luciangutu
join:2004-03-22 romania

P334 ip block

Hello,
How can I block an IP from being routed through the P334 router? The router has 192.168.0.1 as local IP, and I want to block some IPs from the LAN. I read the quick manual that came with the router but I did not find any info.
Thanks!
Anav Sarcastic Llama? Naw, Just Acerbic Premium join:2001-07-16 Dartmouth, NS 1 edit

What I would do is use the content filter menu area. Block all services and put those LAN IPs you wish to have available in the exempt area.
I stand corrected. There is only the ability to set one IP as exempted, NOT a range :-(
luciangutu
join:2004-03-22 romania

reply to luciangutu
So, there isn't another way to block several LAN IPs?? That is dumb
Anav Sarcastic Llama? Naw, Just Acerbic Premium join:2001-07-16 Dartmouth, NS

reply to luciangutu
There should be a way in the manual filtering. It's just more time intensive.
bbarrera Premium,MVM join:2000-10-23 Sacramento, CA

jbibe, is this possible using the command-line interface?
jbibe Premium,MVM join:2001-02-22

It should be possible, particularly if static DHCP was used to control the IP addresses (or fixed LAN IP addresses were used).
jbibe Premium,MVM join:2001-02-22

reply to luciangutu
said by luciangutu: How can I block an IP from being routed through the P334 router? The router has 192.168.0.1 as local IP, and I want to block some IPs from the LAN.

Can you give me an example of what you would like to do? How many IP addresses do you want to allow? Do you plan to block services for all LAN computers for part of the day?
luciangutu
join:2004-03-22 romania
2 edits

Here is the router config:
WAN: 81.196.25.103
LAN: 192.168.0.1
GW: 81.196.25.1
NETMASK: 255.255.255.0
Now, I want the clients from 192.168.0.2 to 192.168.0.10 to always be able to access the Internet, and the rest of the class (192.168.0.11-192.168.0.254) only whenever I want/allow.
This means that I want to block all from 192.168.0.11 to 254. I do not use DHCP.
I hope I made myself clear. Thank you again.
P.S.
"Do you plan to block services for all LAN computers for part of the day?"
No
jbibe Premium,MVM join:2001-02-22

The only relatively foolproof method for restricting access to the web is to build a LAN-input generic filter based on the source MAC addresses. If you don't want to worry about someone on the LAN changing the IP address of their computer to one of the allowed IP addresses, then you can do the following:
1. (Firewall -> Setting tab) -- If you want to log blocked outbound events, change the LAN to WAN logging to Log Blocked, and press Apply.
2. (Firewall -> Services tab) --
   a. Add Any(TCP) and Any(UDP) to Blocked Services
   b. Enable Everyday in Day to Block
   c. Enable All Day in Time of Day to Block
   d. Press Apply
At this point, no computer on the LAN will have access to the web. Next, modify rule 1 in the LAN-WAN firewall set (set 1) to identify the IP addresses to be blocked (192.168.0.11 to 192.168.1.254). This will allow the remaining computers (192.168.0.2 to 192.168.0.10) to operate in the normal manner.
3. Telnet to the P334 and open menu 24.8
4. Use the config commands to change the source address of rule 1 in firewall set 1:
   config retrieve firewall
   config edit firewall set 1 rule 1 srcaddr-range 192.168.0.11 192.168.0.254
   config save firewall
5. Verify that rule 1 is changed as desired:
   config retrieve firewall
   config display firewall set 1
or you can use the following command to look at the changed rule in set 1:
6. Assuming that the rule has been modified as desired, you are done, except for ensuring that the LAN computers have the correct IP address.
whitefishdj Premium join:2001-12-27 Alameda, CA
·Comcast

reply to luciangutu
Why not put clients 1 through 10 on a different subnet and then use a single source IP filter, applied to LAN input? When you want to allow access, remove the filter from the LAN input list.
If others see a flaw in my thinking, then please point it out. I haven't tried this on my rp334 and I may have missed a reason why this approach won't work.
Set LAN clients for Internet access with addresses 192.168.0.2 - 192.168.0.11, or whatever upper limit you need. Set the netmask to 255.255.0.0 !!
Set LAN clients without Internet access with addresses 192.168.10.2 to 192.168.10.XXX, also netmask 255.255.0.0
Set the router LAN netmask to 255.255.0.0 but leave the LAN IP as 192.168.0.1
Now create a filter in its own set that forwards any packet with a source IP of 192.168.0.0, netmask 255.255.255.0, but goes to the next rule for any other packet. Now add a second filter to the set that drops any packet with a destination IP that is not 192.168.0.0, mask 255.255.0.0
Edit any existing filter sets that are applied to the LAN input so that they go to the next rule rather than forwarding the packet. Make the new filter set the last one in your LAN input filter list.
If you haven't backed up your config (rom-0) before monkeying with the filters, then do so. If the unit locks up, you can always use the reset button to return to the factory configuration, then upload your backed-up rom-0 file to return to the prior state. I've used that feature more than once when experimenting with new filters.
jbibe Premium,MVM join:2001-02-22

Firewall rules and protocol filters can be used interchangeably in most cases. Your protocol filter has exactly the same problem as the firewall method. It is not foolproof.
When I have a choice, I use firewall rules, but if you prefer packet filters, use them.
luciangutu
join:2004-03-22 romania

reply to luciangutu
Thank you jbibe!!! It worked. Two more questions:
1. Where can I get the docs for configuring my router from telnet (24.8)?
2. What is the easiest way to allow, when I want (from time to time), the blocked IPs (all IPs from 192.168.0.11 to 192.168.0.254) to access the Internet?
jbibe Premium,MVM join:2001-02-22

The CI Command List for the P334 is in the Release Notes. The Release Notes are included in the firmware zip file with the firmware and factory default configuration file. A copy of the zip file is available at the ZyXEL web site.
You can allow everyone access by making rule 1 inactive, as follows:
   config retrieve firewall
   config edit firewall set 1 rule 1 active no
   config save firewall
Later you can restrict access, as follows:
   config retrieve firewall
   config edit firewall set 1 rule 1 active yes
   config save firewall
If you want to remove the restriction permanently, remove Any(TCP) and Any(UDP) from the Firewall Services screen and press Apply.
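A small model of the two blocking schemes discussed in this thread (jbibe's firewall set 1 rule 1 with its active yes/no toggle, and whitefishdj's two-rule LAN-input filter set), added here as an example; it is not the thread's own code and not ZyXEL firmware logic. The packets are constructed samples using the WAN gateway address the original poster gave, and the function names are made up for the model.

```python
from ipaddress import IPv4Address, IPv4Network

# Thread set-up: 192.168.0.2-.10 may reach the Internet, .11-.254 are blocked.
# whitefishdj's variant widens the LAN to a /16 and parks blocked hosts in 192.168.10.x.
BLOCK_LO = IPv4Address("192.168.0.11")
BLOCK_HI = IPv4Address("192.168.0.254")
ALLOWED_NET = IPv4Network("192.168.0.0/24")   # whitefishdj rule 1: source match
WIDE_LAN = IPv4Network("192.168.0.0/16")      # whitefishdj rule 2: destination match

def firewall_set1(src: str, dst: str, rule1_active: bool = True) -> str:
    """jbibe's method: Any(TCP)/Any(UDP) are blocked LAN->WAN, and set 1 rule 1
    is narrowed to srcaddr-range 192.168.0.11-192.168.0.254.  The CI command
    'config edit firewall set 1 rule 1 active no' corresponds to rule1_active=False."""
    s, d = IPv4Address(src), IPv4Address(dst)
    if d in WIDE_LAN:              # LAN-to-LAN traffic never enters the LAN-WAN set
        return "forward"
    if rule1_active and BLOCK_LO <= s <= BLOCK_HI:
        return "blocked"
    return "forward"

def lan_input_filter(src: str, dst: str) -> str:
    """whitefishdj's method: rule 1 forwards anything sourced from 192.168.0.0/24
    and otherwise falls through; rule 2 drops packets whose destination lies
    outside 192.168.0.0/16, so 192.168.10.x hosts reach the LAN but not the WAN."""
    s, d = IPv4Address(src), IPv4Address(dst)
    if s in ALLOWED_NET:
        return "forward"           # rule 1 matched
    if d not in WIDE_LAN:
        return "drop"              # rule 2 matched
    return "forward"               # end of set: LAN-internal traffic passes

# Constructed sample packets (source, destination); 81.196.25.1 is the GW from the thread.
SAMPLES = [
    ("192.168.0.5", "81.196.25.1"),    # allowed client, Internet-bound
    ("192.168.0.20", "81.196.25.1"),   # client in the blocked range
    ("192.168.10.7", "81.196.25.1"),   # whitefishdj's non-Internet subnet
    ("192.168.10.7", "192.168.0.1"),   # same host talking to the router
]

def evaluate(rule1_active: bool = True) -> dict:
    """Return {(src, dst): (firewall verdict, filter verdict)} for the samples.
    Both schemes key on the source IP only, which is why jbibe calls them not
    foolproof; only a source-MAC filter would tie the decision to the machine."""
    return {(s, d): (firewall_set1(s, d, rule1_active), lan_input_filter(s, d))
            for s, d in SAMPLES}

if __name__ == "__main__":
    for pkt, verdict in evaluate().items():
        print(pkt, verdict)
```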
luciangutu
join:2004-03-22 romania

reply to luciangutu
Thank you very much. You've been a great help
jbibe Premium,MVM join:2001-02-22

You are welcome.
Anav Sarcastic Llama? Naw, Just Acerbic Premium join:2001-07-16 Dartmouth, NS

Jbibe the magician. So basically you apply block services to all traffic (in the web GUI) and then use the manual method of delineating which IPs this block services actually refers to?? Thus any IPs not so identified do not have these restrictions applied!
--
Ain't nuthin but the blues! "Albert Collins". Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"