Access Restrictions and ESTABLISHED connections

DD-WRT Forum Index -> Advanced Networking
stelek
DD-WRT Novice


Joined: 22 May 2008
Posts: 14

PostPosted: Tue Oct 06, 2020 17:59    Post subject: Access Restrictions and ESTABLISHED connections
Hi,
I'm using DD-WRT v3.0-r44406 std (09/18/20) on Archer C7.

The situation is as follows:

At 7pm I want my children to take a break from using the internet. The Access Restrictions rule is set up to kick in at this time. Surprisingly, after 7pm my kids can still continue playing Fortnite.

At first I thought it was a Cron issue but I can see this is not the case. Cron executes properly and the relevant iptables chain becomes "referenced" as expected.

What really happens is that the already ESTABLISHED connections are not dropped. So my daughters lose the internet access except for what they were already doing.

Obviously this is not desired and I have a feeling it worked correctly on my old router running an older version of dd-wrt.

Here's my dump. The relevant group is "grp_6". Any ideas?

Code:

root@Archer C7:~# iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
23614 2764K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  135 44280 ACCEPT     udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    1    28 DROP       udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            udp dpt:520
    0     0 DROP       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:520
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:520
  133  5944 DROP       icmp --  vlan2  *       0.0.0.0/0            0.0.0.0/0
  317 10144 DROP       2    --  *      *       0.0.0.0/0            0.0.0.0/0
  122  8596 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
30659 3115K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
 7431  367K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 622K  274M upnp       all  --  *      *       0.0.0.0/0            0.0.0.0/0
 622K  274M lan2wan    all  --  *      *       0.0.0.0/0            0.0.0.0/0
 509K  264M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      vlan2   192.168.0.0/24       0.0.0.0/0            tcp dpt:1723
    0     0 ACCEPT     47   --  *      vlan2   192.168.0.0/24       0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.111        tcp dpt:25565
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.0.111        udp dpt:25565
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.111        tcp dpt:19132
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.0.111        udp dpt:19132
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.111        tcp dpt:19133
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.0.111        udp dpt:19133
    0     0 TRIGGER    all  --  vlan2  br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
21121 4488K trigger_out  all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 TRIGGER    all  --  vlan2  eth0    0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 TRIGGER    all  --  vlan2  vlan1   0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 TRIGGER    all  --  vlan2  ath0    0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  ath0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  ath0   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 TRIGGER    all  --  vlan2  ath1    0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  ath1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  ath1   *       0.0.0.0/0            0.0.0.0/0            state NEW
20561 4460K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
  560 28679 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 15464 packets, 4158K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_1 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_10 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_11 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_12 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_13 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_14 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_15 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_16 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_17 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_18 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_19 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_2 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_20 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_3 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_4 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_5 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_6 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_7 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_8 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_9 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
16322  953K DROP       all  --  *      *       192.168.0.100/30     0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            192.168.0.100/30
44107 1713K DROP       all  --  *      *       192.168.0.104/30     0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            192.168.0.104/30
    0     0 DROP       all  --  *      *       192.168.0.108/31     0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            192.168.0.108/31

Chain grp_10 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_11 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_12 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_13 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_14 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_15 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_16 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_17 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_18 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_19 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_2 (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_20 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_3 (1 references)
 pkts bytes target     prot opt in     out     source               destination
12981 1002K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC --mac-source 18:C0:4D:1E:AF:37
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC --mac-destination 18:C0:4D:1E:AF:37

Chain grp_4 (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC --mac-source B4:2E:99:C6:A6:97
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC --mac-destination B4:2E:99:C6:A6:97
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC --mac-source 18:C0:4D:1E:AF:37
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC --mac-destination 18:C0:4D:1E:AF:37
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC --mac-source D0:D7:83:E9:27:80
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC --mac-destination D0:D7:83:E9:27:80

Chain grp_5 (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC --mac-source B4:2E:99:C6:A6:97
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC --mac-destination B4:2E:99:C6:A6:97
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC --mac-source 18:C0:4D:1E:AF:37
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC --mac-destination 18:C0:4D:1E:AF:37
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC --mac-source D0:D7:83:E9:27:80
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC --mac-destination D0:D7:83:E9:27:80

Chain grp_6 (1 references)
 pkts bytes target     prot opt in     out     source               destination
12699 1211K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC --mac-source B4:2E:99:C6:A6:97
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC --mac-destination B4:2E:99:C6:A6:97
 5760  571K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC --mac-source 18:C0:4D:1E:AF:37
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC --mac-destination 18:C0:4D:1E:AF:37
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC --mac-source D0:D7:83:E9:27:80
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC --mac-destination D0:D7:83:E9:27:80

Chain grp_7 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_8 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_9 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain lan2wan (1 references)
 pkts bytes target     prot opt in     out     source               destination
 139K   55M grp_6      all  --  *      *       0.0.0.0/0            0.0.0.0/0
 121K   53M grp_3      all  --  *      *       0.0.0.0/0            0.0.0.0/0
 121K   53M grp_2      all  --  *      *       0.0.0.0/0            0.0.0.0/0
 121K   53M grp_1      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logaccept (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID LOG flags 7 level 4 prefix "DROP "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logreject (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset

Chain trigger_out (5 references)
 pkts bytes target     prot opt in     out     source               destination

Chain upnp (1 references)
 pkts bytes target     prot opt in     out     source               destination
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 1557
Location: WCentral Indiana USA

PostPosted: Tue Oct 06, 2020 18:34    Post subject:
Try this save as firewall:
Code:
iptables -D FORWARD -j lan2wan
iptables -I FORWARD -j lan2wan


This is from this thread which is incomplete due to some accidental deletions.
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=277540

_________________
STUBBY DoT install guide----Forum Guide Lines (Please read!) --- How to get help the right way----PIA Setup Guide by egc----
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 7427
Location: Netherlands

PostPosted: Tue Oct 06, 2020 19:09    Post subject:
I have transferred this thread to the right forum.

See: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

The drop rules seem to work.

Is it only one client escaping?

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
WireGuard Documents & Guides:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397
OpenVPN Documents & Guides: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398
IPSET: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327261
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1035

PostPosted: Tue Oct 06, 2020 23:22    Post subject:
This is a known "issue", the problem is that you would have to clear the established connections from the state tables. I know that this was asked on the forums before, I just cannot find it right off hand.

So you would have to add rules before the RELATED,ESTABLISHED rules that do the blocking.

The other thing is that DD-WRT may set the NEW state on the access control rules and thus the related/established connections do not match and thus pass on.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 4224
Location: UK, London, just across the river..

PostPosted: Wed Oct 07, 2020 11:12    Post subject:
hmm, as the new iptables modules took place in the recent builds and if you are lucky enough to have them on your router, update to the last build and try something like....

iptables -I FORWARD -s 192.168.x.x -d 8.8.8.8 -m time --timestart 8:00 --timestop 18:00 --weekdays Mon,Wed,Fri,Sat --kerneltz -j REJECT

replace source IP 192.168.x.x with your IP (presume you gave it a static lease)

replace destination IP -d with your desired IP to block


as well you can specify time and day of the week...

thanks to egc and eibgrad for shedding light on that ....
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=326719

you can also try IPset rules combined with those too...

_________________
Atheros
TP-Link WR740Nv1 -----DD-WRT 45993 BS AP,NAT
TP-Link WR740Nv4 -----DD-WRT 44251 BS WAP/Switch
TP-Link WR1043NDv2 ---DD-WRT 46316 BS AP,NAT,AP Isolation,Ad-Block,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---DD-WRT 46166 BS AP,NAT,AD/Block,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---Gargoyle OS 1.12.0 AP,NAT,QoS,Quotas
Qualcomm/IPQ8065
Netgear R7800 -----DD-WRT 46259 BS AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT
Broadcom
Netgear R7000 -----DD-WRT 46259 BS AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,VLAN's,DoT,VPN
-----------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
stelek
DD-WRT Novice


Joined: 22 May 2008
Posts: 14

PostPosted: Thu Nov 05, 2020 22:49    Post subject:
bushant wrote:
Try this save as firewall:
Code:
iptables -D FORWARD -j lan2wan
iptables -I FORWARD -j lan2wan


This is from this thread which is incomplete due to some accidental deletions.
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=277540


If you look at my dump:
Code:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 622K  274M upnp       all  --  *      *       0.0.0.0/0            0.0.0.0/0
 622K  274M lan2wan    all  --  *      *       0.0.0.0/0            0.0.0.0/0
 509K  264M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

you will see that my lan2wan is almost at the top. The only thing above is upnp which is empty. ESTABLISHED is lower than lan2wan. So I do not see how this could help... Well, I'll try anyway...
stelek
DD-WRT Novice


Joined: 22 May 2008
Posts: 14

PostPosted: Thu Nov 05, 2020 22:50    Post subject:
Alozaros wrote:

iptables -I FORWARD -s 192.168.x.x -d 8.8.8.8 -m time --timestart 8:00 --timestop 18:00 --weekdays Mon,Wed,Fri,Sat --kerneltz -j REJECT


This actually looks great but unfortunately it does not work on my Archer C7. Is there a way to make it work?
stelek
DD-WRT Novice


Joined: 22 May 2008
Posts: 14

PostPosted: Thu Nov 05, 2020 22:54    Post subject:
And another thing I've noticed is that when the ESTABLISHED connection keeps going even despite being filtered out, I can go to the AR settings and press Apply. This kills all the connections on the router which is NOT a perfect solution but I'd be willing to use it.

Do you know what commands are executed when the Apply button is pressed? I might just schedule it with cron.

Or is there a way to schedule a script that would kill only the connection of my daughters' PCs at a certain time?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 7427
Location: Netherlands

PostPosted: Fri Nov 06, 2020 10:41    Post subject:
stelek wrote:
And another thing I've noticed is that when the ESTABLISHED connection keeps going even despite being filtered out, I can go to the AR settings and press Apply. This kills all the connections on the router which is NOT a perfect solution but I'd be willing to use it.

Do you know what commands are executed when the Apply button is pressed? I might just schedule it with cron.

Or is there a way to schedule a script that would kill only the connection of my daughters' PCs at a certain time?


Set a static lease on the client you want to block e.g. 192.168.1.10.
make a script with the following rule
Quote:
iptables -I FORWARD -s 192.168.1.10 -j REJECT


Call that script with a cron job at the time you want the blocking to begin
(do not forget to make the script executable)

Make a second script to unblock:
Quote:
iptables -D FORWARD -s 192.168.1.10 -j REJECT

Call that when you want to unblock and Bob's your uncle

stelek
DD-WRT Novice


Joined: 22 May 2008
Posts: 14

PostPosted: Fri Nov 06, 2020 22:21    Post subject:
egc wrote:

Quote:
iptables -I FORWARD -s 192.168.1.10 -j REJECT

Quote:
iptables -D FORWARD -s 192.168.1.10 -j REJECT



Unfortunately these do nothing to the issue that I'm seeing. The host is obviously not able to establish new connections, but the ones already ESTABLISHED are still active. In other words: my daughter can spend the entire night on Discord unless I tell her to go to bed.

There must be a way to break the ESTABLISHED connections. Pressing the "Apply" button in the Access Restriction panel does exactly that. But what does the button do? What's its associated command?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 4224
Location: UK, London, just across the river..

PostPosted: Fri Nov 06, 2020 23:59    Post subject:
stelek wrote:
egc wrote:

Quote:
iptables -I FORWARD -s 192.168.1.10 -j REJECT

Quote:
iptables -D FORWARD -s 192.168.1.10 -j REJECT



Unfortunately these do nothing to the issue that I'm seeing. The host is obviously not able to establish new connections, but the ones already ESTABLISHED are still active. In other words: my daughter can spend the entire night on Discord unless I tell her to go to bed.

There must be a way to break the ESTABLISHED connections. Pressing the "Apply" button in the Access Restriction panel does exactly that. But what does the button do? What's its associated command?


try with this command instead.. it will cut off WAN access totally... so nothing will fly through...

iptables -I FORWARD -i br0 -s 192.168.1.10 -o `get_wanface` -j DROP

or

iptables -I FORWARD -i br0 -s 192.168.1.10 -o $(get_wanface) -j DROP




..and yep, with that router you cannot explore the full potential of DD-WRT...
as it's only for basic needs... as the others suggested, for more detailed access restriction, it's time for a new router...



Last edited by Alozaros on Sat Nov 07, 2020 9:41; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 7427
Location: Netherlands

PostPosted: Sat Nov 07, 2020 7:46    Post subject:
stelek wrote:
egc wrote:

Quote:
iptables -I FORWARD -s 192.168.1.10 -j REJECT

Quote:
iptables -D FORWARD -s 192.168.1.10 -j REJECT



Unfortunately these do nothing to the issue that I'm seeing. The host is obviously not able to establish new connections, but the ones already ESTABLISHED are still active. In other words: my daughter can spend the entire night on Discord unless I tell her to go to bed.

There must be a way to break the ESTABLISHED connections. Pressing the "Apply" button in the Access Restriction panel does exactly that. But what does the button do? What's its associated command?


These rules do not have a state NEW so they should break ESTABLISHED connections (if executed before the ESTABLISHED rule)

So set the rule from the CLI and check with iptables -vnL if the rule is set

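Wildlion's point earlier in the thread (the block has to be evaluated before the RELATED,ESTABLISHED accept, and the existing state entries have to go) and egc's advice just above to verify the rule position with iptables -vnL, as an added example that is not from this thread, from DD-WRT or from any poster. The script parses an iptables -vnL dump offline and reports whether a blocking rule in FORWARD sits ahead of the conntrack accept, and it generates the block/unblock commands for a cron job. Assumptions: the interface names br0 and $(get_wanface) and the client address 192.168.1.10 are taken from the posts above; the presence of conntrack-tools on the router is an assumption and is tested for at run time; both dump excerpts are constructed (the first is copied from the original post, the second is a made-up case with the rule appended at the bottom).

```shell
#!/bin/sh
# Added example (not from the thread or from DD-WRT): check where a blocking
# rule sits in the FORWARD chain of an `iptables -vnL` dump relative to the
# "state RELATED,ESTABLISHED" ACCEPT, and build cron-friendly block/unblock
# commands. A block rule that comes AFTER that ACCEPT never sees packets of
# connections that were already open when it was inserted.

# 1-based index of the first FORWARD rule matching an extended regex, 0 if
# absent. Jumps to user chains (e.g. lan2wan, which leads to grp_6) count as
# rules; rules inside those user chains do not.
forward_rule_index() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        /^Chain /                   { inchain = ($2 == "FORWARD"); next }
        inchain && /^ *pkts +bytes/ { n = 0; next }
        inchain && NF > 0           { n++; if (!found && $0 ~ pat) found = n }
        END                         { print found + 0 }'
}

# Exit 0 when the rule matching $2 precedes the RELATED,ESTABLISHED accept (or
# no such accept exists), 1 when it comes after it (only NEW connections would
# be blocked), 2 when the rule is not present at all.
block_precedes_established() {
    blk=$(forward_rule_index "$1" "$2")
    est=$(forward_rule_index "$1" 'state RELATED,ESTABLISHED')
    [ "$blk" -gt 0 ] || return 2
    [ "$est" -eq 0 ] || [ "$blk" -lt "$est" ]
}

# Commands for the "block" cron script: a stateless DROP inserted at the top of
# FORWARD (so it is hit by established flows too), then, if conntrack-tools is
# installed (assumption), delete the client's existing state entries so nothing
# of its traffic matches RELATED,ESTABLISHED any more. $2 defaults to the
# literal $(get_wanface), which DD-WRT resolves when the script runs.
block_cmds() {
    ip=$1; wan=${2:-'$(get_wanface)'}
    printf 'iptables -I FORWARD -i br0 -s %s -o %s -j DROP\n' "$ip" "$wan"
    printf 'command -v conntrack >/dev/null 2>&1 && conntrack -D -s %s\n' "$ip"
}
# Matching "unblock" command: same rule, deleted instead of inserted.
unblock_cmds() {
    ip=$1; wan=${2:-'$(get_wanface)'}
    printf 'iptables -D FORWARD -i br0 -s %s -o %s -j DROP\n' "$ip" "$wan"
}

# Constructed dump excerpt copied from the first post: lan2wan (-> grp_6) is
# already above the RELATED,ESTABLISHED accept, so ordering is not the cause.
DUMP_ORIGINAL='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 622K  274M upnp       all  --  *      *       0.0.0.0/0            0.0.0.0/0
 622K  274M lan2wan    all  --  *      *       0.0.0.0/0            0.0.0.0/0
 509K  264M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
20561 4460K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
  560 28679 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain lan2wan (1 references)
 pkts bytes target     prot opt in     out     source               destination
 139K   55M grp_6      all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Constructed counter-example: the REJECT was appended (-A) below the accept,
# so only NEW connections from the client would be refused.
DUMP_MISPLACED='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 509K  264M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
20561 4460K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 REJECT     all  --  *      *       192.168.1.10         0.0.0.0/0            reject-with icmp-port-unreachable'

# Stand-alone demonstration.
if block_precedes_established "$DUMP_ORIGINAL" 'lan2wan'; then
    echo "original dump: lan2wan is evaluated before RELATED,ESTABLISHED"
fi
if ! block_precedes_established "$DUMP_MISPLACED" '192.168.1.10'; then
    echo "misplaced dump: the REJECT only ever sees NEW connections"
fi
echo "--- block script for cron ---";   block_cmds 192.168.1.10
echo "--- unblock script for cron ---"; unblock_cmds 192.168.1.10
```

On the router, pipe the live output in with `forward_rule_index "$(iptables -vnL)" '192.168.1.10'` after inserting the rule. For the dump in the first post the check passes (lan2wan already precedes the conntrack accept), so rule order does not explain the surviving Fortnite and Discord sessions there; a forwarding shortcut that bypasses netfilter, as raised later in the thread, is the remaining explanation to test.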
stelek
DD-WRT Novice


Joined: 22 May 2008
Posts: 14

PostPosted: Sat Nov 07, 2020 9:08    Post subject:
Hi,
These rules are definitely set. They're first in the chain. And you can see they work, because my daughter can't do anything "new" on her PC. But the things she already started (like a Fortnite session, Discord talk, YouTube stream) keep working. I have to press "Apply" in the RA to actually break those connections.

Is it possible that the ESTABLISHED connections are not going through iptables at all? I think I read somewhere about some sort of optimization for this.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6030
Location: Romerike, Norway

PostPosted: Sat Nov 07, 2020 9:22    Post subject:
Do you have SFE enabled?

It does a shortcut through the firewall.
stelek
DD-WRT Novice


Joined: 22 May 2008
Posts: 14

PostPosted: Sat Nov 07, 2020 12:53    Post subject:
Yes, it is enabled. Must have been like that by default, as I did not even know such option existed.

I'll switch it off and see if it helps.

EDIT: Well, one thing it definitely does is bring my internet down from ~800Mbps to ~200MBps
All times are GMT