Block access to internal LAN from wired device?

Discussion in 'Asuswrt-Merlin' started by htismaqe, Mar 26, 2020 at 10:30 AM.

  1. htismaqe (Very Senior Member; joined Aug 1, 2010; 1,725 messages; Fly Over Country)
    I have a work device that I need to connect via wired (it's not wireless). Right now, I have all my work devices on a guest network since they only need Internet access and I don't want them to be able to see (or send malware) to my internal network.

    Is there a way to quickly and easily do this in the Merlin GUI, or will I have to dig into iptables via SSH?
     
  2. htismaqe
    I should note that I don't necessarily treat my work devices as untrusted. They're not a true attack vector in the sense that a hacker might use them to enter my network. I consider them more semi-trusted, since they have security software and the like that periodically scans things and I don't want my company scanning my private network nor do I want something that might infect my work machine via VPN to potentially infect my private network devices. It doesn't have to be elaborate, just IP blocking would be sufficient if I could figure out how to do it.
     
  3. ColinTaylor (Part of the Furniture; joined Mar 31, 2014; 10,960 messages; UK)
    It's rather ironic that your security concerns are the reverse of what is normally the case. By that I mean that most companies are concerned that you will be connecting their "trusted" device to an untrusted network (your home LAN). The risk being that any malware on your LAN might infect the corporate network through the VPN. Side note: I've personally seen this happen and it's not nice when 2000+ PCs get infected.

    That aside, the problem with the older routers (like the RT-AC68U, et al.) is that all the Ethernet LAN connections are connected to the same switch chip. So LAN to LAN traffic goes directly between the devices. Nothing is routed so there is no opportunity to block traffic using something like iptables. There are convoluted ways around this but it requires complex scripts that use robocfg to separate out individual switch ports and create new subnets.

    I see you have an AX88U which I think is the HND platform. I don't know whether the LAN ports work in the same way as the older routers. Maybe there's an easier way to isolate LAN ports on that platform.
     
    martinr, htismaqe and GSpock like this.
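    The point above is that iptables only sees traffic that the router's CPU forwards; frames switched between two LAN ports in the same switch chip never reach it. The script below is an added example written for this page, not code from the thread or from Asuswrt-Merlin, showing the plain IP blocking the original poster asked for in the case where it can work: the work device sits on a segment whose traffic is routed through the firewall (for example the guest network already in use). The chain name WORK_ISOLATE, the addresses, and the idea of calling it from the Merlin /jffs/scripts/firewall-start hook are assumptions for illustration. Run it with IPT=echo to see the rules without applying them.

```shell
#!/bin/sh
# Added example (not from the thread or Asuswrt-Merlin): isolate one device
# from the private LAN using iptables on the router, while leaving its
# Internet access alone.
#
# This only works when the device's traffic actually traverses the router's
# FORWARD chain (separate subnet / guest segment). Traffic switched between
# two ports of the same switch chip never reaches iptables, so these rules
# would simply never match in that case.
#
# Assumptions (for illustration): fixed address WORK_IP for the work device,
# LAN_NET for the private LAN, chain name WORK_ISOLATE, and that this is
# invoked from /jffs/scripts/firewall-start so it is re-applied after a
# firewall restart. Set IPT=echo for a dry run that prints the commands.

IPT="${IPT:-iptables}"
CHAIN="WORK_ISOLATE"

# Dotted-quad address with an optional /prefix; rejects anything else so a
# typo cannot turn into an overly broad rule.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# isolate_device WORK_IP LAN_NET
isolate_device() {
    work_ip="$1"
    lan_net="$2"
    valid_ipv4 "$work_ip" || { echo "bad address: $work_ip" >&2; return 1; }
    valid_ipv4 "$lan_net" || { echo "bad subnet: $lan_net" >&2; return 1; }

    # Create (or empty) our own chain so repeated runs never stack duplicates.
    $IPT -N "$CHAIN" 2>/dev/null
    $IPT -F "$CHAIN"

    # Block both directions: the work device scanning the LAN, and LAN hosts
    # reaching the work device. Internet traffic is untouched because it is
    # never addressed to or from LAN_NET.
    $IPT -A "$CHAIN" -s "$work_ip" -d "$lan_net" -j DROP
    $IPT -A "$CHAIN" -s "$lan_net" -d "$work_ip" -j DROP
    $IPT -A "$CHAIN" -j RETURN

    # Hook the chain at the top of FORWARD; deleting first keeps it idempotent.
    $IPT -D FORWARD -j "$CHAIN" 2>/dev/null
    $IPT -I FORWARD 1 -j "$CHAIN"
}

# Sanity check: after the work device has tried to reach a LAN host, the DROP
# counters should be non-zero. Zero counters mean the traffic never crossed
# the router (switched, not routed), and this approach cannot help.
show_isolation_counters() {
    $IPT -L "$CHAIN" -v -n -x
}

# Usage: ./isolate.sh apply 192.168.101.50 192.168.1.0/24
if [ "${1:-}" = "apply" ]; then
    isolate_device "$2" "$3"
fi
```

    Note that these rules only cover forwarded traffic; the router's own services (web GUI, SSH) are governed by the INPUT chain and would need a separate rule if the work device should not reach them either.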
  4. htismaqe
    I work for a security/IT company. Call it "mutual paranoia". :p

    In all seriousness, I'm not allowed to connect anything they didn't assign to me to the corporate LAN. That's their method of protecting themselves. They're all locked down so that I can't change any settings that require elevated privs and, of course, they don't allow us to have elevated privs.

    The flip side of this is that even though I can't go into an app and see what it's doing, I know what some of them do. There's remote management clients, network scanners, and other things installed. I don't want a machine that I didn't secure myself scanning my network. Makes my skin crawl. I just don't trust anybody other than me. :)

    I wonder if the AX88U supports VLANs?
     
    L&LD likes this.
  5. Makaveli (Very Senior Member; joined Nov 4, 2016; 676 messages; Canada)
    I'm pretty sure I saw a post from Merlin today saying that robocfg doesn't work on the HND platform as the switch is different.

    From what I've seen, VLANs are only available when you are using the guest Wi-Fi or IPTV?

    This search has a bunch of results that maybe helpful.

    https://www.snbforums.com/search/1338685/?q=vlanctl&o=date&c

    And this thread.

    https://www.snbforums.com/threads/asus-ac-86u-vlan-utility.55664/#post-473352
     
    Last edited: Mar 26, 2020 at 12:51 PM
    L&LD and htismaqe like this.
  6. htismaqe
    Thanks, I was just getting ready to do a search.
     
  7. htismaqe
    After a quick glance, it appears a few people have made progress but nobody has really come up with a solution. I might have to just insert a firewall and implement filters on the far end where the machine connects.
     
  8. htismaqe
    Does OpenVPN only work on the outside interface of the router? If I could nail up an OpenVPN tunnel between the router and the machine, that would isolate it. Of course, once I nail up the work VPN, then I'm double tunneled and CPU utilization is going to be heavily impacted.
     
  9. L&LD (Part of the Furniture; joined Dec 9, 2013; 11,436 messages)
    Use an old router in Bridge mode. Connect to your Guest Network (wirelessly). Enjoy. :)
     
    martinr, Makaveli and htismaqe like this.
  10. martinr (Part of the Furniture; joined Nov 27, 2014; 2,420 messages; Manchester, United Kingdom)
    One of my OpenVPN servers is set to TCP (443); the other is UDP. On my LAN I can set up an OpenVPN connection between a client device and the OpenVPN server set to TCP. However, I cannot similarly connect to the UDP server inside the LAN.
     
    htismaqe likes this.
  11. htismaqe
    I'm getting too old for this crap. LOL. Can't believe I didn't think of this before.
     
    L&LD and martinr like this.
  12. Yota (Regular Contributor; joined Mar 30, 2017; 88 messages)
    If you are looking for encryption of all traffic on your LAN, you should look at Cisco's MACsec feature. It is useful for enterprises, but it is too expensive for individuals, and it will only get more expensive as throughput increases.
     
  13. htismaqe
    Nah, I'm just wanting to isolate this one machine so that it can't see my internal LAN.