ASUS WRT-Merlin Selective Block All Devices

The “Block All Devices” feature in Asuswrt-Merlin is a handy tool for quickly cutting off internet access to all wired and wireless devices in your home. It’s perfect for situations where you want to unplug the entire household from the internet with a single click.

However, there’s a catch: this feature isn’t selective. It indiscriminately blocks internet access for all devices, including critical ones like security cameras, smart home hubs, and other essential devices you may want to keep online.

In this post, we’ll guide you on how to exclude specific devices from the “Block All Devices” configuration to ensure your critical systems stay connected while the rest of the network goes offline.

Fortunately, you can configure exceptions by making use of custom scripts that run after the firewall rules are changed. To do this, you first need to enable the JFFS partition, which is where custom scripts and configurations are stored.

Step 1. Enable JFFS on Asuswrt-Merlin

  • Log in to Your Router’s Admin Panel
    • Open a web browser and navigate to your router’s IP address (commonly 192.168.0.1).
    • Enter your username and password to log in.
  • Navigate to the Administration Section
    • Select the System tab
  • Enable JFFS
    • Find the section labelled Persistent JFFS2 partition
    • Set “Enable JFFS custom scripts and configs” to Yes.
    • If this is your first time enabling JFFS, also set “Format JFFS partition at next boot” to Yes. This will ensure the partition is properly initialized.
  • Reboot Your Router
    • Save the changes and reboot the router. The JFFS partition will be formatted (if selected) and enabled.

Step 2. Create a firewall-start Script

The firewall-start script is a custom script supported by Asuswrt-Merlin firmware. It is specifically designed to execute user-defined commands or rules whenever the router’s firewall (iptables rules) is reloaded or modified. This allows you to customize the behavior of your router’s firewall beyond the default configurations provided in the web interface.

  1. Use an SSH client to log into your router using its IP address and admin credentials.
ssh <username>@192.168.0.1
  2. Create the firewall-start script and make it executable
touch /jffs/scripts/firewall-start
chmod +x /jffs/scripts/firewall-start
  3. Edit the firewall-start script
vi /jffs/scripts/firewall-start
  4. Add some rules to whitelist your devices using their MAC addresses
#!/bin/sh

# Asuswrt-Merlin runs user scripts with busybox sh; bash is not present on the
# stock firmware, so the shebang must be /bin/sh.

# When "Block All Devices" is enabled the firmware inserts a DROP rule near the
# start of the FORWARD chain. The DROP rule normally comes after:
# 1    IPSEC_DROP_SUBNET_ICMP  all  --  0.0.0.0/0            0.0.0.0/0
# 2    IPSEC_STRONGSWAN  all  --  0.0.0.0/0            0.0.0.0/0

# Line number of the first rule whose target column is exactly DROP (matching
# the column, not the substring, avoids false hits on IPSEC_DROP_SUBNET_ICMP).
drop_rule_num=$(iptables -L FORWARD -n --line-numbers | awk '$2 == "DROP" {print $1; exit}')

# No DROP rule at all: Block All Devices is off, nothing to do.
if [ -z "$drop_rule_num" ]; then
    exit 0
fi

# A DROP rule further down the chain is not the Block All rule; leave it alone.
if [ "$drop_rule_num" -gt 4 ]; then
    exit 0
fi

# Insert the whitelisted devices immediately before the DROP rule so their
# traffic is accepted first. Replace the placeholders with the devices' MACs.
iptables -I FORWARD "$drop_rule_num" -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
iptables -I FORWARD "$drop_rule_num" -m mac --mac-source YY:YY:YY:YY:YY:YY -j ACCEPT
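The script above only does the right thing if its detection of the Block All DROP rule is correct, and you cannot easily test that without toggling the feature on a live router. The following is an added example, not part of the original post or of the Asuswrt-Merlin firmware: it takes the same logic (find the first rule whose target is DROP, treat it as the Block All rule only if it sits within the first four positions, and build the insert commands before that position) and runs it against constructed `iptables -L FORWARD -n --line-numbers` listings, so the edge cases (no DROP rule, a DROP rule further down the chain, a placeholder MAC left in the script) can be checked on any machine. The listings, the function names and the MAC values are all made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): dry-run of the firewall-start
# detection logic against constructed iptables listings.

# Constructed listing: Block All Devices enabled, DROP at position 3.
LISTING_BLOCKED='Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    IPSEC_DROP_SUBNET_ICMP  all  --  0.0.0.0/0            0.0.0.0/0
2    IPSEC_STRONGSWAN  all  --  0.0.0.0/0            0.0.0.0/0
3    DROP       all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0'

# Constructed listing: Block All Devices disabled, no DROP rule at all.
LISTING_OPEN='Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    IPSEC_DROP_SUBNET_ICMP  all  --  0.0.0.0/0            0.0.0.0/0
2    IPSEC_STRONGSWAN  all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0'

# Constructed listing: an unrelated DROP rule far down the chain, which the
# script must not mistake for Block All.
LISTING_LATE_DROP='Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    IPSEC_DROP_SUBNET_ICMP  all  --  0.0.0.0/0            0.0.0.0/0
2    IPSEC_STRONGSWAN  all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     all  --  192.168.0.0/24       0.0.0.0/0
5    DROP       all  --  0.0.0.0/0            10.0.0.0/8'

# find_drop_rule_num LISTING: print the line number of the first rule whose
# target column is exactly DROP, or nothing when there is none. Comparing the
# column (not a substring match) keeps IPSEC_DROP_SUBNET_ICMP from matching.
find_drop_rule_num() {
    printf '%s\n' "$1" | awk '$2 == "DROP" { print $1; exit }'
}

# block_all_active LISTING: true (0) when a DROP rule sits within the first
# four positions, where the firmware places the Block All rule; false (1) otherwise.
block_all_active() {
    n=$(find_drop_rule_num "$1")
    if [ -n "$n" ] && [ "$n" -le 4 ]; then
        return 0
    fi
    return 1
}

# valid_mac MAC: true for a colon-separated 48-bit MAC, false otherwise. This
# catches an XX:XX:XX:XX:XX:XX placeholder before it reaches iptables.
valid_mac() {
    printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# whitelist_rules LISTING MAC...: print (do not run) the iptables commands the
# firewall-start script would execute, one per valid MAC, inserted before DROP.
# Prints nothing when Block All is not active, mirroring the script's early exit.
whitelist_rules() {
    listing=$1
    shift
    block_all_active "$listing" || return 0
    n=$(find_drop_rule_num "$listing")
    for mac in "$@"; do
        if valid_mac "$mac"; then
            printf 'iptables -I FORWARD %s -m mac --mac-source %s -j ACCEPT\n' "$n" "$mac"
        else
            printf 'skipping invalid MAC: %s\n' "$mac" >&2
        fi
    done
}

# Stand-alone demo: one valid MAC and one leftover placeholder.
whitelist_rules "$LISTING_BLOCKED" 00:11:22:33:44:55 XX:XX:XX:XX:XX:XX
```

Run it as-is to see the two commands the live script would issue for the blocked listing; swap in output captured from your own router with `iptables -L FORWARD -n --line-numbers` to confirm the DROP rule lands where the `-gt 4` check expects before relying on the script. Keep in mind that `-m mac --mac-source` identifies a device only by the hardware address it presents on the LAN, which the device itself controls, so these exceptions are a convenience for keeping known equipment online rather than a boundary that keeps an untrusted device off the internet.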
