Block specific devices from reaching internet?

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.


Occasional Visitor
Hi guys! I have an Asus AC68U running Merlin v384.19. I have several devices which I don't trust, but which I'd still like to have internal LAN connectivity. But I don't want them reaching the internet, though. How could I do this? Is there any kind of IP or MAC block for this?
I also run a pi-hole, I reckon I can block there...but that would block DNS resolving, if a device (specially ahem, google ones) have their own DNS hard-coded they could still get around.

Last edited:


Very Senior Member
You could define Network Services Filters, or just create firewall rules (my preference).

iptables -I FORWARD -s -j REJECT
iptables -I FORWARD -m iprange --src-range -j REJECT
iptables -I FORWARD -m mac --mac-source 00:01:02:03:04:05 -j REJECT


Occasional Visitor
Holy cow...I was thinking complicated rules just like what you said. Apparently even the stock firmware includes this. On the network map screen, not clicking on View Clients, but on the bubble on top of it. This shows the clients on a column on the right, and you can block specific devices, permanently or at specific hours! I've had this router for like 4 years, just found out today!


Asuswrt-Merlin dev
Using Parental Control is another way of blocking Internet access (just don't provide them any allowed time slots).


Occasional Visitor
Thanks! I had no idea these options were so easily available! Thinking of adding some IoT devices, but they're to be controlled from a Home Assistant server, I don't want them exposed to the internet themselves.


Part of the Furniture
Go to the Network Map, click on the "Clients:" button to open the "Client status" tab on the right. Then click on the desired client and choose Block Internet Access:



Regular Contributor
Use the asus firewall to block a subnet portion and set such devices in this subnet. Easy peasy.

Last edited:


Occasional Visitor
I've been using the @Martineau method for some time (years I suspect), just to add to the number of methods :) It seemed a good method at the time as it allows cameras to be blocked from accessing the Internet but still remain accessible for remote viewing over the VPN.

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!