Firewall is not blocking outgoing traffic

Discussion in 'Tomato Firmware' started by smartins68, Nov 16, 2010.

  1. smartins68

    smartins68 Networkin' Nut Member

    I am new with Tomato so I might be asking something obvious here. I just installed "Tomato Firmware v1.28.1816" and here is my configuration:

    1) Internet --> WRT54GS (WAN Port) --> Linksys E3000 (WAN Port)
    2) The WRT54GS and E3000 are both working as routers and they are different networks. I can have traffic in both directions because I created a static route.
    3) I want to have the E3000 as my private network because of the Gb ports and N wireless
    4) The main goal of the WRT54GS is to be an appliance where I can have more flexibility (Linux) and better firewall options.

    Since there is no decent Parent Control software in the market at the router level, I considered Tomato's "Access Restriction".

    Here is my issue: "Access Restriction" functionality is not blocking the outgoing traffic. I created a rule with "Applies to" MAC address xyz and checked "Block All Internet Access", but this MAC Address still can access internet without any issues.

    Is it a known issue? Or am I missing anything?


    Sandro Martins
  2. smartins68

    smartins68 Networkin' Nut Member

    Just an update:

    When I create the rule in the "Access Restriction" functionality, I have a drop-down list to restrict the access either via MAC or IP. When I create my rule restricting based on the IP it works fine, but the IP is not what I am looking for because it is generated by DHCP.
  3. TexasFlood

    TexasFlood Network Guru Member

    I'm using Teddy Bears v1.28.9052 MIPSR2-beta23 K26 vpn3.6 build and it works for me. Are you sure the rule is correct and enabled? When you created it and entered the MAC address did you click on "add" before saving it? If not then the MAC to block won't be in there. Basic stuff I know, but easy to miss. Attaching an image of the rule I tested successfully.

  4. TexasFlood

    TexasFlood Network Guru Member

    Note you can use static DHCP so a given MAC always gets the same IP, that's what I do!
  5. smartins68

    smartins68 Networkin' Nut Member

    Hi TexasFlood,

    Thanks for the quick reply. It looks like you are using Tomato USB, right? I installed just the regular Tomato from I considered moving to Tomato USB, but I am afraid I could break something and do not have much time to fix it, because I use my internet for remote work.
    Regarding the rule configuration, here is how I am doing it:
    1) Checked the Enable check box
    2) Named my rule
    3) Checked All Day and Every Day check boxes
    4) Chose "Normal Access Restriction" radio-button
    5) In "Applies to" I chose "The Following"
    Then here I entered the MAC address
    Clicked ADD
    6) In Blocked Resources I checked the check box "All Internet Access"
    7) Save
    8) Test the restriction - Failed

    NOTE: I believe I am configuring the rule correctly because if I enter the IP on step 5 it works fine and will block the internet access as expected. Of course, I might be missing something else.

    Regarding the DHCP, I am using it on the E3000 router. I will check it there.
  6. TexasFlood

    TexasFlood Network Guru Member

    Yes, I'm using TomatoUSB on an Asus RT-N16 so YMMV. Works for me but as you point out, different build, different hardware. Maybe someone with the same router & build will chime in.

    You know, I was just thinking. When I read this it was my first knee-jerk reaction to test it on my configuration. I really didn't think a lot about your configuration. Going back and reading it again though I have some comments and questions.

    Am I right that your clients are on the E3000 and the WRT54GS is the WAN gateway router with the Access Restrictions?

    Are you using NAT on both or how is the E3000 traffic routing to the WRT54GS if not?

    Either way, aren't MAC addresses basically for ARPing on the local subnet? Once you route out of that subnet with an IP, it might be perfectly natural behavior for the MAC filtering not to work.

    My MAC filtering works but my MACs are on the same subnet as the router doing the filtering. Perhaps you could test by plugging directly into the WRT54GS and seeing if it works then.

    Correct me if I'm off on my assumptions.
  7. smartins68

    smartins68 Networkin' Nut Member

    Man, I think you are right. Here are some more details:

    1) My home computers, xbox, itouchs, servers, etc are all on the E3000 subnet A/24
    2) My WRT54GS WAN gateway is on B/24
    3) The IP and routing are:
    3.1) E3000 (My subnet A)
    - WAN IP is on subnet B
    - The router IP is on subnet A (All home computers use this router as default gateway)
    - DHCP ON
    - WIFI ON
    - No extra static route

    3.2) WRT54GS (My subnet B)
    - WAN IP is dynamic from ISP
    - DHCP OFF
    - WIFI OFF
    - Static Route to subnet A (that is routed from WRT to E3000)

    I used your suggestion to use reserved DHCP on E3000 and resolved my issue to be able to use IP instead.

    Thank you much!

  8. TexasFlood

    TexasFlood Network Guru Member

    So sounds like you're doing a double NAT? If so the static route to subnet A from the WRT to E3000 won't do anything by default unless you do some port forwarding to go along with it. Anything sent out through the NATs should already come back via the NAT tables. But sounds like you have it working like you want so cool.
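
The behaviour discussed in the last three posts, as an added example that is not part of the original thread: a small model of what a gateway filter sees after traffic has crossed an inner router, with and without NAT on that inner router. All addresses are constructed, the function names are hypothetical, and the filter is a simplified source-MAC / source-IP match, not Tomato's own rule implementation.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Frame:
    src_mac: str   # layer 2 source, valid only on the current link
    src_ip: str    # layer 3 source, survives routing unless NAT rewrites it
    dst_ip: str

# Constructed sample addresses (assumptions, not values from the thread)
CLIENT_MAC = "02:00:00:00:00:aa"      # restricted device on subnet A
CLIENT_IP = "192.168.1.50"
INNER_WAN_MAC = "02:00:00:00:00:e3"   # inner router's WAN port on subnet B
INNER_WAN_IP = "192.168.0.2"

def inner_router_forward(frame, nat):
    """Return the frame the inner router emits on its WAN port."""
    # Routing always builds a new Ethernet header: the source MAC
    # becomes the router's own egress interface.
    out = replace(frame, src_mac=INNER_WAN_MAC)
    if nat:
        # Source NAT additionally hides the client's IP address.
        out = replace(out, src_ip=INNER_WAN_IP)
    return out

def gateway_blocks(frame, blocked_macs=(), blocked_ips=()):
    """Simplified access restriction: match on source MAC or source IP."""
    macs = {m.lower() for m in blocked_macs}
    return frame.src_mac.lower() in macs or frame.src_ip in set(blocked_ips)

def evaluate(nat):
    """Which kinds of gateway rule still catch the restricted client?"""
    seen = inner_router_forward(
        Frame(CLIENT_MAC, CLIENT_IP, "203.0.113.10"), nat)
    return {
        "client_mac_rule": gateway_blocks(seen, blocked_macs=[CLIENT_MAC]),
        "client_ip_rule": gateway_blocks(seen, blocked_ips=[CLIENT_IP]),
        # Matches, but it would block every device behind the inner router.
        "inner_wan_mac_rule": gateway_blocks(seen, blocked_macs=[INNER_WAN_MAC]),
    }

if __name__ == "__main__":
    for nat in (False, True):
        print("inner router NAT:", nat, evaluate(nat))
```

In this model a per-client MAC rule on the gateway never matches, and a per-client IP rule matches only when the inner router forwards without NAT; with NAT on the inner router, per-device restrictions have to be applied on the inner router itself.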