Can I make an exception to allow ICMP?

PopeJamal
Posts: 5
Joined: Sat Jun 30, 2012 11:46 am

Can I make an exception to allow ICMP?

Post by PopeJamal »

Hello, here's my situation. Hopefully someone can point me in the right direction:

- On my router, I set static DHCP addresses for my children's phones and laptops. These addresses are NOT in the DHCP range.
- I've enabled "Block MAC addresses assigned a static IP that connect from a different IP".

So now, in theory, my kids can only connect to the network in the "Kids Block" of IP addresses.

Next, I set up a series of restriction rules:
- Allow my wife and me full access to everything
- Allow all addresses in the DHCP range full access to everything
- Allow access to specific websites only by domain for the "Kids Block" of addresses.

This all works fine and I'm really happy with it, but I've run into one problem: poptropica.com.

Poptropica is a Flash-based adventure game for kids. It allows you to create a custom character and choose clothes and hats for them and all kinds of stuff. You can create a user ID and password to remember your character. Here's the problem:

According to my amateur Wireshark sleuthing, whenever you try to log in with an ID and password, the Flash app tries to ping the Poptropica website first. If the ping fails, then it doesn't even attempt to log in and immediately throws up an error message about connectivity. If you just go to the site and create a new player, everything works just fine, so it would seem to be a login issue.

Is there any way to create a rule to allow ICMP traffic to a specific domain? Can you create a rule that allows ICMP for all clients?

I can allow ports, I can allow TCP or UDP, but I don't see a way to allow ICMP.

Any help would be greatly appreciated.

pbix
Developer
Posts: 1373
Joined: Fri Aug 21, 2009 5:09 pm

Re: Can I make an exception to allow ICMP?

Post by pbix »

Why would a ping to this website fail? Is it blocked?
Linksys WRT1900ACv2
Netgear WNDR3700v2
TP Link 1043ND v3
TP-Link TL-WDR3600 v1
Buffalo WZR-HP-G300NH2
WRT54G-TM

PopeJamal
Posts: 5
Joined: Sat Jun 30, 2012 11:46 am

Re: Can I make an exception to allow ICMP?

Post by PopeJamal »

pbix wrote: Why would a ping to this website fail? Is it blocked?
I'm assuming it fails because everything is blocked except for what's on the exception list. I only allow my kids to go to certain sites.

On my kids' computer, everything is blocked and I have a handful of exceptions set up:

Allow by domain: poptropica.com, wikipedia.org, etc
Allow remote ports: 993,465 (Otherwise, they couldn't check email)

That's it. In fact, it's so locked down that I can't ping anything outside of the LAN from my kids' computer. I've tested pinging the router, and that works fine. Even the domains that I created an exception for are not pingable. Here's what I get if I try to ping one of the allowed domains from my kids' computer:

user@my-box ~ $ ping wikipedia.org
PING wikipedia.org (208.80.152.201) 56(84) bytes of data.
From router.home.lan (192.168.1.1) icmp_seq=1 Destination Port Unreachable
From router.home.lan (192.168.1.1) icmp_seq=2 Destination Port Unreachable
From router.home.lan (192.168.1.1) icmp_seq=3 Destination Port Unreachable
From router.home.lan (192.168.1.1) icmp_seq=4 Destination Port Unreachable
From router.home.lan (192.168.1.1) icmp_seq=5 Destination Port Unreachable
From router.home.lan (192.168.1.1) icmp_seq=6 Destination Port Unreachable
From router.home.lan (192.168.1.1) icmp_seq=7 Destination Port Unreachable
From router.home.lan (192.168.1.1) icmp_seq=8 Destination Port Unreachable
From router.home.lan (192.168.1.1) icmp_seq=9 Destination Port Unreachable
BTW, I'm using a TL-WR1043ND.

pbix
Developer
Posts: 1373
Joined: Fri Aug 21, 2009 5:09 pm

Re: Can I make an exception to allow ICMP?

Post by pbix »

Could you post some screenshots of your restrictions setup? I do not remember an "Allow by domain" setting anywhere, so I am a little confused.

Sorry, you are going to have to bring me up to speed a little.

PopeJamal
Posts: 5
Joined: Sat Jun 30, 2012 11:46 am

Re: Can I make an exception to allow ICMP?

Post by PopeJamal »

pbix wrote: Could you post some screenshots of your restrictions setup? I do not remember an "Allow by domain" setting anywhere, so I am a little confused.

Sorry, you are going to have to bring me up to speed a little.
No problem. Here's what I'm talking about. It's actually called: "Website URL(s) -> Permit Only -> Domain contains: xxxxxxxxx".
Attachments
Website URL Domain Contains.png