Restriction and whitelist not working well


iincitr
Posts: 32
Joined: Sun Sep 13, 2015 9:20 am
Location: turkey

Restriction and whitelist not working well

Postby iincitr » Sat Jan 12, 2019 1:53 am

Hi

For a long time I have been pulling my hair out.

I defined a single PC's MAC address to fully stop it going to the internet via the restriction menu, but with some exceptions for some education URLs.

Whenever I define a restriction, even for one PC, all PCs on my network are blocked from the internet. And the whitelist does not work either.

Thank you
Tp-link 1043ND v1.8 gargoyle 1.11.x thank you

Buffalo AirStation WZR-600DHP DD-WRT last version

High Speed Broadband Internet

Lantis
Moderator
Posts: 4709
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Restriction and whitelist not working well

Postby Lantis » Sat Jan 12, 2019 2:07 am

Please list which exact version you are using, and show what settings you are using.
I am out of the country from 19th March to 4th April, and will not be monitoring the forum.
Routers: Various ar71xx/mvebu/x86-64
http://lantisproject.com/downloads/gargoyle_ispyisail.php for the latest releases

iincitr
Posts: 32
Joined: Sun Sep 13, 2015 9:20 am
Location: turkey

Re: Restriction and whitelist not working well

Postby iincitr » Sat Jan 12, 2019 2:15 am

1.11.x
1.11.X (Built 20181210-0904 git@477ea871)
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option block_static_ip_mismatches '1'
option force_router_dns '1'
option enforce_dhcp_assignments '1'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option src 'wan'
option proto 'igmp'
option target 'ACCEPT'

config rule
option src 'wan'
option proto 'udp'
option dest 'lan'
option dest_ip '224.0.0.0/4'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'
option reload '1'

config include
option type 'script'
option path '/usr/lib/gargoyle_firewall_util/gargoyle_additions.firewall'
option family 'IPv4'
option reload '1'

config include 'openvpn_include_file'
option path '/etc/openvpn.firewall'
option reload '1'

config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'

config remote_accept 'ra_443_443'
option local_port '443'
option remote_port '443'
option proto 'tcp'
option zone 'wan'

config remote_accept 'ra_80_80'
option local_port '80'
option remote_port '80'
option proto 'tcp'
option zone 'wan'

config remote_accept 'ra_22_22'
option local_port '22'
option remote_port '22'
option proto 'tcp'
option zone 'wan'

config restriction_rule 'rule_3'
option is_ingress '0'
option description 'Cuma gunu'
option not_local_addr 'd0:a6:37:92:19:2b,2C:8A:72:B8:7D:17'
option active_weekdays 'fri'
option active_hours '10:00-15:00,20:00-21:30,22:00-00'
option enabled '0'

config restriction_rule 'rule_4'
option is_ingress '0'
option description 'Gece Yasak 0:30 06:00'
option active_hours '00:30-06:00'
option enabled '0'

config restriction_rule 'rule_6'
option is_ingress '0'
option description 'herzaman internet yok'
option local_addr '88:51:FB:20:2B:88'
option enabled '1'

config restriction_rule 'rule_7'
option is_ingress '0'
option description 'GECE 02 :00 --- 06:00 ARASI ACIK'
option local_addr '04:F1:3E:7E:0B:32'
option active_weekdays 'sun,mon,tue,wed,thu,fri,sat'
option active_hours '08:00-00:00,00:01-02:00'
option enabled '0'

config restriction_rule 'rule_8'
option is_ingress '0'
option description 'apple update block'
option local_addr '04:F1:3E:7E:0B:32'
option active_hours '00:00-02:10,08:00-23:59'
option proto 'both'
option url_exact '"mesu.apple.com","appldnld.apple.com"'
option enabled '0'

config restriction_rule 'rule_5'
option is_ingress '0'
option description 'cumartesi pazar'
option local_addr '60:36:DD:63:E1:83,88:9B:39:D9:84:21'
option active_weekdays 'sun,sat'
option active_hours '10:00-15:00,17:00-22:00'
option enabled '0'

config restriction_rule 'rule_2'
option is_ingress '0'
option description 'pazar gunu'
option local_addr '60:36:DD:63:E1:83,88:9B:39:D9:84:21'
option active_weekdays 'sun'
option active_hours '10:30-16:00,17:00-22:30'
option enabled '0'

config restriction_rule 'rule_10'
option is_ingress '0'
option description 'tabletler'
option local_addr '192.168.5.177'
option enabled '0'

config restriction_rule 'rule_1'
option is_ingress '0'
option description 'genel yasak'
option local_addr '60:36:DD:63:E1:83,88:9B:39:D9:84:21,192.168.5.177'
option active_weekdays 'mon,tue,wed,thu'
option active_hours '17:30-19:00,20:30-23:45'
option enabled '1'

config whitelist_rule 'exception_1'
option is_ingress '0'
option description 'herzaman'
option local_addr '88:51:FB:20:2B:88,60:45:BD:DF:EE:CC,00:1B:77:41:9C:AA,D0:A6:37:92:19:2B'
option enabled '1'

config whitelist_rule 'exception_2'
option is_ingress '0'
option description 'All device'
option remote_addr '31.13.64.50/31,31.13.65.48/31,31.13.66.48/31,31.13.67.51/32,31.13.67.52/32,31.13.68.50/32,31.13.68.52/32,31.13.69.240/32,31.13.69.242/32,31.13.70.48/31,31.13.71.48/31,31.13.72.49/32,31.13.72.52/32,31.13.73.48/31,31.13.74.48/31,31.13.75.49/32,31.13.75.52/32,31.13.76.80/31,31.13.77.48/31,31.13.78.51/32,31.13.78.53/32,31.13.80.50/32,31.13.80.53/32,31.13.81.50/32,31.13.81.53/32,31.13.82.48/32,31.13.82.51/32,31.13.83.48/32,31.13.83.51/32,31.13.84.48/32,31.13.84.51/32,31.13.85.48/32,31.13.85.51/32,31.13.86.48/32,31.13.86.51/32,31.13.87.50/31,31.13.88.49/32,31.13.90.48/32,31.13.90.51/32,31.13.91.48/32,31.13.91.51/32,31.13.92.50/32,31.13.92.52/32,31.13.93.48/32,31.13.93.51/32,31.13.94.50/32,31.13.94.52/32,31.13.95.63/32,50.22.198.204/30,50.22.210.32/30,50.22.210.128/27,50.22.225.64/27,50.22.235.248/30,50.22.240.160/27,50.23.90.128/27,50.97.57.128/27,75.126.39.32/27,108.168.174.0/27,108.168.176.192/26,108.168.177.0/27,108.168.180.96/27,108.168.254.65/32,108.168.255.224/32,108.168.255.227/32,157.240.0.48/32,157.240.0.53/32,157.240.1.51/32,157.240.1.53/32,157.240.2.51/32,157.240.2.53/32,157.240.3.51/32,157.240.3.53/32,157.240.6.51/32,157.240.6.53/32,157.240.7.51/32,157.240.7.54/32,157.240.8.51/32,157.240.8.53/32,157.240.9.51/32,157.240.9.53/32,157.240.10.51/32,157.240.10.53/32,157.240.11.51/32,157.240.11.53/32,157.240.12.51/32,157.240.12.53/32,157.240.13.51/32,157.240.13.54/32,157.240.14.51/32,157.240.14.52/32,157.240.15.53/32,157.240.16.51/32,157.240.16.52/32,157.240.17.51/32,157.240.17.53/32,157.240.18.51/32,157.240.18.52/32,157.240.20.51/32,157.240.20.52/32,157.240.21.51/32,157.240.21.52/32,158.85.0.96/27,158.85.5.192/27,158.85.46.128/27,158.85.48.224/27,158.85.58.0/25,158.85.61.192/27,158.85.224.160/27,158.85.233.32/27,158.85.249.128/27,158.85.254.64/27,169.44.23.192/27,169.44.36.0/25,169.44.57.64/27,169.44.58.64/27,169.44.80.0/26,169.44.82.96/27,169.44.82.128/27,169.44.82.192/26,169.44.83.0/26,169.44.83.96/27,169.44.83.128/27,169.44.83.192/26,169.44.84.0/24,169.44.85.64/27,169.44.87.160/27,169.44.167.0/27,169.45.71.32/27,169.45.71.96/27,169.45.87.128/26,169.45.169.192/27,169.45.182.96/27,169.45.210.64/27,169.45.214.224/27,169.45.219.224/27,169.45.237.192/27,169.45.238.32/27,169.45.248.96/27,169.45.248.160/27,169.46.52.224/27,169.46.111.144/28,169.47.5.192/26,169.47.6.64/27,169.47.33.128/27,169.47.35.32/27,169.47.37.128/27,169.47.40.128/27,169.47.42.96/27,169.47.42.160/27,169.47.42.192/26,169.47.47.160/27,169.47.130.96/27,169.47.145.0/26,169.47.192.192/27,169.47.194.128/27,169.47.198.128/27,169.47.212.160/27,169.53.29.128/27,169.53.48.32/27,169.53.71.224/27,169.53.81.64/27,169.53.250.128/26,169.53.252.64/27,169.53.255.64/27,169.54.2.160/27,169.54.44.224/27,169.54.51.32/27,169.54.55.192/27,169.54.193.160/27,169.54.210.0/27,169.54.222.128/27,169.55.60.148/32,169.55.60.170/32,169.55.67.224/27,169.55.69.128/26,169.55.74.32/27,169.55.75.96/27,169.55.100.160/27,169.55.126.64/26,169.55.210.96/27,169.55.235.160/27,169.63.64.128/28,173.192.162.32/27,173.192.219.128/27,173.192.222.160/27,173.192.231.32/27,173.193.205.0/27,173.193.230.96/27,173.193.230.128/27,173.193.230.192/27,173.193.239.0/27,174.36.208.128/27,174.36.210.32/27,174.36.251.192/27,174.37.199.192/27,174.37.217.64/27,174.37.243.64/27,174.37.251.0/27,179.60.192.48/32,179.60.192.51/32,179.60.193.51/32,179.60.193.52/32,179.60.195.48/32,179.60.195.51/32,184.173.136.64/27,184.173.147.32/27,184.173.161.64/32,184.173.173.116/32,184.173.179.32/27,185.60.216.51/32,185.60.216.53/32,185.60.218.51/32,185.60.218.53/32,185.60.219.51/32,185.60.219.53/32,192.155.212.192/27,198.11.193.182/31,198.11.251.32/27,198.23.80.0/27,208.43.115.192/27,208.43.117.79/32,208.43.122.128/27'
option remote_port '53'
option proto 'both'
option url_domain_contains '"eba.gov.tr","whatsapp.net","whatsapp.com","google.com"'
option enabled '1'

Lantis
Moderator
Posts: 4709
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Restriction and whitelist not working well

Postby Lantis » Sat Jan 12, 2019 7:22 am

Well, that's one of the biggest rules I've seen. I'm not really surprised it doesn't work. I think you might be misinterpreting how the rules should be structured.

Let's go back to basics.

What exactly are you trying to block, and for whom?
And what made you come up with the rules you have created?
Where do all of those IPs come from?

iincitr
Posts: 32
Joined: Sun Sep 13, 2015 9:20 am
Location: turkey

Re: Restriction and whitelist not working well

Postby iincitr » Sun Jan 13, 2019 8:50 am

Hi

Actually, the rule contains JUST WhatsApp IP addresses.

In my location there are almost 15 devices: phones, smart TVs, tablets and PCs.

Mainly two groups.

One is always on the web.

The other belongs to the time restriction rules and works PERFECTLY. (Thank you again for this feature.)

What I want to do: when the second group is in its no-internet time, they may still use WhatsApp and some unblocked URLs (that is, the whitelist).

This is the only requirement.

Thank you

iincitr
Posts: 32
Joined: Sun Sep 13, 2015 9:20 am
Location: turkey

Re: Restriction and whitelist not working well

Postby iincitr » Mon Jan 14, 2019 5:48 pm

Hi, any help?

Lantis
Moderator
Posts: 4709
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Restriction and whitelist not working well

Postby Lantis » Mon Jan 14, 2019 6:21 pm

I have not had time to look yet, but it is on my list of things to do.

Lantis
Moderator
Posts: 4709
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Restriction and whitelist not working well

Postby Lantis » Sat Jan 19, 2019 3:53 am

Your request is complicated to setup, and even more so to explain.
To achieve what you require, you need to create two rules.

Rule 1 - Block_all_except_certain_websites
What does it do? Allows the specified devices access to everything, but during certain hours, only allows them to get access to certain websites.
Only change the Website URL(s) to "Block All Except", then use the "Domain Contains" and enter your 4 domains.

Rule 2 - Block_all_except_certain_ips
What does it do? Allows the specified devices access to everything, but during certain hours, only allows them access to certain IP addresses.
Only change the Remote IP(s) to "Block All Except", then enter your list of IPs.
NOTE: You will also need to add the IP address for google, whatsapp and eba websites to this list, or you won't get to them. It may also be necessary to list your DNS server.

It is important to remember that when you are trying to do IP blocking AND website blocking, websites are just IP addresses with fancy names. You need to be careful or you will get unexpected results.

The end result is the following set of logic:
-- STAGE 1 --
IF the packets come from the listed devices AND they are destined for the listed IPs, let them through to stage 2
IF the packets come from the listed devices AND they are NOT destined for the listed IPs, block them
IF the packets come from ANY OTHER DEVICE, let them through to stage 2
-- STAGE 2 --
IF the packet is a HTTP(S) request AND it is destined for one of the listed websites AND it comes from the listed devices, let them through
IF the packet is a HTTP(S) request AND it is NOT destined for one of the listed websites AND it comes from the listed devices, block them
IF the packet is a HTTP(S) request AND it is destined for ANY website AND it does NOT come from a listed device, let them through
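The two-stage logic in the post above, modelled as an added example (not Gargoyle's own code): the device MACs, allowed networks, domains and hours are constructed samples, the active_hours string follows the restriction_rule format from the posted config, and Rule 2 is checked before Rule 1 exactly as the stage list describes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample policy (not the poster's real rules): restricted devices, the
# remote IPs they may still reach, the domains they may browse, and the hours.
RESTRICTED_DEVICES = {"60:36:dd:63:e1:83", "88:9b:39:d9:84:21"}
ALLOWED_NETS = [ip_network(n) for n in ("192.168.5.1/32", "31.13.64.50/31", "157.240.0.53/32")]
ALLOWED_DOMAINS = ("eba.gov.tr", "whatsapp.net", "whatsapp.com", "google.com")
ACTIVE_HOURS = "17:30-19:00,20:30-23:45"

@dataclass
class Packet:
    src_mac: str
    dst_ip: str
    http_host: str = ""  # Host of an HTTP(S) request; empty for other traffic (e.g. DNS)

def in_active_hours(spec: str, now_hhmm: str) -> bool:
    """True if now_hhmm falls inside one of the 'HH:MM-HH:MM' windows in spec."""
    def minutes(t: str) -> int:
        h, m = t.split(":")
        return int(h) * 60 + int(m)
    now = minutes(now_hhmm)
    for window in spec.split(","):
        start, end = (minutes(t) for t in window.split("-"))
        end = end or 24 * 60  # '00:00' as an end time means midnight
        if start <= now < end:
            return True
    return False

def stage1_ip_rule(pkt: Packet) -> bool:
    """Rule 2 (Block_all_except_certain_ips): restricted devices only reach ALLOWED_NETS."""
    if pkt.src_mac.lower() not in RESTRICTED_DEVICES:
        return True  # any other device passes straight through to stage 2
    return any(ip_address(pkt.dst_ip) in net for net in ALLOWED_NETS)

def stage2_domain_rule(pkt: Packet) -> bool:
    """Rule 1 (Block_all_except_certain_websites): 'Domain Contains' match for HTTP(S)."""
    if not pkt.http_host or pkt.src_mac.lower() not in RESTRICTED_DEVICES:
        return True  # non-web traffic and unlisted devices are not filtered here
    return any(d in pkt.http_host for d in ALLOWED_DOMAINS)

def evaluate(pkt: Packet, now_hhmm: str):
    """Return (verdict, stage) for one outbound packet under the two-stage logic."""
    if not in_active_hours(ACTIVE_HOURS, now_hhmm):
        return ("ALLOW", 0)  # outside the restricted hours neither rule applies
    if not stage1_ip_rule(pkt):
        return ("BLOCK", 1)
    if not stage2_domain_rule(pkt):
        return ("BLOCK", 2)
    return ("ALLOW", 2)
```

The DNS case shows why the post says to list your DNS server: a restricted device's query to 192.168.5.1 passes only because that address is in ALLOWED_NETS, and a site whose IP is listed is still blocked at stage 2 if its hostname is not.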
