To make Access Restrictions work

Discussion in 'Tomato Firmware' started by AlterEgo, Dec 29, 2018.

  1. AlterEgo

    AlterEgo LI Guru Member


    Running Advanced Tomato Firmware 1.28.0000 -3.5-140 K26ARM USB AIO-64K on Asus RT AC68U . My current network topology can be visualized in the following (to the best of my charting abilities).


    Based on my setup, I am using the router with WAN disabled (and used as a LAN port), so dont know whether its acting as a router or a switch or a gateway (dont exactly know the expected difference in its behaviour), I have selected it to be a gateway anyhow, which it is for the rest of the network clients.


    So I was trying to put some access restrictions for my devices, namely Amazon Dash buttons (to be used in a DIY Home Automation Project), to not to be able to call home/internet and trigger notifications on the mobile and periodic emails (i know I can turn off the mobile app notifications).

    So I did put the following access restriction rule in place, however it is not working at all. I mean the dash button is still able to reach internet and trigger mobile app notification.


    A question, it is mentioned as MAC/IP, so does it work for both or either one of them is much preferable for a specific reason. Wherever I read on the internet, it is always mentioned by the MAC address, hence what is the need to mention IP address then.

    I did read that Access Restriction rules will not work if the WAN port is disabled, so just wanted to confirm that, and to know of any other workaround possibility to make it work in my specific scenario (without bringing much change to the network setup :)

    Thanks for reading and possible guidance.
  2. Sean B.

    Sean B. Network Guru Member

    In your configuration, the Asus router cannot enforce any kind of access control or policy on your network for two reasons:

    A.) The router is not at a gateway position in your topology. At a gateway, communications move from the link layer to the network layer. The most obvious example of this is the point of which your LAN connects to the internet. Gateways can also exist purely internal to your LAN, connecting internal subnets ( IE subnet and subnet ). Which leads to the next reason..

    B.) Your network is all within one subnet, 192.168.10.x , so clients can all communicate on layer 2 ( link layer ) not having to cross into layer 3 ( network/routing ). Your Dell running Untangled side steps this ( for internet bound traffic only, client to client traffic has other paths ) because it's using two hardware separate NIC's and the bridge between them is the CPU, creating the only link layer path between all your LAN clients and the modem. Compared to a router which consists of a 5 port network switch and a CPU, ports 1 through 4 are external while port 5 is internal and connects to the CPU. If link layer traffic has a destination that the switch sees connected to another one of its ports ( this cascades through switches, meaning you can put 20 switches between 2 clients and all switches will know the clients are connected ) it will send the traffic directly there. The CPU will only see the traffic if the switch does not see the destination reachable on one of its other ports.
    Last edited: Dec 29, 2018
  3. ruggerof

    ruggerof Network Guru Member

    The reason for Tomato's access restriction not to work was explained by @Sean B. above.

    But as you have Untangle in bridge mode, with the installation of "Policy Manager" you can easily use it to restrict internet access of any host.
  4. AlterEgo

    AlterEgo LI Guru Member

    Thanks for your explanation and sharing the knowledge

    So based on it, if I need to split my home network into two subnets with a gateway being able to handle such requests, can you please :

    1. Suggest at what point (according to my network diagram), the split should be made between the subnets. I guess it should be at the ASUS router level, so all devices behind the router would be in one subnet range while devices ahead of the router would be in another.

    2. I understand to make it work I would need to revert the WAN port on the router to be a WAN port (not bridged to the LAN), so what settings from tomato would be used for WAN connection, when the WAN isnt connected to a bridged modem according to my topology.

    3. What could be the exact IP address and subnet ranges (proposed based on existing 192.168.xx.xx)

    4. What kind of configuration changes across devices, and specifically on the gateway would I need to make to
    ensure both subnets are able to talk to each other and also to the internet , just the way they are now.

    5.Any other specifics I need to take care of while deciding for the different sub-netting approach.

    Thanks for your responses.
  5. Sean B.

    Sean B. Network Guru Member

    As @ruggerof stated, your Optiplex running Untangled is already in a position to enforce policy with regards to LAN<->Internet traffic. So before spending the time responding to all those related questions, let me confirm, you'd rather restructure your network so the Asus can enforce policy, as opposed to just using the Optiplex?
  6. AlterEgo

    AlterEgo LI Guru Member

    The untangle is a paid subscription about to end and hence most features of its appliance would be rendered unusable. Policy or firewall is definitely a paid component. Whether I extend the subscription or not depends on my perceived utility from it in my network scenario. It started more out of my DIY itch to convert a old thin optiplex in a UTM appliance by adding a mini pcie gigabit card.

    Tomato being a perpetual free solution could be more suitable to be used for such requirements as it would not need a subscription renewal to be extended.

    The extent of changes required to my current network topology may not be entirely redoing the whole setup kinda thing, as I presume.

    Thanks for the support and input.

    Sent from my SM-N9500 using Tapatalk
  7. Sean B.

    Sean B. Network Guru Member

    Ah, I see, makes sense. The easiest, as well as the most functional way from a configuration standpoint, would be to put a standard switch in place of where the Asus is now and put the Asus where the Optiplex is ( location as in terms of network topology, not their physical location ). If your Huawei ONT supports doing so, which it should, you should set it to transparent bridge mode. In this mode the modem will pass-through the WAN IP to the WAN interface of the Asus, eliminating the double-nat scenario.

    The Asus would then be able to enforce restriction and policy on all traffic going from your LAN to the internet and visa versa. No need to go through all the steps/config of subnetting your LAN apart. However if you require specific clients on your LAN to be separated or access controlled from other clients on your LAN, then subnetting/VLANing would be required for the Asus to provide that functionality.
  8. AlterEgo

    AlterEgo LI Guru Member

    I have checked the Huawei ONT and as of now it seems the settings are operator locked, so I cannot change its mode to behave as a bridge.

    From your reply I assume you are saying to entirely remove the Untagle UTM appliance - while placing Asus in place of it. UTM is something I want to keep for now at least till when I have active subscription to be able to use its detailed reporting and network utilization features/reports. I assume it is a transparent bridge, so would it cause any harm to the current or target topology, or is it necessary to remove it.

    In my case then VLAN or Subnet seems to be a workable solution. Are these both use in the same meanings or these are two different technical approaches.

    Would be be nice if I can get a headstart guide to subnettings and probably some response to my 5 queries in post no.4 above.

    Thanks for your help.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice