
Access Restriction Confirmation?

Discussion in 'Tomato Firmware' started by Heather22, Oct 5, 2009.

  1. Heather22

    Heather22 Addicted to LI Member

    Hi ALL!
    I have a Linksys WRT54G-TM running Tomato 1.25
    I set up a rule on my router..
    This rule disables WIFI from 10pm - 10am everyday.
    My question is this..
    Is there a way I could confirm the rule has taken effect on a machine used by my sister? Her computer is in her room.
    I am testing this with a different device now, and it is successfully disabling the internet. The problem is I would not know it is taking effect if the test device were not right next to me.
    The "Device List" shows a static IP address with a wifi signal.
    So it looks like internet access is running although it is not.
    I could ping my test device when internet access has been stopped, so that does not help either! =(
    I need to confirm it is not running somehow. The log file is not enough to convince me. HELP!
  2. gawd0wns

    gawd0wns LI Guru Member

    You can monitor for usage using the Bandwidth monitoring options. Again, this will not tell you if the computer has access or not, it will allow you to see if data is being transmitted over WAN or LAN/wifi. This can be difficult if the laptop uses network resources, like a file server, or network shares. If not, it should be easy to tell if the laptop is transmitting or receiving data, which can only point to internet use.
  3. Heather22

    Heather22 Addicted to LI Member

    Thank you for your reply Gawd0wns!
    The ability to see if data is being transmitted would be excellent.
    If any data is being transmitted I assume my rule has not performed.
    How could I do this in bandwidth monitoring options?
    The device I am restricting is an Ipod Touch.
    I am removing the internet access from just that device from 9pm - 10am every night through morning.
  4. Heather22

    Heather22 Addicted to LI Member

    I mean, I know how to go into bandwidth monitor, but how can I single out that 1 specific connection? I have MAC filtering enabled and I use static IP, no DHCP.
  5. TVTV

    TVTV LI Guru Member

    Now this is plain weird. I've tried disabling my 54GL's wireless AFTER connecting my lappie to it, and even though my lappie cannot find my network and has lost internet access, the router still shows it as connected, with a wireless signal strength meter and all that jazz, even after a few refreshes. I believe that this is a bug and I will report it to Jon.

    So, to answer your question, Heather, even if your sister's computer appears as connected and has a wireless signal strength meter between the hours that the access restriction is in effect, wireless is in fact turned off and she cannot access the Internet.

    There is a way to track down bandwidth usage of a single user on the router, but that will require you to insert a script into the router's script page (Administration -> Scripts -> Firewall). I also advise you to set a static IP address for that user as well.
    modprobe imq
    modprobe ipt_IMQ
    ip link set imq0 up
    iptables -t mangle -A POSTROUTING -d xxx.xxx.xxx.xxx -j IMQ --todev 0
    ip link set imq0 up
    iptables -t mangle -A PREROUTING -s xxx.xxx.xxx.xxx -j IMQ --todev 0
    Replace xxx.xxx.xxx.xxx with your sister's IP address and reboot the router. Afterwards you should see an "IMQ0" tab in the graphs under the bandwidth monitoring page. That will show some traffic if your sister's PC is making any.
    Under normal Tomato, you can add up to 2 IMQs - 0 and 1. Trying to set more than two may brick the router. Victek has issued a version of 1.23 RAF under which up to 16 IMQs could be added.
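
Added example, not part of TVTV's post: the two IMQ rules above also keep per-rule byte counters, so two snapshots of `iptables -t mangle -L -v -n -x` taken a while apart show whether the restricted address moved any packets in between. The function names, the address 192.168.1.50 and the sample counters are constructed for illustration, and the column layout is assumed to be the standard iptables listing.

```shell
#!/bin/sh
# Sum the byte counters of the IMQ rules that match one address in one direction.
imq_bytes() {   # imq_bytes IP src|dst SNAPSHOT
    printf '%s\n' "$3" | awk -v ip="$1" -v dir="$2" '
        $3 == "IMQ" && ((dir == "src" && $8 == ip) || (dir == "dst" && $9 == ip)) { sum += $2 }
        END { printf "%d\n", sum }'
}

# Bytes counted between two snapshots. Counters restart at zero after a reboot,
# so a smaller AFTER value is treated as a reset and reported as-is.
delta() {       # delta IP src|dst BEFORE AFTER
    before=$(imq_bytes "$1" "$2" "$3")
    after=$(imq_bytes "$1" "$2" "$4")
    if [ "$after" -lt "$before" ]; then echo "$after"; else echo $((after - before)); fi
}

# mangle PREROUTING counts packets before any filter rule drops them, so "up"
# also counts blocked attempts; "down" counts only packets sent on to the device.
verdict() {     # verdict IP BEFORE AFTER
    up=$(delta "$1" src "$2" "$3")
    down=$(delta "$1" dst "$2" "$3")
    if [ "$down" -gt 0 ]; then echo "two-way up=$up down=$down"
    elif [ "$up" -gt 0 ]; then echo "outbound-only up=$up down=0"
    else echo "silent up=0 down=0"; fi
}

# Constructed stand-in for the iptables listing (address and counts are made up).
sample_snapshot() {   # sample_snapshot UP_BYTES DOWN_BYTES
    cat <<EOF
Chain PREROUTING (policy ACCEPT 5000 packets, 400000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120 $1 IMQ        all  --  *      *       192.168.1.50         0.0.0.0/0           IMQ: todev 0

Chain POSTROUTING (policy ACCEPT 4000 packets, 900000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     200 $2 IMQ        all  --  *      *       0.0.0.0/0            192.168.1.50        IMQ: todev 0
EOF
}

verdict 192.168.1.50 "$(sample_snapshot 14400 250000)" "$(sample_snapshot 15300 250000)"
# On the router: B=$(iptables -t mangle -L -v -n -x); sleep 600;
#                A=$(iptables -t mangle -L -v -n -x); verdict <device IP> "$B" "$A"
```

A "two-way" result shows packets were delivered to the device, which includes traffic from the LAN or the router itself, so it indicates activity rather than Internet access specifically.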
  6. Heather22

    Heather22 Addicted to LI Member

    Thank you so much! I will insert your script tonight =)
    I just converted to Tomato from DD-WRT after a year of use.
    There is one more I am testing now called Gargoyle Open -WRT
    Thank you so much for your help again!
  7. Planiwa

    Planiwa LI Guru Member

    If you want to disable WiFi, you can verify that by observing the router's Wlan LED.

    If you want to restrict access by MAC address, then that is different from disabling WiFi. The radio needs to continue to send and receive, if for no other reason than to enable the router to determine the MAC address of the clients.

    It may help you to think about the different states of "connection" between a WiFi client and an access point:

    1. Network Discovery (We have a signal)
    2. Authentication (What's the password?)
    3. Association (Client is authenticated, but not yet routable on the LAN)
    4. Routing (Address Assignment) (We have a LAN IP address and are routable)

    Also, distinguish between a client MAC address having a fixed (reserved) LAN IP address, having a lease, and actually being "on line" to the LAN.

    You will want to learn about arp and arping, which can be very useful commands.

    You may find this command helpful: "wl assoclist"

    The log contains very valuable information. It is well worth learning how to read it. The dnsmasq-dhcp entries contain your answer in detail. Look particularly at the router's response to the client's DHCPDISCOVER or DHCPINFORM messages.
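
Added example, not part of Planiwa's post: a small classifier that separates the association and routing states listed above, using the output of `wl assoclist` and the router's ARP table. The function name, MAC addresses and IP addresses are constructed; it assumes `wl assoclist` prints one `assoclist <MAC>` line per client and that the ARP table is read from /proc/net/arp.

```shell
#!/bin/sh
# client_state MAC ASSOCLIST_TEXT ARP_TEXT
#   ASSOCLIST_TEXT: output of `wl assoclist`
#   ARP_TEXT:       content of /proc/net/arp
client_state() {
    assoc=$(printf '%s\n' "$2" | awk -v m="$1" '
        $1 == "assoclist" && toupper($2) == toupper(m) { f = 1 }
        END { print f + 0 }')
    # /proc/net/arp columns: IP, HW type, Flags, HW address, Mask, Device.
    # Flags 0x0 marks an incomplete entry (no reply to the ARP request).
    arp=$(printf '%s\n' "$3" | awk -v m="$1" '
        toupper($4) == toupper(m) && $3 != "0x0" { f = 1 }
        END { print f + 0 }')
    if [ "$assoc" -eq 0 ]; then
        # An ARP entry can outlive the radio link, so association decides first.
        echo "not-associated"
    elif [ "$arp" -eq 0 ]; then
        echo "associated-no-lan-address"
    else
        echo "associated-on-lan"
    fi
}

# Constructed sample data (MAC and IP addresses are made up).
SAMPLE_ASSOC='assoclist 00:1C:B3:AA:BB:01
assoclist 00:1C:B3:AA:BB:02'
SAMPLE_ARP='IP address       HW type     Flags       HW address            Mask     Device
192.168.1.50     0x1         0x2         00:1c:b3:aa:bb:01     *        br0
192.168.1.51     0x1         0x0         00:00:00:00:00:00     *        br0
192.168.1.60     0x1         0x2         00:1c:b3:aa:bb:03     *        br0'

client_state 00:1c:b3:aa:bb:01 "$SAMPLE_ASSOC" "$SAMPLE_ARP"
client_state 00:1c:b3:aa:bb:02 "$SAMPLE_ASSOC" "$SAMPLE_ARP"
client_state 00:1c:b3:aa:bb:03 "$SAMPLE_ASSOC" "$SAMPLE_ARP"
# On the router: client_state "$MAC" "$(wl assoclist)" "$(cat /proc/net/arp)"
```

This confirms a rule that turns the radio off; a restriction by MAC address leaves the client associated, so "associated-on-lan" is expected there even while the block is active.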
  8. TVTV

    TVTV LI Guru Member

    Heather, one more question: which method are you using to cut off your sis' Touch? "Disable Wireless" or "Block All Internet Access"? I gather, from your first post, that you're using "Disable Wireless". If you're using "Block All Internet Access", you may see some traffic from the blocked computer, even though it will not be able to go through to the Internets.
