access to the internet.

I'll save the iptables idea for if/when the newer firmware fails me. Might be awhile before I can take the time to experiment.

Thanks for the ideas.

Bear in mind all DD-WRT firmwares are beta; there is no such thing as a stable release.
What is classified as 'stable' is a beta that works well for you and has all the necessary security updates... the so-called "last beta", currently 47381.
We are also expecting the upcoming beta, as it will contain some major fixes and security updates.

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 47117 BS AP,NAT
TP-Link WR1043NDv2 -DD-WRT 47474 BS AP,NAT,AP Isolation,Ad-Block,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 -DD-WRT 47381 BS AP,NAT,Ad-Block,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 -Gargoyle OS 1.12.0 AP,NAT,QoS,Quotas
Qualcomm Atheros/
Netgear R7800 --DD-WRT 47381 BS AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT,Vanilla
Netgear R9000 --DD-WRT 47474 BS AP,NAT,AD-Block,AP Isolation,Firewall,Local DNS,DoT,2,4Ghz only,Vanilla
Broadcom
Netgear R7000 ---DD-WRT 47381 BS AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,VLAN's,DoT,VPN
------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 1598
Location: WCentral Indiana USA

Posted: Tue Sep 14, 2021 15:26
lkraus wrote:
I'll try the beta firmware when I get some time. I usually prefer a stable release


All DD-WRT firmware is beta and has been for many years,
including the versions posted in the Router Database as stated in Forum Guidelines found in my signature.
You have to be using versions from 2008 and before to be using a "stable" version.
44715 is old with security issues and no longer supported.

_________________
STUBBY DoT install guide----Forum Guide Lines (Please read!) --- How to get help the right way----PIA Setup Guide by egc----Before asking for help - Read the forum guidelines and upgrade DD-WRT!