
Access restriction question

Discussion in 'Cisco/Linksys Wireless Routers' started by scuba_steve, Sep 18, 2007.

  1. scuba_steve

    scuba_steve LI Guru Member

    Well, I tried searching, but I am new here so I may have missed an obvious location for the answer, so I'll apologize in advance and ask away:

    My wife and I have used the access restrictions capability in our WRT54G (Firmware Version: v2.02.7) to limit our daughter's access to the internet...and it works great, i.e., the internet is disabled between 9pm and 5am on school nights (Su-Th) and disabled between 12am and 5am on weekend evenings (F and Sa).

    We now want to extend this capability. We have agreed with our daughter that she will no longer access several social sites (e.g., myspace) on school nights...and she has agreed...and while we trust her and monitor her, we also want the router to enforce the policy.

    So...any idea if this configuration is possible with different firmware? My Linksys router's config pages give me up to 10 different access restriction definitions...but they seem to be mutually exclusive between time-based and site-based...and I need a definition that includes both sets of restrictions (e.g., block myspace from Sunday at 7pm until Friday at 3pm, but allow other sites). If it could enforce the rule for just one MAC address, that would be great too, but it's not an absolute requirement. Any ideas?


  2. scuba_steve

    scuba_steve LI Guru Member

    Okay, well I patched the firmware version to official Linksys version v4.21.1, which is supposedly the appropriate version for my V2 router...and the access restrictions are still limited. In fact, they don't even work as advertised.

    I tried to create the first definition to be an "allow" rule for 24 hours a day and 7 days a week for all IPs in the range 0 to 254 and it does not circumvent the other rules (yes, I enabled the rule :) ). The goal was to get this rule to work and then add my PC's MAC address so that it was exempt from the balance of the rule definitions, but it doesn't work even without the MAC address.

    Man, is there any router (or third-party firmware) that actually has access restrictions that work? I see posts by numerous others with similar complaints. The implementation does not seem like rocket science...but it does not appear that Linksys can make even the limited functionality that they provide work properly...let alone provide me with a capability to block only certain sites during a predefined time window. :mad:

    This is what I do have working:

    Rule 7 - block facebook and myspace for all PCs
    Rule 8 - block internet access for all PCs between 9 and 11:55 on Su, Mo, Tu, We, and Thu
    Rule 9 - block internet access for all PCs between 12:00 AM and 5 AM every day

    (rules 1-6 and 10 are blank)

    What I want is:

    - Rule 1 that allows my PC (by MAC address) to be exempt from these rules. I can create this rule, but the router ignores it.
    - Rule 7 to be time- and day-based for those two domains (rather than being in effect 24 hours a day, 7 days a week). The router does not allow me to create this one - time and site are mutually exclusive.
  3. scuba_steve

    scuba_steve LI Guru Member

    Okay...my internal monologue continues. What I have learned (feel free to correct me):

    - A "deny" rule will not work unless you click on the "Edit List of PCs" button and *either* specify all IPs to be denied, a range of IPs to be denied, or one or more MAC addresses to be denied. If I want the rule to apply to all PCs, I set the IP range to 0-254 and leave everything else alone in this window for that rule definition. If I leave the window in its default state (i.e., no MAC addresses and IP ranges set to 0-0), the rule will not work.

    - You may leave the IP range set to 0-0 if you add one or more MAC addresses that should be denied.

    - "Allow" rules just don't seem to work in any way...even when they show up first in the "set".

    I managed to get around my desire for a rule 1 by modifying rules 8 and 9 to specify my daughter's MAC address only...and leaving the IP range to 0-0. I am still screwed on my desire for rule 7...so I am still looking for better firmware if you folks have any ideas. Until then, I'll be manually disabling and enabling rule 7 once each week. :thumbdown:

  4. ifican

    ifican Network Guru Member

    The allow rules are processed the same way; you have to edit the IP or the MAC of the PCs you want allowed (monitored) by the rule. I run Thibor's firmware so I can't speak for the stock, but I chose to block myspace.com for a certain time period and allow everything else and it worked (blocked) myspace until the time limit was reached and then allowed myspace traffic as normal.
  5. mstombs

    mstombs Network Guru Member

    I recognize the rule 7/ rule 8 gap allowing 5 minutes just before Midnight - so did my kids - couldn't find a way round this with Thibor! I can however tell you that Tomato fixes this one and allows a single overnight rule. Tomato also allows a rule to turn off wireless which I also use.

    Both HyperWRT Thibor and Tomato extend the stock Linksys rules. I haven't tried your selective time/site block, but I recall the key bit of info needed to understand the rules is that they are checked in order, and if access is specifically allowed or blocked by an early rule the later rules are not evaluated.
  6. scuba_steve

    scuba_steve LI Guru Member

    Thanks for the responses guys.

    ifican, it took me a lot of trial and error, but I did find out that the list of PCs does not default to "all" for any rule and that you must specify either IPs or MAC address(es). I did specify these values for the "deny" rules and life was good, but I have had problems getting the "allow" rule to work. Not a huge deal, at least right now, since I can add her MAC address to the "deny" rules rather than adding my MAC address to the "allow" rules, but annoying (and perhaps limiting in the future) nonetheless.

    mstombs, yes, that five minute gap is annoying, but I am living with it. I would really like to get a firmware that supports time-based site blocking rules though. Makes me wonder if I am the only parent struggling to deal with myspace and facebook. :)

    I've been led to believe that Thibor's rules are more extensive, but the documentation that I have found is vague...and I am not looking forward to experimenting with firmware versions and potentially bricking my router if the firmware doesn't support what I need.

    BTW, I found out about the sequential rule application behavior the hard way...through frustration...but thanks for the heads up. :thumbup:

    Thanks again for the responses guys. I really appreciate it.

  7. mstombs

    mstombs Network Guru Member

    I ran the latest version of Thibor for a year before starting to 'play' with Tomato (on a WRT54GS v1.1 and v4; I've never 'bricked' them, YMMV!). HyperWRT Thibor is a natural extension of the Linksys web screens; for me, static DHCP on its own was a reason never to go back to stock firmware. I agree the access rules are quirky - I resorted to looking at the Linux "iptables" and "cron" commands (only with 3rd party firmware) to understand what was actually being implemented, as actual time tests are tricky and not exhaustive! I'm sure there were repeatability issues but I was never able to reliably reproduce a fault - I suspect DNS/web caching is an issue on both the test PC and the router - usually things work when both are rebooted!

    The Tomato web interface is new and fresh, but the underlying codebase is similar to Thibor, and it allows me to make better use of my router flash memory as a writable partition so I can add things like host advert blocking etc... I currently only have time/day based deny access rules - but would really like to change these to allow - suspect it's now easy to change MAC or IP address...

    Edit: I created a single rule in Tomato to block myspace and facebook between 20:00 and 20:30 - worked first time pdf of screens attached - don't think you need to look further!

  8. scuba_steve

    scuba_steve LI Guru Member

    Wow! mstombs you rock! Thanks so much! Tomato it is!

  9. mstombs

    mstombs Network Guru Member

    Hope it works for you too!

    I had a poke around to see how it was implementing the rules. You can only specify times in 30 minutes slots, and every 30 minutes a 'cron' task is run - presumably to changeover the rules if necessary.

    For my new selective rule anything from my IP address was diverted through a specific 'iptables' filtering chain - I didn't touch all the optional advanced features which appear to be a simple GUI to the standard Linux OS commands (a good pedigree).

    So my expectation is that the Tomato access rules are more independent / less sensitive to the order entered than Linksys - the only criticism is that they are not that well documented on the FAQ (http://www.polarcloud.com/tomatofaq#in_the_access_restriction_page) / Wiki (http://en.wikibooks.org/wiki/Tomato_Firmware#QoS_.2F_Access_Restrictions_Notes)!
  10. scuba_steve

    scuba_steve LI Guru Member

    Wow...mstombs, Tomato rocks! I just installed it and it looks like it has EVERYTHING that I need. This firmware is a MUCH better choice than the stock Linksys firmware for parents looking for more flexible access restriction rules...and it even allows you to define rules that span midnight :thumbup:

    I haven't tested all of my rules yet, but so far it looks great! The only issues that I have noted thus far are:

    1) The order of the rules appears to be alphabetical in the access restrictions list view...so I am not sure if it will apply the most restrictive, least restrictive, or...? I guess I'll find out.

    2) I bricked my router when I first installed the firmware. No idea why. I used the web-based Linksys utility to perform the upgrade. It got 30 secs into the upgrade and then showed a browser message box stating "the document contains no data"...and then followed a minute or so later with another message box stating (in broken English) that the upgrade had failed. I tried all of the power and reset tricks to get the router back, but no dice. I finally assigned a static IP to my PC and used TFTP to push the standard Linksys firmware back in...and I got it back...and then used the web-based Linksys utility a second time...and this time things went great. Minor panic, but all is well now.

    Thanks again! :thumbup::thumbup:
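
Added example, not part of any post in this thread and not firmware code: a small Python model of the time-window rules discussed above. It shows the five-minute gap before midnight left by the stock-style rule pair (rules 8 and 9), the single overnight rule that closes it, and a combined time-and-site rule. The `BlockRule` class, the helper names and the 19:00 start of the site rule are assumptions made for illustration.

```python
# Constructed model of time-window block rules; not Linksys or Tomato code.
from dataclasses import dataclass

DAYS = ["Su", "Mo", "Tu", "We", "Th", "Fr", "Sa"]

def hm(text):
    """'23:55' -> minutes after midnight."""
    h, m = text.split(":")
    return int(h) * 60 + int(m)

@dataclass(frozen=True)
class BlockRule:
    days: tuple            # days on which the window starts
    start: int             # minutes after midnight
    end: int               # end <= start means the window runs past midnight
    sites: tuple = ()      # empty tuple = block all traffic

    def matches(self, day, minute, site):
        if self.sites and site not in self.sites:
            return False
        if self.start < self.end:  # window stays within one day
            return day in self.days and self.start <= minute < self.end
        prev = DAYS[(DAYS.index(day) - 1) % 7]  # window wraps into the next day
        return (day in self.days and minute >= self.start) or (
            prev in self.days and minute < self.end)

def open_minutes(rules, day, start, length, site="any.example"):
    """Minutes of an intended curfew (start day/minute, length in minutes)
    during which no rule blocks `site`. Returns a list of (day, 'HH:MM')."""
    out, d = [], DAYS.index(day)
    for t in range(start, start + length):
        cur_day, minute = DAYS[(d + t // 1440) % 7], t % 1440
        if not any(r.matches(cur_day, minute, site) for r in rules):
            out.append((cur_day, f"{minute // 60:02d}:{minute % 60:02d}"))
    return out

SCHOOL = ("Su", "Mo", "Tu", "We", "Th")
# Stock-style pair from the thread: no window crosses midnight, rule 8 stops at 23:55.
stock = [BlockRule(SCHOOL, hm("21:00"), hm("23:55")),
         BlockRule(tuple(DAYS), hm("00:00"), hm("05:00"))]
# Single overnight rule, as the thread says Tomato allows.
overnight = [BlockRule(SCHOOL, hm("21:00"), hm("05:00"))]
# Combined time + site rule (the wanted "rule 7"); the hours are assumed.
social = [BlockRule(SCHOOL, hm("19:00"), hm("05:00"), ("myspace.com", "facebook.com"))]

if __name__ == "__main__":
    print("stock gap:", open_minutes(stock, "Su", hm("21:00"), 480))
    print("overnight gap:", open_minutes(overnight, "Su", hm("21:00"), 480))
    print("site rule, Mo 20:00:", open_minutes(social, "Mo", hm("20:00"), 1, "myspace.com"))
```

Running the same `open_minutes` check over every curfew in a rule set is a quick way to audit a schedule for unintended gaps before relying on it.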
