Access restrictions/static lease IP not working.

nickd
DD-WRT Novice


Joined: 21 Jan 2020
Posts: 30

PostPosted: Sat Mar 28, 2020 23:32    Post subject: Access restrictions/static lease IP not working.
Hello all,

As above and here are the steps I have taken and a bit about my setup.

I am using a cellular router, connected to my dd-wrt router that is running OpenVPN. All devices are wireless.

I have a standard Network Address Server Settings (DHCP) setup, start IP address is 192.168.1.100 with 50 Max DHCP users.

I have set static IP addresses (below 192.168.1.100) for the MAC addresses that I don't want to be restricted via static leases, and then set two policies under Access Restrictions and applied these to the IP range 192.168.1.100-149.

The machines with static addresses are two phones (Android) and a Mac. The phones are being assigned the correct IPs but the Mac isn't; it's using one from the pool 192.168.1.100-149 and it isn't being affected by the access restriction policies. EDIT: Sorry, missed a '1' out of the IP address, it's being assigned properly now!

Also, my daughter's iPhone (which I want to restrict) isn't being affected by the policy, although it is taking its IP address from the pool of 192.168.1.100-149.

Any ideas, please?

If you need screen shots, etc, then please let me know.

Thanks,
Nick.
nickd
DD-WRT Novice


Joined: 21 Jan 2020
Posts: 30

PostPosted: Sun Mar 29, 2020 1:25    Post subject:
OK, think I have fixed it with this:

eibgrad wrote:
Not sure why it's not saving it. Perhaps if you have a lot of them, it doesn't have sufficient nvram space to store them.

Using the GUI for these purposes is (imo) not a good idea anyway, esp. for long lists of static leases. Transferring them to another build or firmware update just becomes a hassle. All they do is map down to dhcp-host options in DNSMasq anyway.

Code:
dhcp-host=01:02:03:04:05:06,192.168.61.51,pchostname1,24h


In fact, if you have one or two leases already configured in the GUI, you can dump these using the following command from a shell (telnet/ssh):

Code:
cat /tmp/dnsmasq.conf


Then copy them to the Additional DNSMasq Options field on the Services page and delete them from the GUI. Now manage all your static leases there instead.

If there isn't sufficient nvram, you may have to move the leases to jffs or USB. Store them in a file (e.g., /jffs/dnsmasq.custom) and reference the file from Additional DNSMasq Options:

Code:
conf-file=/jffs/dnsmasq.custom


... and this (I only needed up to step 4):

mikimik wrote:
UPDATED GUIDE
Big thanks and all credits to eibgrad for simplifying the process of getting OpenVPN and DDWRT's Access Restrictions working together.

Have you got OpenVPN on your DDWRT router and want to be able to restrict WAN access at certain times/days to make sure your kids aren't staying up late using the internet? If you have tried to get DDWRT's Access Restrictions working in the GUI you will know that it does not work when you have OpenVPN enabled on the router. eibgrad's script below will fix this issue.

Disclaimer: This setup was tested with a Netgear R7000 with Kong 25090M Build but should work in a number of similar scenarios, however make sure you backup, backup, and backup everything before following my guide.

    1. Log into your DDWRT router using the GUI.
    2. Go to 'Administration', then click on the 'Commands' tab.


    3. Paste the code below into the text field:

Code:
#!/bin/sh
# Writes a small watchdog script to /tmp and starts it in the background.
SCRIPT="/tmp/lan2wan.sh"
cat << "EOF" > $SCRIPT
#!/bin/sh
# Every 5 minutes, check that the Access Restrictions chain (lan2wan) is the
# first rule in FORWARD: line 3 of the listing, after its two header lines.
# If something has pushed it further down (which is what breaks the GUI
# restrictions once OpenVPN is enabled), delete it and re-insert it at the top.
while true; do
    if [ "$(iptables -vnL FORWARD | awk '/lan2wan/ {print FNR}')" != "3" ]; then
        iptables -D FORWARD -j lan2wan
        iptables -I FORWARD -j lan2wan
    fi
    sleep 300
done
EOF
chmod +x $SCRIPT
$SCRIPT &

    4. Select the 'Save Startup' option.


    5. Go to 'Access Restrictions' in DDWRT's GUI.
    6. Set your preferences for when you want WAN access and no-access by assigning your MAC addresses in the 'Edit List of clients' tab.


    7. Save, apply and reboot router.

The script should work; if not, you can always have a look at the original guide below. Remember that, using eibgrad's excellent script, this updates every 300 seconds or 5 minutes, and therefore there might be a slight delay between your start and end time in 'Access Restrictions' if the router has just been rebooted, for example.

ORIGINAL GUIDE
I have managed to get the issue fixed. Big thanks to raph321 & bjornbai for their posts here which got me started on my EZ Guide below: http://www.dd-wrt.com/phpBB2/viewtopic.php?p=896286

Use Case: You have a VPN at the Router Level, such as PrivateInternetAccess (PIA) so that your entire household is protected, but you also want to limit Wan (internet) access to certain times so your kids aren't using the Internet late at night. The problem is OpenVPN and DDWRT's 'Access Restrictions' don't play well together, but my step by step guide below will show you how to manually do this.

Disclaimer: This setup was tested with a Netgear R7000 with Kong 25090M Build but should work in a number of similar scenarios, however make sure you backup, backup, and backup everything before following my guide.

If you want to know how to install PIA onto your R7000 you can follow the excellent guide here: http://www.instructables.com/id/Configure-VPN-Settings-on-a-DD-WRT-Router-for-Priv/?ALLSTEPS

As I am a complete noob, I am writing my guide for other noobs.

-***EZ GUIDE START***-

1. Access Restriction:
Completely ignore the Access Restriction option in DDWRT GUI as it will simply not work with OpenVPN, so disable it via the GUI.


2. WinSCP:
Download WinSCP from here: http://winscp.net/eng/index.php

3. Notepad++: Download Notepad++ from here: http://notepad-plus-plus.org/

4. WAN On & Off Scripts: In Notepad++ you are going to create two scripts. The first script will switch off (or disable) WAN access for a specific machine on your network by using its MAC address, and the second script will switch on (or enable) WAN access.

Copy and paste the below into Notepad++ and save it as "off.sh", changing xx:xx:xx:xx:xx:xx to the MAC address of the machine you want to disable WAN access for on your network:

Code:
#!/bin/sh
iptables -I FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP



Copy and paste the below into Notepad++ and save it as "on.sh", using the same MAC address as previously, to enable WAN access:

Code:
#!/bin/sh
iptables -D FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP



5. JFFS: The scripts need to be saved onto the router, and the best way to ensure these scripts are not deleted every time the router reboots is to enable the JFFS option. To do this, use the DDWRT GUI and go to 'Administration' and scroll down to 'JFFS2 Support'. Click on 'Enable' JFFS2, scroll down, click 'save', and then click 'apply'; wait a few minutes and reboot the router. Once rebooted, go back there and now select 'Clean JFFS2', scroll down and click 'apply' (do not save). Wait a few minutes and reboot the router once again. You now have a JFFS partition where you can upload your two scripts; to do this you will need WinSCP.


6. WinSCP Access: Start WinSCP; in 'File Protocol' select 'SCP', in 'Host Name' enter the IP address of your router (usually something like 192.168.0.1 or similar), in 'Port Number' make sure it is '22', and for the user name enter 'root' (make sure you use root as the user name and not the user name of your router). In 'Password' enter the router's password. Select login and you should now be in your router.


If you get an error message make sure you have enabled SCP access on the Router. To do this use the DDWRT gui and go to 'Services' scroll down to 'Secure Shell' and enable 'SSHd', disable 'SSH TCP Forwarding', enable 'Password Login', make sure 'Port' is '22' and leave 'Authorized Keys' blank.


Then go to 'Administration' and scroll down to 'Remote Access' and enable 'SSH Management', make sure 'SSH Remote Port' is set to '22' and enable 'Allow Any Remote IP'. You should now be able to connect to your router with WinSCP.


7. WinSCP Uploading Files: In WinSCP you should see a 'jffs' folder; now create a new folder inside the jffs directory and name it 'wanaccess'. Make sure that the directory is 'rwxr-xr-x'; to do this, right-click on 'wanaccess', select 'properties' and enter '0755' in 'Octal'. Now upload the two scripts you created earlier (on.sh & off.sh) to the 'wanaccess' directory, again making sure both scripts are 'rwxr-xr-x'.


8. Manually Testing Scripts: Open the DDWRT GUI and go to 'Administration' and then 'Commands'. Now paste the following into the text field and click the 'Run Commands' option:
Code:
sh /jffs/wanaccess/off.sh



Whatever MAC address you specified in your script should now no longer be able to access the WAN but should still be able to access the internal LAN (shared drives etc.). Now simply test that restoring WAN access works by using the following code:
Code:
sh /jffs/wanaccess/on.sh


9. Cron Jobs: At this point everything should be fine; you are now able to enable or disable WAN access for specific MAC addresses on your network whilst still keeping your OpenVPN running. What you want to be able to do now is set a timer to run the script at specific times/days so that you can manage internet access for your kids, for example. One way to achieve this is with a cron job. Go to the DDWRT GUI and select 'Administration' and then scroll down to 'Cron'. Enter the following test line:
Code:
* * * * * root sh /jffs/wanaccess/off.sh

Click 'Save', and then 'Apply'. Reboot the router to be sure. The above should in theory kill WAN access by trying to run the 'off.sh' script every minute. If this works you can customise your cron job to suit your needs, and have it enable the script and disable the script at set times. For example, if you want your kids to be able to have WAN access from 17:30pm to 20:45pm every day for their homework, the code below is what you would use:

Code:
30 17 * * * root sh /jffs/wanaccess/on.sh
45 20 * * * root sh /jffs/wanaccess/off.sh



-***EZ GUIDE END***-

Hope this is useful to someone; a lot of what is listed above users will already know, but noobs like me have to find out the hard way. Also, it might be a good idea to disable WinSCP access when finished.


Original URLs are here and here.
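The on.sh / off.sh pair in the guide above has one weakness worth knowing about before putting it in cron: running off.sh twice (the "* * * * *" test line does exactly that, once a minute) stacks a second identical DROP rule, and a single run of on.sh then removes only one of them, so the device stays blocked. The script below is an added example, not eibgrad's or mikimik's code; it merges both scripts into one, only inserts a rule that is not already present, removes every copy on the way out, and assumes an iptables that supports `-C` (rule check). The `IPT` variable is only there so the logic can be exercised with a stand-in command instead of the real iptables.

```shell
#!/bin/sh
# Added example, not from the thread: one replacement for on.sh / off.sh that
# does not stack duplicate DROP rules. Requires iptables with -C (1.4.11+).
# IPT can be overridden with a stub command for testing without root.
IPT="${IPT:-iptables}"

valid_mac() { echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; }

# rule_present MAC -> exit 0 if the DROP rule for MAC is already in FORWARD
rule_present() { $IPT -C FORWARD -m mac --mac-source "$1" -j DROP 2>/dev/null; }

# wan_off MAC -> block WAN for MAC; prints ADDED, ALREADY_BLOCKED or BAD_MAC
wan_off() {
    valid_mac "$1" || { echo "BAD_MAC"; return 2; }
    if rule_present "$1"; then echo "ALREADY_BLOCKED"; return 0; fi
    $IPT -I FORWARD -m mac --mac-source "$1" -j DROP && echo "ADDED"
}

# wan_on MAC -> remove every copy of the rule; prints how many were removed
wan_on() {
    valid_mac "$1" || { echo "BAD_MAC"; return 2; }
    n=0
    while rule_present "$1"; do
        $IPT -D FORWARD -m mac --mac-source "$1" -j DROP || break
        n=$((n + 1))
    done
    echo "$n"
}

# wan_status MAC -> prints BLOCKED or ALLOWED
wan_status() { if rule_present "$1"; then echo "BLOCKED"; else echo "ALLOWED"; fi; }

# Usage from the same cron lines as the guide, e.g.
#   30 17 * * * root sh /jffs/wanaccess/wanaccess.sh on xx:xx:xx:xx:xx:xx
#   45 20 * * * root sh /jffs/wanaccess/wanaccess.sh off xx:xx:xx:xx:xx:xx
case "${1:-}" in
    off)    wan_off "$2" ;;
    on)     wan_on "$2" ;;
    status) wan_status "$2" ;;
esac
```

Because `wan_off` is idempotent, it is safe to leave the cron line running every minute during testing; `wan_status` gives you a quick check from the Commands tab that the rule is really gone after the "on" time.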