Q on ASUSWRT 5.0, AX86U Pro app vs GUI settings for access control

[routerq]

RT-AX86U Pro, Firmware Version:3.0.0.6.102_34336

I installed the Asus Android app and I can see many per device settings like block internet access etc..

I cant find them on the Web GUI, i think I remember that on my RT-AC86U with Merlin FW, i could do that in the network map client list.

Is there a way to do it on the official 3.0.0.6 FW?

 

[bennor]

Did you check under Parental Controls > Time Scheduling? That's typically where the WAN block rule is created for LAN clients when using the Network Map method of blocking Internet Access. For Guest Network Pro clients see the settings under Guest Network Pro. One may not see a block internet access depending on which GNP preconfigured entry they select.

 

[visortgw]

Try this: Network Map tab >> click on Clients button >> select device under Client status list (right side of window).

 

[routerq]

Try this: Network Map tab >> click on Clients button >> select device under Client status list (right side of window).

perfect this worked...

I was trying by clicking on the "View List" button ... never thought of clicking on the client button....

 

[routerq]

I just noticed today that:

1) I can't block internet access for devices that are on the Guest SDN by clicking on the Network Map>Clients>Client List > Client button.

2) Wireless MAC filter does not work on devices that are on the Guest SDN

I have a devices that I cant find a way to disconnect from my wifi or factory reset it and need to block its internet access. For now I have used Parental Controls > Time Blocking set to block it. But I am not sure if that is also functioning.

Looking for inputs / options.

 

[bennor]

@routerq make sure to use the stock firmware's Feedback page (Administration > Feedback) to send feedback to Asus on it if you haven't done so already. Being unable to block internet access to Guest Network Pro clients appears to be just one more quirk with the feature among a number of others.

Edit to add: I guess one option is to use IPTables and create a new entry via SSH to block the specific Guest Network Pro client. But that method likely won't survive a router reboot or firewall restart.

 

[routerq]

@routerq make sure to use the stock firmware's Feedback page (Administration > Feedback) to send feedback to Asus on it if you haven't done so already. Being unable to block internet access to Guest Network Pro clients appears to be just one more quirk with the feature among a number of others.

Edit to add: I guess one option is to use IPTables and create a new entry via SSH to block the specific Guest Network Pro client. But that method likely won't survive a router reboot or firewall restart.

Thanks , I will report to Asus.

1Q) Since this is an IOT device, and I have blocked access using Parental Control feature. How do I check that no traffic is going out form it OR reaching it?

 

[bennor]

1Q) Since this is an IOT device, and I have blocked access using Parental Control feature. How do I check that no traffic is going out form it OR reaching it?

Connect a mobile device to the Guest Network Pro and test.

Blocking using Parental Control didn't seem to work for me in a quick and dirty test on a RT-AX86U Pro running 3.0.0.6.102_34336.

 

[routerq]

Note: Parental Controls also don't work, I blocked, my kids PC Internet using the App, app shows internet blocked, web GUI shows internet blocked ... but kid is happily playing online games

Kid is on his own guest SDN

Just came back form a trip, looks like my wife is going to have a tough conversation with me once she has fed me lunch and fattened the pig ......

 

[routerq]

Follow up: I raised a case with Asus Technical Support for:
1) Internet Blocking not working for devices on SDN using block internet access on android app
2) Block internet access not available on web GUI for devices on sDN
3) MAC block not working

I got a call from supposedly Level 2 Agent, but on talking to him, I felt like he was just another Agent reading form a script. His first response was this is not a bug. And when I told him that what is the point of Kids network if you can't block internet access OR IOT network if you cant control things. His response was please wait to see if our team fix it in the next FW release.

He also asked em to raise this in the router Feedback page. Which I have already done.

Not too confidence inspiring ...

My request to people who are on devices on 3.0.0.6 FW, and facing these issues, please raise tickets on asus and also submit feedback on the router feedback page...

 

[bbunge]

The Guest network has scheduling. Have you tried that?

 

[routerq]

The Guest network has scheduling. Have you tried that?

It has but you can't control individual device ...

 

[bbunge]

It has but you can't control individual device ...

That is OK if it is for the kids. A filtering DNS server can also be used.
The other thing is to be a parent...

 

[routerq]

That is OK if it is for the kids. A filtering DNS server can also be used.
The other thing is to be a parent...

Appreciate all your inputs, but i am also looking to block the internet access to a rogue IOT Device....

I believe the point of this forum/thread is to find technical answers and not preach parenting hacks / capabilities.

 

[bennor]

Appreciate all your inputs, but i am also looking to block the internet access to a rogue IOT Device....

I believe the point of this forum/thread is to find technical answers and not preach parenting hacks / capabilities.

A possible solution to your issue was posted in the other discussion thread you are participating in. Have you tried it?
https://www.snbforums.com/threads/asus-rt-ax88u-pro.93727/#post-944264

Hi, I want to share my workaround to disallow devices in VLAN from accessing Internet, when Parental Control is buggy and Asus has not fixed that yet.

The real problem of Parental Control failure is the router does not create correct iptables rule. It only drops packets from br0 (the main network), but any packet from vlan will be from br{your_vlan_id}, which won't match this rule. However, the iptables work correctly for VPN. So I created a dummy WireGuard server in the vlan and disabled its ipv4 forwarding. Then in the Guest Network Pro section, enable VPN and point the vlan to the dummy WireGuard. It acts as a black hole to drop all IoT traffic from phoning home.

One thing I'm not sure about is do we really need that dummy server. Theoretically we can just create a dummy WG profile but I haven't tested it yet. Hope this workaround can help you.

 

[routerq]

A possible solution to your issue was posted in the other discussion thread you are participating in. Have you tried it?
https://www.snbforums.com/threads/asus-rt-ax88u-pro.93727/#post-944264

yes, that is on the cards for the weekend when Wife and Kid don't need the wifi and wont mind the interruptions ....

 

[routerq]

I just experimented by creating a new Guest SDN with the setting "Use same subnet as main network" and this is the result:

1) On the Web GUI there is still no way to block the internet access (i.e. clicking on clients > device icon > no Block Internet button

2) On the Android Router App , I can block the devices' internet access and it does block the internet access.

I then moved the devices to a Guest SDN with its own Subnet

NOTE: even though this is the Pro version and I saw in some other thread that You can sue the Asus Expertwifi app with AX86U Pro router, when I tried, the app refused and showed the message to use the normal Asus app.