can't set up access restriction

Discussion in 'Tomato Firmware' started by dvdhll, Dec 20, 2009.

  1. dvdhll

    dvdhll Addicted to LI Member

    i have a somewhat complex network with a linksys wrt-54gl in its middle, and trying to setup acceess restriction (banning certain computers on certain hours by their IP or MAC address) doesn't work at all.
    first i'll illustrate my network:
    1. DSL Modem-router (asus 604) - dialing to the ISP is made through this modem
    2. wireless bridge side A (access point level1 wap-0005) - connected to one of LAN ports on the modem
    3. wireless bridge side b (access point level1 wap-1001) - recieves and transmits to side A
    *****the wireless bridge has NO security or QOS or firewall settings****
    4. linksys WRT-54GL (with tomato 1.27) - connected to the side B of the wireless bridge, through one of the WRT-54GL LAN ports. this device serves as a DHCP server to all the computers on the network. however, other devices (e.g. access points) have their permanent IP address. also, the WRT-54GL doesn't dial to the ISP.
    5. laptops and desktops connected to the linksys through its LAN ports and wirelessly.

    all devices share the same ip range -, and the same subnet mask

    this complex system was made to extend the range of the DSL connection. the closest site where i can connect to DSL in 1.5 km far, so the wireless bridge bridges this gap (using special antennas)
    i'm trying to setup access restriction to some of the computers: restrict them from accessing the internet (or at least http surfing) at certain times, by their IP address or by their MAC address. i've tried many combinations - but nothing seems to work.

    i have a guess: maybe it has to do with the fact that the bridge is connected to the WRT-54GL through the LAN port and not through the WAN port (see section 4 above). so the WRT-54GL doesnt "know" what's the "internet" part of the traffic and what's the "intranet" part. but when trying to connect the bridge-side-b to the WAN port STOPS the connection to the internet.

    what do you think? is my guess correct? if it does, do you have an idea why i can't use the WAN port on the WRT-54GL? if it doesn't, what else should i try?

    thanks in advance
  2. michse

    michse Addicted to LI Member

    you are right. at this time you use your wrt as a simple switch. no traffic (accept from wrt-wlan to lan and reverse) passes the cpu. so you can not do anything.

    your wlan clients have to connect to wrt, all lan clients to. wan port is connected to your wlan-bridge . set wrt in router (default is gateway, works too). set wrt to static wan and give it an ip from the subnet of your modem/wlan-bridges. the lan side needs another subnet so it can be route. so all your clients need this subnet. in routermode your modem (I thinks its a router!) needs to know the subnet behind the wrt. in gatewaymode wrt sets always his own wan ip and you have to portforward something - your choice. now you can do qos, access restriction and what else.

    subnet all
    modem/router lan
    bridge side A
    bridge side B
    wrt wan ip dns gateway
    wrt lan ip
    clients , dns, gateway

    so it should work

  3. dvdhll

    dvdhll Addicted to LI Member

    thank you so much! it seems to work like a charm.
    now the question is: how do i restrict certain mac addresses from surfing on certain hours - but still allowing them to email, chat and use 5 certain websites?
  4. michse

    michse Addicted to LI Member

    I think you need 2 rules, but you have to test yourself :)

    one restrict mac in time, and one verbose all but some sides. try it
  5. dvdhll

    dvdhll Addicted to LI Member

    there's is an option to block all http requests (thereby allowing email and chat) but i don't know how to disclude certain websites so they'll be accessible. any idea?
  6. michse

    michse Addicted to LI Member

    you can add in "http request" a domain name like so it would be accessible or not.
  7. dvdhll

    dvdhll Addicted to LI Member

    as i understand. adding a domain blocks it. i don't need to block certain domains but to allow them - becuase they're all blocked by the http rule.
    what cna i do to allow a certian domain? is ther any flag i can add to a domain name in "http request" field, so it'll be discluded - and not restricted?
  8. michse

    michse Addicted to LI Member

  9. dvdhll

    dvdhll Addicted to LI Member

    you're very kind. i tried the commands you wrote and it didn;t work. it blocked everything, but the second line that excludes a certain website didn't work.
    are you sure the commands should be put in this order? anyway, i tried putting the second line first - and it still blocked everything without exception.
    the tutorial you linked to is very comprehensive, and it would take me a week to study it. do you have another idea how to permit a specific website?
    also, do you happen to know if IPTABLES can restrict certain MAC addess just on a specific time?
  10. michse

    michse Addicted to LI Member

    no, sorry. I fight agains iptables but lost most the time :)

    the gui makes iptables rules. so you can better tell iptables direct than via gui.
    time factor is iptables with cron. but only an idea. and I don't know how.

    the tutorial is one I found a few days ago. its not easy and it looks not like a charme.

    maybe you start a new thread that comes with iptables questions.

    you can try this: , I dont tested it, but someone else from forum. I read something in the past about firewallbuilder. Only it's not freeware but 30 days free.

    sorry. I think I am at the End...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice