D-Link DIR-655 :: Access Control Policies IP Ranges?
Jan 9, 2010
I'm trying to block internet access to a range of IP addresses using the Access Control function of the DIR-655 router. Unfortunately, the router does not allow me to block a range of IPs. Instead, I can only create policies based upon individual IPs or MAC addresses. I have over 60 machines I want to block Internet access and I'd hate to have to type them in individually. How do I go about blocking all Internet access (HTTP/FTP/email/everything) for a range of IP addresses? They will have to be able to continue to use the internal LAN.
Using Microsoft IAS as the auth server, how do I get the ASA (v.8.2.1) to take different user groups defined in AD, and control access to different group policies on the VPN? We're setting up the ASA for many different vendors, and need to control access for each vendor with different policy.
For example, Vendor one is in AD group Vendor1 and will only be permitted access to a specific group of defined IPs in our network. Vendor two is in AD group Vendor2 and will only be permitted access to a different group of defined IPs in our network from Vendor1.
I have tried to set up access control by setting up a policy that restricts certain MAC addresses during a period during the day from certain websites. I set up the website filter and a schedule and selected them for the policy. Instead of blocking just the websites on the filter list during the time set up in the schedule, it blocks all websites all the time. I made sure that I set up the policy to 'block some access' NOT 'block all access'. The only thing that seems to work is that only the computers with the MAC address selected are affected.
I may be doing it incorrectly, but I'm trying to configure web access rules. I first set up access control and tell it to use the website filter. I've tried configuring it by both MAC address and IP address (separately, not simultaneously), but it still allows the listed sites in the web filter to get through. Is there something else I need to block or am I not doing something correctly? The network is on DHCP reservation, so IP addresses are always the same. MAC addresses, as I mentioned, don't work, either and they are fixed and logged in the router.
DIR655 with 1.33NA firmware. I'm trying to determine how to block access to the internet for a specific LAN computer when the user knows how to change a MAC address. I don't want to turn MAC control on and grant only to listed computers - the list doesn't accommodate enough MAC addresses, and the client has wireless and wired since it's a laptop. I also don't want to set static IPs on all of the devices since some cannot accommodate that feature. I'm thinking that reserving an IP address isn't ultimately the solution either, since assigning the IP isn't going to work if the MAC changes. How do I use access control under these circumstances?
When attempting to configure access controls from the advanced menu I enable the access control checkbox. I then follow the configuration wizard completing each step as directed by the wizard. When I complete the wizard and try to save the rule I get the following error message regardless of how I complete the wizard. "Name can not be empty string". Yes, cannot is misspelled in the message. I have tried every combination of choices in the wizard and many combinations of naming the rule to no avail.
This did work properly on a previous firmware version, probably 1.04 or 1.05. I have not tried back loading to the previous versions to see where it did or did not work. I don't know how well the router goes back and don't really care to reload all the settings again by hand if the automatic recovery doesn't work. I want to use this feature to control what hours certain machines on the network have access to the internet.
I would like to use the web access control that is on the DIR-615 along with my 2Wire modem/wireless router. Is this possible? If not, is it possible to put the 2Wire modem into bridge mode and purchase a second wireless modem to run alongside the DIR-615 that I have so that I can have two separate wireless networks that have two different web access controls in place?
I want to do what I thought would have been a simple enough task - block my kids' phone/computer after certain hours. Instead of blocking the specified MAC address(es), all my computers do not have internet access. As soon as I disable the policy, internet access is on again. Here's what I did:
My firmware is 1.35NA and have a schedule established. When I try to add a policy for access control, I can select a policy name but when I hit "next", I get an error stating "Internet Explorer has stopped working" and wants to close. I was able to add policies previously but can not any more.
Trying to set up a simple schedule for keeping the kids from staying up all night. I'd had this working on a Linksys WRT54G till it bit the dust. I just want it to block internet after midnight. My problem is that the schedule is triggering the block unpredictably.
I have a situation where I have tenants connecting to my wireless network and paying towards the internet bill. I am able to control this by using MAC filtering, but I have just realised that this only works for wireless clients.
Is there a way to replicate this for the router's LAN ports? Or possibly even just disable LAN access. The router model is a D-Link DSL-2750U.
Region : Austria Model : TL-MR3420 Hardware Version : V2 Firmware Version : ISP :
I'd like to make exception keywords in the Access Control but I don't know how I could possibly do this. E.g. I have put in the keyword "apple" to be blocked, so if a domain has the keyword "apple" in it, it will be automatically blocked. What can I do, however, if I want to make an exception for the domain "appletree.com"? I haven't found any way to make an exception to specific domains or keywords.
I have several laptops at home that connect via wireless connection to the DIR-655. Using the MAC address of those laptops, I want to prevent them from going to certain websites. Under "Advanced" and "Website Filter", I added several domain names (websudoku.com for example). I selected "DENY computers access to ONLY these sites". I then saved settings. I then went to "Access Control". I clicked on "Enable Access Control". I clicked on "Add Policy" to create a new policy for one of the laptops. When I boot the laptop and go to one of the websites, it still allows me access. The URL/domain name is correct.
Region : UnitedStates Model : TL-WDR4300 Hardware Version : V1 Firmware Version : 3.13.23 Build 121225 Rel.37950n ISP :
Setting up access control for one PC. I just want to block all internet access to one PC during a certain time. It seems like my only options in the Access Control page in the GUI are to block websites or domains.
For some reason I can't get Access Control/Webaccess Filters working on my Dir-655 w/ 1.35NA. I've tried it with MAC and IP Address without any success. I've also enabled/disabled/enabled DNS Relay, recreated the rules, recreated the filters, etc. Nothing.
I'm trying to set up a website filter on my DIR-601. I created a policy for 2 MAC addresses, with a schedule from 10AM-6PM, selected "Block some websites", and disabled logging. Under website filter, I added some entries, and selected "DENY computers access to ONLY these sites". When the policy is enabled, and I try to access one of the blocked websites, it gets blocked correctly ("The URL access was denied by administrator.") However, for all other websites, I get "server unexpectedly dropped the connection" errors, eg "Safari can't open the page [URL] because the server unexpectedly dropped the connection. This sometimes occurs when the server is busy. Wait for a few minutes, and then try again." or in Chrome "No data received. Unable to load the webpage because the server sent no data." This happens with ALL non-blocked websites. I'm using hardware version A1, firmware version 1.01NA.
We have two device groups:
ASAs for VPN access
Wireless Controllers
There are 2 AAA devices in each group.
We have 4 Identity Stores
ACS Internal User Store - This is used for external suppliers doing SSL VPN on ASAs
External Radius server - this is a two factor authentication server that in turn looks up our AD and its own internal token database. This is used for IPSEC VPN access for internal employees.
We have mapped AD groups - this is used for allowing access for wireless users.
LDAP group mapped from other AD domain - used for allowing wireless access to an associated organisation.
Our requirements
We need to create a rule for the VPN access that first of all looks through the ACS internal store - if a user is not found there then it checks the external Radius server. If no users are found there then access is denied. We need to create a similar rule for wireless users so that it will check AD - if a user is not found there then it checks LDAP. If no users are found then access is denied.
I am trying to configure a Unified Wireless solutions with ACS 5.1 and am having trouble with the access policies. We have corporate laptops authenticating via PEAP and 7921 phones authenticating using EAP-FAST.
I have one access service configured to allow PEAP and authenticate against AD and another access service configured to allow EAP-FAST and authenticate the 7921 phones against the "internal user" database.
I have configured 2 service selection rules. Each one points to one of the access services. The only condition I have currently configured is the "protocol" field to be RADIUS. Because both the 7921 phones and the client laptops are generating RADIUS requests I can only have one EAP type working depending which rule is at the top. Because the RADIUS protocol field is always matched, requests never get past the first rule.
How do I modify the rule to be able to distinguish between VoIP handsets on one WLAN and client laptops on another so that correct access policy is used for each device?
We just upgraded to ASA 220.127.116.11 and the latest CSD image, 3.6.6203. We currently have a DAP set up to scan one group policy for a specific AV but wanted to start implementing this for all group policies and including several different flavors of AV (so anyone could connect from anywhere as long as a pre-approved AV is installed). We are going to allow about 20 different versions of different AV's and I've tested a couple already and they're successful.
My issue right now is trying to allow (or deny) AV that is installed on an Android tablet (and potentially Apple devices). The tablet has avast Mobile Security installed, and even if I select Vendor: Alwil as a whole, it still does not recognize it and denies the user. I have tested on a PC and it works fine. Is there something that I am missing or are mobile AV programs not included in the DAP policies? Is this going to be considered for future versions of CSD or ASA or are we going to continue to consider Android and Apple devices "secure" and not in need of an AV?
After updating the firmware of my WRVS4400N from V 18.104.22.168 to 22.214.171.124 all traffic was blocked for all machines, even some not included in the list of PCs. As the log was showing that all traffic was blocked by access policies, I disabled the only rule I had (blocking access to some sites to some MAC address list) and everything worked fine. I tried creating a new, simpler rule but after activation it blocked again all traffic for all the LAN. After many trials, I decided to roll back to the previous V126.96.36.199 which solved this problem.
I'm trying to set up a S2S VPN between two ASA5505 SP units running ASA Version 8.2(1). I've ordered additional ADSL2 lines to handle this traffic and I'm having troubles with the configuration for the additional PPPoE connection. Here are extracts from my current config; First the interface vlans
The result being that I can ping the OUTSIDE interface, but get no reply from the VPN interface. I've checked ADSL lines, they are up. The two PPPoE sessions are logged in and active. I can even see the ICMP packets hit the VPN interface, but there is no reply.
I have a Cisco 880 (supplied by my company and as such I have little access to the control panel). I have a Linksys (Cisco) E1200 to use as an access point. Cisco setup (love it!) but the simple setup gives the E1200 an IP range starting at 192.168.1.1 while the Cisco 880 range is 192.168.185.113. I need to have all connections in the same IP range (192.168.185.xxx) for remote monitoring. What is the best way to accomplish this? Bridge mode (I don't need Guest Mode which I read is not possible in bridge mode)? Disable DHCP on the E1200?
We have ASA5500's deployed for remote access concentration. We use Cisco IPsec VPN client with a group policy that checks for Network ICE BlackIce Personal Firewall. The powers-that-be wish to change to McAfee Personal Firewall, ok. Now the Group Policy allows you to check for several pre-configured Firewalls, Cisco Integrated, Sygate, Zone Labs etc. So as McAfee are not listed then I am to assume we go for "Custom Firewall" and this is where I am struggling. To configure checking for a Custom Firewall I must have the Vendor ID and the Product ID. McAfee haven't the faintest idea what we're talking about when we ask them for these details. Or is there a way to extract them from the registry of a machine with the McAfee product installed?
I have the following config using a Cisco 1921. I am trying to get devices on the native VLAN to get internet access via the gateway x.x.x.73. Anything being routed from the other VLANs 15/20/30 can get access, but nothing from an internal IP address. Is there something I am missing?
The Xs replace the same 3 octets for each interface. I am trying to route from VLANs 15/20/30 to see VLAN 5. I have tried a few things, in terms of adding extra IP routes, but can't get anything to work. Each of those VLANs has another router on the other side of them, which I have also tried adding IP routes to, but nothing. One of the routers (Vlan15 is a Draytek 2830).
We have a small office and already have a firewall in place that uses content filtering. I am looking for a low cost wireless access point that I can place behind my firewall that will allow me to control access by a username and password list, not just the passkey.
Does this exist without having to go to an Aruba or Ruckus type enterprise WIFI product?
I'm trying to set parental control for one of the kids in household, url...2gaming2Every Day 06:00 - 22:43 (meaning from 6am to 10:43pm he can access ONLY those two sites, correct?) but, when I turn parental control on, all internet is off for him even allowed sites. Time right now is 21:44 gmt+2 and my router time is set right, so I don't know why it doesn't work?
For our children, we use the parental control feature of the DIR-615 (RevD, FW4.11b15), which works excellently. I use the whitelist feature, so only trusted web sites can be accessed. Unfortunately the DIR-615 only has 10 entries in that list and I will soon need more. So I wonder if there is another D-Link router that offers a bigger list with maybe 50 or even 100 entries?