Posted: Sat Jun 25, 2016 19:40 Post subject: Access Restriction Isn't Working with WRT1900ACS
I'm using the latest build by Kong dated June 24 but the problem was also present with the June 20 build by BS as well.
I'm trying to use Access Restriction to block a couple of devices from using the internet during certain hours of the night - it's a simple case and it's a home router setup.
I've used the wiki to help set up the policy. I'm using both MAC and IP addresses to identify the clients/devices but neither seems to work.
I'm also using OpenVPN with ExpressVPN, which may have something to do with it. I've done some searching but other than one individual reporting that AR is broken with OpenVPN I can't find a solution.
Anyone else experience this? If yes, is there a workaround?
Last edited by kagazi on Sun Jun 26, 2016 1:17; edited 1 time in total
Like you suggested, maybe it is some glitch with OpenVPN. I’m not using OpenVPN but I’m blocking access for three devices All Day/Every Day with Kong build r30015M. I'm blocking access for a NAS, Printer and Blu-ray player with no issues.
I don’t know if it's related but I do recall (a while ago) someone over in the TP-Link forum posted that they were unable to filter websites but that would be the "Filter" option. I’m blocking via the "Deny" option.
If the access restriction is not working, it may be possible to use a cron entry to update the iptables rules based on the time you want to allow/disallow access. I have yet to use the cron facility here in DD-WRT, so you'd probably want to consult the wiki or doc page for that. But I'd imagine setting the following lines for the deny time in your cron:
# -I inserts the DROP at the top of the chain, ahead of existing ACCEPT rules
iptables -I INPUT -s <ipToBlock> -j DROP
iptables -I FORWARD -s <ipToBlock> -j DROP
Then when you want to give access back, set your 2nd cron job to be something like:
# delete the DROP rules that the first job added for this address
iptables -D INPUT -s <ipToBlock> -j DROP
iptables -D FORWARD -s <ipToBlock> -j DROP
You'd probably also want to set DHCP to use a static MAC address assignment found under Services tab so that the same IP will always be given to that device. That way you won't inadvertently block someone else if the leases get shuffled around. Still won't stop the user from assigning a static address directly on the device, unless you have access restrictions on that device itself.
Hope this might help to give a workaround at least.
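The cron workaround from the post above, written as one script that a single cron job can run every few minutes (an added example, not part of the original thread). The address, the 22:00 to 06:00 window and the function names are assumptions; it deletes and re-inserts the rule on each run, so repeated runs or a reboot inside the window leave exactly one DROP rule per chain.

```shell
#!/bin/sh
# Added example: reconcile a nightly block window from one cron job.
# BLOCK_IP, START and END are constructed sample values, not from the thread.
BLOCK_IP="${BLOCK_IP:-192.168.1.50}"   # the device's static DHCP lease
START="${START:-2200}"                 # window start, HHMM
END="${END:-0600}"                     # window end, HHMM (may be the next day)
IPT="${IPT:-iptables}"                 # command used to change the rules

# Return 0 when HHMM time $1 lies in [start $2, end $3).
# Handles windows that cross midnight (start > end).
in_window() {
    now=$((1$1 - 10000)); s=$((1$2 - 10000)); e=$((1$3 - 10000))
    if [ "$s" -le "$e" ]; then
        [ "$now" -ge "$s" ] && [ "$now" -lt "$e" ]
    else
        [ "$now" -ge "$s" ] || [ "$now" -lt "$e" ]
    fi
}

# Return 0 only for a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1; done
}

# Make chain $1 hold exactly one DROP rule for source $2 (state on) or none (off).
# Every existing copy is deleted first, so cron re-runs never stack duplicates.
ensure_rule() {
    while $IPT -D "$1" -s "$2" -j DROP 2>/dev/null; do :; done
    [ "$3" = off ] || $IPT -I "$1" -s "$2" -j DROP
}

# cron calls the script with the argument "apply"; without it nothing is changed.
if [ "${1:-}" = apply ]; then
    valid_ipv4 "$BLOCK_IP" || { echo "bad BLOCK_IP: $BLOCK_IP" >&2; exit 1; }
    if in_window "$(date +%H%M)" "$START" "$END"; then state=on; else state=off; fi
    for chain in INPUT FORWARD; do ensure_rule "$chain" "$BLOCK_IP" "$state"; done
fi
```

Because the script computes the desired state from the clock on every run, a router that reboots at 23:00 picks the block back up on the next cron tick instead of waiting for the next 22:00 job.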
All the IP TABLE thing is a great idea, only if I'm doing it. If my girlfriend wants to do it this way... oh boy... so it's a viable option here unfortunately