[SOLVED] Problems implementing Access Restrictions

DD-WRT Forum Index -> Advanced Networking
TedCheeze
DD-WRT User


Joined: 01 Feb 2016
Posts: 53
Location: Oregon, U.S.

PostPosted: Sat Jul 23, 2022 7:53    Post subject: [SOLVED] Problems implementing Access Restrictions
I have a WRT1900ac V1 running R48081.

This is my simple goal - I want all internet traffic for a finite set of devices to be blocked from 9pm thru 6am (21:00:00 thru 06:00:00).

I get that a user cannot use one rule that goes past midnight. Otherwise you are promptly greeted with:

"The end time must be greater than start time."

In so many words, you have to create two rules: one that goes from a time prior to midnight to midnight, then a second rule to cover midnight to an end time after midnight.

However, this is not possible with the current implementation because you cannot create a rule that actually reaches midnight. There is no 24:00 to select at the end of the day.
24:00 equates to midnight at the end of the day and 00:00 means midnight at the start of the day.

This means I'm relegated to a restriction schedule that starts at 9:00:00pm and ends at 11:59:00pm, leaving 11:59pm thru 12:00am without any restrictions. With a full gigabit connection a lot of data can be sent & received in those 60 seconds.

How do I block that last single minute just prior to midnight?


Last edited by TedCheeze on Sun Jul 24, 2022 22:02; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Sat Jul 23, 2022 8:13    Post subject:
You probably cannot, unless you do it manually I guess.
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Sat Jul 23, 2022 8:22    Post subject:
IIRC, the netfilter time module supports seconds, NOT just hours and minutes. I assume that's what AR (Access Restrictions) is using, but maybe not, esp. since the time module was only added in the past few years.

The netfilter time module may be the better option, which means creating your own firewall rules. I was recently helping someone on the Merlin forum who also needed to cross the midnight hour. I had no problem using 00:00 for midnight on both rules (i.e., no gaps).

Code:
iptables -I FORWARD -m mac --mac-source 0a:32:13:75:7d:95 -m time --timestart 20:00 --timestop 00:00 --weekdays Sun,Mon,Tue,Wed,Thu --kerneltz -j REJECT
iptables -I FORWARD -m mac --mac-source 0a:32:13:75:7d:95 -m time --timestart 00:00 --timestop 08:00 --weekdays Mon,Tue,Wed,Thu,Fri --kerneltz -j REJECT

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Sat Jul 23, 2022 8:23    Post subject:
To answer your next question, the answer is in the IPSET guide, a sticky in this forum.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Sat Jul 23, 2022 8:27    Post subject:
eibgrad wrote:
IIRC, the netfilter time module supports seconds, NOT just hours and minutes. I assume that's what AR (Access Restrictions) is using, but maybe not, esp. since the time module was only added in the past few years.

The netfilter time module may be the better option, which means creating your own firewall rules. I was recently helping someone on the Merlin forum who also needed to cross the midnight hour. I had no problem using 00:00 for midnight on both rules (i.e., no gaps).

Code:
iptables -I FORWARD -m mac --mac-source 0a:32:13:75:7d:95 -m time --timestart 20:00 --timestop 00:00 --weekdays Sun,Mon,Tue,Wed,Thu --kerneltz -j REJECT
iptables -I FORWARD -m mac --mac-source 0a:32:13:75:7d:95 -m time --timestart 00:00 --timestop 08:00 --weekdays Mon,Tue,Wed,Thu,Fri --kerneltz -j REJECT


You should be able to do it in one rule by using --contiguous (but perhaps that is not available in older kernels used by Merlin and Tomato?)



Last edited by egc on Sat Jul 23, 2022 9:58; edited 1 time in total
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Sat Jul 23, 2022 8:39    Post subject:
This will never work via the UI since its input is validated using JavaScript.

This is the JavaScript here: https://github.com/mirror/dd-wrt/blob/master/src/router/kromo/dd-wrt/Filters.asp#L70-L77

In the meantime you could try to set this via the CLI, filter_tod(numberoffilter) values; there may be another way but I need more coffee and I have a terrible migraine right now.

e.g. nvram set filter_tod3="21:0 6:0 0-6" && nvram commit <- between 21:0 pm and 6:0 am; don't forget the double quotes, this is Linux writing a variable with spaces, else it only sets the first value. Leave the last `0-6` alone, don't touch it.

I created a 3rd filter so mine is filter_tod3, so yours must match the number of your filter, which must already be enabled and set. You can initially set a valid time and then overwrite it via the CLI; I did mine from 2:0 to 6:0 and then overwrote it via the CLI to what I wanted in this test filter.

Below is the result after I edited it via the CLI, bypassing the input validation JS:

Code:
:~# nvram show| grep filter_tod3
size: 39563 bytes (25973 left)
filter_tod3=21:0 6:0 0-6

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Sat Jul 23, 2022 10:03    Post subject:
https://ipset.netfilter.org/iptables-extensions.man.html

Quote:
Matching across days might not do what is expected. For instance,

-m time --weekdays Mo --timestart 23:00 --timestop 01:00 Will match Monday, for one hour from midnight to 1 a.m., and then again for another hour from 23:00 onwards. If this is unwanted, e.g. if you would like 'match for two hours from Monday 23:00 onwards' you need to also specify the --contiguous option in the example above.

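
The two-rule split that eibgrad posted, together with the --contiguous alternative egc points to in the man page, as an added shell example written for this thread (not eibgrad's, egc's or the DD-WRT project's code). It assumes the FORWARD chain, a REJECT target and --kerneltz, and only prints the rules, so they can be reviewed before being added to the router's firewall script:

```sh
#!/bin/sh
# Added example (not from the thread or the DD-WRT project): generate netfilter
# "time" match rules for a per-device block window that crosses midnight.
# The window is split at 00:00 into two rules, like eibgrad's pair above, and the
# weekday list of the after-midnight half is shifted forward one day, so that
# "Sun-Thu, 20:00 to 08:00" becomes Sun-Thu 20:00-00:00 plus Mon-Fri 00:00-08:00.
# Assumed (constructed) settings: chain FORWARD, target REJECT, router time zone
# via --kerneltz. Rules are printed, not applied; review them, then pipe into sh.

CHAIN=FORWARD
TARGET=REJECT

# Shift a comma-separated weekday list (Mon..Sun) forward by one calendar day.
next_days() {
  out=""
  for d in $(printf '%s' "$1" | tr ',' ' '); do
    case "$d" in
      Mon) n=Tue;; Tue) n=Wed;; Wed) n=Thu;; Thu) n=Fri;;
      Fri) n=Sat;; Sat) n=Sun;; Sun) n=Mon;;
      *) printf 'bad weekday: %s\n' "$d" >&2; return 1;;
    esac
    out="${out:+$out,}$n"
  done
  printf '%s\n' "$out"
}

# Accept HH:MM or HH:MM:SS between 00:00:00 and 23:59:59. 24:00 is refused: the
# time match does not take it, and the end of a day is written as 00:00 instead.
valid_time() {
  t=$1
  case "$t" in ''|*[!0-9:]*) return 1;; esac
  oldifs=$IFS; IFS=:; set -- $t; IFS=$oldifs
  [ $# -eq 2 ] || [ $# -eq 3 ] || return 1
  [ -n "$1" ] && [ -n "$2" ] || return 1
  [ "$1" -le 23 ] && [ "$2" -le 59 ] && [ "${3:-0}" -le 59 ]
}

# Seconds since midnight, so start and stop compare numerically (leading zeros stripped).
to_secs() {
  oldifs=$IFS; IFS=:; set -- $1; IFS=$oldifs
  h=${1#0}; m=${2#0}; s=${3:-0}; s=${s#0}
  echo $(( ${h:-0} * 3600 + ${m:-0} * 60 + ${s:-0} ))
}

# Print one rule line; nothing is executed here.
one_rule() {  # mac start stop days [extra time-match option]
  printf 'iptables -I %s -m mac --mac-source %s -m time --timestart %s --timestop %s --weekdays %s%s --kerneltz -j %s\n' \
    "$CHAIN" "$1" "$2" "$3" "$4" "${5:+ $5}" "$TARGET"
}

# block_rules MAC START STOP DAYS: split form, works on any kernel with xt_time.
block_rules() {
  mac=$1; start=$2; stop=$3; days=$4
  valid_time "$start" && valid_time "$stop" || { echo "times must be HH:MM[:SS] within 00:00..23:59:59" >&2; return 1; }
  ss=$(to_secs "$start"); es=$(to_secs "$stop")
  if [ "$ss" -eq "$es" ]; then
    echo "start and stop are equal; nothing to block" >&2; return 1
  elif [ "$ss" -lt "$es" ]; then
    one_rule "$mac" "$start" "$stop" "$days"      # same-day window, one rule
  else
    ndays=$(next_days "$days") || return 1
    one_rule "$mac" "$start" 00:00 "$days"        # evening half, up to midnight
    one_rule "$mac" 00:00 "$stop" "$ndays"        # morning half, next calendar day
  fi
}

# contiguous_rule MAC START STOP DAYS: single-rule form with --contiguous (egc's
# suggestion); STOP < START then counts as one span, on kernels whose xt_time has it.
contiguous_rule() {
  mac=$1; start=$2; stop=$3; days=$4
  valid_time "$start" && valid_time "$stop" || { echo "times must be HH:MM[:SS] within 00:00..23:59:59" >&2; return 1; }
  [ "$(to_secs "$start")" -gt "$(to_secs "$stop")" ] || { echo "--contiguous only applies when stop < start" >&2; return 1; }
  one_rule "$mac" "$start" "$stop" "$days" --contiguous
}

# Demo with the MAC from eibgrad's post: Sunday to Thursday nights, 20:00 to 08:00.
block_rules 0a:32:13:75:7d:95 20:00 08:00 Sun,Mon,Tue,Wed,Thu
```

Once the printed lines look right, `block_rules <mac> 21:00 06:00 Sun,Mon,Tue,Wed,Thu | sh` applies them on the router. The function refuses 24:00 and writes the end of day as 00:00, which is what keeps the pair gap-free; contiguous_rule is the one-rule form for kernels whose xt_time accepts --contiguous, and the split form is the portable fallback.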
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Sat Jul 23, 2022 12:01    Post subject:
You also have to ensure that filter_tod_bufxx=7 for it to apply every day of the week.

https://svn.dd-wrt.com/browser/src/router/httpd/visuals/filters.c#L31

https://svn.dd-wrt.com/browser/src/router/httpd/validate/webs.c#L241

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
TedCheeze
DD-WRT User


Joined: 01 Feb 2016
Posts: 53
Location: Oregon, U.S.

PostPosted: Sun Jul 24, 2022 23:09    Post subject: Thank you!
Of course the IPTABLES rules would be the most prudent way to implement my goal.

However, I find what the-joker suggests seems to fit my situation very well.

This way I can create my filter rule the way that I want, except the timing. Then I manipulate the timing via the CLI. This also makes it very simple to disable or enable the filter rule for that group of devices easily within the UI. Otherwise I would have to modify two rules for every device in the group.
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Mon Jul 25, 2022 8:57    Post subject:
@TedCheeze

let me know if it works; I'm assuming there is no further validation after it's been manipulated via the CLI and saved, so whether it processes as intended at the designated times should be verified.

I believe the UI validation is unnecessary and not correct as it stands, but that's something I must discuss with the main developer and try to find a better solution which allows sane, valid time periods to be set.

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Mon Jul 25, 2022 9:02    Post subject:
the-joker wrote:
@TedCheeze

let me know if it works; I'm assuming there is no further validation after it's been manipulated via the CLI and saved, so whether it processes as intended at the designated times should be verified.

I believe the UI validation is unnecessary and not correct as it stands, but that's something I must discuss with the main developer and try to find a better solution which allows sane, valid time periods to be set.


I think it is necessary; look back at my earlier postings.

What should happen is that --contiguous is set when the stoptime < starttime.
However, older kernels might not support this.

the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Mon Jul 25, 2022 9:29    Post subject:
Well, currently it seems it accounts for start time and end time being on the same day, and not starting one day and ending the next, which is what makes sense here, assuming we select more than one day.

If we take start time and end time to be the same day then the error and validation is correct; otherwise it is a little off.

Start one day at X end the next day at Y and rinse and repeat every day or per set days.

But the current logic only allows for a single 24 hour period no matter how many days are selected.

You can never activate the filter between one day and the next.

What the kernel supports IDK, but currently when more than one day is selected it's crap in, crap out.

I think this can be considered a feature request rather than an all out bug.

PS.

start time on mon, tue, wed, thu, fri, sat, sunday -- end time != start day || first day || start time && start day (or something; this is likely not sufficient)

and then the UI changes to suit.

then we need a checkbox to do current logic daily timer, or multiple day timer and activate the correct fields.

Assuming it's even possible to do new logic; you said kernel, but I'm thinking cron, whatever is best suited.

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Mon Jul 25, 2022 10:17    Post subject:
I can't remember if this was a feature in the original WRT54 or E-series Linksys firmware off the top of my head, but this has always been a "bug" in the "feature". We're off to go to my routine check-up. I might remember to look at this later, or not.
TedCheeze
DD-WRT User


Joined: 01 Feb 2016
Posts: 53
Location: Oregon, U.S.

PostPosted: Thu Jul 28, 2022 13:16    Post subject:
After a few days of trial and error I reached the same conclusion that @the-joker had already posted about.

Quote:
Start one day at X end the next day at Y and rinse and repeat every day or per set days.

But the current logic only allows for a single 24 hour period no matter how many days are selected.

You can never activate the filter between one day and the next.


Using the GUI you can prove this by creating an Access Rule, selecting 24 hours and saving it, then viewing it in the CLI:

Code:
nvram show|grep filter_tod1=
size: 41451 bytes (89621 left)
ping_ip=nvram show|grep filter_tod1=
filter_tod1=0:0 23:59 0-6


Here's what I also discovered.
    Using the filter rule method, DNSMASQ goes down if the end time is less than the start time (i.e. starts in one day & ends in the next).
    DNSMASQ goes down even if the rule is disabled.
    DNSMASQ will not restart until the offending rule is corrected or deleted.
    How or why DNSMASQ is affected I do not know, but that is the behavior I observed.

    Using the IPTABLES method, --timestop must not exceed 23:59:59. Otherwise you end up in a soft-brick condition after the first time the --timestart value has been reached.
    IPTABLES will not accept 24:00 as a valid --timestop value. (FYI: Cisco IOS uses 24:00 for end of day & 00:00 for start of day.)


So for my next dumb idea...

Can you enable or disable an access rule from the CLI? Then use a cron job to enable or disable a 24hr rule at the scheduled times.


But I can't seem to find the correct syntax for the variables to complete the statement. When the GUI creates rules they look like the first three, and my attempt to modify rule 5 is a wreck:
Code:
:~# nvram show|grep filter_ru
size: 41532 bytes (89540 left)
ping_ip=nvram show|grep filter_rule
filter_rule1=$STAT:1$NAME:Example-1$DENY:1$IF:Any$$
filter_rule2=$STAT:1$NAME:Example-2$DENY:1$IF:Any$$
filter_rule3=$STAT:0$NAME:Example-3$DENY:0$IF:wlan0.1$$
filter_rule4=
filter_rule5=:0:Example-5:1:ANY17472
filter_rule6=
filter_rule7=
filter_rule8=
filter_rule9=
filter_rule10=



Suggestions?? Just ignore that one minute I guess?
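
A pre-commit check for the nvram route the-joker described earlier, written against the findings in the post above, as an added example that is neither the project's own tooling nor the-joker's. It assumes the filter_todN format shown in the nvram output ("H:M H:M DAYS", with DAYS passed through untouched) and uses a constructed stand-in for `nvram show | grep filter_tod`; a value whose stop is earlier than its start is refused, since that is the value that took dnsmasq down, and the two UI-valid filters that together cover the window are printed instead:

```sh
#!/bin/sh
# Added example (not from the thread or the DD-WRT project): check an Access
# Restrictions time value before "nvram set filter_todN=... && nvram commit".
# Format taken from the nvram output in the thread: "START STOP DAYS" with unpadded
# H:M times, e.g. "21:0 6:0 0-6"; DAYS is passed through untouched. A STOP earlier
# than START is the value TedCheeze found takes dnsmasq down, so it is refused and
# the two same-day values the UI accepts are printed instead (START-23:59 plus
# 0:0-STOP), which leaves only the 23:59 minute uncovered.

# "H:M" or "HH:MM" with 0..23 hours and 0..59 minutes; 24:0 is refused because
# the last minute the UI (and the time match) knows is 23:59.
valid_hm() {
  case "$1" in *:*:*|*[!0-9:]*|:*|*:|'') return 1;; *:*) ;; *) return 1;; esac
  [ "${1%%:*}" -le 23 ] && [ "${1#*:}" -le 59 ]
}

# Minutes since midnight from "H:M" or "HH:MM" (leading zeros stripped).
to_mins() {
  h=${1%%:*}; m=${1#*:}
  h=${h#0}; m=${m#0}
  echo $(( ${h:-0} * 60 + ${m:-0} ))
}

# check_filter_tod VALUE
#   returns 0: VALUE is a single same-day window and is echoed unchanged
#   returns 1: VALUE crosses midnight; the two replacement values are printed
#   returns 2: VALUE is malformed (field count, characters, 24:00, start == stop)
check_filter_tod() {
  set -- $1
  [ $# -eq 3 ] || { echo "expected 'H:M H:M DAYS', got '$*'" >&2; return 2; }
  start=$1; stop=$2; days=$3
  valid_hm "$start" && valid_hm "$stop" || { echo "bad time in '$start $stop' (0:0..23:59)" >&2; return 2; }
  s=$(to_mins "$start"); e=$(to_mins "$stop")
  [ "$s" -ne "$e" ] || { echo "start and stop are equal" >&2; return 2; }
  if [ "$e" -gt "$s" ]; then
    echo "$start $stop $days"; return 0
  fi
  echo "$start 23:59 $days"   # evening filter, ends at the last minute the UI offers
  echo "0:0 $stop $days"      # morning filter, starts at midnight
  return 1
}

# Constructed stand-in for "nvram show | grep filter_tod" (on the router: nvram get filter_tod3).
SAMPLE_NVRAM='filter_tod1=0:0 23:59 0-6
filter_tod3=21:0 6:0 0-6'
tod_value() { printf '%s\n' "$SAMPLE_NVRAM" | sed -n "s/^filter_tod$1=//p"; }

# Demo: filter 1 (the UI's own all-day value) passes; filter 3 (set by hand) is split.
for n in 1 3; do
  v=$(tod_value "$n")
  if out=$(check_filter_tod "$v"); then
    echo "filter_tod$n=\"$v\" is a same-day window, safe to commit"
  else
    echo "filter_tod$n=\"$v\" crosses midnight; set two filters instead:"
    echo "$out" | sed 's/^/  /'
  fi
done
```

On the router, `check_filter_tod "$(nvram get filter_tod3)"` gives the same answer for a live value; a non-zero return means the value should not be committed as is.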
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Thu Jul 28, 2022 14:10    Post subject:
So my original suggestion is/was a big flat-on-the-face flop.

You can enable/disable anything that is manipulated via nvram, which is basically pretty much everything, but you are going sideways with this by adding cron to the mix.

You could create two filters, one from 21:00 to 23:59 and the next filter from 0:00 to 6:00, and see how that fares. This should be doable, pass validation and ultimately achieve what you originally wanted to do.

One day, when it's possible to modify the kernel module, and add a better solution that allows for both the current situation or optionally multiple days start-end time and do it all in one filter.

But unless someone makes a patch I don't see that happening; I wouldn't even know where to start.

All times are GMT