How to block a device from access to other devices on a LAN?

meimeishu

New Around Here
Hi,

Is it possible to allow a device access to the internet/WAN but block its access to other devices on the LAN?

Thanks.
 

eibgrad

Part of the Furniture
The router's IP firewall (i.e., iptables) only works when routing takes place, which for all practical purposes means when traffic is moving between the LAN and WAN. But devices on the same LAN are *bridged*, and therefore the router's IP firewall doesn't play a role. LAN devices need to manage their own personal firewalls to control access between them.

That's why some routers support VLANs, where LAN devices can be separated into different ethernet/IP networks, which requires routing for devices to communicate across those VLANs. And the router's IP firewall can once again be used to control access between the VLANs.

All that said, there are such things as ethernet firewalls (e.g., ebtables) for managing access among devices on the same LAN/VLAN. But most firmware on consumer-grade routers doesn't make that readily accessible. It's assumed there's an inherent trust among such devices. And if for some reason you need to have exceptions, you should use personal firewalls.

That's why the lack of VLAN support on these consumer-grade ASUS routers is such a big deal. It severely limits your ability to isolate LAN devices in ways that are useful and meaningful. But that adds considerably to the complexity of the router, so the OEM is reluctant to support it, and why third-party firmware is sometimes the better/only option.
 

itpp20

Senior Member
Define a different static IP/subnet address using the default gateway, without a routing statement for the existing subnet traffic will not flow between them.
 

develox

Regular Contributor
Define a different static IP/subnet address using the default gateway, without a routing statement for the existing subnet traffic will not flow between them.
Could you please expand on this? If I correctly understand, that might be a simple solution for my WiFi Thermo/Hygro meter, for example.
 

cptnoblivious

Senior Member
Why not use the Guest network with client isolation?

Mind you, I've not used the stock Asus firmware for a while so I'm not 100% sure this option is available without Asus-Merlin.
 

meimeishu

New Around Here
Then your solution is very easy. Sort of the whole point of Guest WIFI.

The isolation is not unbreakable/perfect but more than enough to provide decent security.
The problem with the Guest WiFi is that it doesn't go through the VPN which it needs to...

As someone suggested:
Define a different static IP/subnet address using the default gateway, without a routing statement for the existing subnet traffic will not flow between them.

Would be great if someone could provide a link with some info on this.
 

itpp20

Senior Member
If your default subnet is 192.168.100.* (.1 as gateway), manually assign to this device 10.10.10.10 with the current gateway (ignore warnings); if there are no explicit routing rules both subnets can't see each other but can use the gateway. On some (router) devices you can assign 2 LAN subnets, which makes it easier as that also has an 'allow routing' toggle.
If for some reason local routing happens (because that's the basic function of a router, duh) you can blackhole that via iptables.
 

robmlr

New Around Here
Define a different static IP/subnet address using the default gateway, without a routing statement for the existing subnet traffic will not flow between them.

[unlike the OP I want to do this for more than just WiFi, and prefer not to use a guest network]

If I understand the above correctly, the idea here is the new subnet is not known by the router so devices on it are 'hidden' from the rest of the network. The hidden network goes through the default gateway and can get to everything on the 'normal' local network, but as @eibgrad alluded to there's no more 'meaningful' control like being able to have more than one hidden network with access between them short of adding another router. Seems like this makes the hidden subnet 'second class' but I can't yet see disadvantages for hosts on it. (I'm running dnsmasq on another host so can still resolve local hostnames)

Since (in my mind at least :)) Merlin is 3rd party firmware, is there something I can add or do to get ebtables or the iptables functionality I want? I'm looking for:

- everybody and their brother has the wifi password and can plug into open cat5 sockets (so basically public) and I want them to only go outside the network
- I have some family devices like NAS that I want family hosts to see e.g. for photo storage
- would like to get into home automation with those devices not going outside the network or probably seen by public on network
- probably some set of infrastructure/switches etc. that family shouldn't have access to control interfaces for
- my own hosts that are all-powerful and can connect to anything (or at least the non-public hosts)

Dnsmasq identifies all the non-public devices I care about and assigns IPs based on MAC address, so at least I have that control.

Did I spec the wrong router (GT-AX11000) for my public-access house to do this? :eek:
 
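
Added example, not code from the thread or from any poster in it, that puts eibgrad's bridged-versus-routed distinction and the requirement list above into one script: ebtables in the bridge FORWARD chain handles LAN-to-LAN frames, and iptables FORWARD handles packets that leave the bridge toward the WAN or a VPN tunnel. Assumptions not taken from the thread: the LAN bridge is br0, the MAC addresses are placeholders, the ebtables and iptables binaries are present, and the script runs as root (on Asuswrt-Merlin it would be called from a firewall-start script; that hook is assumed here, not confirmed by the thread). Two caveats to check before relying on it: frames between two wired ports on the same switch chip, or between two clients on the same radio, can be switched in hardware or in the wireless driver and never reach the Linux bridge, in which case these rules never see them; and the rules are IPv4/ARP only, so IPv6 neighbour discovery would need its own allow rule.

```shell
#!/bin/sh
# Added example, not from the thread. Two layers, matching the distinction in
# the discussion: ebtables for frames the Linux bridge forwards between LAN
# ports, iptables for packets the router routes off the bridge (WAN/VPN).
# Assumptions (placeholders, not from the thread): LAN bridge is br0, MAC
# addresses are made up, ebtables/iptables exist and the script runs as root.

BR=br0
ADMIN="02:00:00:00:00:01"                      # hosts allowed to reach anything
FAMILY="02:00:00:00:00:10,02:00:00:00:00:11"   # may use the NAS, nothing else
NAS="02:00:00:00:00:20"
IOT="02:00:00:00:00:30,02:00:00:00:00:31"      # home automation: LAN only, no WAN
# Any MAC not listed above is "public": it gets the gateway and the WAN only.

# Bridge-layer rules. The ebtables FORWARD chain sees only LAN<->LAN frames;
# frames for the router itself (bridge INPUT) and packets being routed are not
# affected, so an unlisted device keeps DHCP, DNS and internet but cannot
# reach another LAN host. ARP requests from family/NAS are broadcast and need
# their own allow; the unicast replies are covered by the pair rules.
bridge_rules() {
  cat <<EOF
ebtables -N LANISO 2>/dev/null || true
ebtables -F LANISO
ebtables -D FORWARD -j LANISO 2>/dev/null || true
ebtables -A FORWARD -j LANISO
ebtables -A LANISO --among-src $ADMIN -j ACCEPT
ebtables -A LANISO --among-dst $ADMIN -j ACCEPT
ebtables -A LANISO --among-src $FAMILY --among-dst $NAS -j ACCEPT
ebtables -A LANISO --among-src $NAS --among-dst $FAMILY -j ACCEPT
ebtables -A LANISO -p ARP --among-src $FAMILY,$NAS -j ACCEPT
ebtables -A LANISO -j DROP
EOF
}

# Routed-layer rules. A LAN-only device is stopped from leaving the bridge at
# all (WAN or VPN tunnel) by matching its source MAC on the routed path, which
# is the only place iptables sees LAN traffic.
routed_rules() {
  for m in $(printf '%s' "$IOT" | tr ',' ' '); do
    echo "iptables -D FORWARD -i $BR ! -o $BR -m mac --mac-source $m -j DROP 2>/dev/null || true"
    echo "iptables -I FORWARD -i $BR ! -o $BR -m mac --mac-source $m -j DROP"
  done
}

# DRY_RUN=1 (default) prints the rule set for review; DRY_RUN=0 executes it.
apply_rules() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    bridge_rules
    routed_rules
  else
    { bridge_rules; routed_rules; } | sh -e
  fi
}

apply_rules
```

Run it once as-is to review the generated rules, then with DRY_RUN=0 to apply them. The chain is recreated on every run (delete the jump, flush, re-add), so it is safe to call from a hook that fires on each firewall restart.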

cptnoblivious

Senior Member
The problem with the Guest WiFi is that it doesn't go through the VPN which it needs to...

As someone suggested:
Define a different static IP/subnet address using the default gateway, without a routing statement for the existing subnet traffic will not flow between them.

Would be great if someone could provide a link with some info on this.

I have no problem using VPN Director together with YazFI, routing guest networks through VPN.
 

itpp20

Senior Member
With that you're better off with a switch like a GS1900 and VLAN the sh*t out of it. And deploy more than one AP.
Here I do almost the same with an additional router between a trusted LAN and WiFi, VLAN & zone segmented with very specific routing via the second router to bridge specific flows between VLANs (e.g. printer sharing).
 
