1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Temporarily disable access restrictions

Discussion in 'Tomato Firmware' started by otterslide, Mar 17, 2017.

  1. otterslide

    otterslide Network Newbie Member

    Is there any way to disable access restrictions for say an hour or two hours?

    I think such feature would be very useful. I want to schedule my Wifi to turn off during the night, but rarely I might need it during the restricted hours.

    Is there any workaround right now other than disabling the restriction? I may forget to re-enable it if I do this.

    My router is an Asus and it has a little button on the back. If I can make that button disable access restrictions for 2 hours it would be amazing.
    Is it possible to make a script that runs when I push the button that disables all access restrictions for the next 2 hours?

    The router is Asus RT-N12.

    Any help is very much appreciated!
    Last edited: Mar 18, 2017
  2. Elfew

    Elfew Network Guru Member

    You can set time range when restrictions are active, so let them ON only when you want
  3. eibgrad

    eibgrad Network Guru Member

    Try binding the following custom script to the WPS button.

    iptables -I restrict -j RETURN
    sleep $((60*120))
    iptables -D restrict -j RETURN
    ) &
  4. otterslide

    otterslide Network Newbie Member

    Thanks for that code.
    Unfortunately, I get an error. I'm not sure how iptables can enable/disable an access restriction that turns on/off the Wifi Radio? Is that how it works?

    root@unknown:/tmp/home/root# iptables -I restrict -j RETURN
    iptables: No chain/target/match by that name
    Maybe I have no restrict iptable entry because I'm restricting Wireless Radio, not any IP addresses.

    I just need to somehow disable/enable access restrictions using command line... Including Wifi disable one.. I don't have any other access restrictions.
  5. ruggerof

    ruggerof Network Guru Member

    Identify the rule you want to activate and de-activate via "nvram show | grep something".

    Example, I have a permanent access restriction rule restricting my Samsung smart TV to access the internet whose name is No-SamsungTV. By doing "nvram show | grep SamsungTV" I get the following.

    If I want to deactivate this rule by script:
    nvram set rrule23="0|-1|-1|127|AA:BB:CC:DD:EE:FF|||0|No-SamsungTV"
    nvram commit
    service wireless restart
    If I want to activate this rule via script:
    nvram set rrule23="1|-1|-1|127|AA:BB:CC:DD:EE:FF|||0|No-SamsungTV"
    nvram commit
    service wireless restart
    1) What makes a rule active or not is the 0 or 1. Active is 1 whilst not-active is 0.
    2) I don't know if there is another command that could replace "service wireless restart". Others might know another command that forces tomato to rebuild the iptables rules without having to restart the wireless.

    IMPORTANT: If your access restriction rules spans over more than one line this method might fail and can even screw your rules up. In this case search this forum for a script written to backup the nvram settings and extract the idea behind. You could use it to write a file in your tmp directory (i.e. your RAM) and "sed" the 0 by 1 and vice versa.
  6. eibgrad

    eibgrad Network Guru Member

    The assumption by me (and that code) is that AR (access restrictions) is always active. And when it is, there will be a restrict chain in the filter table. That chain starts the AR process. It's from that chain that all your AR restrictions are actually tested. All my script does is add a rule to the top of the chain that causes an immediate return, thus effectively preventing the individual AR rules from being tested. It's just that simple.

    Now if it turns out that there are times when AR is NOT active, and the restrict chain therefore doesn't exist, then the attempt to add a rule to the chain will obviously fail. But I was assuming that's never the case, esp. if you need the rule to activate when AR is active! IOW, if the restrict chain is NOT there, it means AR is not active, so you don't need to be deactivating it anyway.

    Now as I thought more about this, it dawned on me that enabling/disabling the wifi radio probably works differently. I suspect it uses a separate process (perhaps schedule using cron) to enable/disable the radio. And in that case, obviously trying to use the firewall will have no effect.
  7. ruggerof

    ruggerof Network Guru Member

    I probably misunderstood a few things. Reading again it seems that you have only 01 entry in the Access Restrictions that is set to disable wireless from time X to time Y, is that correct?

    If so, I would work try approaching the problem in a different way. I would disable wireless via scheduler and enable it via scheduler too (in the GUI).

    Give the below a try, I can't test it myself as I don't have a N12 but in principle should work.

    - In Administration / Scheduler / Custom 1, set enabled, choose the days of the week and the hour to disable wireless. In command add:
    wl down
    rm /tmp/wireless_up.txt
    - In Administration / Scheduler / Custom 2, set enabled, choose the days of the week and the hour to enable wireless. In command add:
    wl up
    touch /tmp/wireless_up.txt
    With these two you will have the wireless disabling and enabling at these times.

    Now in the Administration / Buttons LED, when pushed for 0-2 seconds, choose "Run Custom Script", in the field Custom Script put the following.

    if [ -f /tmp/wireless.txt ]; then
       exit 0
    if [ -f /tmp/wireless_up.txt ]; then
       exit 0
    wl up
    touch /tmp/wireless.txt
    sleep 7200
    wl down
    rm /tmp/wireless.txt
  8. otterslide

    otterslide Network Newbie Member

    This is what I looking for! Thanks a lot.
    I'm thinking I will put the rules in the WL UP script so they always get reset to ON when it starts up.
  9. otterslide

    otterslide Network Newbie Member

    I don't think this will work because access restriction on Wifi turns the radio off, not the wl. Turnning "wl up" while radio is off doesn't turn it on still. If you run "radio on", the access restriction turns it right back off within a few seconds. So only the way you mentioned earlier will work.
  10. otterslide

    otterslide Network Newbie Member

    Unfortunately, I just went to the button settings in Admin menu and got "This feature is not supported on this router."
    I tried a Toastman RT-N build, as well as Shibby K26-1.28.RT-N5x-MIPSR2-132-IPv6-VPN. The router does have a WPS button at the back, I wonder why it's not supported.
  11. ruggerof

    ruggerof Network Guru Member

    That is reason for me to propose not to use the access restriction but rather scheduler (i.e. cron) to turn on / off the wireless.
  12. ruggerof

    ruggerof Network Guru Member

    Last edited: Mar 29, 2017
  13. otterslide

    otterslide Network Newbie Member

    Got it, yes you are right that should work, I didn't understand it at first. Thanks a lot. I have a WRT54GL that will benefit from this, I just wish I could also put it on the Asus.

Share This Page