Blocking device to access LAN

[xusco]

Hi there,

I have a probably easy question but I couldn’t find the answer in the forum.

I have a GT-AX6000 as main router and I would like to block one device to access other devices in my LAN:

• Solar inverter with IP 192.168.1.115. It needs internet access for monitoring but I don’t want it to communicate with my LAN as I considere it not trusted.
• The Home Assistant with IP 192.168.1.10 should access the inverter for monitoring as well and the inverter should replay the request from Home Assistant, so the inverter is not “completely” isolated.
• Synology NAS with IP 182.192.1.100 should also access the inverter for the same reason.

Is there a easy way to do it from the GUI? I tried Network Services Filter unsuccessfully. Can I do it with Skynet or another add on? Can I do it by adding a smart switch like Tplink SG108E?

I’m running Merlin version 3.0.0.4.388_4 and I can’t upgrade yet to the newest version with VLANs until I will make some changes in my infrastructure.

Thank you in advance,

 

[Tech9]

Is there a easy way to do it from the GUI?

Can I do it with Skynet or another add on?

No.

After you update your router to 3006 firmware see this thread for reference:

Trying to understand Guest Network Pro limitations

Using an AX-86U Pro on FW 3006.102.4_beta1, I'm experimenting with Guest Network Pro and VLANs and I must be missing something. I've created a VLAN (tagged as 3) and set ethernet port 3 as an access port tagged with that VLAN. I've then created a new guest network with that same VLAN, turned on...

www.snbforums.com

 

[bbunge]

I have tested just what you want to do. First, you will need to upgrade your firmware as @Tech9 said.
I have several devices on an IoT Guest WIFI network using VLAN 52 on 192.168.52.0/24
I ran a home assistant on a RPI so I set a virtual network adapter to use VLAN 52 so the device could see both the 192.168.50.0/24 and 192.168.52.0/24 networks. (I wrote a how to set a virtual network adapter on a RPI)
My NAS has two LAN ports so I set one of those to use VLAN 52. I also set the NAS firewall to allow only connections on specific ports on VLAN 52.
No additional hardware was needed. You should be able to do the same or similar.

 

[xusco]

Thanks for your answers. I should mention that the inverter is connected via Ethernet cable, so I can’t use the guest wifi network. In fact, I’m using the wifi network to isolate the work laptop from my LAN as it only needs internet access.

In any case, by using different vlan, networks are isolated by default, right? How then a device in one network can communicate with another one in another network? Sorry if this is a stupid question, but I have a very general understanding of networking.

 

[Tech9]

When you update your router to 3006 firmware associating LAN port to Guest Network will become available. Then use the examples above to allow some of the traffic between VLANs. You have to customize the examples given to your needs.

 

[xusco]

Thanks again. Is it possible to accomplish it with iptables? I have n9 idea how to use it, but maybe I can find a basic tutorial online.

One of the biggest issues to upgrade the firmware is that I have an AC66U B1 as a mesh node, which can’t support vlans. I know it’s not good idea mix AC and AX models, but it was the only option I had. After finishing the house reconstruction and if I can’t find a solution, I probably will move to Ubiquiti system although I’m satisfied with my system performance.

@Tech9, as you are running some Unifi systems, do you think that adding a Cloud Gateway Ultra in front of the GT-AX6000 could solve it? I know I will have double NAT, but I’m in CGNAT anyway and I’m using Tailscale as VPN to have external access.

 

[Tech9]

do you think that adding a Cloud Gateway Ultra in front of the GT-AX6000 could solve it?

Just a Gateway won't solve the issue. Complete UniFi setup can do Inter-VLAN routing in Network application (WebUI). It's in more advanced networking category though. Examples can be found online and in documentation, you have to customize to your needs.

I’m using Tailscale as VPN

This one is called Teleport in UniFi world. Uses Tailscale in background as well, but I don't have experience with it. I know it works on Android, iOS, Windows, etc. clients via WiFiman application. Some user-friendly setup stuff. I don't use WiFiman on any device.

 

[xusco]

Thanks again @Tech9,

It seems that Asus doesn’t support interVLAN routing natively, so I will leave it as it is. Probably it’s possible using IPtables but I have no idea how to use and everything is working fine in my network apart of isolating the inverter