Access Restrictions not working

Alen-Joseph
DD-WRT Novice


Joined: 31 May 2019
Posts: 1

Posted: Fri May 31, 2019 18:44
Hello Guys

I've got the latest DD-WRT installed on my Linksys WRT1900ACS.

DD-WRT v3.0-r37305 std (10/10/18)


I did all the steps, trying all ways: MAC, IP and range of IPs. None of them works.

Please help with more details since I am new to DD-WRT.
johnnyNobody999
DD-WRT User


Joined: 10 Jan 2014
Posts: 217

Posted: Sun Oct 27, 2019 20:58
I followed the instructions in the wiki to restrict access to certain websites and it doesn't work for me either. Currently using firmware 41375 on a WRT3200ACM. It has never worked on any firmware that I've used. Either we're doing something wrong or this is broken and nobody cares.
SurprisedItWorks
DD-WRT User


Joined: 04 Aug 2018
Posts: 449
Location: Appalachian mountains, USA

Posted: Sun Oct 27, 2019 22:07
I think everyone gave up on it and just adds iptables commands to the GUI>Administration>Commands page. See https://forum.dd-wrt.com/wiki/index.php/Iptables_command#Deny_access_to_a_specific_Outbound_IP_address_with_logging. Change "logdrop" to "DROP" if you don't want each blocked packet to cause a log entry, and note that if you do want the logging, you'll need to enable both Syslogd and Klogd in the System Log section of GUI>Services>Services. You may need to enable firewall logging at the bottom of the GUI>Security>Firewall page as well. I can't really remember re the latter.
_________________
Six of the Linksys WRT1900ACSv2 on r38159, r39144, r40009, and r40784. On various:
VLANs, client-mode travel router, two DNSCrypt servers (incl Quad9), multiple VAPs, USB/NAS, QoS, OpenVPN client/PBR (old=NordVPN, new=AirVPN).
johnnyNobody999
DD-WRT User


Joined: 10 Jan 2014
Posts: 217

Posted: Mon Oct 28, 2019 1:18
That didn't help. I created an outgoing rule to block the IP that was returned from dig but it doesn't block it. I know I properly created the rule because I did the same thing for another site and that block worked. I even tried setting up a ufw rule on the box I want an outgoing block but that doesn't stop the connection either. Traceroute on that IP couldn't get past the ninth hop so something is not right.
SurprisedItWorks
DD-WRT User


Joined: 04 Aug 2018
Posts: 449
Location: Appalachian mountains, USA

Posted: Mon Oct 28, 2019 14:34
[Edited to correct a serious error in the second paragraph!]

You can block a single site at the DNS level using a command in dnsmasq's Additional Config. I've never actually used this approach, but I believe the command to block, say, hotmail.com would be address=/hotmail.com/0.0.0.0 and you can use as many such commands as you like.

A second approach would be to put addn-hosts=/tmp/badhosts in dnsmasq's Additional Config (there's nothing special about the name badhosts except that it's not already in use) and then add a section in GUI>Administration>Commands, in the Startup Commands there, that looks like this:
Code:
cat <<'EOF' >/tmp/badhosts
0.0.0.0 foo.bar.com
0.0.0.0 bat.com
EOF

to block foo.bar.com and bat.com, where of course you can add as many lines as you like. The only advantage of this over the first method is that it puts your list in the Startup commands where, if you are like me and have various customizations there, you can see things mostly in one place. Also, having the names in a file, here /tmp/badhosts, for quick reference in the CLI is nice.

Or, if you want to go further and block many thousands of ad sites and trackers as well, you can use the adblocker I have posted at the first link in my sig below. It goes in GUI>Administration>Startup, and you can use its blacklist to add specific additional sites to block. All it does is use the second method above on a large scale, drawing on three online lists of known trackers and ad sites.

_________________
Six of the Linksys WRT1900ACSv2 on r38159, r39144, r40009, and r40784. On various:
VLANs, client-mode travel router, two DNSCrypt servers (incl Quad9), multiple VAPs, USB/NAS, QoS, OpenVPN client/PBR (old=NordVPN, new=AirVPN).
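
An added example, not from the thread or the DD-WRT project: a POSIX shell script that turns a domain list into the addn-hosts file described in the post above and models which query names each of the two dnsmasq methods covers. In dnsmasq an address=/domain/ line answers for the domain and every name under it, while a hosts-file entry answers only for the exact name. The function names, sample domains and output path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Domains, function names and the output path are constructed.

# Turn a domain list on stdin into hosts-file lines ("0.0.0.0 name").
# Comments, blank lines, duplicates and anything that is not a plausible
# hostname are dropped so a stray line cannot end up in the file.
make_badhosts() {
    tr 'A-Z' 'a-z' |
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    grep -E '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$' |
    sort -u |
    sed 's/^/0.0.0.0 /'
}

# addn-hosts: a hosts-file entry answers only for the exact name.
blocked_by_hosts() {    # $1 = query name, $2 = hosts file
    awk -v q="$1" '$1 == "0.0.0.0" && $2 == q { hit = 1 } END { exit !hit }' "$2"
}

# address=/domain/0.0.0.0: answers for the domain and every name under it.
blocked_by_address() {  # $1 = query name, $2 = domain in the address= line
    case "$1" in
        "$2" | *."$2") return 0 ;;
        *) return 1 ;;
    esac
}

demo() {
    out="${TMPDIR:-/tmp}/badhosts.example"   # the post uses /tmp/badhosts
    make_badhosts <<'EOF' >"$out"
# constructed sample list
Foo.Bar.com
bat.com   # duplicate below, comment stripped
bat.com
not a hostname
EOF
    cat "$out"
    for name in bat.com www.bat.com; do
        blocked_by_hosts "$name" "$out" && h=yes || h=no
        blocked_by_address "$name" bat.com && a=yes || a=no
        echo "$name: addn-hosts=$h address=$a"
    done
}
demo
```

With the hosts-file method, each subdomain to be blocked needs its own line in the list.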
All times are GMT