Gargoyle with Teens

General discussion about Gargoyle, OpenWrt or anything else even remotely related to the project

alphaG_25
Posts: 1
Joined: Sat Oct 24, 2015 2:35 am

Gargoyle with Teens

Post by alphaG_25 »

Hi

Summary.
I have a household with middle-age kids and high school teenagers. We wanted time scheduling of their devices in regard to internet access (mostly due to social media issues and distractions during assignments). I used to restrict internet time by putting the kids' devices in an IP range between 192.168.8.201 and 192.168.8.254 and blocking this range during different hours using the Netgear firmware, which was limited. I have now installed Gargoyle on the Netgear WNDR3700v4 router and it connects from its yellow WAN port to a LAN port on my main NBN router. I have upgraded to Gargoyle and have set up the DHCP IP range as being between 192.168.8.201 and 192.168.8.254, and when a device connects to the Gargoyle router I find its MAC address and assign it a static IP; this allows me to log events and know who the user is. I group the devices into Tablets and Laptops for different access times (Tablets = social media, etc.; Laptop = school assignments). The firewall rules below use their MAC IDs to prevent/allow internet access. I have set up a printer on the Gargoyle router so assignments can be done and printed but internet is restricted. I also have a hard drive plugged into the Gargoyle router with mediashare enabled to stream to television boxes in the house. My Gargoyle setup works brilliantly and the internet time restrictions work without fail.

Question.
My question is: I want my Windows 10 Pro computer to be able to copy movies/files from a device on my 192.168.1.1 router to the hard drive on the Gargoyle 192.168.8.1 router.

On my desktop computer I have a Wi-Fi card connected to the Gargoyle router and a LAN card connected to the main router by Cat5e. The computer runs Windows 10 Pro, and opening Network Connections I can view and play movies on the DLNA share from the Gargoyle router but not copy to it. I can access network devices on both routers through the Wi-Fi/LAN connections, both being active at the same time. I believe I require some port forwarding?

Any ideas?

Thanks,

Geoff


*******************************************************************
*******************************************************************
Main NBN Modem Router

Make: technicolor
Model: TG789vac v2
ip: 192.168.1.1
Outgoing CAT5e cable plugged into LAN Port 1
*******************************************************************
*******************************************************************
2nd Router - N600 Wireless Dual Band Gigabit Router - Gargoyle Installed

Device Name: Gargoyle
Gargoyle Version: 1.10.0
Model: NETGEAR WNDR3700v4
Device Configuration: Gateway
Memory Usage: 28.3MB / 122.8MB (23.1%)
Connections: 240/4096
CPU Load Averages: 0.00 / 0.00 / 0.00 (1/5/15 minutes)
LAN IP Address: 192.168.8.1
LAN Netmask: 255.255.255.0
LAN MAC Address: 04:A1:51:7F:ED:96
WAN IP Address: 192.168.1.212
WAN Netmask: 255.255.255.0
WAN MAC Address: 9E:F6:00:75:EF:DC
WAN Gateway IP: 192.168.1.1
WAN DNS Server(s): 192.168.1.1
Wireless Mode: Access Point (AP)
Wireless MAC Address: 04:A1:51:7F:ED:98
2.4GHz Access Point SSID: BUSNETG2018
5GHz Access Point SSID: BUSNETG2018-5G
DHCP Enabled
DHCP IP Range: 192.168.8.201 to 192.168.8.254
Incoming CAT5e cable plugged into Yellow WAN Port
*******************************************************************
*******************************************************************
Computer
Dell Windows 10 Pro
- Has BOTH Wi-Fi and LAN connections enabled
Dell Wi-Fi Card IPv4 address: 192.168.1.202
Dell Wi-Fi Card IPv4 DNS servers: 102.168.1.1
Dell LAN Card IPv4 address: 192.168.1.247
Dell LAN Card IPv4 DNS servers: 102.168.1.1

Internet connection okay
Both the LAN cable and Wi-Fi connections are okay
Able to access network shares on router 192.168.1.1
Able to play movies on the DLNA mediashare on router 192.168.8.1
Unable to copy files to the DLNA mediashare on router 192.168.8.1

*******************************************************************
*******************************************************************
FIREWALL file (in the /etc/config directory)

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option enforce_dhcp_assignments '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'
	option reload '1'

config rule
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option type 'script'
	option path '/usr/lib/gargoyle_firewall_util/gargoyle_additions.firewall'
	option family 'IPv4'
	option reload '1'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'openvpn_include_file'
	option path '/etc/openvpn.firewall'
	option reload '1'

config include 'tor_include_file'
	option path '/etc/tor.firewall'
	option reload '1'

config restriction_rule 'rule_99'
	option is_ingress '0'
	option description 'GARGOYLE TABS MADI HOMEALONE TIMES CONTROL'
	option local_addr 'E4:F8:EF:64:F7:ED,D4:AE:05:13:78:51,A8:66:7F:DC:E6:45,90:B9:31:C1:81:28,D0:5B:A8:74:1E:94,9C:04:EB:33:4E:87,A8:06:00:C5:97:D7,6C:19:C0:4B:21:87,80:58:F8:25:FB:0A,90:B9:31:8A:E2:E8,78:A3:E4:55:57:63,BC:52:B7:43:7B:87,A8:06:00:CB:59:49,A8:FA:D8:40:5B:15'
	option active_weekdays 'sun,mon,tue,wed,thu,fri,sat'
	option active_hours '00:00-06:00,23:00-23:59'
	option enabled '0'

config restriction_rule 'rule_100'
	option is_ingress '0'
	option description 'GARGOYLE TABS MASTER TIMES CONTROL'
	option local_addr 'E4:F8:EF:64:F7:ED,D4:AE:05:13:78:51,A8:66:7F:DC:E6:45,90:B9:31:C1:81:28,D0:5B:A8:74:1E:94,9C:04:EB:33:4E:87,A8:06:00:C5:97:D7,6C:19:C0:4B:21:87,80:58:F8:25:FB:0A,90:B9:31:8A:E2:E8,78:A3:E4:55:57:63,BC:52:B7:43:7B:87,A8:06:00:CB:59:49,A8:FA:D8:40:5B:15'
	option active_weekdays 'sun,mon,tue,wed,thu,fri,sat'
	option active_hours '00:00-08:00,09:00-17:30,19:30-23:59'
	option enabled '1'

config restriction_rule 'rule_101'
	option is_ingress '0'
	option description 'GARGOYLE KID PC ACCESS TIMES'
	option local_addr '70:F1:A1:3B:24:E1,74:F0:6D:37:E3:C3,F8:28:19:E7:65:63'
	option active_hours '00:00-06:00,20:30-23:59'
	option enabled '1'

config restriction_rule 'rule_102'
	option is_ingress '0'
	option description 'GARGOYLE TEEN PC ACCESS TIMES'
	option local_addr '74:C6:3B:42:16:6D,58:00:E3:C8:3B:77'
	option active_hours '00:00-06:00,23:00-23:59'
	option enabled '1'

config restriction_rule 'rule_103'
	option is_ingress '0'
	option description 'XBOX LIVE'
	option local_addr '2C:54:91:B9:37:E7'
	option active_weekdays 'sun,mon,tue,wed,thu,fri,sat'
	option active_hours '08:00-22:00'
	option proto 'both'
	option url_domain_contains '"download.xboxlive.com","download.xboxlive.com","ocsp.msocsp.com","images-eds.xboxlive.com"'
	option enabled '1'

config remote_accept 'wan_ftp_server_command'
	option proto 'tcp'
	option zone 'wan'
	option local_port '21'
	option remote_port '21'

config remote_accept 'wan_ftp_server_pasv'
	option proto 'tcp'
	option zone 'wan'
	option start_port '50990'
	option end_port '50999'
*******************************************************************
*******************************************************************
Last edited by Lantis on Wed Jul 04, 2018 6:58 am, edited 1 time in total.
Reason: Added code blocks for readability

ispyisail
Moderator
Posts: 5185
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Gargoyle with Teens

Post by ispyisail »

This question comes up every so often.

The short answer is put everything on the same subnet and all your problems go away.

The long answer.....

1. Put Gargoyle into bridge mode, or
2. Set up OpenVPN, or
3. Other...

WAN to LAN is setup to block as designed. Gargoyle is not designed for advanced networking.

Lantis
Moderator
Posts: 6753
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Gargoyle with Teens

Post by Lantis »

There are a few things going on here which could be leading to your troubles.

First, you cannot have 2 separate NICs connected to two separate subnets at the same time without doing some static routing. This setup should be avoided in my opinion. Looking at the IPs handed out to your wired and wireless NICs, they are both in the 192.168.1.x range, which is not correct for what you are trying to achieve.

Now, assuming that read/write access works from inside the 192.168.8.x subnet (this should be tested first, otherwise there is no point continuing), I would access the share via its "WAN" IP, which is really an internal IP from your modem.
To let this happen, you need to forward port 445 to port 445 at 192.168.8.1 (i.e. its own address) on the Gargoyle router, which will allow it to accept local SMB connections via the WAN port.
NOTE that if a poor firewall on your modem allows connections on 445 to also reach your Gargoyle router, then you may be exposing your SMB share to the internet. This should be tested as well to ensure no data leakage outside your network.
Now, from the Windows machine on the 192.168.1.x subnet, you can access the share at \\192.168.1.212\share_name.

It would be worth setting a static IP in this instance to keep things sane.
For your information (and inspiration), I have just replicated your desired setup on my own home network and it works fine.

My other piece of advice would be to upgrade to the latest version of the 1.10.x branch, as I rewrote a lot of the user/password/share configuration code, fixing several bugs and shortcomings. Additionally, I also wrote in SSL support for the URL blocking feature (which I notice you are using). This feature was almost completely broken before this due to encryption, and again may be worth the upgrade. However, if both these features are currently working OK for you, it is perfectly acceptable to leave it alone.

And finally, thanks for your detailed description of your problem. Working with all of the information is always a lot simpler than without.
http://lantisproject.com/downloads/gargoyle_ispyisail.php for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
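An added example, not code from this thread or from the Gargoyle project: the rule Lantis describes (let the Gargoyle router accept SMB on its WAN side so the share is reachable at \\192.168.1.212\share_name), written as a plain OpenWrt UCI firewall rule for the router's own input chain rather than through Gargoyle's port-forwarding page. It assumes the addresses from the thread (upstream modem subnet 192.168.1.0/24, Gargoyle WAN address handed out by the modem) and the section name smb_from_upstream is invented. Limiting src_ip to the modem's private subnet is the mitigation for the exposure Lantis warns about: if the modem ever passes port 445 through from the internet, that connection arrives with a public source address and does not match the rule, so it is still rejected by the wan zone's default input policy.

```shell
#!/bin/sh
# Added example (not from the thread or the Gargoyle project).
# Builds an OpenWrt/UCI firewall 'rule' that accepts TCP/445 on the wan zone
# only from the upstream modem's private subnet. A rule with src but no dest
# applies to traffic addressed to the router itself (the INPUT chain), which
# is exactly the SMB share on the Gargoyle router.
# Constructed assumptions: upstream subnet 192.168.1.0/24 (from the thread),
# section name smb_from_upstream (invented).

UPSTREAM_SUBNET="${UPSTREAM_SUBNET:-192.168.1.0/24}"
RULE="smb_from_upstream"

# Print the uci commands instead of running them blindly, so the rule can be
# reviewed before it is applied to the router.
smb_input_rule_commands() {
    cat <<EOF
uci set firewall.$RULE=rule
uci set firewall.$RULE.name='Allow-SMB-from-upstream-LAN'
uci set firewall.$RULE.src='wan'
uci set firewall.$RULE.src_ip='$UPSTREAM_SUBNET'
uci set firewall.$RULE.proto='tcp'
uci set firewall.$RULE.dest_port='445'
uci set firewall.$RULE.target='ACCEPT'
uci set firewall.$RULE.family='ipv4'
uci commit firewall
EOF
}

# Sanity check before applying: the rule must carry the source restriction,
# otherwise any host that can reach the WAN port (including one the modem
# forwards from the internet) would be allowed in.
# Exit status 0 = restricted to the upstream subnet, 1 = not restricted.
rule_is_restricted() {
    smb_input_rule_commands | grep -q "src_ip='$UPSTREAM_SUBNET'"
}

if [ "$1" = "--apply" ] && command -v uci >/dev/null 2>&1; then
    # On the router: refuse to apply an unrestricted rule, then reload fw3.
    rule_is_restricted || { echo "refusing to apply unrestricted rule" >&2; exit 1; }
    smb_input_rule_commands | sh
    /etc/init.d/firewall reload
else
    # Anywhere else (or without --apply): dry run, just show the commands.
    smb_input_rule_commands
fi
```

Run it on the Gargoyle router with --apply after reading the printed commands, then test the share from a 192.168.1.x host at \\192.168.1.212\share_name, and confirm, as Lantis suggests, that port 445 on the modem's public address is not reachable from outside your own network. Gargoyle's own UI stores its port-forward and remote-accept settings in the same /etc/config/firewall file shown above, so check with `uci show firewall` that only one rule for 445 exists.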
