Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
819
Views
15
Helpful
9
Replies

Internet filtering setup confusion (RVS-4000)

MaximumMinimum
Level 1
Level 1

‎01-11-2021 01:05 AM - edited ‎01-11-2021 01:07 AM

I'm trying to set up an Internet filter on the RVS-4000 router but am having problems getting it to work ("Internet access policy" section within "Firewall" when you log into the router administration from a web browser).

Here's a screenshot of my setup where I'm attempting to block certain sites for a specific computer on the network:

access_policy_RVS4000.png

 

And in the "list of PCs" section I've entered the PC I want to affect with its MAC address:

list_of_pcs.png

 

As far as I see, this should block google.com, amazon.com and ebay.com for the computer with the MAC address entered in the above screenshot ("list of PCs") but allow for access to any other site. All other computers on the network should be unaffected.
My setup is wired and consists of a cable modem going to the RVS-4000 router which then goes to a Zyxel GS-1100 switch. Each of those 16 switch outputs are wired to their own ethernet wall-socket.

 

It's confusing to pinpoint exactly what's happening but one thing I've noticed is that the other computers on the network are losing their WAN access while the filter is running. They still have their LAN address though, but I cant understand they being affected at all since I've only defined one MAC address in the filter.

Labels:
9 Replies 9

Georg Pauwen
VIP
VIP

‎01-11-2021 01:13 AM

Hello,

 

my first thought is: under 'Access Restriction' what if you select 'Deny' instead of 'Allow' ?

MaximumMinimum
Level 1
Level 1
In response to Georg Pauwen

‎01-11-2021 03:52 AM

OK, just tried your suggestion:

"Deny" (along with the MAC address of the PC I want to block) takes away WAN access for that PC only, while the other computers all work fine. So that looks to be working.

 

"Allow" on the other hand is acting strange....

1) WAN is lost for all other PCs (but they still have a LAN IP address). This should NOT be happening.

2) The PC I want to affect (defined in the "List of PCs" with its MAC address) has WAN (and LAN) IP numbers. In other words, it has Internet access, so this is good!

3) But the same PC appears to filter out only some of the websites defined in "Website blocking by URL address". I entered a handful of sites (I've also tried just one) and as far as I can see it only blocks those that have an HTTP address while the ones with an HTTPS address aren't blocked.

I had a hard time finding sites that are HTTP-only, but "example.com" is one, so that site is blocked when the filter is enabled while "amazon.com", "ebay.com", "youtube.com" and "google.com" are unaffected (not blocked).

 

So what's the deal with this? A bug?

I've already upgraded it to what I believe is the latest firmware version (2.0.3.4).

0 Helpful

Georg Pauwen
VIP
VIP
In response to MaximumMinimum

‎01-11-2021 05:13 AM

Hello,

 

the documentation on this device is not too good, it doesn't help that it is end of life. I think the logic behind the 'Deny' and 'Allow' is the same as of an access list. 'Deny' to allow the websites equals deny. 'Allow' allow websites equals allow. Does that make sense ?

 

What happens if you enter the full URL including the https:// ? Does that change the entry in the list (and block the https) ?

0 Helpful

MaximumMinimum
Level 1
Level 1

‎01-11-2021 10:08 AM

I didn't quite understand what you meants about allow and deny other than the whole thing is a mess (IMHO anyway).
I tried your suggestion (adding a full URL including https://) but an error alert popped up ("invalid URL. Please check the format of the URL).

I also tried adding a full address with http:// (i.e. not secure) and that worked, but changed nothing in terms of getting the filter to work as intended.

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to MaximumMinimum

‎01-11-2021 12:42 PM

I do not have experience with this platform but do have a couple of ideas about what you describe:

-"Allow" on the other hand is acting strange....

1) WAN is lost for all other PCs (but they still have a LAN IP address). This should NOT be happening.

I wonder if it is applying the specified policy to a single PC if you need additional policies established for the other PCs in the network. (sort of like in configuring an access list if the first line permits (or denies) a specific host then you need another line to permit any)

- if you are doing layer 3 filtering I wonder if it would work any differently if you identify the PC by its IP address rather than by its mac address.

- it is very weird that the policy would work for HTTP but not HTTPS. I wonder if there is some setting somewhere else that sets that filter.

HTH

Rick
0 Helpful

MaximumMinimum
Level 1
Level 1
In response to Richard Burts

‎01-11-2021 02:02 PM - edited ‎01-11-2021 02:04 PM

@Richard Burts wrote:

I do not have experience with this platform but do have a couple of ideas about what you describe:

-"Allow" on the other hand is acting strange....

1) WAN is lost for all other PCs (but they still have a LAN IP address). This should NOT be happening.

I wonder if it is applying the specified policy to a single PC if you need additional policies established for the other PCs in the network. (sort of like in configuring an access list if the first line permits (or denies) a specific host then you need another line to permit any)

- if you are doing layer 3 filtering I wonder if it would work any differently if you identify the PC by its IP address rather than by its mac address.

- it is very weird that the policy would work for HTTP but not HTTPS. I wonder if there is some setting somewhere else that sets that filter.

I'm not sure what 3 layer filtering is, but are you saying that in addition to setting up the filter for that particular computer (as I've already tried to do) I simultaneously need to set up a filter for all the other computers on the network (to fully allow then go get access)?

I've also tried using and IP address but that didn't help. I was suggested by someone to use the MAC address instead because IP addresses can change (I suppose if you reset the router perhaps).

Also, if I define another filter (for all the other computers), is there a smart way to define "everything else" in terms of IP or MAC addresses? I don't want to reconfigure everything in case I temporarily add a laptop or reset the router.

I also found it strange that it won't accept HTTPS addresses in the filter. The router isn't THAT old, not being familiar with https! Anyone know what this can be caused by?

Oh, I also reset the router back to its factory settings just to be on the safe side.

0 Helpful

Georg Pauwen
VIP
VIP
In response to MaximumMinimum

‎01-11-2021 01:16 PM

Hello,

 

I somewhere recall there was something called a ProtectLink license that could be purchased with these routers, make sure you don't have that running somewhere (if you have, there should be a tab somewhere in the GUI).

 

Other than that, it might as well be a software bug/problem. I found the post below (unfortunately the download links are obsolete because the product is end of life)...

 

https://community.cisco.com/t5/small-business-support-documents/problem-with-rvs4000-blocking-websites/ta-p/3125198

MaximumMinimum
Level 1
Level 1
In response to Georg Pauwen

‎01-11-2021 02:13 PM - edited ‎01-11-2021 02:15 PM

@Georg Pauwen wrote:

Hello,

 

I somewhere recall there was something called a ProtectLink license that could be purchased with these routers, make sure you don't have that running somewhere (if you have, there should be a tab somewhere in the GUI).

 

Other than that, it might as well be a software bug/problem. I found the post below (unfortunately the download links are obsolete because the product is end of life)...

 

https://community.cisco.com/t5/small-business-support-documents/problem-with-rvs4000-blocking-websites/ta-p/3125198

Yeah, that's frustrating.

Fortunately I already downloaded the latest firmware when it was available, but I don't have the older 1.x firmware which would have been interesting to try out with the filter. Then again I know you should try to be up to date with network related gear for safety reasons....

As for Protectlink -I never had that, and just to be sure I checked it again. It's not enabled.

 

 

0 Helpful

MaximumMinimum
Level 1
Level 1

‎01-21-2021 12:09 PM - edited ‎01-21-2021 12:21 PM

Moving on... I've just tried setting up two filters and enabling them both:

Filter 1: the same setup as in the first posting in this thread. It allows a specific computer (a LAN IP address) for Internet access but certain websites aren't allowed

Filter 2: similar to the above filter. It allows Internet access and no sites are excluded. Here I haven't defined any IP addresses, assuming it would affect all other computers than the one using filter 1.

The result? Both computers used for testing lost their WAN access but kept their LAN IP number, so obviously this didn't work either. Anything more I can try, or is this filter functioned flawed in this particular router?

I'd love to hear from anyone with the same router who's got it working.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card