Hi
I have a BT Home Hub 5a running OpenWRT 19.07.3.
I have set up the parental control using the firewall rule, with time restrictions.
Values are below; however, it's not working and access is NOT restricted.
I used LuCI to enter the values and the guide below.
Unless you are doing NAT6, the ULA address will never be used to access the internet. If you have IPv6 you'll need to block the GUA, so it is better if you block the mac address instead.
Also, did you reorder the rules as mentioned at the bottom of the page?
I chose the ip addresses from the drop down menu, when you click ADD IP address in the firewall rule.
The IP address is shown with the MAC address, however ONLY the IP address is shown after selected.
There is NO way to select the MAC address and it is not accepted when entered in the Custom field.
Note, all the configuration is done in LUCI.
Thanks for your help!
Adding the MAC address in the advanced settings and reordering the rules, resolved my problem.
Curious as to why the MAC address option was not mentioned in the instructions, or maybe I didn't read it properly?
I presume that reordering the rules is a one-time action?
Yes, MAC address was there, however, as the instructions were a bit old the gui options are different.
I didn't want to mess with the advanced section as I didn't want to cause any other problems. Your pointer helped to correct that.
One other query: I have set up a new rule using the instructions and your pointers; however, the internet is still available. I have rebooted the router, but no joy. Do I have to run the reorder script again after adding a new rule or modifying an existing rule?
Can it be rerun more than once without any adverse effect?
FYI, I reran the reorder script and get the following output, in case it helps ...
Seems to be an error! Skipping due to different family of ip address..
root@BTHH5a:~# cat << "EOF" > /etc/firewall.estab
> for IPT in iptables ip6tables
> do
> ${IPT}-save -c -t filter \
> | sed -e "/FORWARD.*ESTABLISHED/d;
> /FORWARD.*reject/i $(${IPT}-save -c -t filter \
> | sed -n -e "/FORWARD.*ESTABLISHED/p")" \
> | ${IPT}-restore -c -T filter
> done
> EOF
root@BTHH5a:~#
root@BTHH5a:~# uci -q delete firewall.estab
root@BTHH5a:~# uci set firewall.estab="include"
root@BTHH5a:~# uci set firewall.estab.path="/etc/firewall.estab"
root@BTHH5a:~# uci set firewall.estab.reload="1"
root@BTHH5a:~# uci commit firewall
root@BTHH5a:~# /etc/init.d/firewall restart
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @rule[10] (Apple TV - Morninig) does not specify a protocol, assuming TCP+UDP
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv6 filter table
* Flushing IPv6 mangle table
* Flushing conntrack table ...
* Populating IPv4 filter table
* Rule 'Allow-DHCP-Renew'
* Rule 'Allow-Ping'
* Rule 'Allow-IGMP'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Rule 'LG TV'
* Rule 'Apple TV - Morninig'
* Rule 'AppleTV-PM'
* Forward 'lan' -> 'wan'
* Zone 'lan'
* Zone 'wan'
* Populating IPv4 nat table
* Zone 'lan'
* Zone 'wan'
* Populating IPv4 mangle table
* Zone 'lan'
* Zone 'wan'
* Populating IPv6 filter table
* Rule 'Allow-DHCPv6'
* Rule 'Allow-MLD'
* Rule 'Allow-ICMPv6-Input'
* Rule 'Allow-ICMPv6-Forward'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Rule 'LG TV'
! Skipping due to different family of ip address
* Rule 'Apple TV - Morninig'
! Skipping due to different family of ip address
! Skipping due to different family of ip address
* Rule 'AppleTV-PM'
! Skipping due to different family of ip address
* Forward 'lan' -> 'wan'
* Zone 'lan'
* Zone 'wan'
* Populating IPv6 mangle table
* Zone 'lan'
* Zone 'wan'
* Set tcp_ecn to off
* Set tcp_syncookies to on
* Set tcp_window_scaling to on
* Running script '/etc/firewall.user'
* Running script '/etc/firewall.estab'
root@BTHH5a:~#
root@BTHH5a:~# echo /etc/firewall.estab >>/etc/sysupgrade.conf
My firewall config file is below. ONEPLUSTEST is working, but I have it disabled and only use it for testing.
Apple TV PM is the one that is not working; let me know if you need any other config files or logs.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config rule
option name 'LG TV'
option target 'REJECT'
option dest 'wan'
option src 'lan'
option start_time '09:00:00'
option utc_time '1'
list proto 'all'
option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
list src_ip '192.168.1.170'
option stop_time '11:00:00'
list src_mac 'XXXXXXXXXXXX'
config rule
option target 'REJECT'
option dest 'wan'
option src 'lan'
option utc_time '1'
list src_mac ''XXXXXXXXXXXX''
option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
list src_ip '192.168.1.180'
option start_time '08:00:00'
option stop_time '11:00:00'
option name 'Apple TV - Morninig'
config rule
list proto 'all'
option stop_time '23:00:00'
option src 'wan'
list src_ip '192.168.1.180'
option dest 'lan'
option start_time '11:01:00'
option target 'DROP'
list src_mac ''XXXXXXXXXXXX''
option name 'AppleTV-PM'
option utc_time '1'
config rule
option name 'Onleplustest'
list proto 'all'
option dest 'wan'
option src 'lan'
option target 'DROP'
option utc_time '1'
option start_time '00:00:00'
list src_mac ''XXXXXXXXXXXX''
list src_ip '192.168.1.234'
option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
option stop_time '23:59:00'
option enabled '0'
config rule
list proto 'all'
option name 'Mini Galaxy Tab'
list src_ip '192.168.1.213'
option dest 'lan'
option target 'DROP'
option src 'lan'
list src_mac ''XXXXXXXXXXXX''
option enabled '0'
option utc_time '1'
config rule
list proto 'all'
option name 'S7 Edge'
list src_ip '192.168.1.246'
option dest 'lan'
option src 'lan'
list src_mac ''XXXXXXXXXXXX''
option target 'DROP'
option enabled '0'
option utc_time '1'
config include 'estab'
option path '/etc/firewall.estab'
option reload '1'
That's strange, as they were showing correctly in the GUI. Anyway, I have redone the rule and listed the config below, because it's still not working. Also uploaded a screenshot of the rules.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config rule
option name 'LG TV'
option dest 'wan'
option src 'lan'
option start_time '09:00:00'
option utc_time '1'
list proto 'all'
option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
list src_ip '192.168.1.170'
option stop_time '11:00:00'
list src_mac 'xxxxxxxxxxxxxxxxxxxx'
option target 'DROP'
config rule
option target 'REJECT'
option dest 'wan'
option src 'lan'
option utc_time '1'
list src_mac 'xxxxxxxxxxxxxxxxxxxx'
option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
list src_ip '192.168.1.180'
option start_time '08:00:00'
option stop_time '11:00:00'
option name 'Apple TV - Morninig'
config rule
list proto 'all'
option stop_time '23:00:00'
list src_ip '192.168.1.180'
option start_time '11:01:00'
option target 'DROP'
list src_mac 'xxxxxxxxxxxxxxxxxxxx'
option name 'AppleTV-PM'
option utc_time '1'
option dest 'wan'
option src 'lan'
config rule
option name 'Onleplustest'
list proto 'all'
option dest 'wan'
option src 'lan'
option target 'DROP'
option utc_time '1'
option start_time '00:00:00'
list src_mac 'xxxxxxxxxxxxxxxxxxxx'
list src_ip '192.168.1.234'
option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
option stop_time '23:59:00'
option enabled '0'
config rule
list proto 'all'
option name 'Mini Galaxy Tab'
list src_ip '192.168.1.213'
option target 'DROP'
option src 'lan'
list src_mac 'xxxxxxxxxxxxxxxxxxxx'
option enabled '0'
option utc_time '1'
option dest 'wan'
config rule
list proto 'all'
option name 'S7 Edge'
list src_ip '192.168.1.246'
option src 'lan'
list src_mac 'xxxxxxxxxxxxxxxxxxxx'
option target 'DROP'
option enabled '0'
option utc_time '1'
option dest 'wan'
config include 'estab'
option path '/etc/firewall.estab'
option reload '1'
The weekdays are missing. Also, there is no point in using the IPv6 family in a rule that uses an IPv4 address.
Use only the MAC address and assign it to both families.
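The advice above (match on the MAC address for both families rather than on an IPv4 src_ip) and the earlier "Skipping due to different family of ip address" messages can be checked mechanically. The following lint script is an added example, not part of the thread and not OpenWrt's own code: it reads text in the /etc/config/firewall format from stdin and warns about time-restricted rules that rely on an IPv4 src_ip (fw3 then skips the rule when populating ip6tables, so IPv6 traffic from that device is not blocked), that pair an IPv4 src_ip with family ipv6, or that have src wan / dest lan. It goes slightly beyond the thread by also flagging rules that are disabled or carry neither src_ip nor src_mac. The function names lint_fw_rules and sample_config and the sample configuration (including its MAC addresses) are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenWrt. Reads text in the
# /etc/config/firewall format from stdin and warns about time-restricted
# parental-control rules that cannot do what their author expects.
# Function names and the sample configuration below are constructed.

lint_fw_rules() {
  # q carries a single quote into awk so values like 'Apple TV' can be split out
  awk -v q="'" '
    function warn(m) { print "WARN " m; nwarn++ }
    function reset() {
      sect = ""; name = ""; src = ""; dest = ""; src_ip = ""
      src_mac = ""; family = ""; enabled = ""; timed = 0
    }
    function report() {
      if (sect != "rule" || !timed) return          # only time-restricted rules
      if (enabled == "0") { warn(name ": rule is disabled (enabled 0), so it blocks nothing"); return }
      if (src_ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
        if (family == "ipv6")
          warn(name ": IPv4 src_ip with family ipv6, the rule can never match")
        else
          warn(name ": IPv4 src_ip limits the rule to iptables, fw3 skips it for ip6tables and IPv6 traffic from the device is not blocked; match on src_mac for both families instead")
      }
      if (src_ip == "" && src_mac == "")
        warn(name ": neither src_ip nor src_mac, the rule applies to every LAN host")
      if (src == "wan" && dest == "lan")
        warn(name ": src/dest look reversed for a LAN device, expected src lan and dest wan")
    }
    BEGIN { nwarn = 0; reset() }
    $1 == "config" { report(); reset(); sect = $2; next }
    $1 == "option" || $1 == "list" {
      split($0, p, q); key = $2; val = p[2]         # last value wins for repeated list keys
      if (key == "name") name = val
      else if (key == "src") src = val
      else if (key == "dest") dest = val
      else if (key == "src_ip") src_ip = val
      else if (key == "src_mac") src_mac = val
      else if (key == "family") family = val
      else if (key == "enabled") enabled = val
      else if (key == "start_time" || key == "stop_time") timed = 1
    }
    END { report(); print nwarn " warning(s)" }
  '
}

# Constructed sample: a non-timed rule, two rules with the mistakes discussed
# in the thread, a disabled rule, and one corrected MAC-only rule.
sample_config() {
  cat <<'EOF'
config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option target 'ACCEPT'

config rule
    option name 'LG TV'
    option src 'lan'
    option dest 'wan'
    list src_ip '192.168.1.170'
    list src_mac '00:11:22:33:44:55'
    option start_time '09:00:00'
    option stop_time '11:00:00'
    option target 'REJECT'

config rule
    option name 'AppleTV-PM'
    option src 'wan'
    option dest 'lan'
    list src_ip '192.168.1.180'
    option start_time '11:01:00'
    option stop_time '23:00:00'
    option target 'DROP'

config rule
    option name 'Onleplustest'
    option src 'lan'
    option dest 'wan'
    list src_mac '00:11:22:33:44:77'
    option start_time '00:00:00'
    option stop_time '23:59:00'
    option enabled '0'
    option target 'DROP'

config rule
    option name 'Kid tablet'
    option src 'lan'
    option dest 'wan'
    list src_mac '00:11:22:33:44:88'
    option start_time '21:00:00'
    option stop_time '07:00:00'
    option target 'REJECT'
EOF
}

# On the router the real file would be used: lint_fw_rules < /etc/config/firewall
sample_config | lint_fw_rules
```

Only the corrected "Kid tablet" rule passes silently: it selects the device by MAC alone, so fw3 emits it for both iptables and ip6tables, and its src/dest direction is lan to wan.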
I will restrict the IP family to IPv4 only; however, the strange thing is that the firewall config is not reporting the correct details, because I had the weekdays checked, please see the screenshots below.
Yesterday when you said the LAN & WAN choices needed to be reversed, they were, however, NOT showing correctly in the firewall config.
I haven't changed the config since sending you the firewall config, and the screenshots below are showing the weekdays.
I tried it myself and whether you tick all weekdays or leave them unticked with "Any Day" has the same result in the actual iptables rule.
Regarding the representation of the options on the Luci, it reads the configuration from the same file that uci reads to extract the data. So I am not sure that there is doubt that one represents the configuration correctly and the other not.
Anyway, post here the low-level rules to see what might be the issue: iptables-save -c
I don't see anything wrong here. The rule which forwards established connections is after the rule which matches traffic to be forwarded from lan to wan, which is correct.
The AppleTV-PM rule has hits; the other 3 rules don't have any hits, so either there was no connection attempt between 8:00 and 11:00, or the IP/MAC is wrong for the LG TV rule.
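The two things checked in the reply above, where the RELATED,ESTABLISHED accept sits in the FORWARD chain (the reason for the /etc/firewall.estab include posted earlier) and which time rules have actually counted packets, can be read straight out of `iptables-save -c`. The script below is an added example, not from the thread or the OpenWrt wiki: check_forward_order reports whether the ESTABLISHED accept comes after the jump into zone_lan_forward (where fw3 places lan-to-wan rules), and rule_hits lists every fw3 rule with a time match together with its packet counter. The sample iptables-save output, its MAC addresses and counters, and sample_reordered (which mimics the delete-and-reinsert the include performs, so both orders can be exercised offline) are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from the OpenWrt wiki. Both check
# functions read the text of "iptables-save -c" on stdin. The sample output,
# the MAC addresses and the counters in it are constructed.

# Prints where the RELATED,ESTABLISHED accept sits in FORWARD. It has to come
# after the jump into zone_lan_forward (where fw3 puts the lan-to-wan time
# rules); otherwise an already-open connection is accepted before the time
# rule is consulted. Exit status: 0 = reordered, 1 = stock order, 2 = not found.
check_forward_order() {
  awk '
    $2 == "-A" && $3 == "FORWARD" {          # $1 is the "[pkts:bytes]" counter
      n++
      if ($0 ~ /ESTABLISHED/) est = n
      if ($0 ~ /-j zone_lan_forward/ && !jump) jump = n
      if ($0 ~ /-j reject/) rej = n
    }
    END {
      if (!est || !jump) { print "FORWARD: ESTABLISHED rule or zone_lan_forward jump not found"; exit 2 }
      if (est > jump && (!rej || est < rej)) {
        print "FORWARD: ESTABLISHED accept is rule " est " of " n ", after zone_lan_forward: OK"
        exit 0
      }
      print "FORWARD: ESTABLISHED accept is rule " est ", before zone_lan_forward at rule " jump ": run the reorder include"
      exit 1
    }
  '
}

# Lists every fw3 rule that carries a time match, with its packet counter.
# A zero counter means the rule never matched: either no traffic in the
# window, or the MAC/IP selector does not fit the device.
rule_hits() {
  awk '
    /-m time / && /!fw3: / {
      cnt = $1; sub(/^\[/, "", cnt); sub(/\]$/, "", cnt)      # "[pkts:bytes]"
      split(cnt, c, ":")
      name = $0; sub(/.*!fw3: /, "", name); sub(/".*/, "", name)
      hint = (c[1] + 0 == 0) ? "  (no hits: no traffic in the window, or wrong MAC/IP)" : ""
      printf "%-16s packets=%s%s\n", name, c[1], hint
    }
  '
}

# Constructed iptables-save -c excerpt in the order fw3 generates by default.
sample_stock() {
  cat <<'EOF'
*filter
:FORWARD DROP [0:0]
[880:61234] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[31:2480] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A zone_lan_forward -m mac --mac-source 00:11:22:33:44:55 -m time --timestart 09:00:00 --timestop 11:00:00 -m comment --comment "!fw3: LG TV" -j zone_wan_dest_REJECT
[5:400] -A zone_lan_forward -m mac --mac-source 00:11:22:33:44:66 -m time --timestart 11:01:00 --timestop 23:00:00 -m comment --comment "!fw3: AppleTV-PM" -j zone_wan_dest_DROP
COMMIT
EOF
}

# Same excerpt after the delete-and-reinsert that /etc/firewall.estab does:
# the ESTABLISHED line is removed and put back just before the reject.
sample_reordered() {
  sample_stock | awk '
    /-A FORWARD .*ESTABLISHED/ { est = $0; next }
    /-A FORWARD .*-j reject/   { print est }
    { print }
  '
}

# On the router: iptables-save -c | check_forward_order ; iptables-save -c | rule_hits
sample_stock | check_forward_order || echo "(stock order: the reorder include has not run)"
sample_reordered | check_forward_order
sample_reordered | rule_hits
```

Run against the router's own `iptables-save -c` (and `ip6tables-save -c`) after the firewall restart, the first function confirms the include did its job and the second shows at a glance which time rules have ever matched.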