How to use Access Restrictions

Eko
DD-WRT Developer/Maintainer


Joined: 07 Jun 2006
Posts: 5771

Posted: Mon Jan 21, 2008 10:02    Post subject: How to use Access Restrictions
* * * How to use Access Restrictions * * *
this is for at least RC5 builds - I don't remember how it was on older builds.

1) Policy is applied when set IP (or range, or MAC) and set time are both matched.


2) All ten policies are used
- this is different than in factory Linksys firmware, when only first match is used

3) "Deny" policy
- Deny policy completely blocks internet access. (filters are of course not used). If you need to deny internet access e.g. from 10PM to 6AM, make 2 policies: 1st from 22:00 - 23:59; 2nd from 0:00 to 06:00

4) "Allow" policy
- Name is wrong, it should be "Filter" (already fixed in code). This policy will not allow internet access during selected days and hours, as is popular belief, but will only apply set filters and port services (p2p, block by URL....) on set times. Other times will have unfiltered internet access.


I tried this now and works 100% ok. Comments welcome.


Last edited by Eko on Mon Jan 21, 2008 10:40; edited 2 times in total
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

Posted: Mon Jan 21, 2008 10:24
Another nice fix Eko. Cool

I've seen some people getting confused about Access Restrictions. I think this will finally (hopefully) clear it up for them Smile
Eko
DD-WRT Developer/Maintainer


Joined: 07 Jun 2006
Posts: 5771

Posted: Mon Jan 21, 2008 10:39
Maybe Wiki must be fixed too.
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

Posted: Mon Jan 21, 2008 12:19
Done. Anyone feel free to add more info, or correct anything I may have overlooked.

Access Restrictions
zen_seeker
DD-WRT Novice


Joined: 16 Jan 2008
Posts: 23

Posted: Mon Jan 21, 2008 14:52
Can we have a working example to rout out the working firmware from the failing models? (I still think my WRT350N isn't working right.)

Using this as the example I've tried...

Rule 1 - Allow, MAC 12345, Mon. to Fri., Time, 5pm to 9pm.
Rule 2 - Allow, MAC 12345, Sat. & Sun., Time, Noon to 5pm.
Rule 7 - Deny, MAC 12345, Time/Day 24/7

Using the above info and messages this should allow the MAC address 12345 to access the internet from 5pm to 9pm Monday to Friday and again on weekends from noon to 5pm should it not?

The only way I know that works on the router as it is now is to create 2 deny rules for each allow rule. One for Mon. to Friday from 0:00am to 17:00pm and a second from 21:00pm to 23:59. (Same for the weekend rule but different times.)
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

Posted: Mon Jan 21, 2008 15:00
Rule 1 applies filters
Rule 2 applies filters
Rule 7 blocks internet access 24/7

It should be very clear that Rule 7 blocks MAC address 12345 so that it will never be able to access the internet. Your filtering rules do not "Allow" anything. Allow is improper description. It really means "Filter". I suggest you read Eko's post and the wiki again.
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

Posted: Mon Jan 21, 2008 15:18
Sorry, that sounded harsh when I read it back.

What you need to do is make Deny rules/policies for the times that you do not want people to be accessing the internet.

Again, the "Allow" option is NOT for allowing internet access. It is merely to "Filter" it. Eko has fixed this confusion for next release.
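A small model of the rule semantics described in this thread, added here as an illustration (it is not DD-WRT code and not from any poster): every matching policy counts, Deny overrides, and "Allow" only filters. `Policy`, `evaluate` and `deny_complement` are hypothetical names, `12345` is the placeholder MAC from the post above, and minute-granular inclusive end times are a modeling assumption.

```python
from dataclasses import dataclass

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")

@dataclass(frozen=True)
class Policy:
    mode: str        # "deny" or "filter" (the option labelled "Allow" in older builds)
    host: str        # IP or MAC the policy applies to
    days: frozenset  # day names from DAYS
    start: int       # minutes since 00:00, inclusive
    end: int         # minutes since 00:00, inclusive (23:59 == 1439)

def hm(text):
    h, m = text.split(":")
    return int(h) * 60 + int(m)

def evaluate(policies, host, day, time):
    """Model of the thread's semantics: all matching policies are used, Deny wins."""
    t = hm(time)
    hits = [p.mode for p in policies
            if p.host == host and day in p.days and p.start <= t <= p.end]
    if "deny" in hits:
        return "blocked"
    return "filtered" if "filter" in hits else "open"

def deny_complement(host, days, allowed):
    """Deny policies covering everything outside the allowed (start, end) windows.
    Windows are 'HH:MM' pairs within one day; the allowed end minute is exclusive."""
    out, cursor = [], 0
    for start, end in sorted((hm(s), hm(e)) for s, e in allowed):
        if start > cursor:
            out.append(Policy("deny", host, frozenset(days), cursor, start - 1))
        cursor = max(cursor, end)
    if cursor <= 1439:
        out.append(Policy("deny", host, frozenset(days), cursor, 1439))
    return out

HOST = "12345"  # placeholder MAC used in the thread, not a real address
WEEK, WEEKEND = DAYS[:5], DAYS[5:]

# The attempted setup: two "Allow" (really Filter) rules plus a 24/7 Deny.
attempt = [
    Policy("filter", HOST, frozenset(WEEK), hm("17:00"), hm("21:00")),
    Policy("filter", HOST, frozenset(WEEKEND), hm("12:00"), hm("17:00")),
    Policy("deny", HOST, frozenset(DAYS), 0, 1439),
]
# Deny-only policies that produce the intended schedule instead.
schedule = (deny_complement(HOST, WEEK, [("17:00", "21:00")])
            + deny_complement(HOST, WEEKEND, [("12:00", "17:00")]))
```

In this model the attempted setup is blocked at all times, while the Deny-only schedule uses four of the ten policy slots and leaves the host open only inside the intended windows.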
ddaryl
DD-WRT Novice


Joined: 18 Jan 2008
Posts: 12

Posted: Mon Jan 21, 2008 18:36
Somebody want to post a few examples for us to go by? I've tried 100 different combinations and have spent many hours trying everything.

In fact I have just a single policy, 24/7 deny on my stepson's MAC and IP, and he still has complete access to everything. (His IP is set to static DHCP). Well, I haven't confirmed but he has not complained about his access so I assume he has access.

If it is fixed then again I would like to see a few examples of how I would allow 2 computers 24/7 access and partial access to my stepson's PC (I want to shut him out of all internet access and chats etc. from 21:00 to 06:00)

I appreciate any and all replies
ddaryl
DD-WRT Novice


Joined: 18 Jan 2008
Posts: 12

Posted: Mon Jan 21, 2008 18:42
Eko wrote:
Maybe Wiki must be fixed too.



I think the Wiki should contain a few different examples accompanied with an explanation of why things are done the way they are.

I understand PC's and networking pretty well, and the Wiki is as clear as mud. I'd edit it myself but I have yet to have any success. As soon as I have success I will contribute to the Wiki and include a scenario example.
zen_seeker
DD-WRT Novice


Joined: 16 Jan 2008
Posts: 23

Posted: Mon Jan 21, 2008 19:19
soulstace wrote:
Sorry, that sounded harsh when I read it back.

Not a problem, in the IT business...used to reading these for the info...not the way it was written.

soulstace wrote:
What you need to do is make Deny rules/policies for the times that you do not want people to be accessing the internet.

That was what I noted in my last paragraph. But it takes 2 rules to make a Deny block work when a single Allow would work better. (If that was the way it was to work on my model.)

soulstace wrote:
Again, the "Allow" option is NOT for allowing internet access. It is merely to "Filter" it. Eko has fixed this confusion for next release.

I can accept that...provided you explain how that would work and what good it would be? What am I filtering if not exceptions to the Deny rules? I forward or redirect elsewhere...what is the Allow for then?

Thanks for the feedback. Not sure yet if I have an issue with the WRT350N or just my understanding of the Allow. Look forward to the reply. I'll review the Wiki again but I might have to load the original firmware just to see if it did work this way.
zen_seeker
DD-WRT Novice


Joined: 16 Jan 2008
Posts: 23

Posted: Mon Jan 21, 2008 19:50
I've just reread the Linksys User Guide on the WRT350N and it states you can set just Allow rules for internet access. (It's in a PDF so I can't cut and paste the paragraph but the PDF is attached.)

Linksys even calls it "The Access Restrictions Tab - Internet Access Policy" in the attached guide.

I did this when I first brought it home and it worked fine. It's the extra reporting and features I was trying to get with DD-WRT.

So I still think the "Allow" in DD-WRT should work the same way...I just can't get it to. I was going to check out OpenWRT as I found a new release today for the WRT350N.

I'll keep testing and report back.



Attachment: WRT350N_ug.pdf (3.79 MB)

ddaryl
DD-WRT Novice


Joined: 18 Jan 2008
Posts: 12

Posted: Tue Jan 22, 2008 0:07
OK... When I use my stepson's MAC ADD. Access restrictions DO NOT WORK. When I use a combination of MAC ADD. and IP ADD. the restrictions do not work.

HOWEVER so far if I use just his IP address Access restrictions seem to be working.

I did set him up with a static DHCP IP so he can't change his IP and this will work for me, but I think there is still a possible issue here.
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

Posted: Tue Jan 22, 2008 5:19
I made a Deny policy named "test" to deny my MAC address and IP address access to the internet. I enabled this policy with the status button. Everyday 24 hours is checked. (I Saved and Applied on every page I made a change)

When I tried to access this forum and refresh a page, I couldn't. Nor could I do anything else like get on the internet to check my e-mail. This is exactly what I created the test policy to do.

zen_seeker wrote:
soulstace wrote:
Again, the "Allow" option is NOT for allowing internet access. It is merely to "Filter" it. Eko has fixed this confusion for next release.

I can accept that...provided you explain how that would work and what good it would be? What am I filtering if not exceptions to the Deny rules? I forward or redirect elsewhere...what is the Allow for then?


The "Filter" option is for filtering access to web sites, services, or keywords. It does not block internet altogether like the "Deny" option does. Nor does it allow internet access during times that a Deny policy denies it.

If you will notice, when you click the Deny button (instead of the Filter button), those extra options at the bottom of the page get greyed out (at least in newer dd-wrt versions). This is because filtering a web site, service, etc. in a Deny policy is pointless since the machines in the policy would be denied internet access anyway!


Last edited by soulstace on Wed Jan 23, 2008 16:54; edited 1 time in total
Eko
DD-WRT Developer/Maintainer


Joined: 07 Jun 2006
Posts: 5771

Posted: Tue Jan 22, 2008 6:17
Also to be considered is that filtering by MAC was broken in some builds some time ago, but is already fixed in newer builds. For these builds use only IP addresses, not MAC (even combo IP / MAC will not work). It was an IP-tables module problem.
zen_seeker
DD-WRT Novice


Joined: 16 Jan 2008
Posts: 23

Posted: Tue Jan 22, 2008 13:21
I've tried RC5, RC6.2, and the USB with camera image. All have MAC issues.

So I'm assuming no one read the attached PDF on the Linksys WRT350N as no one commented on it. It explains on page #37 how Allow works.

This also leads me to believe that it is a coincidence that the word Allow was used on DD-WRT and that it does not function the same way.

I've returned this unit as the stock software is buggy, as are most 3rd party images I've tried. I'll look for a better model or a more opensource ready model. I'd just prefer to have a GB router rather than a router and GB switch side by side.

I have a DI-614 and DI-624+. The first sucks…the second sucks a little less. I have no more outlets in this location as I've filled two powerbars and an extension cord so a single good router with GB is what I need. (Under $200 on sale would be my buy point.)

X-wrt, OpenWRT, DD-WRT, or stock firmware are all options as long as the router works and is near production quality.

What products are known to meet this level, have GB switch, and can be bought locally anywhere? (Cisco would be great but $$$ I don't have.)

Recommendations now that Buffalo are on hold?