TechSpot

DHCP for wireless network with WRT54GL and DD-WRT

By Benny Hill
Jan 12, 2013
  1. Hi there! :)

    I would like to have a network organized as following:

    [image: network diagram (not included on this page)]

    The aim of this is to best control traffic of the smartphones. I would like to analyse the outgoing traffic...

    Would this be possible? If not, any solution that could do it would be appreciated.

    Thanks! :)
     
  2. jobeard

    jobeard TS Ambassador Posts: 13,446   +324

    I understand what you are attempting (mostly).

    I don't understand the TOWER between the second firewall and the cellphone.

    When the cell makes a call, it is to a cellphone service provider and thence outward to websites et al.
    (not inward). If your Debian at 192.168.0.15 has a server, your drawing is NOT how it would occur.

    So how would the cellphone make a connection to your WiFi router as opposed to connecting to any other website?
     
  3. Benny Hill

    Benny Hill TS Rookie Topic Starter

    Hello Jobeard! :)

    The tower should have been a "wireless antenna" hehe... Let's just say the wireless connection.

    The cellphone is on the drawing because it uses the Wi-Fi to connect to the Internet.

    I would like to analyse / block the outbound traffic of the wireless devices with iptables. I get some annoying ads in some applications. I would like to be able to block the outgoing connections to the ad servers. :)

    Does this sound more clear to you? :)

    Thanks for your time. ;)
     
  4. jobeard


    Ok, I understand. HOWEVER, when you use the cellphone to Make An Internet Connection, it is NOT going to look for your local WiFi - - the connection is cellphone-->service provider-->WAP service-->ISP service.

    Use your phone, make any connection you can (I doubt you will even get a prompt for your SSID), open the browser on the phone and access http://www.whatismyip.com/

    You can then use the command prompt and TRACERT to the address shown, and you should verify it does not traverse ANY IP address on your LAN.
     
  5. Benny Hill


    Ok hehe, if we forget about the cell phone and say that it is just a Galaxy Tab... :) The cellular network does not have a place in the drawing here hehe

    Having this on the wireless router, I cannot block the connections from the Galaxy Tab (no GSM, wi-fi only) to the ad servers as I would like... Example:

    Code:
    root@WRT54GL:~# iptables -L OUTPUT
    Chain OUTPUT (policy ACCEPT)
    target    prot opt source              destination
    DROP      tcp  --  GalaxyTab.wrt54gl    anywhere
    DROP      tcp  --  GalaxyTab.wrt54gl    173.194.0.0/16
    DROP      tcp  --  GalaxyTab.wrt54gl    host18416900.direcway.com/16
    ACCEPT    0    --  anywhere            anywhere
     
  6. jobeard


    Your tablet can connect to your wifi just like any other PC.
    This raises the question: how do you block ads on your PC now? You should be able to use the same method for the tablet.

    There are two standard ways to filter content allowed on your LAN
    1. add filtering on the specific machine (aka blacklists, AV or firewall software, or a dummy "127.0.0.1 specific.domain.name" entry in your hosts file {very effective})
    2. serialize connections so that the upstream system is effectively a blocking proxy
    The drawback on (1) is each machine must be uniquely configured / maintained and if there's frequent changes, that's a pain in the A**.

    Type (2) is like router----(nic#1)PC_A(nic#2)---- other system(s) and the firewall on PC_A becomes the single point of control. Clearly PC_A must always be running. Also, any device(s) downstream from nic#2 must have static TCP configurations (unless PC_A is a Windows Server with DHCP service) and PC_A will need routing table entries to get data to flow.
     
  7. jobeard


    Btw: my drivers\etc\hosts contains 29K records of which 1029 are to block domains starting with AD. or ADS.
     
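Added example, not from the thread and not jobeard's hosts file: method (1) above has the drawback that every device must carry its own hosts file. The WRT54GL running DD-WRT already runs dnsmasq as the LAN's DNS and DHCP server, so the same blocklist can be loaded there once, as dnsmasq "address=" lines, and every Wi-Fi client that takes its DNS from the router is covered. The script is POSIX shell of the kind DD-WRT's busybox runs; the sample hosts lines and the /jffs path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): turn a hosts-style blocklist into
# dnsmasq "address=" entries for the DD-WRT router's dnsmasq, so the router
# answers 0.0.0.0 for ad hosts for every wireless client at once.

# Read hosts lines on stdin, emit one "address=/host/0.0.0.0" per blocked
# host. Comments are stripped, only 127.0.0.1 / 0.0.0.0 entries count,
# localhost-style names are skipped and duplicates (case-insensitive) are
# removed.
hosts_to_dnsmasq() {
  sed 's/#.*//' | awk '
    $1 == "127.0.0.1" || $1 == "0.0.0.0" {
      for (i = 2; i <= NF; i++) {
        h = tolower($i)
        if (h == "localhost" || h == "localhost.localdomain" || h == "broadcasthost") continue
        if (!(h in seen)) { seen[h] = 1; print "address=/" h "/0.0.0.0" }
      }
    }'
}

# Optional narrower filter: keep only names whose first label is "ad" or
# "ads", the subset jobeard mentions above.
ad_prefixed_only() {
  grep -E '^address=/ads?\.'
}

# Constructed sample input (not a real blocklist).
SAMPLE='# sample hosts blocklist
127.0.0.1 localhost
127.0.0.1 ads.example.com    # banner ads
0.0.0.0   ad.tracker.example tracker.example
0.0.0.0   ADS.EXAMPLE.COM    # duplicate, different case'

# Emit the dnsmasq lines for the sample. A real run would be
#   hosts_to_dnsmasq < /path/to/hosts > /jffs/etc/dnsmasq-ads.conf
# (the /jffs path is an assumption; DD-WRT can also take the lines
# directly in the DNSMasq "Additional Options" box).
sample_conf() {
  printf '%s\n' "$SAMPLE" | hosts_to_dnsmasq
}
```

An `address=/host/0.0.0.0` line also answers for every subdomain of that host, which is usually what you want for an ad network. It only catches clients that use the router as their resolver (the DHCP lease hands that out); a device with a hard-coded public DNS server bypasses it entirely, and HTTPS pages whose hostname is blocked fail with a connection error rather than silently.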
  8. Benny Hill


    On the PCs, I use the Adblock plugin for Firefox.

    Thanks for your proposal. I will check how I can apply this here... :)
     
  9. jobeard


  10. Benny Hill


    Hello,

    I did not reply to your last post... Thanks for the file.

    I just wanted to let you know that I succeeded doing this by:

    - installing Squid on the Debian
    - setting an iptables rule on the router, redirecting the traffic of defined IP addresses:

    Code:
    # current iptables spells the negation "! --dport 443"; the older
    # "--dport ! 443" form still works but prints a deprecation warning
    iptables -t nat -I PREROUTING -p tcp -s 192.168.0.30 --dport ! 443 -j DNAT --to 192.168.0.12:3128

    :)
     
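Added example (not from the thread): the interception from the last post written out as a reviewable DD-WRT firewall script. It assumes the thread's layout, all of which are assumptions here: router LAN bridge br0, Squid on 192.168.0.12:3128, clients 192.168.0.30 and 192.168.0.31. Two points are made explicit that the thread leaves implicit: traffic a LAN client sends to the Internet passes the router's FORWARD chain, not OUTPUT, which is why the OUTPUT rules shown in post 5 never matched anything; and if proxy and clients share one LAN segment, Squid's replies would go straight to the client past the router's NAT state, so a POSTROUTING masquerade is added for that case.

```shell
#!/bin/sh
# Added example (not from the thread): transparent HTTP interception on a
# DD-WRT router, sending chosen LAN clients' port-80 traffic to a Squid box.
# Assumed addresses: LAN bridge br0, Squid on 192.168.0.12:3128, clients
# 192.168.0.30 and 192.168.0.31 (give them static DHCP leases so the
# source-IP match stays valid).
PROXY_IP="${PROXY_IP:-192.168.0.12}"
PROXY_PORT="${PROXY_PORT:-3128}"
LAN_IF="${LAN_IF:-br0}"
CLIENTS="${CLIENTS:-192.168.0.30 192.168.0.31}"
IPT="${IPT:-iptables}"

# DRY_RUN=1 (default) prints each rule instead of installing it, so the set
# can be reviewed before it touches the live firewall.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Rules for one client. Only TCP/80 is redirected: "everything except 443"
# would also drag SSH, mail, NTP-over-TCP etc. into Squid and break them.
redirect_client() {
  run "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -p tcp -s "$1" --dport 80 \
      -j DNAT --to-destination "$PROXY_IP:$PROXY_PORT"
  # The redirected flow is forwarded traffic, so it must pass FORWARD.
  run "$IPT" -A FORWARD -i "$LAN_IF" -p tcp -s "$1" -d "$PROXY_IP" --dport "$PROXY_PORT" -j ACCEPT
}

# Needed when client and proxy share the same LAN segment: Squid would
# otherwise answer the client directly, the reply would never pass the
# router's conntrack to be un-NATed, and the client would reset the
# connection. Masquerading makes Squid send replies back via the router.
same_segment_fixup() {
  run "$IPT" -t nat -A POSTROUTING -o "$LAN_IF" -p tcp -d "$PROXY_IP" --dport "$PROXY_PORT" -j MASQUERADE
}

install_rules() {
  for c in $CLIENTS; do redirect_client "$c"; done
  same_segment_fixup
}

# "sh script.sh apply" with DRY_RUN=0 installs the rules; on DD-WRT the
# body would instead be pasted into Administration > Commands > Save Firewall.
if [ "${1:-}" = "apply" ]; then
  DRY_RUN=0 install_rules
fi
```

Squid has to listen in intercept mode for DNAT'd connections (`http_port 3128 intercept` on Squid 3.1 and later, `transparent` on older releases), and the blocking itself is a Squid ACL, for instance `acl ads dstdomain "/etc/squid/ads.txt"` followed by `http_access deny ads`. Only plain HTTP is intercepted, so ads fetched over HTTPS are untouched. The masquerade hides the real client address from Squid's access log; if the proxy sits on a separate segment behind the router, drop it and keep per-client logging.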

