DHCP for wireless network with WRT54GL and DD-WRT

Hi there! :)

I would like to have a network organized as follows:

[Image: HomeDiagram_zps96569a29.png]


The aim of this is to best control traffic of the smartphones. I would like to analyse the outgoing traffic...

Would this be possible? If not, any solution that could do it would be appreciated.

Thanks! :)
 
I understand what you are attempting (mostly).

I don't understand the TOWER between the second firewall and the cellphone.

When the cell makes a call, it is to a cellphone service provider and thence outward to websites et al. (not inward). If your Debian at 192.168.0.15 has a server, your drawing is NOT how it would occur.

So how would the cellphone make a connection to your WiFi router as opposed to connecting to any other website?
 
Hello Jobeard! :)

The tower should have been a "wireless antenna" hehe... Let's just say the wireless connection.

The cellphone is on the drawing because it uses the Wi-Fi to connect to the Internet.

I would like to analyse / lock the outbound traffic of the wireless devices with iptables. I get some annoying ads on some applications. I would like to be able to block the outgoing connection to the ad servers. :)

Does this sound more clear to you? :)

Thanks for your time. ;)
 
Ok, I understand. HOWEVER, when you use the cellphone to Make An Internet Connection, it is NOT going to look for your local WiFi - - the connection is cellphone-->service Provider-->WAP service-->ISP service.

Use your phone, make any connection you can (I doubt you will even get a prompt for your SSID), get the browser on the phone and then access http://www.whatismyip.com/

You can then use the command prompt and TRACERT to the address shown and you should verify it does not traverse ANY IP address on your LAN.
 
Ok hehe If we forget about the cell phone, and say that it is just a Galaxy Tab... :) The cellular network does not have a place in the drawing here hehe

Having this on the wireless router, I can not block the connections from the Galaxy Tab (no GSM, wi-fi only) to the ad servers as I would like... Example:

Code:
root@WRT54GL:~# iptables -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination
DROP      tcp  --  GalaxyTab.wrt54gl    anywhere
DROP      tcp  --  GalaxyTab.wrt54gl    173.194.0.0/16
DROP      tcp  --  GalaxyTab.wrt54gl    host18416900.direcway.com/16
ACCEPT    0    --  anywhere            anywhere
 
Your tablet can connect to your wifi just like any other PC.
"I can not block the connections from the Galaxy Tab (no GSM, wi-fi only) to the ad servers as I would like"
This raises the question, How do you block ads on your PC now? You should be able to use the same method for the tablet.

There are two standard ways to filter content allowed on your LAN
  1. add filtering on the specific machine (aka blacklists, av or firewall software or dummy 127.0.0.1 specific.domain.name to your hosts file {very effective})
  2. serialize connections so that the upstream system is effectively a blocking proxy
The drawback on (1) is each machine must be uniquely configured / maintained and if there are frequent changes, that's a pain in the A**.

Type (2) is like router----(nic#1)PC_A(nic#2)---- other system(s) and the firewall on PC_A becomes the single point of control. Clearly PC_A must always be running. Also, any device(s) downstream from nic#2 must have static TCP configurations (unless PC_A is a Windows Server with DHCP service) and PC_A will need routing table entries to get data to flow.
 
Btw: my drivers\etc\hosts contains 29K records of which 1029 are to block domains starting with AD. or ADS.
 
Hello,

I did not reply to your last post... Thanks for the file.

I just wanted to let you know that I succeeded doing this by:

- installing Squid on the Debian
- setting an iptables rule on the router, redirecting the traffic of defined IP addresses:

iptables -t nat -I PREROUTING -p tcp -s 192.168.0.30 --dport ! 443 -j DNAT --to 192.168.0.12:3128

:)
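
An added example, not part of the original posts: once a client's HTTP traffic passes through Squid as described above, the proxy's access.log shows which hosts that client contacts. This Python sketch summarises a constructed sample in Squid's native log format for the client 192.168.0.30 and lists hosts-file style entries for hosts whose names start with ad. or ads.; the log lines, domain names and function names are assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1371020400.101    120 192.168.0.30 TCP_MISS/200 5120 GET http://news.example.org/index.html - DIRECT/203.0.113.10 text/html
1371020400.350     45 192.168.0.30 TCP_MISS/200 900 GET http://ads.example.net/banner?id=7 - DIRECT/203.0.113.20 image/gif
1371020401.020     50 192.168.0.30 TCP_MISS/200 910 GET http://ads.example.net/banner?id=8 - DIRECT/203.0.113.20 image/gif
1371020401.500     30 192.168.0.30 TCP_MISS/204 0 GET http://ad.tracker.example.com/pixel - DIRECT/203.0.113.30 -
1371020402.000     80 192.168.0.12 TCP_MISS/200 700 GET http://ads.example.net/other - DIRECT/203.0.113.20 image/gif
truncated line
"""

def hosts_by_client(log_text, client_ip):
    """Count requests per destination host for one client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[2] != client_ip:
            continue  # skip malformed lines and other clients
        method, url = fields[5], fields[6]
        # CONNECT entries log "host:port" rather than a full URL
        host = url.rsplit(":", 1)[0] if method == "CONNECT" else urlsplit(url).hostname
        if host:
            counts[host.lower()] += 1
    return counts

def looks_like_ad_host(host):
    # Same naming heuristic as the hosts file mentioned in the thread
    return host.startswith(("ad.", "ads."))

def hosts_file_entries(counts):
    """Return hosts-file lines pointing ad-looking hosts at 127.0.0.1."""
    return ["127.0.0.1 " + h for h in sorted(counts) if looks_like_ad_host(h)]

if __name__ == "__main__":
    seen = hosts_by_client(SAMPLE_LOG, "192.168.0.30")
    for host, n in seen.most_common():
        print(f"{n:4d}  {host}")
    print("\n".join(hosts_file_entries(seen)))
```

The name prefix is only a first filter; the per-host counts are what to review before blocking anything.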