
Block access to internal LAN from wired device?


htismaqe

Very Senior Member
I have a work device that I need to connect via wired (it's not wireless). Right now, I have all my work devices on a guest network since they only need Internet access and I don't want them to be able to see (or send malware) to my internal network.

Is there a way to quickly and easily do this in the Merlin GUI, or will I have to dig into iptables via SSH?
 
I should note that I don't necessarily treat my work devices as untrusted. They're not a true attack vector in the sense that a hacker might use them to enter my network. I consider them more semi-trusted, since they have security software and the like that periodically scans things and I don't want my company scanning my private network nor do I want something that might infect my work machine via VPN to potentially infect my private network devices. It doesn't have to be elaborate, just IP blocking would be sufficient if I could figure out how to do it.
 
It's rather ironic that your security concerns are the reverse of what is normally the case. By that I mean that most companies are concerned that you will be connecting their "trusted" device to an untrusted network (your home LAN). The risk being that any malware on your LAN might infect the corporate network through the VPN. Side note: I've personally seen this happen and it's not nice when 2000+ PCs get infected.

That aside, the problem with the older routers (like the RT-AC68U, et al.) is that all the Ethernet LAN connections are connected to the same switch chip. So LAN to LAN traffic goes directly between the devices. Nothing is routed so there is no opportunity to block traffic using something like iptables. There are convoluted ways around this but it requires complex scripts that use robocfg to separate out individual switch ports and create new subnets.

I see you have an AX88U which I think is the HND platform. I don't know whether the LAN ports work in the same way as the older routers. Maybe there's an easier way to isolate LAN ports on that platform.
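As an added illustration of the switched-versus-routed point made above (this is not code from the thread, and the subnets 192.168.1.0/24 and 192.168.2.0/24 are constructed), a small Python model of why a FORWARD-chain rule cannot block traffic between two hosts on the same LAN segment, but can once the device sits in its own subnet:

```python
import ipaddress

# Constructed example subnets: the main LAN and a separate (guest / VLAN) subnet.
MAIN_LAN = ipaddress.ip_network("192.168.1.0/24")
ISOLATED = ipaddress.ip_network("192.168.2.0/24")
SUBNETS = [MAIN_LAN, ISOLATED]


def same_segment(src, dst, subnets=SUBNETS):
    """True if src and dst are in the same subnet: the switch chip forwards the
    frame directly and the router's FORWARD chain never sees the packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in net and dst in net for net in subnets)


def forward_chain_allows(src, dst, rules):
    """Minimal model of an iptables FORWARD chain: first matching rule wins,
    default policy ACCEPT. rules = [(src_net, dst_net, 'DROP' | 'ACCEPT'), ...].
    Connection tracking (established/related) is deliberately not modelled."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, verdict in rules:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return verdict == "ACCEPT"
    return True


def reaches(src, dst, rules):
    """Does a packet from src reach dst? Switched traffic bypasses the firewall
    entirely; only routed (cross-subnet) traffic is subject to the FORWARD rules."""
    if same_segment(src, dst):
        return True
    return forward_chain_allows(src, dst, rules)


# Rule intended to keep the isolated subnet away from the main LAN.
RULES = [("192.168.2.0/24", "192.168.1.0/24", "DROP")]

# A rule naming the work device by host address is useless while it shares the
# main LAN: the packet is switched and the rule is never evaluated.
SAME_LAN_RULES = [("192.168.1.50/32", "192.168.1.0/24", "DROP")]
```

The model shows the thread's conclusion directly: a per-host DROP rule has no effect on same-subnet traffic, whereas moving the device to 192.168.2.0/24 makes every packet toward the main LAN routed, and therefore filterable, while Internet-bound traffic still passes.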
 
I work for a security/IT company. Call it "mutual paranoia". :p

In all seriousness, I'm not allowed to connect anything they didn't assign to me to the corporate LAN. That's their method of protecting themselves. They're all locked down so that I can change any settings that require elevated privs and of course, they don't allow us to have elevated privs.

The flip side of this is that even though I can't go into an app and see what it's doing, I know what some of them do. There's remote management clients, network scanners, and other things installed. I don't want a machine that I didn't secure myself scanning my network. Makes my skin crawl. I just don't trust anybody other than me. :)

I wonder if the AX88U supports VLANs?
 
I'm pretty sure I saw a post from Merlin today saying that robocfg doesn't work on the HND platform as the switch is different.

I wonder if the AX88U supports VLANs?

From what I've seen, VLANs are only available when you are using the guest wifi or IPTV?

This search has a bunch of results that may be helpful.

https://www.snbforums.com/search/1338685/?q=vlanctl&o=date&c

And this thread.

https://www.snbforums.com/threads/asus-ac-86u-vlan-utility.55664/#post-473352
 
After a quick glance, it appears a few people have made progress but nobody has really come up with a solution. I might have to just insert a firewall and implement filters on the far end where the machine connects.
 
Does OpenVPN only work on the outside interface of the router? If I could nail up an Open VPN tunnel between the router and the machine, that would isolate it. Of course, once I nail up the work VPN, then I'm double tunneled and CPU utilization is going to be heavily impacted.
 
Use an old router in Bridge mode. Connect to your Guest Network (wirelessly). Enjoy. :)
 
Does OpenVPN only work on the outside interface of the router? If I could nail up an Open VPN tunnel between the router and the machine, that would isolate it. Of course, once I nail up the work VPN, then I'm double tunneled and CPU utilization is going to be heavily impacted.

One of my OpenVPN servers is set to TCP (443); the other is udp. On my LAN I can set up an OpenVPN connection between a client device and the OpenVPN server set to TCP. However, I cannot similarly connect to the udp server inside the LAN.
 
If you are looking for encryption of all traffic on your LAN, you should look at Cisco's MACsec feature. It is useful for enterprises, but it is too expensive for individuals, and it will only be more expensive as throughput increases.

 
Regarding this topic, I wonder: do any of the ASUS routers have full support for VLANs?
From what I understand, not in asuswrt or Merlin's. DD-WRT maybe?
 
Regarding this topic, I wonder: do any of the ASUS routers have full support for VLANs?
From what I understand, not in asuswrt or Merlin's. DD-WRT maybe?

Tomato allows you to set up VLANs using the GUI. I had three VLANs set up on an ASUS N66, but I'm not sure about other ASUS router models.

If you want to maintain all the many features from Merlin then an inexpensive managed switch might be the way to go.
 