how do I restrict music streamer's access to certain devices on my LAN

pacoinconn

Occasional Visitor
I have an Auralic Aries music streamer connected (wirelessly and wired) to my home network and would like to "isolate" its access to a NAS drive containing music files. I control the Aries through an iPhone and iPad app. I'm not quite sure how to do this or if it's even possible using my setup. Why do I want to isolate it: the manufacturer uploads firmware updates automatically and there is no option to prevent automatic updates. If it's going to be automatically updated, I would like assurances that no one can access the rest of my network.

I run an Asus RT-AC1900P as my main router. All devices, including the Aries, are assigned IP addresses through the Asus. I also have two Netgear EX-7000 extenders running as wireless access points (not extending wi-fi but wired into network and creating wi-fi network with same SSID/password as Asus). Lastly, I have a guest wireless network.

In addition to the NAS containing music files I have several other NAS drives containing backup files, etc. I've changed admin usernames/passwords on all NAS drives and run firewalls on our MacBooks as well as the Asus.

Any help to fully isolate the Aries while letting me control it from my phone/iPad would be appreciated. Thx.
 
The iOS devices have to be on the same subnet as any other device they talk to. It is the way Apple assumes networks are set up.

Is there a firewall rule you can put in place to block WAN access for the Aries? You would have to assign a static IP to the device. That would turn off any outside access. Might be an issue if you are streaming from the WAN side, but maybe those are on a different port that you could keep open in the firewall?

You may have to put the NAS on a separate subnet with a VLAN or you could block access in a managed switch.
You could put the Aries on a separate VLAN, but any device that needs to access it would have to be on the same VLAN or need static routing set up in the router.

Not sure why you are concerned about the NAS only. The other devices on the same subnet as the Aries are just as vulnerable.

You do have multiple independent backups of the NAS, right?

Just a couple ideas.
 
1. I can implement a firewall rule (I think) through the ASUS? I see options for whitelist and blacklist and ways to block specific ip addresses from using services. I'm not an IT person so don't know which ports/services to "block".

2. The Aries and all other devices on the network have static IP addresses.

3. Not sure what you mean by "if you are streaming from the WAN side". The Aries is only used to stream files from the NAS.

4. The NAS is connected to a Netgear GSS108E – ProSAFE 8-port Gigabit Click Switch...as is the Aries (wired) connection to the network.

5. You're correct...I don't want the Aries to have access to any other devices on the LAN...it should only have access to the NAS drive.

6. Yes, I have another NAS that copies the original NAS files + on a regular basis I have a USB drive to which I manually copy the original NAS files (and return to the bank safe).

If I set up a VLAN for the Aries and NAS should I also add the Comcast cable boxes and internet connected TVs (which are only connected periodically to check for firmware upgrades)? How would I set up "static routing in the router"? As noted above, I already have static IP addresses for all devices on the LAN (including cable boxes, web-connected TVs, laptops, phones, etc.).

I'm not a tech person but familiar with operating systems, LANs, etc. at an intermediate level. Thx for your questions and help.
 
If you don’t use the Aries to stream from internet services, then just set a firewall rule to deny access from its static address to the WAN.

The rest you can leave alone unless you want to do something different.

When you want to update the firmware in the Aries, just turn off the firewall rule, let it update, and then turn the rule back on.

Your earlier description made it sound like you did not want the Aries to talk to the NAS. I don’t believe you can have it both ways unless you go to the protocol/services level in the firewall rules. If you need to do that, then you may want to consider a different setup for the firewall - one of the pfSense or Untangle types.
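
The WAN block and the temporary lift for firmware updates described in the reply above, sketched as iptables commands for a router that gives shell access (an added example, not part of the original thread or of the Asus firmware). The address 192.168.1.50, the interface name eth0 and the helper names are assumptions; the rule only covers traffic the router forwards out to the WAN, so it does not limit what the streamer can reach on its own LAN subnet.

```shell
#!/bin/sh
# Assumed values, constructed for illustration; replace with your own.
STREAMER_IP="${STREAMER_IP:-192.168.1.50}"  # static LAN address of the streamer
WAN_IF="${WAN_IF:-eth0}"                    # router's WAN-facing interface
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print commands, 0 = apply them

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Accept only a single dotted-quad host address, so a typo or a CIDR
# range cannot silently widen or misplace the rule.
valid_ip() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Drop everything the streamer tries to send out through the WAN interface.
block_wan() {
    valid_ip "$STREAMER_IP" || { echo "bad address: $STREAMER_IP" >&2; return 1; }
    # -C tests for an identical rule so repeated calls do not stack duplicates.
    if [ "$DRY_RUN" != "1" ] &&
        iptables -C FORWARD -s "$STREAMER_IP" -o "$WAN_IF" -j DROP 2>/dev/null; then
        return 0
    fi
    run iptables -I FORWARD -s "$STREAMER_IP" -o "$WAN_IF" -j DROP
}

# Lift the block temporarily, e.g. while a firmware update downloads.
allow_wan() {
    valid_ip "$STREAMER_IP" || { echo "bad address: $STREAMER_IP" >&2; return 1; }
    run iptables -D FORWARD -s "$STREAMER_IP" -o "$WAN_IF" -j DROP
}

case "${1:-}" in
    block) block_wan ;;
    allow) allow_wan ;;
esac
```

With `DRY_RUN=1` the script only prints the commands it would run, which lets you check the address and interface before applying anything.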
 
degrub,
Thx. I've selected all of the network services the Asus allows me to select. I'm assuming that the days/times I've chosen effectively shut off access to the WAN...correct? Thx.

 
