IP tables - local, internet and no access; noob question

Mighty_D
DD-WRT Novice


Joined: 11 Feb 2017
Posts: 5

PostPosted: Sat Feb 11, 2017 21:29    Post subject: IP tables - local, internet and no access; noob question
I'm fairly new to DD-WRT (newish to firewalls) and after browsing the forums here and googling it, could not find a solution, maybe someone can help. Here is my setup:

I have a Linksys ACS 1900 running [Firmware: DD-WRT v3.0-r28788 std (01/13/16)], this is the main router for the house and a number of devices connect to it via both (2.4 GHz and 5 GHz) wifi networks. Also, the device is connected (via Cat6 cables) to a few desktops as well as a wireless access point (Dlink DAP2660) running [Firmware: DD-WRT v3.0-r27506 (07/09/15) std].

Having given you the lay of the land, here is what I have been trying to accomplish without luck: I want to setup firewall rules (by mac addresses) to configure individual machines (on all 3 interfaces: 2 wireless and 1 wired) to have access to the local network, some of those to have access to the internet as well and to drop all other incoming and outgoing traffic.

I have had very mixed results with the configurations I have tried; from no noticeable effects at all, to exactly what I want but no access to the router page, and everything in between. My conclusion is that I am entering the wrong commands or am specifying the wrong interfaces.

Can someone give me a solution that will by default drop all traffic and examples on how to allow mac specific traffic to the local network, and separately from that to the outside world and to the router web-config?

Thank you,
Mighty_D
DD-WRT Novice


Joined: 11 Feb 2017
Posts: 5

PostPosted: Sat Feb 11, 2017 22:20    Post subject:
eibgrad, thank you for the quick reply.

Tell me if I am reading this right - there is no way (on the router firewall level) to regulate mac1 to mac2 traffic? (i.e. machine 1 "talking" to machine 2 on the same network)?

If the above is correct, is there a way to allow only specific mac addresses to access the router web-interface? How would those commands look? i.e. I want only XX:XX:XX:XX:XX:AA to be able to access the router web-interface via the 2.4 GHz network (I believe this is identified in the router as ath1), AND only XX:XX:XX:XX:XX:BB to manage the router web-interface via its hard-wired connection (vlan0? - not sure about this).

Let's further assume that I only want XX:XX:XX:XX:XX:AA and XX:XX:XX:XX:XX:BB to have internet access with the rest of the machines restricted to the local area network only.

Again thank you,
Mighty_D
DD-WRT Novice


Joined: 11 Feb 2017
Posts: 5

PostPosted: Mon Feb 13, 2017 13:59    Post subject:
Having followed your logic and code suggestion I think I have things setup (in regards to the WAN access) the way I want them. Allow me to ask a few additional questions:

1. Can I configure only specific macs to have access to the router configuration page? If so, how? Also on this, is there a way of limiting the number of connection attempts per minute to say 3? and again...how?

2. On a conceptual level - if I still want mac-to-mac traffic limitations (while maintaining them on the same subnet), this would be achievable via a managed switch, wouldn't it? Does dd-wrt support any? Also, any 8 port recommendations for home use?

Thank you again for the help,
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6447
Location: UK, London, just across the river..

PostPosted: Mon Feb 13, 2017 18:41    Post subject:
To disable the GUI interface by MAC address, save this in the firewall script:

iptables -I INPUT -p tcp --dport 80 -m mac ! --mac-source 01:23:45:67:89:A0 -j REJECT --reject-with tcp-reset

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
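The single rule above answers the "who may reach the web UI" question; the earlier posts also asked for a limit of about 3 connection attempts per minute and for WAN access by MAC only. Below is an added example (not code from the thread or from DD-WRT itself) that generates a complete firewall script covering all three points. The MACs are the thread's placeholders, and the interface names br0 and vlan2 are assumptions to verify on your own router.

```shell
#!/bin/sh
# Added example, not from the thread: generates DD-WRT firewall-script rules.
# Interface names and MACs are placeholders; check yours with "ifconfig",
# "nvram get lan_ifnames" and "nvram get wan_iface" on the router.
ADMIN_MACS="XX:XX:XX:XX:XX:AA XX:XX:XX:XX:XX:BB"  # may open the router web UI
WAN_MACS="XX:XX:XX:XX:XX:AA XX:XX:XX:XX:XX:BB"    # the only hosts allowed out
LAN_BR="br0"   # DD-WRT's LAN bridge; wired and wireless ports are members of it
WAN_IF="vlan2" # assumed WAN port

# Web UI (TCP 80; add 443 if HTTPS management is on): each admin MAC gets at
# most 3 new connections per minute (burst 3), its extra attempts are dropped,
# its established traffic passes, and every other MAC gets a TCP reset as in
# the reply above. Rules go into a dedicated chain with -A so the order reads
# top to bottom; a single -I puts the jump ahead of DD-WRT's own INPUT rules.
# Note: wireless/wired ports are bridged, so INPUT sees -i br0, not ath1; to
# split admins per port you would need "-m physdev --physdev-in ath1".
webui_rules() {
  echo "iptables -N webui_acl"
  for mac in $ADMIN_MACS; do
    echo "iptables -A webui_acl -m mac --mac-source $mac -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT"
    echo "iptables -A webui_acl -m mac --mac-source $mac -m state --state NEW -j DROP"
    echo "iptables -A webui_acl -m mac --mac-source $mac -j ACCEPT"
  done
  echo "iptables -A webui_acl -j REJECT --reject-with tcp-reset"
  echo "iptables -I INPUT -i $LAN_BR -p tcp --dport 80 -j webui_acl"
}

# Internet access: only $WAN_MACS are forwarded from the LAN bridge to the WAN;
# everyone else keeps LAN and router access but is dropped at the internet.
# Replies arrive -i $WAN_IF -o $LAN_BR, so they never enter this chain and are
# handled by DD-WRT's existing ESTABLISHED,RELATED rule.
wan_rules() {
  echo "iptables -N wan_acl"
  for mac in $WAN_MACS; do
    echo "iptables -A wan_acl -m mac --mac-source $mac -j ACCEPT"
  done
  echo "iptables -A wan_acl -j DROP"
  echo "iptables -I FORWARD -i $LAN_BR -o $WAN_IF -j wan_acl"
}

# Whole script: print the rules, or apply them when run with APPLY=1 on the router.
build_all() {
  webui_rules
  wan_rules
}
# MAC matching only works for hosts on the router's own L2 segment and a host
# can change its MAC, so treat this as a convenience control, not authentication.
if [ "${APPLY:-0}" = "1" ]; then build_all | sh; else build_all; fi
```

Paste the output (or the script itself) into Administration -> Commands and save it as the firewall script; reboot or re-run the script after editing the MAC lists.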
Mighty_D
DD-WRT Novice


Joined: 11 Feb 2017
Posts: 5

PostPosted: Mon Feb 13, 2017 23:37    Post subject:
Thank you again for the help. Everything is now running the way I wanted it!

well...

I went out and bought a d-link DGS-1100-08P "smart" switch (an 8 port, home use, managed layer 2 switch with POE).

This thing is absolutely driving me nuts: it took the place of the last (un-managed) switch with the same cat7 cables entering ports.

In this configuration the switch refuses to acknowledge the existence of the router even on a basic level (i.e. port lights are not lighting up) and yet sees everything else connecting to it just fine.

To add insult to injury - if I connect the same cable directly to the modem instead, lights go on. If I run a different cable to it, lights work and it makes friends with the router (I can ping both devices).

The reasonable thing to do would be to just change the cable right? Not so easy - the original cable has been run through the house walls and terminates in wall plugs on either side. The test I made (where the two devices saw one another) was by bypassing the "wall" cable and running another cable down the stairs much to the ire of my wife.

Is there anything you guys can think of that might explain this odd behavior?

P.S.

I know this isn't my free tech support... genuinely appreciate all the help.
Mighty_D
DD-WRT Novice


Joined: 11 Feb 2017
Posts: 5

PostPosted: Tue Feb 14, 2017 9:53    Post subject:
update: I tried all manner of physical configuration and could not get the switch and the router to make friends while connecting via the original "wall" cables until I connected an un-managed switch between them.

Now they see one another, machines connecting to the managed switch can ping the router and access the WAN and so on. I am obviously missing something very trivial here; does anyone have any ideas what could be causing this?