Access Restrictions don't work

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Author Message
https
DD-WRT Novice


Joined: 22 Aug 2008
Posts: 8

PostPosted: Wed Jan 03, 2018 22:26    Post subject: Access Restrictions don't work Reply with quote
I'm using DD-WRT v3.0-r34311 mega 12/29/17 on a WRT610Nv2 and I'm trying to use Access Restrictions and can't get it working. I tried this:
- Cron is enabled
- verify with own device (iPhone)
- make 100% sure that I know the MAC of iPhone (checked in Status/Wireless) and that it's connected to this router
- only one policy with Enable, Deny, Everyday, 24 hours and MAC in client list
- Save, Apply, Reboot Router
-> iPhone can still happily access WAN.
What I also tried:
- configure all 10 policies identical to block all
- add IP range to list of clients
No luck there either.
I tested only over WLAN, as I'm using it only as access point.
Any other ideas or is this feature 'known broken'?
Sponsor
https
DD-WRT Novice


Joined: 22 Aug 2008
Posts: 8

PostPosted: Wed Jan 03, 2018 22:48    Post subject: Reply with quote
I think I found the problem, but no solution yet.
I noticed that at the top of each page there is "WAN: Disabled" and the title of the restrictions page says "WAN Access". As mentioned, I'm using my device only as access point. In Setup, WAN Connection Type is set to Disabled. Assign WAN Port to Switch was enabled, but I also tried disabling it. DHCP is set to DHCP Forwarder.
How would I need to configure a simple access point setup to block network access for some MAC addresses at certain times?
FurryNutz
DD-WRT User


Joined: 31 Oct 2010
Posts: 204

PostPosted: Wed Jan 03, 2018 23:03    Post subject: Reply with quote
Can you set up this configuration at the main host router?
https
DD-WRT Novice


Joined: 22 Aug 2008
Posts: 8

PostPosted: Thu Jan 04, 2018 22:20    Post subject: Reply with quote
FurryNutz wrote:
Can you set up this configuration at the main host router?

I could, but I wanted to set this up on the access points.
Why did I not want to set this up on the router?
- It worked at some time in the past (update: might not be true)
- Complicated network structure and access points is the best place to catch the mobile users
- The router is not DD-WRT and has limited functionality for restrictions
- I thought the router doesn't know the MAC of the WLAN client and would see only the MAC of the access point (not true)

Anyway, I went ahead and did configure it finally on my router (it works now), but if anyone knows how to configure this on the access point(s), then please answer.
xmlf
DD-WRT Novice


Joined: 20 Jan 2018
Posts: 12

PostPosted: Sat Jan 20, 2018 5:42    Post subject: Reply with quote
Yes!
my router is DD-WRT v3.0-r33675M kongac (11/03/17).
Access Restrictions is not work.

The previous build r31085(01/05/17) was fine!
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 7391

PostPosted: Sat Jan 20, 2018 6:16    Post subject: Reply with quote
Access Restrictions has never worked in AP/WAP mode. It's solely a function of the WAN because most of it is implemented via the firewall. But in a AP/WAP configuration, that router's firewall with respect to the rest of the local network is irrelevant. It never comes into play. Other local devices are *only* affected by the primary router's firewall.
xmlf
DD-WRT Novice


Joined: 20 Jan 2018
Posts: 12

PostPosted: Sat Jan 20, 2018 7:47    Post subject: Reply with quote
eibgrad wrote:
Access Restrictions has never worked in AP/WAP mode. It's solely a function of the WAN because most of it is implemented via the firewall. But in a AP/WAP configuration, that router's firewall with respect to the rest of the local network is irrelevant. It never comes into play. Other local devices are *only* affected by the primary router's firewall.

my router worked in route(pppoe) mode.
Access Restrictions is not work.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 7391

PostPosted: Sat Jan 20, 2018 8:05    Post subject: Reply with quote
xmlf wrote:
my router worked in route(pppoe) mode.
Access Restrictions is not work.


I was only addressing the narrow issue of the OP using his router as access point (WAP), not a router. Under such circumstances, Access Restrictions will never work.

But if your router is in fact configured as a router (not just a WAP), and Access Restrictions doesn't work, or work the way you think it should work, that's a completely different issue. It should work, but perhaps you're configuring it wrong, perhaps expecting it to work one way but doesn't, or even has bugs. But WAP (access point only) mode will always be a non-starter when it comes to Access Restrictions.
xmlf
DD-WRT Novice


Joined: 20 Jan 2018
Posts: 12

PostPosted: Sat Jan 20, 2018 9:12    Post subject: Reply with quote
eibgrad wrote:
xmlf wrote:
my router worked in route(pppoe) mode.
Access Restrictions is not work.


I was only addressing the narrow issue of the OP using his router as access point (WAP), not a router. Under such circumstances, Access Restrictions will never work.

But if your router is in fact configured as a router (not just a WAP), and Access Restrictions doesn't work, or work the way you think it should work, that's a completely different issue. It should work, but perhaps you're configuring it wrong, perhaps expecting it to work one way but doesn't, or even has bugs. But WAP (access point only) mode will always be a non-starter when it comes to Access Restrictions.


My router access Restrictions feature was previously configured to work properly.
Only later upgrade to the latest version, but can not be used.
slice1900
DD-WRT User


Joined: 18 Feb 2013
Posts: 74

PostPosted: Sat Jan 20, 2018 13:37    Post subject: Reply with quote
I found a simple way to make it work using ebtables. The below will stop listed MAC addresses from being FORWARDED in the internal bridge, but won't prevent the device from getting an IP address (since DHCP doesn't cross the bridge) or communicating with stuff on the same subnet.

This works for my purposes since I needed to block a few MAC addresses on the guest wifi, where I have AP isolation enabled and there are no wired devices on that subnet. So all they can do in my case is grab an IP address and ping the gateway. Without AP isolation they'd still be blocked from the internet but not from your internal network.

I added the MAC addresses I wanted to block in the Wireless/MAC Filter section under wl0, then inserted the following in my startup commands:

# Make MAC blocking actually work
for i in `nvram get wl0_maclist`
do
ebtables -I INPUT -s $i -j DROP
done

If you want to see how many packets are being blocked for each MAC address (so you can see if you still need the block or if it is obsolete) use the command 'ebtables -L --Lc'.

If you look at iptables you can see the MAC filter and Access Restrictions/WAN Access policies stuff, but it isn't getting added correctly to the right place which is why they don't work. I think it would be pretty simple for someone to look at the code and make a few line patch to fix it. It obviously isn't a high priority for Brainslayer or Kong or it would have been fixed by now, so someone else will have to produce/test the patch, post it, and hope they commit the fix.
ric63
DD-WRT Novice


Joined: 07 Aug 2017
Posts: 5

PostPosted: Mon May 21, 2018 18:00    Post subject: Reply with quote
have you solved with another dd-wrt versione ?
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum