[Help] How to restrict internet access to client devices after connecting PB to home router.

Posted by rahulmahale 
Hi,
I need to block internet access to client devices when my PB is connected to the home router, but I need internet access on the PB itself to sync data from the server.
So please suggest a detailed how-to for achieving this.

Thanks and regards,
Rahul.
Re: [Help] How to restrict internet access to client devices after connecting PB to home router.
January 21, 2014 08:46PM
Hi,
as I already pointed out in a different thread:

1. change network config to:
/etc/config/network 

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

After that, your PirateBox automatically takes the correct configuration from your home router and has internet access on the box.

2. Fix IP on PirateBox interface:
vi /opt/piratebox/conf/piratebox.conf
find
 #Network
 NET=192.168.1
And change it to
 #Network
 NET=192.168.2

3. disable the dns fix (not needed for PirateBox 1.0)
sed  's,pb_use_local_dns="yes",pb_use_local_dns="no",g' -i /etc/piratebox.common

After doing
reboot
the box should restart.
On the wifi network, you should be able to ssh/telnet to 192.168.2.1.
There you can look up what the box's LAN IP is.

If after that you can still ping e.g. 8.8.8.8 from wifi,
check if your IP at the client is really a 192.168.2.x, and if YES, then modify /etc/config/firewall:

config zone
        option name             lan
        option network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT


# config forwarding
#        option src              lan
#        option dest             wan
(don't remove everything, only comment the parts and double check the zone part)

This is written without testing it. No warranties

regards
Matthias



Edited 1 time(s). Last edit at 08/19/2014 05:21PM by Matthias.
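As an added illustration (not code from the thread or from the PirateBox project), this POSIX shell script checks a UCI-format /etc/config/firewall for an active lan -> wan "config forwarding" block and writes a copy with that block commented out rather than deleted, which is the change Matthias describes. It works on a file path, so it can be run against a copy first; the sample config it builds is constructed to mirror the post.

```shell
#!/bin/sh
# Added example, not from the thread: inspect an OpenWrt /etc/config/firewall
# (UCI format) for a lan -> wan forwarding section and produce a copy with that
# section commented out, leaving the zone blocks untouched as the post advises.

make_sample() {   # writes a constructed config (mirrors the post) to the path in $1
  cat > "$1" <<'EOF'
config zone
        option name             lan
        option network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT

config forwarding
        option src              lan
        option dest             wan
EOF
}

# Prints "open" if any active 'config forwarding' block has src lan and dest wan,
# otherwise "closed". Quotes around UCI values are tolerated; '#' lines are ignored.
lan_to_wan_forwarding() {
  awk '
    /^[[:space:]]*config[[:space:]]/ { inblk = ($2 == "forwarding"); src = ""; dest = ""; next }
    inblk && $1 == "option" { v = $3; gsub(/\047/, "", v)
                              if ($2 == "src") src = v; else if ($2 == "dest") dest = v
                              if (src == "lan" && dest == "wan") found = 1 }
    END { if (found) print "open"; else print "closed" }' "$1"
}

# Copies $1 to $2 with every lan -> wan forwarding block commented out ("# " prefix).
# Blocks are buffered until the next "config" line so the decision is made per block.
disable_lan_to_wan() {
  awk '
    function flush(  i, hit, pfx) { hit = (isfwd && src == "lan" && dest == "wan")
      for (i = 1; i <= n; i++) { pfx = (hit && buf[i] !~ /^[[:space:]]*$/) ? "# " : ""
                                 print pfx buf[i] }
      n = 0; isfwd = 0; src = ""; dest = "" }
    /^[[:space:]]*config[[:space:]]/ { flush(); isfwd = ($2 == "forwarding") }
    { buf[++n] = $0
      if (isfwd && $1 == "option") { v = $3; gsub(/\047/, "", v)
        if ($2 == "src") src = v; else if ($2 == "dest") dest = v } }
    END { flush() }' "$1" > "$2"
}
```

Run `disable_lan_to_wan /etc/config/firewall /tmp/firewall.new`, inspect the result, then copy it into place and reboot (or `/etc/init.d/firewall restart`) as the post describes.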
Thanks Matthias.. you are a genius... It worked for me :)

Thanks and regards,
Rahul.
Re: [Help] How to restrict internet access to client devices after connecting PB to home router.
January 23, 2014 09:37PM
I'm happy that it is finally working :D
I am working through the instructions here and ran into a snag on the following step.

Quote
3. disable the dns fix sed 's,pb_use_local_dns="yes",pb_use_local_dns="no",g' -i /etc/piratebox.common

The piratebox.common file does not seem to exist in the current version of PirateBox. I realize this thread is a little old. Is there a more current guide for accomplishing what OP wanted, or any advice?

Thanks



Edited 1 time(s). Last edit at 08/19/2014 03:07PM by MarthaSpeaks.
Re: [Help] How to restrict internet access to client devices after connecting PB to home router.
August 19, 2014 05:20PM
Hi,
for a reason unknown to me, I dropped that function on the way to 1.0.
So you don't need that command anymore.

I adjusted the steps above

Matthias


This is only my signature.



Edited 1 time(s). Last edit at 08/19/2014 05:21PM by Matthias.
Tried changing the network and the firewall but it's not working. I don't want clients connected to the box to access the internet. Here is my firewall setting, but clients can still access the internet:

config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1

config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward REJECT

config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1

config rule
option src lan
option src_mac 00:00:00:00:00:00
option dest wan
option proto tcp
option target REJECT

# We need to accept udp packets on port 68,
# see [dev.openwrt.org]
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4

# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT

# Allow DHCPv6 replies
# see [dev.openwrt.org]
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option src_ip fe80::/10
option src_port 547
option dest_ip fe80::/10
option dest_port 546
option family ipv6
option target ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT

# include a file with users custom iptables rules
config include
option path /etc/firewall.user
Remove that line:
 option src_mac 00:00:00:00:00:00

and retry after a reboot.

edit: How is your home network connected to your PirateBox? Which PirateBox do you have?

best regards
Matthias



Edited 1 time(s). Last edit at 05/03/2017 08:15PM by Matthias.