Tag Archive for 'ASUS WL-520GU'

How to Control Access Restriction Rules in Tomato by a Shell Script

This week I got some time to delve deeper into the Access Restriction rules on my ASUS WL-520GU router running Tomato firmware version 1.27. I wanted to write a Bourne Shell script to turn any given Access Restriction rule on or off. Access Restriction rules are coded as pipe (|) separated strings and stored in nvram variables named rrule0, rrule1, rrule2 etc. To see what is in the first rule we can issue the following command at the shell prompt in Tomato:

nvram get rrule0

The returned string might look something like:

1|540|1140|62|||block-site.com$|0|New Rule 1

Let us take a closer look at what each of these nine fields separated by pipe (|) means.

The first field shows whether the rule is currently enabled or disabled – 1 means enabled, 0 means disabled.

The second field gives the start time, i.e. the time to start applying this rule, in minutes elapsed since midnight. In the above example the start time is 540, meaning the router should enforce this rule starting at 9am. The third field is the end time, i.e. the time to stop applying this rule, coded the same way as the start time. Both the second and third fields will be -1 if you select the option ‘All Day’ in the control panel.

The fourth field is the days of the week on which the rule should be applied and is coded as a bitmask – 1 for Sunday, 2 for Monday, 4 for Tuesday and so on up to 64 for Saturday. For multiple days, add the corresponding numbers for each day. In the above example the fourth field is 62, which is equal to 2+4+8+16+32 – meaning the rule should be active on Mon, Tue, Wed, Thu and Fri, i.e. only on weekdays. If you had checked the option ‘Everyday’ this value would be 127.

The fifth field holds the IP or MAC address range in your network to which the rule should be applied – for the case where you don’t want all the computers on the network to be affected by this rule. The sixth field has the Port/Application information coded in it, i.e. which port numbers, protocols, Layer 7 and P2P applications should be blocked by this rule.

The seventh field contains the domains or URLs you want to block and partially supports regular expressions. In the above example, domain names ending in block-site.com are blocked. The eighth field stores, as a binary coded value, whether ActiveX, Flash or Java need to be blocked – 1 for ActiveX, 2 for Flash and 4 for Java. And finally the ninth field stores the name that you gave to this rule.
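As an added example (not code from the post), here is a POSIX shell decoder for the rrule format described above, plus a check of whether a rule is in force at a given day and minute. It assumes only the nine-field layout given here; the sample rule is constructed, and treating start > end as a window that wraps past midnight is my assumption, not something the post states.

```shell
#!/bin/sh
# Added example (not code from the post): decode a Tomato Access Restriction
# rule string as stored in nvram rruleN. SAMPLE is constructed, not read from a router.
SAMPLE='1|540|1140|62|||block-site.com$|0|New Rule 1'

# Field N (1-based) of a pipe-separated rule string.
rrule_field() { printf '%s\n' "$1" | cut -d'|' -f"$2"; }

# Minutes since midnight -> HH:MM; -1 is the control panel's "All Day".
fmt_time() {
    [ "$1" = "-1" ] && { echo "all day"; return; }
    printf '%02d:%02d\n' $(( $1 / 60 )) $(( $1 % 60 ))
}

# Bitmask -> comma-separated names; $1 is the mask, the rest name bits 1,2,4,...
fmt_mask() {
    mask=$1; shift; out=""; bit=1
    for name in "$@"; do
        [ $(( mask & bit )) -ne 0 ] && out="${out:+$out,}$name"
        bit=$(( bit * 2 ))
    done
    echo "${out:-none}"
}
fmt_days()    { fmt_mask "$1" Sun Mon Tue Wed Thu Fri Sat; }   # field 4
fmt_content() { fmt_mask "$1" ActiveX Flash Java; }            # field 8

# Exit 0 if the rule is enforced on weekday $2 (0=Sun..6=Sat) at minute $3:
# enabled, day bit set, time in window. Assumption (not stated in the post):
# a window with start > end wraps past midnight.
rrule_active_at() {
    start=$(rrule_field "$1" 2); end=$(rrule_field "$1" 3)
    [ "$(rrule_field "$1" 1)" = "1" ] || return 1
    [ $(( $(rrule_field "$1" 4) & (1 << $2) )) -ne 0 ] || return 1
    [ "$start" = "-1" ] && return 0
    if [ "$start" -le "$end" ]; then
        [ "$3" -ge "$start" ] && [ "$3" -lt "$end" ]
    else
        [ "$3" -ge "$start" ] || [ "$3" -lt "$end" ]
    fi
}

# Human-readable dump of one rule string.
decode_rrule() {
    printf 'rule:    %s (enabled=%s)\n' "$(rrule_field "$1" 9)" "$(rrule_field "$1" 1)"
    printf 'when:    %s-%s on %s\n' "$(fmt_time "$(rrule_field "$1" 2)")" \
        "$(fmt_time "$(rrule_field "$1" 3)")" "$(fmt_days "$(rrule_field "$1" 4)")"
    printf 'hosts:   %s\nports:   %s\nurls:    %s\n' "$(rrule_field "$1" 5)" \
        "$(rrule_field "$1" 6)" "$(rrule_field "$1" 7)"
    printf 'content: %s\n' "$(fmt_content "$(rrule_field "$1" 8)")"
}
decode_rrule "$SAMPLE"
```

On the router you would feed it `"$(nvram get rrule0)"` instead of SAMPLE.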

Now with this basic understanding of how the Access Restriction rules in Tomato work, we can write shell scripts to control the rules. Below is the script I wrote to enable or disable a rule. Two values are passed on the command line – the rule number and either a 0 or a 1 to disable or enable the rule respectively. If you have jffs enabled in the control panel you can copy the script into the jffs directory and schedule it to run, if you want, as a cron job.

#!/bin/sh

#Wait if any service is currently being restarted
#(re-read action_service on every pass, otherwise the loop never ends)
while [ "`nvram get action_service`" != "" ]; do
    sleep 1
done

#Assume we are going to enable the rule
enable=1

#Was a 1 or 0 passed on the command line?
[ "$2" != "" ] && enable=$2

#Get the current setting of the rule.
#Rule number is passed as the first parameter on the command line.
rr=`nvram get rrule$1`

#Bail out rather than write an empty rule if the number does not exist
if [ "$rr" = "" ]; then
    echo "rrule$1 is not set"
    exit 1
fi

#Set the first field (the enabled flag) to the value in variable $enable
rr=$(echo "$rr" | sed "s/^./$enable/")
echo "$rr"

#Replace the old rule with the new value
nvram set rrule$1="$rr"

#Tell Tomato's init which service to restart
nvram set action_service=restrict-restart

#Signal the init process to perform the requested action
kill -USR1 1

#Wait for the service to restart
while [ "`nvram get action_service`" = "restrict-restart" ]; do
    sleep 1
done

Configuring ASUS WL-520GU with Tomato

I recently bought an ASUS WL-520GU router from Newegg.com since I had serious problems with my NetGear WNR1000 router. The WNR1000 was dropping WLAN connections frequently and making my Blackberry reboot very often (for some strange reason). I couldn’t talk on my VoIP phone for more than a few minutes before it got disconnected.

The ASUS WL-520GU has a built-in USB port to connect network storage or a printer and is DD-WRT ready. It cost me about $30 after a $10 rebate. I was originally planning to flash it with DD-WRT and did so. Later I found on some internet forums that Tomato has similar features plus more, and a modded version of Tomato called Teddy Bear supports USB drives and printers out of the box - all of this with a smaller memory footprint than DD-WRT.

Like DD-WRT, Tomato is also built on top of BusyBox embedded Linux. But unlike DD-WRT, Tomato configuration was not as smooth for me. Here are some of the lessons I learned in the process:

  • Before flashing with Tomato, I did not select the option ‘Reset to Defaults’ on the DD-WRT upgrade screen and did not note down the web admin password from nvram by issuing:
    nvram get http_passwd

    After flashing I could not log in to the Tomato web admin page, since DD-WRT encrypts the password stored in nvram but Tomato does not. I had to reinstall DD-WRT and check the option ‘Reset to Defaults’ before re-flashing with Tomato.

  • Another problem was setting access restrictions (‘Access Restriction’ link on the Tomato web admin page). I created a rule to block internet access from all computers on the home network from 9am to 7pm. Little did I realize that it would block all kinds of internet access – not just web access – and undermine my ability to reach my home PC from outside. I had a tough time trying to figure out why Remote Desktop and ssh clients on my work PC were not able to reach my home PC. So if you select the ‘Block All Internet Access’ option while creating an Access Restriction rule, all incoming and outgoing connections for your home network will be blocked.
  • Then there was another problem – but totally unrelated to Tomato – that prevented an ssh connection to my router using PuTTY and public key authentication. PuTTY kept giving me the ‘Server unexpectedly closed the connection’ error. It turned out that I had a badly formatted public key in the authorized_keys file in my <home>/.ssh directory on my home Linux server. Removing the offending public key made everything work like a charm.