
Access restriction problem with original firmware 4.20.6 ...

Discussion in 'Cisco/Linksys Wireless Routers' started by moko, Aug 17, 2005.

  1. moko

    moko Network Guru Member

    Hello all,
    A few days ago I bought my TOY (WRT54G hw_ver2.2) because I would like to share the internet with my kid.
    I have loaded the new firmware from Linksys, number 4.20.6, and started playing with the configuration.
    Generally I had no problems except for access restriction - I couldn't configure a restriction for my kid; it seems to be complicated because I have no idea how this filtering works.
    I tried to create rules like for a firewall but in the end none of us had access ...
    Maybe somebody knows what the main rule for configuring this is - "everything is allowed that isn't forbidden" ???
    Why does the configuration offer "allow" and "deny" when without any rules everything is allowed?
    For me this is strange, or I am missing something important.
    I would like to configure a simple restriction for the kid's PC (MAC) to access the internet within a range of hours and block the rest of the MACs (except mine).
    Forgive me for this stupid question but I'm a beginner with Linksys and I would like to know the philosophy to solve my unique (or not) problems ...
    Thanks in advance for any advice ...
     
  2. 4Access

    4Access Network Guru Member

    I've never actually tested the Access Restrictions so I can't guarantee this will work but I suggest you try something like the following:

    Configure rule 1 like this:

    [​IMG]

    Rule 2 like this:

    [​IMG]

    And Rule 3 Like this:

    [​IMG]

    Configure rule 1 with your MAC address. Rule 2 with your kid's MAC address. And rule 3 with the IP address range of 192.168.1.1 - 192.168.1.255. (Assuming you are using the default IP addresses for your network.)

    Please let me know if this works. Good luck!
     
  3. moko

    moko Network Guru Member

    Thank you for the advice.
    I tested this yesterday.
    Unfortunately it doesn't work - the 3rd rule blocked all traffic to the internet. I tried various combinations of the 1st and 2nd rules and it seems that only the 2nd rule works with the kid's MAC.
    The main difficulty for me is how to block the rest of the possible connections.
    The solution could be static DHCP (maybe you have tested alternative firmware for the WRT54G?) or a WLAN restriction for the exact MAC if a WLAN card is installed in the kid's PC.
    Anyway, thank you for the help - if you have another idea how to solve this problem, let me know.
     
  4. 4Access

    4Access Network Guru Member

    :???: When you say "blocked all traffic to the internet" do you mean just for your son or did it also affect you?

    I think I made a mistake when I put together the rules above but I need to know the exact symptoms before I can fix it since I'm still not sure how the logic of multiple rules affect each other.

    I would expect that traffic gets compared to each rule one at a time starting with rule 1 and that the 1st rule that matches is applied and no more rules are checked for that particular packet... If that's the case then assuming you correctly configured Rule1 you should have always been able to access the internet... but I could be wrong. I suppose it's possible that the last matching rule is applied but that really wouldn't be efficient... :eyebrow:

    I'm curious so we'll get to the bottom of this. :)
     
  5. elconejito

    elconejito Network Guru Member

    I don't know if Linksys operates the same way, but when I used to work with Windows servers a few years ago, the rule on permissions was that "deny" always took priority over "allow". Maybe the same applies here...
     
  6. moko

    moko Network Guru Member

    This rule blocked all traffic for the kid as well as for me!
    :sad:
    It seems that the Access Restriction functionality on the router works rather like a simple filter - my guess is that flows go through all the rules and are accepted only if every rule accepts them (logical 1).
    In this case a restriction for an unknown MAC will be difficult to configure because it has to be physically written into a rule set to "deny".

    Anyway, I have no idea how to find a solution with a simple configuration ....
     
  7. 4Access

    4Access Network Guru Member

    Hmm... I just checked and confirmed that the rules work as I expected. (At least with the DD-WRT firmware. I don't believe there were any major changes made to the Access Restrictions though so the stock firmware should function similarly.) Specifically, all traffic is tested against the Access Restriction rules in order from 1 - 10 and the first rule that matches is applied, and no further rules are checked for that traffic. (I looked at the iptables rules and set up a few test rules here to confirm.)

    Since that's the case the only thing I can suggest is that you double check your first rule and make sure you specified your MAC address properly. (Alternately try using your IP address instead.) Also make sure you specified that the rule be enabled Everyday 24/7. Finally make sure the rule is enabled.

    Once you've got that squared away you'll need to change rule 2 from what I posted in my 1st reply to:

    [​IMG]

    Let me know how it goes.
     
  8. moko

    moko Network Guru Member

    I'm sure I didn't make a mistake with my configuration.
    But I thought it could be interesting to make a little test ...

    I made the 1st rule for my MAC address ALLOW for every day and 24h per day and the 2nd for the same MAC address DENY for every day and 24h per day, and what happened?

    According to your knowledge >>>

    it should be OK because all traffic from my PC matches the 1st rule.
    But the result turned out different - my internet connection came back only after I set the 2nd rule to DISABLE !!!
    Of course I tried to test more combinations, for example with a time restriction between 1:00am and 12:55pm because I had read about some bugs in another post on the forum - I didn't find any interesting results ...
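
Added example, not part of the original thread: a small Python model of the two rule-evaluation hypotheses raised above (first match wins, as 4Access describes for DD-WRT, and deny overrides allow, as elconejito suggests), checked against the ALLOW/DENY test moko reports for the stock firmware. The MAC address, the `Rule` class and all function names are constructed for illustration; the default of "allow" when no rule matches follows moko's first post.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    mac: str              # source MAC the rule applies to
    action: str           # "allow" or "deny"
    enabled: bool = True  # a disabled rule is skipped entirely

def _matching(rules, mac):
    """Enabled rules that apply to this MAC, in configured order."""
    return [r for r in rules if r.enabled and r.mac.lower() == mac.lower()]

def first_match(rules, mac):
    """Hypothesis A: rules are checked in order; the first match decides."""
    hits = _matching(rules, mac)
    return hits[0].action if hits else "allow"  # no matching rule => allowed

def deny_overrides(rules, mac):
    """Hypothesis B: any matching deny wins, regardless of rule order."""
    hits = _matching(rules, mac)
    return "deny" if any(r.action == "deny" for r in hits) else "allow"

MODELS = {"first-match": first_match, "deny-overrides": deny_overrides}

def consistent_models(observations):
    """Names of the models that agree with every (rules, mac, result) observation."""
    return [name for name, fn in MODELS.items()
            if all(fn(rules, mac) == seen for rules, mac, seen in observations)]

# Constructed placeholder MAC standing in for the tested PC.
PC = "00:11:22:33:44:55"
both_on = [Rule(PC, "allow"), Rule(PC, "deny")]                  # rule 1 ALLOW, rule 2 DENY
rule2_off = [Rule(PC, "allow"), Rule(PC, "deny", enabled=False)]  # rule 2 set to DISABLE

# What the test above reports: blocked with both rules on, access back with rule 2 disabled.
OBSERVED = [(both_on, PC, "deny"), (rule2_off, PC, "allow")]

if __name__ == "__main__":
    for name, fn in MODELS.items():
        print(name, [fn(rules, mac) for rules, mac, _ in OBSERVED])
    print("consistent with the reported test:", consistent_models(OBSERVED))
```

The same ALLOW-then-DENY pair for a single MAC is a quick way to tell which of the two behaviours a given firmware build implements.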
     
  9. moko

    moko Network Guru Member

    I'm disappointed with Access Restriction on Linksys. :thumbdown:
    Are you sure that your configuration works? Maybe some alternative software will have a better implementation of Access Restriction, or at least will work with my Linksys...?

    Anyway it will be a good experience to test alternative firmware - could you advise me which one has static IP (IP reservation for a defined MAC) and is stable enough? I have heard good opinions about Alchemy ...
    Have you heard about RADIUS implemented on Linksys with alternative firmware?

    Up to this moment I haven't found a solution yet but I will try any idea I can. If you have one - let me know. Thanks for the time spent and the ideas.
     
  10. 4Access

    4Access Network Guru Member

    Well all I know is during two testing sessions I set up multiple different rules on 2 routers and all rules worked as expected both times on both routers. So yes, I'd say I'm pretty sure my configuration works.

    Alchemy is good but I prefer DD-WRT.

    Do you mean, how well do the RADIUS wireless security features work on alternative firmware, or do I know of a firmware that includes a RADIUS server on the WRT? Regarding the 2nd question, tinyPEAP is the only firmware that I know of that includes a RADIUS server, although theoretically you should be able to get some of the OpenWRT packages to work with DD-WRT (and Alchemy?).
     
  11. penguin_2000

    penguin_2000 Network Guru Member

    Sorry to bring this up, but I was having same problem.

    Moko- did you get this to work? If so, how?

    I was chatting with Linksys support (not as helpful as I had hoped) and he said that any deny would supersede any allow, as "elconejito" mentioned... I can't figure out how 4Access got it to work but Moko didn't.
     
  12. 4Access

    4Access Network Guru Member

    I have a feeling that there may be a problem with the stock firmware. In another thread (link) someone else was having similar problems with HyperWRT and as soon as they switched to DD-WRT they were able to get the Access Restrictions functioning properly. I'd suggest giving DD-WRT a try and letting us know how it goes.

    Good luck.
     
  13. moko

    moko Network Guru Member

    OK 4Access, thanks for the suggestion - I will change the firmware to DD-WRT as soon as possible. In fact I had a plan to try alternative firmware and, if it could fix my problem, that will be another reason to do it.

    Sorry for the delay in answering - for the last two weeks I had no time to work on it. So, I will post the result in this thread ...
    :)
     
  14. moko

    moko Network Guru Member

    Last evening I tried to change the firmware from the original Linksys version 4.20.6 to DD-WRT version 22 final (file dd-wrt.v22_wrt54g.bin from the compressed package dd-wrt.v22-final.zip).
    From what I read in several posts on this forum it looks easy to do, but for me it ended in bricking my router (power LED blinking).
    I found out how to unbrick my WRT54G - I tried to recover it by loading the standard version of the firmware, WRT54GV3.0_3.03.6_US_code.exe - the result was good but the router didn't recover (http management not available).
    So, I tried to use tftp and upload other firmware, like Linksys 4.20.6 (the previous one) and Linksys 4.20.7 (the latest official one) - nothing changed, I could ping it but still without http access (power LED still blinking).
    I thought that I had made a mistake at the beginning when I chose the firmware dd-wrt.v22_wrt54g.bin, so I decided to upload dd-wrt.v22_basic_wrt54g.bin by tftp and ... surprise.
    I have got my router back (power LED stopped blinking) - I can access it by http !!!
    Bad news - I can access it by http only until I restart the router.
    After restarting the router the situation returns to what it was: power LED blinking and I can't access it by http (management and configuration interface)!
    I don't know what's going on - I repeated the same scenario 3 or 4 times and after restarting the router or resetting to factory defaults I lost it each time.
    Could somebody help me ..... ?
    What should I do to permanently recover my router?
    What is the procedure for loading the dd-wrt firmware that avoids the problems described above?
     
  15. moko

    moko Network Guru Member

    ... I have decided to change the subject for my current problem and move it to another place = to the thread about DD-WRT firmware on this forum with the subject "bricked WRT54G after upload dd-wrt v22 final ...".

    Thank you 4Access for the help with the access restriction problem, and please help me with the new one :cry:

    It would be great if you would head over there and take a look with your experienced eye ...
     
