Access Rules Problems

Discussion in 'General Discussion' started by wency, Apr 18, 2006.

  1. wency

    wency Network Guru Member

    Hi,
    Maybe I'm doing things wrong somewhere...
    Anyway - my WRT54G (v. 5) has a LAN IP 192.168.0.250 and it is a Gateway for 15 computers from the same 192.168.0 network.
    I want to fully block the Internet Access for all PCs except for 2 having addresses 192.168.0.10 and 192.168.0.15.
    So I created 2 rules:
    1. Allow full access to the Internet from the two PCs (specified by exact IP addresses)
    2. Deny the access for the PCs with IP addresses within the range of 192.168.0.1 - 192.168.0.254

    I know that the first matching rule is the only one applied, and in the above scenario 192.168.0.10 and 15 should have Internet Access no matter what rule 2 contains. But they are also filtered - just like rule #1 does not exist...
    Any ideas?
     
  2. katsuki23

    katsuki23 LI Guru Member

    This worked for me before. Try to switch the policy. Deny the access first on policy 1 then allow access for the two PCs on policy 2.
     
  3. wency

    wency Network Guru Member

    Yes, I have tried this, but with no effect.
    The interesting thing is that such an approach helped me months before with another WRV54G router. But not now.
     
  4. Toxic

    Toxic Administrator Staff Member

    the range you used 192.168.0.1 - 192.168.0.254 includes the router's IP address.

    can you not define the IP range better and just block those IP addresses? make sure

    1. you name the policy.
    2. click save afterwards.

    full access to tbh is allowed anyway. so just deny the ones you want.

    when you click on the summary does it show the correct details?
     
  5. wency

    wency Network Guru Member

    Yes, Toxic, I can, but my goal is not to block exactly 2 addresses, but to block ALL OTHERS except these two

    Both 2 things are checked

    Yes, Summary shows the correct details, but the effect is not correct. I will ask again:
    Is the "first matching rule" principle valid as it is in iptables (BTW, I do not know if WRT54G v. 5 uses iptables under VxWorks)?
    If so, in my case these 2 IP addresses should have Internet Access, because they hit rule #1 regardless of the fact they fall into rule #2 also
     
  6. katsuki23

    katsuki23 LI Guru Member

    From what I gather with Linksys chat is that the access restriction works per policy, meaning it will run the first policy before the second policy. So, the setup should be denied first before you allow the access on policy 2, otherwise it will overrule the access on policy 1 if the 2nd policy is to deny all. What firmware are you using?
     
  7. wency

    wency Network Guru Member

    Yes, but the question is:
    Are the next rules being checked if the first one takes effect?
    I have tried to deny the access for the entire network (as first rule) and in the second one to allow access for the 2 PCs. This resulted in entire network blocked.
     
  8. Toxic

    Toxic Administrator Staff Member

    can you not just block ranges for the addresses you need to be blocked? leaving out 10 and 15 altogether.

    192.168.0.2 - 9
    192.168.0.16 - 254

    and block 192.168.0.11 - 14 individually
     
  9. wency

    wency Network Guru Member

    Yes, this could be a solution although it is a constrained one :)
    What if my 2 PCs are with addresses 10 and 50 for example?

    And the question about the priority of the rules still remains unanswered...
    I want to understand the logic that the firewall follows
     
  10. wency

    wency Network Guru Member

    Yes, this could be a solution although it is a constrained one :)
    What if my 2 PCs are with addresses 10 and 50 for example?

    And the question about the priority of the rules still remains unanswered...
    I want to understand the logic that the firewall follows.
     
  11. katsuki23

    katsuki23 LI Guru Member

    What firmware are you using? If it is a stock firmware 1.00.4 and below, better upgrade it to 1.00.6.
     
  12. wency

    wency Network Guru Member

    It is 1.00.6
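
Added example, not part of any post in this thread and not Linksys code: the deny-only workaround from post 8 generalized to any set of allowed hosts, so the result does not depend on the order in which the router evaluates policies. It assumes the router address 192.168.0.250 from the first post should also stay out of the deny ranges (the concern raised in post 4); the function names are made up for this sketch.

```python
import ipaddress

ROUTER = "192.168.0.250"  # LAN IP given in the first post

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def to_str(num):
    return str(ipaddress.IPv4Address(num))

def deny_ranges(first, last, keep):
    """Inclusive (start, end) ranges covering first..last minus every address in keep."""
    lo, hi = to_int(first), to_int(last)
    ranges, start = [], lo
    for addr in sorted({to_int(a) for a in keep}):
        if addr < start or addr > hi:
            continue                      # kept address lies outside the span
        if addr > start:
            ranges.append((to_str(start), to_str(addr - 1)))
        start = addr + 1                  # resume just past the kept address
    if start <= hi:
        ranges.append((to_str(start), to_str(hi)))
    return ranges

def is_blocked(ip, ranges):
    """True if ip falls inside any deny range (deny-only policy, order irrelevant)."""
    n = to_int(ip)
    return any(to_int(s) <= n <= to_int(e) for s, e in ranges)

if __name__ == "__main__":
    # Constructed inputs: the pair from the first post, then the 10/50 case from post 9.
    for allowed in (["192.168.0.10", "192.168.0.15"],
                    ["192.168.0.10", "192.168.0.50"]):
        ranges = deny_ranges("192.168.0.1", "192.168.0.254", allowed + [ROUTER])
        print("allowed:", allowed)
        for start, end in ranges:
            print("  deny", start, "-", end)
```

Whether a single policy on the router accepts this many ranges is not something the thread states.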
     
