At present I am using Access Restrictions on WRT54GSv1.1 and WRT54GL1.1 with v24 06/20/2007. Any later build and I was finding poor radio operation.
Policies 1 to 9 Allow (Filter) Timed Access by MAC address and sometimes by IP for 5 x 1 hour 57 minute slots
(9 to 1057),
(1100 to 1257),
(1300 to 14.57)<---This Allows ALL the clients by IP address (other Policies by MAC+Some IP's)
etc up to 1857
plus 4 x 57 minutes slots
(1900 to 1957),
(2000 to 2057) etc up to 22.57
starting at 0900 and finishing at 2257.
Policy 10 Blocks Internet Access Now From 0857 to 2300 hours using ONLY IP addressing
Last Spring I was able to use BLOCK 0900 to 2300 and it worked. I found at that time I could not Start a policy at the same time as another Allow as it was unreliable at switching out clients using in particular Skype at that moment(?)
To facilitate reliable switching out of clients and enabling new ones I introduced a 3 minute delay (2 seemed a bit flaky).
This Autumn I was having problems with the newer build as the 0900 to 1057 clients were not being switched in reliably if connected at 0900 if at all.
Answer was Block from 0857 to 2300.
Now they switch in at 0900 even if connected before 0900. They get a 3 minute break.
I tried to be clever and get rid of the 3 minute break on some time blocks i.e. I tried extending (1100 to 1305) and (2200 to 2305) this caused no break but just switched out the connected clients. The client(s) connected at 2300 could not make contact again until the following morning when the router had reset. Or so he reported on several occasions.
I will be using Access restrictions with Just IPs when I am sure I can get Static IP addressing to work for around max 40 clients. I had problems after 27. It made a real mess of the router functions even after a reset. I had to reflash it.
Since then I read more postings about Static IP addressing.
I have one Secondary AP (LAN connected) by a Wireless Client Routed WRT which passes on IPs to the Wireless Clients reliably.
The Access Restrictions work on these Wireless Clients (or seem to) only with IPs, NOT MAC addressing.
The Primary AP's Access Restrictions work with MAC or IP addressing.
Apologies for the length and hope it helps someone.
Last edited by Dan on Tue Aug 26, 2008 19:14; edited 1 time in total
Hmm.....I see...thanks Eko....now I know that Access Restrictions are both "Deny", just function differently. But honestly, not much help in many cases since we need "Allow" (Whitelisting) function more. Oh well, hope that will be implemented soon. Thanks.
I too would need some kind of "Allow" function because I would like to achieve the following:
- Basically Deny Access 24/7 for specified MAC(s) and/or IP(ranges)
- Define "Allow access" periods for specified time, MAC or IP (unique or range).
- Easy switch on/off of Allow/Deny rules to anticipate on "ad hoc" needs.
Problem now is that for allowing access from 6pm - 9pm every day I have to set up 2 deny rules from 0pm - 6pm and 9pm - 12pm and need to change both for "ad hoc" situations.
Did not manage to get this working with original Linksys firmware and hoped this would be possible with DD-WRT (which I am planning to upload this evening).
So I have a question about the wan access restrictions..
I think you all know MAC Filters..
I want to block WAN for all Computers connected with the Router.. and only allow few MACs to use WAN.
Without the Allow option I don't know how to do this..
Do you have any ideas?
Posted: Sun Aug 10, 2008 6:44 Post subject: Deficiency in how access restrictions are done
I'm hoping we can resurrect this thread, because I'm having the same problem. I want to allow two MAC addresses from my network to access the WAN (no others). The only way I've figured out to do it is by assigning the MAC addresses to static IP's and then not blocking them on a rule that filters HTTP, HTTPS, etc. for all other IP addresses.
However... this isn't really what I want to do. A user could spoof the IP address or set their machine to the allowed IP address. I really want to do this by machine MAC address.
Posted: Tue Aug 26, 2008 20:47 Post subject: Re: Deficiency in how access restrictions are done
randyj.crowder wrote:
However... this isn't really what I want to do. A user could spoof the IP address or set their machine to the allowed IP address. I really want to do this by machine MAC address.
Any ideas?
MAC can be spoofed too. :?
But I see your point. DD-WRT needs whitelist feature.
In whitelisting, you specify things you want to allow rather than things you want to deny or filter.
The only other way I can think to do this is manually with iptables. It would be nice for a GUI option someday.
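One way the iptables approach mentioned above could look, as an added example that is not from any poster in this thread: a script that prints (but does not run) the rules for a default-deny WAN whitelist keyed on MAC address, with an optional daily time window per entry. The LAN bridge `br0`, the WAN interface `vlan1`, the chain name `wan_allow` and the sample MAC addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Prints iptables commands for a
# default-deny WAN whitelist keyed on MAC address; nothing is executed.
# Assumptions: LAN bridge br0, chain name wan_allow (hypothetical), and an
# iptables build with the mac and time matches. The router clock must be set.
LAN_IF="${LAN_IF:-br0}"

# valid_entry ENTRY: succeeds only for MAC or MAC,HH:MM-HH:MM, so no
# unexpected characters can reach the generated commands.
valid_entry() {
    printf '%s\n' "$1" | grep -Eq \
      '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}(,[0-2][0-9]:[0-5][0-9]-[0-2][0-9]:[0-5][0-9])?$'
}

# gen_whitelist WAN_IF ENTRY...
gen_whitelist() {
    wan_if="$1"; shift
    # Validate everything first so a bad entry yields no partial rule set.
    for entry in "$@"; do
        if ! valid_entry "$entry"; then
            echo "invalid entry: $entry" >&2
            return 1
        fi
    done
    echo "iptables -N wan_allow"
    for entry in "$@"; do
        match="-m mac --mac-source ${entry%%,*}"
        case "$entry" in
            *,*) window="${entry#*,}"
                 match="$match -m time --timestart ${window%-*} --timestop ${window#*-}" ;;
        esac
        echo "iptables -A wan_allow $match -j ACCEPT"
    done
    # Anything not matched above is dropped: this is the whitelist's default.
    echo "iptables -A wan_allow -j DROP"
    # Only LAN-to-WAN forwarding is sent through the chain.
    echo "iptables -I FORWARD -i $LAN_IF -o $wan_if -j wan_allow"
}

# Constructed sample: one always-allowed MAC, one allowed 18:00 to 21:00.
gen_whitelist vlan1 "00:11:22:33:44:55" "66:77:88:99:AA:BB,18:00-21:00"
```

The mac match sees only the layer-2 sender, so clients behind a routed device arrive with that device's MAC and have to be matched by IP instead.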
Feature request: I want to be able to add PC's from other subnets handled by the router, as it is now its predefined ie 192.168.1.XXX in AR list.
Of course, it can be done directly with IP tables, but, for the completeness...
While waiting for this, or for a whitelist feature too, is there anyone that can aid in the creation of an iptables rule catching all P2P for a given host? Just like the UI choice checkbox, but so I can add a PC from ie 10.10.10.x subnet instead of the router's local LAN subnet.
You want a feature called whitelist or allow rules
AR worked in a way that I found very useful in v23 and for some routers in earlier versions of v24.
Indeed for the last 18 months I've had 2 routers in different locations merrily letting different users in at certain times of the day so we could allow a maximum of 6 simultaneous PCs on a 1.5Mbit/sec ADSL line.
I did this by applying fixed IP addressing to each user.
AR then had rules 1 -9 to allow various IPs Access through the filters to the Internet for timed periods.
Rule 10 was the Global Deny which blocked ALL IPs provided the IP was not included in rules 1-9.
What you seem to be saying is that at some stage this was changed?
I would appreciate further advice as to when this was and to how I can help to get later versions of v24 to operate this way.
Still having problems with Access Restrictions? You may be using an older and no longer maintained version of DD-WRT firmware. In that case, it may help to review the steps in an older revision of this article, before it was modified for use with DD-WRT v24+
It would be helpful if this was made more prominent.
Someone must know when this apparent change in use from an ordered processing of policy so that the higher policy had priority took place in v24.
Posted: Thu Nov 06, 2008 19:37 Post subject: hey can you help me
Hey, can you help me? I want to configure my router with dd-wrt buffalo V23 sp2 09/13/06 special so that it suspends the internet service to the PCs that are in my network every 20th of each month at 12:59 p.m. and does not give more access until I authorize it, until the next 20th at 12:59 the following month. I appreciate all the cooperation you can give ...
Posted: Thu Nov 20, 2008 17:00 Post subject: DD-WRT and Access Restrictions on a Linksys WRT54G v8 Router
Hi,
I’ve been playing around with the Access Restrictions on a Linksys WRT54G (version 8 hardware) with the Linksys firmware and I’ve had enough.
I’m ready to give DD-WRT a try.
However, before I get to it (and potentially brick my router), I need to know if I can set up the following access restrictions for one specific MAC address:
1) Deny all internet access from 10:00pm to midnight
2) Deny all internet access from midnight to 6:00am
3) Allow unrestricted internet access from 6:00am to 7:00am
4) Allow access to most of the internet, but not Facebook, MySpace, YouTube, etc (for school work only) from 7:00am to 4:30pm
5) Allow unrestricted internet access from 4:30pm to 6:00pm
6) Allow access to most of the internet, but not Facebook, MySpace, YouTube, etc from 6:00pm to 10:00pm
I can currently get rules 1 and 2 to work just fine with the Linksys firmware, but I can't get the other rules to work properly because of the lame way that they are handled. Basically, if someone tries to use the internet on this computer after 7:00am they can't get access, even limited access, because no rules after #3 get processed.
Anyway, from what I've read here, I may be able to get this all working with DD-WRT, but I thought I'd run it past the gurus first before I attempt it.