
Access Restrictions

Discussion in 'Tomato Firmware' started by der_Kief, Oct 20, 2006.

  1. der_Kief

    der_Kief Super Moderator Staff Member Member

    Hi @ all,

    Can someone explain to me how the Access Restrictions in Tomato work? Is it the same way as in DD-WRT?

    This is from the DD-WRT WiKi:
    Policies are processed in order. This is an important item to remember when creating Deny policies. For example, if Policy #1 is a Deny policy that restricts all internet access for your entire network, no machines will be able to access the internet regardless of any Allow policies you might have in spots 2-10.

    For example, I want to restrict a specific IP:
    Monday - Thursday 6.00am - 10.00pm ALLOW
    Friday 6.00am - 0.00pm ALLOW
    Saturday all day (24h) ALLOW
    Sunday 0.00am - 10.00pm ALLOW
    all other times -> DENY

    What's the best way to implement this in Tomato?
    Hope someone can help me.

  2. canis

    canis Network Guru Member

    I tried nearly everything with the Tomato access restrictions.
    It seems to work completely differently from the Linksys / DD-WRT system. If something is denied, there seems to be no way to override this restriction by another rule.

    I'm using Tomato now, because it has double the speed on the WAN interface compared to DD-WRT, which is very important for me.
  3. der_Kief

    der_Kief Super Moderator Staff Member Member

    I totally agree. You can only create deny rules; there is no way to create allow rules. In this respect DD-WRT is a little more comfortable. But for my requirements the Access Restrictions from Tomato are absolutely enough :)

  4. canis

    canis Network Guru Member

    Possibly it works; there seems to be a very simple logic in it:
    The example rule shows that on specific days and times gateway access is allowed and certain services are forbidden.
    Apart from that, free access is possible for the rest of the day.
    Another rule can deny all gateway access, but it seems to be a fact that the times must not overlap.
    So far as only IPs are used?
  5. canis

    canis Network Guru Member

    Subject: Only MAC registered clients should have access

    OK, now it works, but not in a straightforward way.

    The rules seem to be iptables entries only, but the UI cannot translate everything as expected and there is a bug in Tomato: the startup script is definitely not executed, but the wanup script is.

    What I have done:
    1. Put an iptables command in the startup script, denying the whole free IP range (but it is not executed, so I put it in the wanup script), looking like:
    iptables -A OUTPUT -d <ip-address/mask> -j DROP
    which has to be repeated until everything is covered.
    2. Add an access restriction in the UI for specific MACs, allowing access by time and day. Because the translation is not correct, deny a website which is never accessed, for example something.com or something like this, or deny all P2P or whatever.
    3. Add an access restriction rule for the specific MACs denying all gateway access in the other times, which must not overlap.

    Every 30 minutes a cron job (cru) is executed, somehow switching the chains (better: the valid chains). This seems to be working well, but further testing is required here; maybe another bug is sitting here that does not switch off an invalid rule.

    It's working, but that's not the way.
    Maybe I should mail this to the author.
  6. Mercjoe

    Mercjoe Network Guru Member

    Ok, dd-wrt could be tricky. In DD-WRT you had to set up the rules in order of when to ALLOW a connection. Then the final rule (#10 usually) being a DENY ALL ACCESS rule. With DD-WRT I had the following rules.

    #1 Allow <mac address> Sun-Thur 8:00am-11:00pm
    #2 Allow <mac address> Fri-Sat 8:00am-11:59pm
    #10 Deny <mac address> all internet access.

    Those 3 rules were to restrict my teenager from the internet except for those times. DD-WRT rules are set up in such a way that once you meet the criteria for a rule it drops out of the access restriction. If a rule condition is not met then it goes down to the next rule till it finds one whose conditions are met and then executes the policy.

    I will give DD-WRT the nod in being more complete as you can set up access restriction that block services, port, and a whole host of combinations rather than being a simple on-off switch. The downside being that you could only have TEN rules.

    Tomato is EASY and the way it SHOULD be IMHO. Now you set up the port/mac/ip and set the times you do NOT want to have access. All other times are allowed.

    I now have:
    #1 Deny <mac address> 11pm-8am Sun-Thur
    #2 Deny <mac address> 12:00am-8:00am Fri-Sat

    That's it. When you set up a rule and tell it DENY with the radio button at the bottom of the ruleset you have done it. One more important thing to note here: DD-WRT rules do not work past midnight. If you want a rule that goes past that time you HAVE to create 2 rules. Tomato recognizes that past midnight. In fact, it reads for my rule #1 overview:

    11:00 PM to 8:00 AM (the following day).

    And yes, it works, much to my teen's disappointment.

    I hope this helps.
  7. Mercjoe

    Mercjoe Network Guru Member

    I'm sorry, I quoted the 2nd down and not you.
    If I am reading your DD-WRT rules correctly you want to allow access Mon-Thu 6am till 10pm, having unlimited access from 6am Friday till 10pm on Sunday, when you go back to limited access.

    I read it like this:

    Monday: 6am till 10pm
    Tuesday: 6am till 10pm
    Wednesday: 6am till 10pm
    Thursday: 6am till 10pm
    Friday: 6am on
    Saturday: all day
    Sunday: till 10pm

    Is this correct?

    If so then:

    Mon-Thur 10:00pm-6:00am Deny
    Sun 10:00pm-6:00am Deny

    I hope this helps. If someone can show me how to upload a picture I can just make the rules and show you how. It is easy once you see how it is done.
  8. der_Kief

    der_Kief Super Moderator Staff Member Member

    I have done it another way:

    Sun - Thur 10.00pm-0.00am(otherday) DENY
    Mon - Fri 0.00am-6.00am DENY

    I think this should also work!

    Also I put a rule (for the same IP as the other 2 rules) at the end of the list which denies all P2P traffic:

    all day - every day
    all IPP2P

    Does this work?

  9. canis

    canis Network Guru Member

    LOL! Update your teens?
    I have up to 12 kiddies and teens in the area here connected to our (outside) network and can't physically control what they plug in somewhere. And they always try a new way to block all upload capacity of both gateways with P2P; 2 of them are playing around with netmasks and so on to get unlimited access...
  10. der_Kief

    der_Kief Super Moderator Staff Member Member

    So, after playing a bit more with the Access Restrictions and the help from Mercjoe I figured out that for my requirements only one rule is enough!

    Su-Th 10.00pm-6.00am (the following day) DENY

    It looks like this:

    And here is the blocking P2P restriction:

    That's all. It's so easy :)

    Host your pics here -> http://www.imageshack.us/
    And put the given link in your post. Hope this helps.
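    The thread compares two ways of reading access rules: the DD-WRT style quoted in the first post (ordered allow/deny policies, first match wins, so a deny-all in slot #1 blocks everything) and the Tomato style (deny rules only, anything not denied is allowed). The schedule from the first post and the three deny-rule sets posted later (Mercjoe's two rules, der_Kief's two rules, and the single Su-Th 10pm-6am rule) can be checked against each other by evaluating every minute of the week under both models. The following Python is an added illustration written for this thread, not Tomato or DD-WRT code; the schedule and rules are taken from the posts above, and the minute-grid model is an assumption for the sake of the check.

```python
"""Model of weekly time-based access rules, as discussed in the thread.

Two evaluation models are compared on a one-minute grid over a week:
  * first-match allow/deny policy lists (DD-WRT style, as quoted above)
  * deny-only rule lists, where anything not denied is allowed (Tomato style)
This is an added illustration, not firmware code. The minute grid is an
assumption made here so that rule sets can be compared exhaustively.
"""
from typing import Callable, Dict, List, Set, Tuple

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
MINUTES_PER_DAY = 24 * 60
WEEK = 7 * MINUTES_PER_DAY


def hm(hour: int, minute: int = 0) -> int:
    """Minutes after midnight for a wall-clock time."""
    return hour * 60 + minute


def window(days: List[str], start: int, end: int) -> Set[int]:
    """Set of week-minutes covered by a rule on the given days.

    start/end are minutes after midnight. If end <= start the window runs
    past midnight into the following day, which is how Tomato shows it
    ("11:00 PM to 8:00 AM (the following day)"). Use end=hm(24) for a
    window that stops at midnight on the same day.
    """
    covered: Set[int] = set()
    for day in days:
        base = DAYS.index(day) * MINUTES_PER_DAY
        if end > start:
            covered.update(range(base + start, base + end))
        else:
            # wrap past midnight; % WEEK folds Sunday night into Monday
            covered.update((base + t) % WEEK
                           for t in range(start, MINUTES_PER_DAY + end))
    return covered


def deny_only(deny_rules: List[Set[int]], minute: int) -> bool:
    """Tomato style: allowed unless some deny rule covers the minute."""
    return not any(minute in rule for rule in deny_rules)


def first_match(policies: List[Tuple[Set[int], bool]], minute: int,
                default: bool = True) -> bool:
    """DD-WRT style: ordered (window, allow?) pairs; the first hit decides."""
    for win, allow in policies:
        if minute in win:
            return allow
    return default


def allowed_minutes(evaluate: Callable[[int], bool]) -> Set[int]:
    return {m for m in range(WEEK) if evaluate(m)}


# The requirement from the first post, as an ordered DD-WRT-style list:
# allow windows first, a deny-all in the last slot.
REQUIREMENT: List[Tuple[Set[int], bool]] = [
    (window(["Mon", "Tue", "Wed", "Thu"], hm(6), hm(22)), True),
    (window(["Fri"], hm(6), hm(24)), True),
    (window(["Sat"], 0, hm(24)), True),
    (window(["Sun"], 0, hm(22)), True),
    (set(range(WEEK)), False),  # final deny-all
]

# Tomato-style deny-only rule sets posted in the thread.
MERCJOE = [window(["Mon", "Tue", "Wed", "Thu"], hm(22), hm(6)),
           window(["Sun"], hm(22), hm(6))]
DER_KIEF_TWO = [window(["Sun", "Mon", "Tue", "Wed", "Thu"], hm(22), hm(24)),
                window(["Mon", "Tue", "Wed", "Thu", "Fri"], 0, hm(6))]
DER_KIEF_ONE = [window(["Sun", "Mon", "Tue", "Wed", "Thu"], hm(22), hm(6))]


def requirement_allowed() -> Set[int]:
    return allowed_minutes(lambda m: first_match(REQUIREMENT, m))


def equivalent_rule_sets() -> Dict[str, bool]:
    """Does each deny-only rule set yield exactly the required schedule?"""
    target = requirement_allowed()
    result = {}
    for name, rules in [("Mercjoe", MERCJOE), ("der_Kief two rules", DER_KIEF_TWO),
                        ("der_Kief one rule", DER_KIEF_ONE)]:
        result[name] = allowed_minutes(lambda m, r=rules: deny_only(r, m)) == target
    return result


def deny_first_blocks_everything() -> bool:
    """The pitfall from the DD-WRT wiki quote: deny-all in slot #1."""
    reordered = [REQUIREMENT[-1]] + REQUIREMENT[:-1]
    return not allowed_minutes(lambda m: first_match(reordered, m))


if __name__ == "__main__":
    print("allowed hours per week:", len(requirement_allowed()) / 60)
    for name, same in equivalent_rule_sets().items():
        print(f"{name:>20}: {'equivalent' if same else 'DIFFERENT'}")
    print("deny-all first blocks everything:", deny_first_blocks_everything())
```

    Each deny-only set covers the same 40 night hours (five nights of 22:00 to 06:00), so all three are equivalent to the allow schedule, and moving the deny-all to the front of the ordered list leaves zero allowed minutes, which is the ordering pitfall the first post quotes from the DD-WRT wiki.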
  11. Mercjoe

    Mercjoe Network Guru Member

    Like I said, it is easy once you see how it is done. I think Access Restriction should be this easy in any firmware.

    DD-WRT is easy once you wrap your mind around a few boolean logic concepts that are not fully explained anywhere (at least the last time I looked at the WIKI, that is). Honestly, I wish it had a switch that allowed you to go between WYSIWYG Access Restrictions (like Tomato) and the more complex yet powerful way that DD-WRT does things.

    I keep flashing back and forth trying different things. I am not sold on either yet. Both do things that I like.

    Thank you for the tip on how to post pics, I honestly do not post much so I never learned how to do it.
  12. Mercjoe

    Mercjoe Network Guru Member

    Oh, I let him P2P to his heart's content during his allowed hours of access. I know that there is always a way around it. Simple fix:

    Set the default class to E: the lowest class.

    Define all normal traffic (http, ftp, etc.) to a normal class. You will have to set multiple rules, but hey, that's ok.

    Set all P2P traffic to E:

    On inbound limits make E: 1% of the allowable limit. On my router that makes it 29kb/sec. Set the outbound limit to 1%, which is about 3kb/sec.

    He can browse, e-mail and anything he wants, but if he tries to P2P then well.. it is a little slow. If he tries to change the protocols and such to be outside a default port the router automatically defaults it to E:. If he or his friends try a netmask it defaults to E:

    I do not know many teens that want to download at such slow modem class speeds. They just do not have the patience for it. They will go elsewhere to p2p. If I could make it slower I would. Heck, I would LOVE to make class E: work as if it was on a 2400 baud modem. Give them the taste of the OLD times.
  13. McDowelljc

    McDowelljc Network Guru Member

    I control my kids' access to the internet daily..

    Sunday thru Thursday they can be on the net until 9pm.

    Otherwise.. midnight to 8am.. they can not get on...

  14. canis

    canis Network Guru Member

    Thanks for the advice, but let me explain the situation:

    These youngsters are daily refreshing their viruses at school and always infect each other. For this reason we have an outside network, where they can virtually kill each other or their PCs, and 2 inside networks and a VLAN for the papas, who have to tunnel their extreme P2P through the outside network.
    That's also the reason for the iptables extensions described, because several times an unknown PC from other kids shows up somewhere, so we have to classify the PCs by their MAC address and deny access to all unknown devices.

    It had never been a big problem. But we had to switch to Tomato due to the double WAN port speed compared to other firmwares (4 MByte/s), because we will switch to a 2 MByte/s provider line at the end of the month and still need some bandwidth for the WAN to LAN connections of the papas.

    At the beginning, we did this with huge iptables scripts.
    DD-WRT was very easy, nearly no script was necessary, but the WAN port speed is only 2 MByte/s.
  15. canis

    canis Network Guru Member

    How to... different times on different days?

    It's not working...
  16. der_Kief

    der_Kief Super Moderator Staff Member Member

    What do you mean? What's not working?

  17. canis

    canis Network Guru Member

    I just upgraded to the new version and read the hints carefully.
    It seems to be true that, whenever a rule is matching, no other rule regarding the same destination will be executed. But I'm still trying several ideas.

    What I try to achieve:
    Only clients known by MAC shall have access to the internet gateway, driven by time, which is restricted differently during the week and on the weekend.
    All clients except one shall be blocked for P2P.

    This is the logical way of access restrictions; please submit any available ideas to realize it, thanks.
  18. GeeTek

    GeeTek Guest

    Tomato Rocks!! QoS Rocks!! Rules Rock!!

    We should stop using that nasty term "DD". That dude stole my $40, and his software is really full of holes, does not work, is impossible to figure out, and when you do, he changes it and it quits working. Let "DD" DIE! I just set up some QoS rules for about 80 users on Tomato (v7). I had all the default rules in place. I created a "Catch All P2P" rule and set it for very slow speed. I noticed one offending user abusing port 80 with 40 or 50 connections at high speed, in addition to his P2P that was being caught. I put his MAC in its own rule and gave him 56k, about as good as a fast dial-up. The order of the rules still controls and refines the service. If I put his MAC rule above the high priority port 80 rule, then ALL of his traffic hit 56k only. If I dropped his rule just below the high port 80 rule, his port 80 traffic hit high priority, but all his other stuff was still above the "Junk" rule, so the junk rule never applied to him. You can make Tomato do anything you want if you play with it. I love Tomato! I Hate DD, and will never taint the forum with that word again!
  19. canis

    canis Network Guru Member

    That "dude" is struggling like all of us and got some more bucks than yours from open projects here.
    You should use stock firmware and never try to exceed what industry offers to give you for your hard earned money.
  20. canis

    canis Network Guru Member

    Sorry, but I'm writing what I'm thinking.
    Do you have an answer to my question, how to realize a real "access restriction" with the stacked rule processing in Tomato?
  21. der_Kief

    der_Kief Super Moderator Staff Member Member

    Hi @ all,

    I have another question about Access Restrictions. I set the following rule: Su-Th 10.00pm-6.00am (the following day) DENY.
    So when the computer which is assigned to the rule is online and the rule becomes active, do only new connections get blocked while established connections stay active, or should ALL connections get blocked?
    I ask this because in the QoS monitor I noticed that only new connections get blocked and established ones (e.g. ICQ/MSN) are still active.
