OpenWrt Forum Archive

Topic: Is there a way to disable a switch port in TP-Link TL-WDR3600 v1?

The content of this topic has been archived on 27 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi folks!

I have a teenager who refuses to stop gaming all night. He has a wire attached to the router (Wi-Fi latency is not good enough for gaming).

I wrote firewall rules to block all but certain MAC addresses by night (my cellphone and laptop).

Today I found out he is doing MAC address cloning (my cellphone) in order to continue gaming.

Is there a way to disable a physical switch port with swconfig and put it in crontab?

swconfig dev switch0 help
switch0: ag71xx-mdio.0(Atheros AR8327), ports: 7 (cpu @ 0), vlans: 128
     --switch
        Attribute 1 (int): enable_vlan (Enable VLAN mode)
        Attribute 2 (none): reset_mibs (Reset all MIB counters)
        Attribute 3 (int): enable_mirror_rx (Enable mirroring of RX packets)
        Attribute 4 (int): enable_mirror_tx (Enable mirroring of TX packets)
        Attribute 5 (int): mirror_monitor_port (Mirror monitor port)
        Attribute 6 (int): mirror_source_port (Mirror source port)
        Attribute 7 (string): arl_table (Get ARL table)
        Attribute 8 (none): apply (Activate changes in the hardware)
        Attribute 9 (none): reset (Reset the switch)
     --vlan
        Attribute 1 (int): vid (VLAN ID (0-4094))
        Attribute 2 (ports): ports (VLAN port mapping)
     --port
        Attribute 1 (none): reset_mib (Reset single port MIB counters)
        Attribute 2 (string): mib (Get port's MIB counters)
        Attribute 3 (int): enable_eee (Enable EEE PHY sleep mode)
        Attribute 4 (int): pvid (Primary VLAN ID)
        Attribute 5 (string): link (Get port link information)

Notice that there is no disable option.

Connected port is #5

Port 5:
        mib: Port 5 MIB counters
RxBroad     : 1126
RxPause     : 0
..
..
TxDefer     : 0
TxLateCol   : 0

        enable_eee: 0
        pvid: 1
        link: port:5 link:up speed:1000baseT full-duplex txflow rxflow auto


Any ideas?

Firmware Version    OpenWrt Chaos Calmer 15.05 / LuCI (git-15.248.30277-3836b45)

Thanks!

Regards

I don't think you can completely "turn off" a port at the layer 1 level (i.e. link light goes out).  But it should work to remove it from all the VLANs, so packets go nowhere.

swconfig dev switch0 port 5 set pvid none

Return to the regular pvid (usually 1) to reconnect.

According to documentation, there should be something like this:

swconfig dev switch0 port 5 set disable 1

Another idea would be to create a distinct teenager network (VLAN, IP range and Wi-Fi) and set up firewall rules that block outgoing traffic when he should be sleeping.
https://wiki.openwrt.org/doc/uci/firewa … tain_times

You can even combine this with some traffic control rendering his VLAN useless for gaming without completely cutting off the rest of the internet. Like "disable every routed traffic that is not port 80 or port 443" or something.

mk24 wrote:

I don't think you can completely "turn off" a port at the layer 1 level (i.e. link light goes out).  But it should work to remove it from all the VLANs, so packets go nowhere.

swconfig dev switch0 port 5 set pvid none

Return to the regular pvid (usually 1) to reconnect.

Thanks! That works!

golialive wrote:

According to documentation, there should be something like this:

swconfig dev switch0 port 5 set disable 1

Another idea would be to create a distinct teenager network (VLAN, IP range and Wi-Fi) and set up firewall rules that block outgoing traffic when he should be sleeping.
https://wiki.openwrt.org/doc/uci/firewa … tain_times

You can even combine this with some traffic control rendering his VLAN useless for gaming without completely cutting off the rest of the internet. Like "disable every routed traffic that is not port 80 or port 443" or something.

root@OpenWrt:/etc/config# swconfig dev switch0 port 5 set disable 1
Unknown attribute "disable"

The disable attribute does not seem to exist.

The idea of a VLAN is good, but he would spoof existing MACs to get around it.


Regards

You wouldn't do anything with MAC addresses.
In addition to your current vlan 2 for WAN and vlan 1 for LAN you would create another vlan 3 for your son. And just as the current vlan 1 only passes your WAN port and your current vlan 1 only passes any other switch port except wan, you would pick a single distinct switch port which only passes your new vlan 3 but nothing else.
So there's really no MAC involved to mess around with.
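
The per-port VLAN described in the post above, combined with the time-based firewall rule suggested earlier in the thread, as an added example that is not part of any original post. It assumes the CPU port 0 is reached through eth0 (so VLAN 3 is eth0.3) and that switch_vlan[0] is the LAN VLAN; the interface and zone name "kid", the 192.168.3.0/24 subnet, the DHCP range and the 23:00 to 07:00 window are constructed values.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the UCI commands for a dedicated
# VLAN on one switch port plus a time-limited REJECT rule towards wan.
# Assumed: eth0 is the CPU-side interface, switch_vlan[0] is the LAN VLAN.

kid_vlan_uci() {    # $1 = switch port, $2 = new VLAN id, $3 = remaining LAN ports
    cat <<EOF
set network.@switch_vlan[0].ports='$3'
add network switch_vlan
set network.@switch_vlan[-1].device='switch0'
set network.@switch_vlan[-1].vlan='$2'
set network.@switch_vlan[-1].ports='0t $1'
set network.kid=interface
set network.kid.ifname='eth0.$2'
set network.kid.proto='static'
set network.kid.ipaddr='192.168.3.1'
set network.kid.netmask='255.255.255.0'
set dhcp.kid=dhcp
set dhcp.kid.interface='kid'
set dhcp.kid.start='100'
set dhcp.kid.limit='50'
set dhcp.kid.leasetime='12h'
add firewall zone
set firewall.@zone[-1].name='kid'
set firewall.@zone[-1].network='kid'
set firewall.@zone[-1].input='ACCEPT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
add firewall forwarding
set firewall.@forwarding[-1].src='kid'
set firewall.@forwarding[-1].dest='wan'
add firewall rule
set firewall.@rule[-1].name='kid-night-block'
set firewall.@rule[-1].src='kid'
set firewall.@rule[-1].dest='wan'
set firewall.@rule[-1].proto='all'
set firewall.@rule[-1].start_time='23:00:00'
set firewall.@rule[-1].stop_time='07:00:00'
set firewall.@rule[-1].target='REJECT'
EOF
}

if [ "${1:-}" = apply ]; then       # only touches the router when asked to
    kid_vlan_uci 5 3 '0t 2 3 4' | uci batch
    uci commit
    /etc/init.d/network restart
    /etc/init.d/firewall restart
fi
```

Because the rule is bound to the zone behind port 5 rather than to a source address, changing the MAC address on the attached machine does not move it out of the restricted network. The firewall accepts established connections ahead of zone rules, so a session already open at the start time can persist until its conntrack entry expires.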

root@OpenWrt:/etc/config# swconfig dev switch0 port 5 set disable 1
Does not work

How can I set up a VLAN for my kid to isolate him and set firewall rules for him with a schedule?
Thanks!

I managed to get something working... I wrote a script to disable switch ports like this:

root@OpenWrt:~# cat disable_ports.sh
#!/bin/sh

uci set network.@switch_vlan[0].ports='0t'
uci commit network
/etc/init.d/network restart

And then cron it at certain hours. Then apply the reverse to enable the switch:

root@OpenWrt:~# cat enable_ports.sh
#!/bin/sh

uci set network.@switch_vlan[0].ports='0t 2 3 4 5'
uci commit network
/etc/init.d/network restart

Since he is the only wired computer it works.
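
A variant of the two scripts above that removes only one port from the LAN VLAN's port list and later restores it, so other wired ports keep working. This is an added example, not the poster's code; it goes beyond the post by editing the current list instead of hard-coding it, and the script name and cron times in its comments are constructed.

```shell
#!/bin/sh
# Added example, not the poster's script. The script name in the crontab
# lines and the 23:00/07:00 times are constructed.
#   0 23 * * * /root/port_sched.sh block
#   0 7  * * * /root/port_sched.sh unblock

PORT=5                               # the wired port named in the thread
SECTION='network.@switch_vlan[0]'    # LAN VLAN section used by the poster

# Print port list $1 without port $2 (a tagged entry such as "5t" also goes).
ports_without() {
    out=""
    for p in $1; do
        case "$p" in
            "$2"|"$2t") ;;                    # drop the blocked port
            *) out="${out:+$out }$p" ;;       # keep everything else, in order
        esac
    done
    printf '%s\n' "$out"
}

# Print port list $1 with port $2 present; unchanged if it is already there.
ports_with() {
    case " $1 " in
        *" $2 "*|*" $2t "*) printf '%s\n' "$1" ;;
        *) printf '%s\n' "${1:+$1 }$2" ;;
    esac
}

case "${1:-}" in
    block|unblock)
        cur=$(uci -q get "$SECTION.ports") || exit 1
        if [ "$1" = block ]; then
            new=$(ports_without "$cur" "$PORT")
        else
            new=$(ports_with "$cur" "$PORT")
        fi
        [ "$new" = "$cur" ] && exit 0         # already in that state: no restart
        uci set "$SECTION.ports=$new"
        uci commit network
        /etc/init.d/network restart
        ;;
esac
```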

The discussion might have continued from here.