HELP Wan restriction on asus RT-n68u merlin firmware

[stoffer6666]

I have a asus router and really like it i just have one problem i don't know if it is possible to do a ip Restriction on the wan interface.
I have tried to do it in the gui and it works but a little to good it blocks my entire lan from access the web-gui of my router.
Is there a specific line i can add so it tells the firewall that the lan side is ok but every outside ip address that is not listet on the list should be blocked.
I have seached the forums with no luck of finding a answer.

I have the newest merlin firmware on it.

 

[martinr]

If I have understood you correctly, the way to block WAN access to the web GUI, but still allow LAN access is:

Administration tab > System tab > Enable web access from WAN, set to NO. (It's 4th setting from the bottom).

And if I have misunderstood, apologies.

 

[stoffer6666]

Hey thanks for your reply.

But you misunderstood.

Yes i know i can block webaccess from wan.
But the problem is i want to access the router from the web but limit it to 3 different wan ip address and i can do that.
But when you set a limit on specific ip adresses the router blocks the access from all ip-adresses on the lan.
So you can't connect to the router via lan unless you define a singel ip address in your lan scoop, but when you have computers running dhcp and have different ip address every day it is not a good option.
So i was hoping that i could type in a line that will keep the lan access active on the wan interface or something

 

[martinr]

It doesn't solve your problem, but it looks as if this has been noted before: http://www.snbforums.com/threads/administration-system-only-allow-specific-ip.11352/#post-70836

There may well be someone who could tell you how to do this by specifying in iptables the external IP addresses you want to give access to and dropping all others. And possibly, if WAN access in the Admin section was left set to Yes, LAN access would still be permitted? Alternatively, do you mind fixed internal IP addresses, specify the one device you allow LAN access, and use the other 3 for external permitted IP addresses? But I'm certain you already figured that out and rejected it.

 

[stoffer6666]

It doesn't solve your problem, but it looks as if this has been noted before: http://www.snbforums.com/threads/administration-system-only-allow-specific-ip.11352/#post-70836

There may well be someone who could tell you how to do this by specifying in iptables the external IP addresses you want to give access to and dropping all others. And possibly, if WAN access in the Admin section was left set to Yes, LAN access would still be permitted? Alternatively, do you mind fixed internal IP addresses, specify the one device you allow LAN access, and use the other 3 for external permitted IP addresses? But I'm certain you already figured that out and rejected it.

 

[stoffer6666]

Hi Martin

Yeah that i could do but most customers i use it for is set as dhcp and get a dhcp address so it would be very nice if the router did not restict lan side from accessing the webgui. I'm thinking that it must be a fault or a bug from asus.
Do you know any one who could make a little guide for me doing the ip tabels i am not a specialist in linux but i know my way in telnet.