I'm also having an issue with this. I'm using Kongs build on my R7000 (24710M) and already had some working urls being filtered out. But when I went to add another url it keeps letting the page load (prior ones still working).
Seems pretty odd to me. I've rebooted the router. Same issue. I'm gonna try a power cycle now...
edit: Something odd I just released. The link I am blocking is an Google OTA firmware update link, and it seems the link switches to HTTPS (maybe because HTTP is blocked?). Anyway, I added the HTTPS url to the block list, but it still loads..
I do volunteer IT work at a children's home and school in Chiang Mai, Thailand. I was asked to block certain websites and restrict access to the WAN at certain times of the day. I ended up using OpenDNS combined with DNS-O-Matic for website blocking and it works great.
At the children's home, I used the Access Restrictions tab to restrict access to the WAN at certain times of the day. There is a computer lab with a static IP assigned. I created a rule that blocks WAN access to this IP from 00:00 to 07:00 Monday to Friday. I then created another rule that blocks access from 20:30 to 23:59 Monday to Friday. I have gone over in the morning and validated that I can access the WAN in the computer lab after 7:00 AM, and I can. But around 5:30 each night, one of the children comes and tells me they can't get on the internet. To fix it, I sign onto the DD-WRT Access Restrictions tab and hit Apply. They can then access the WAN again. So the rule is correct. It just does not seem to stick.
I have done some searching on the forums and web and can't seem to find an answer. I did see a post where another DD-WRT user had an issue and said the last build that worked for them for Access Restrictions was Build 27506, July 2015. I am tempted to flash with this build if I can't get this to work.
I have nine rules and there is room for ten. This morning, I deleted the first rule so it is empty. I then placed it in rule 10. I will see if that works, as I see where this worked for another user back in 2007. In pfSense, the order of the rules is very important. But not in DD-WRT. At least that is what I have read.
Mikimik posted a fix here for Access Restrictions when running an OpenVPN client:
The above script/solution appears to have fixed the problem even though I am not running a VPN client! Thank you Mikimik! I added the script to the start-up commands section, rebooted the router then went to the Access Restrictions GUI and Applied Settings. WAN access worked on the computer lab per the rules.
I will continue to monitor over the weekend with the other rules I have in place and report back.
The script appeared to be the fix. However, the WAN interface is not working per the rules when it should at times. The fix is to go into the web GUI Access Restrictions tab and select the "Apply" button. They then work as they should, at least for a while.
Posted: Wed Feb 22, 2017 0:17 Post subject: Solution for simple rules
Xentrk wrote:
The script appeared to be the fix. However, the WAN interface is not working per the rules when it should at times. The fix is to go into the web GUI Access Restrictions tab and select the "Apply" button. They then work as they should, at least for a while.
After a few hours trying to figure it out, I found that there are no cron jobs defined that would read the configurations and rebuild the iptables rules. The "Apply" button does that job, so unless you want to click on this button on every necessary change, this feature is useless.
I did find a decent solution if your rules are simple (no overlapping rules). In my case, I wanted to deny or grant internet access to a list of MAC addresses. I created a single policy (it has to be #1) in the "Access Restrictions" tab and listed all my MAC addresses, selected the "DENY" policy, and as long as it is enabled, the rest is not important to set.
DD-WRT will then add a new iptables chain called "lan2wan" with a "grp_1" target. That is all we need; now the second step is to manually add cron jobs in the "Administration -> Management" tab.
When you want to have your rule active, you need to call "/usr/sbin/iptables -A lan2wan -j grp_1", which will enable the policy, and use "/usr/sbin/iptables -D lan2wan 1" when you want to disable it.
As an example of a complete cron job, I want to enable internet access at 3:30pm from Monday to Friday and at 9am Saturday and Sunday (i.e. remove the policy):
30 15 * * 1-5 root /usr/sbin/iptables -D lan2wan 1
0 9 * * 6,7 root /usr/sbin/iptables -D lan2wan 1
Then block access at 6pm (Sunday to Thursday) and 9pm Friday and Saturday (i.e. add the policy):
0 18 * * 0-4 root /usr/sbin/iptables -A lan2wan -j grp_1
0 21 * * 5,6 root /usr/sbin/iptables -A lan2wan -j grp_1
The only thing to maintain is the list of denied devices in the Access Restrictions tab and maybe the cron times.
Hope this helps other users; I spent too many hours reverse engineering this part to discover it does not have any cron to update the iptables rules.
Bear in mind, because the cron always deletes target #1 from the lan2wan chain, YOU CANNOT HAVE MORE THAN ONE POLICY ACTIVE or this cron job might not work.
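Added here as an example, not code from the thread or from DD-WRT: a small wrapper around the cron approach above (the FORWARD-rule scripts later in the thread could be driven the same way). It checks with `iptables -C` before adding and deletes by rule specification instead of by position 1, so a cron job that fires twice does not stack duplicate rules and other policies in lan2wan are left alone. It assumes the chain and target names from the post, an iptables new enough to support `-C`, and the IPTABLES/LOG/CHAIN/TARGET variables and the /jffs/policy.sh path are placeholders of mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT. It wraps the
# "lan2wan -> grp_1" jump that DD-WRT creates for Access Restrictions
# policy #1 so that cron can toggle it safely. The variables below are
# assumptions made here; the chain and target names come from the post above.
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
LOG="${LOG:-/var/log/cronlog}"
CHAIN="${CHAIN:-lan2wan}"
TARGET="${TARGET:-grp_1}"

log() { echo "$(date '+%Y-%m-%d %H:%M:%S') $*" >> "$LOG"; }

# Print "on" if the jump to the policy target is present, "off" otherwise.
policy_state() {
  if "$IPTABLES" -C "$CHAIN" -j "$TARGET" 2>/dev/null; then echo on; else echo off; fi
}

# Enable the policy (block the listed devices). Checks first, so a cron
# job that fires twice does not stack duplicate jumps.
policy_on() {
  if [ "$(policy_state)" = on ]; then log "policy already on"; return 0; fi
  "$IPTABLES" -A "$CHAIN" -j "$TARGET" && log "policy enabled"
}

# Disable the policy. Deletes by rule specification rather than by
# position 1, so other policies in the chain are left alone; loops in
# case duplicates were added earlier.
policy_off() {
  n=0
  while "$IPTABLES" -C "$CHAIN" -j "$TARGET" 2>/dev/null; do
    "$IPTABLES" -D "$CHAIN" -j "$TARGET" || return 1
    n=$((n + 1))
  done
  log "policy disabled (removed $n rule(s))"
}

# Cron usage (path is an assumed example): 0 18 * * 0-4 root /jffs/policy.sh on
case "${1:-}" in
  on) policy_on ;;
  off) policy_off ;;
  state) policy_state ;;
esac
```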
I did some more googling. I ended up writing SSH scripts that contain iptables commands to drop and allow WAN connections based on day and time of day. I am away from home on holiday and unable to access the router remotely via SSH with an iPad. I will post my solution when I return in the last week of February.
This logs the start and end time to a log file called cronlog. Because guess what, cron is another issue with my build. Ugh. It seems if I manually do the stopservice cron and startservice cron after reboot it works. I then issue the iptables -L command to make sure the command ran okay.
Code:
#!/bin/sh
# Runs from cron: block WAN access for the listed LAN hosts by dropping
# the traffic the router would forward from their source addresses.
LOG=/var/log/cronlog
echo "********************PC-Lab_Naomi_off script run START at $(date)" >> "$LOG"
# Drop forwarded (WAN-bound) traffic from the PC Lab
iptables -I FORWARD -s 192.168.2.218 -j DROP
# Drop forwarded (WAN-bound) traffic from Naomi's laptop
iptables -I FORWARD -s 192.168.2.232 -j DROP
# Record the active DROP rules so the cron run can be checked later (-n avoids DNS lookups)
iptables -L FORWARD -n | grep DROP >> "$LOG"
echo "********************PC-Lab_Naomi_off script END run at $(date)" >> "$LOG"
Code:
#!/bin/sh
# Runs from cron: restore WAN access by removing the DROP rules added by the "off" script.
LOG=/var/log/cronlog
echo "********************PC-Lab_Naomi_on script run START at $(date)" >> "$LOG"
# Remove the DROP rule for the PC Lab
iptables -D FORWARD -s 192.168.2.218 -j DROP
# Remove the DROP rule for Naomi's laptop
iptables -D FORWARD -s 192.168.2.232 -j DROP
# Record the remaining FORWARD rules so the cron run can be checked later
iptables -L FORWARD -n >> "$LOG"
echo "********************PC-Lab_Naomi_on script END run at $(date)" >> "$LOG"