Configuring URL blocking policy on the Cisco WRVS4400N

This is a weird one and doesn’t really make a lot of sense – but posted here all the same if it helps someone. Part of the Cisco WRVS4400N‘s feature set is a configurable internet access policy, allowing the administrator to schedule internet access hours and permitted sites for discrete LAN clients. The latter is managed by updating a domain blacklist in the admin BUI.

The manual makes out that this is as simple as creating a new policy, adding clients, specifying whether it’s for blocking or allowing access, and adding URLs to the blacklist – but in practice it doesn’t work like this at all. In my case, configuring an “Allow” policy for a single client and adding entries to the blacklist resulted in all internet access being shut off entirely for all machines including the client in question. Looking at the Cisco Small Business support forums, there seems to be equal confusion on this from both customers and Cisco support personnel alike. One Cisco technician mentioned for example in a forum thread on the issue that any clients not defined in an “Allow” rule would be denied by default – but this nugget of information doesn’t seem to have been included in the reference manual.

Anyway, to get a simple website blocking policy in place for one LAN client, here’s what I had to do.

1) Configure an “Allow” policy for the client

In this policy we are allowing the client 24/7 internet access, but not permitting her to access the domain apple.com:

Configuring a internet access policy rule.

You’d think this would do the trick, but no. If your experience is the same as mine, this will shut off internet access entirely – so we move onto step 2.

2) Configure a second “Allow” policy for every other device

In this policy we are specifying an IP address range – which also covers the address of the machine above. Like the above policy, it’s for 24/7 internet access:

Configuring another internet access policy rule.

On saving this rule (you don’t need to reboot the router), you should have full access to all websites except for apple.com for the client defined in the first rule. All other LAN clients should have normal full access.

 

The WRVS4400N is now end-of-life. In my time with it it’s generally been a useful device, but marred by a number of issues which created the impression of a somewhat half-baked or half-heartedly-supported product (possibly due to its Linksys lineage which Cisco are selling off to Belkin). Counter-intuitive interfaces like the one described above, wireless performance which was pretty slow all around (really not living up to the advertised 802.11n), Cisco QuickVPN software which was great if you were only on Windows (with Cisco not interested in versions say for Mac OS), IPS signature files which failed to block Skype (counter to the advertised feature set), and so on. I have a Cisco SRP547W being made available soon hopefully to replace this unit which I will post some impressions on.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s