How can I drop http traffic to my printer?

[cucdolent]

I am running Asuswrt Merlin 384.5 on an RT-AC88U. My LAN is 172.20.1.0/24, with the router at 172.20.1.1 and a printer at 172.20.1.11. My issue is that my printer offers a web interface on both http and https, with no way to enforce only https. I know an easy solution would be to double check every time I connect to the printer, but that seems like a sloppy solution. What I would actually like to do is drop all tcp traffic to port 80 of my printer, so that no insecure connections can be established. I know iptables won't work for this as there is no routing being done, only bridging. I tried:

ebtables -A FORWARD -j DROP -p IPv4 --ip-destination 172.20.1.11 --ip-protocol TCP --ip-destination-port 80

but it doesn't seem to work. I don't know what else to try. Any help would be appreciated.

 

[RMerlin]

The router has no control over LAN traffic, since it's switched, not routed.

 

[coxhaus]

If you want to do this create a another VLAN with a different network IP. Route the traffic through a layer 3 device using ACLs to block http traffic.

 

[cucdolent]

The router has no control over LAN traffic, since it's switched, not routed.

If you want to do this create a another VLAN with a different network IP. Route the traffic through a layer 3 device using ACLs to block http traffic.

Thanks for the answers, now I understand why this is the only way to do this. I think it's not worth the trouble of changing the network topology, but it's great to know there is an option for cases like this.