How to block a range of local client (LAN) IP's from WAN/Internet

Spere

New Around Here
Currently running a RT-AX88U with Asus Firmware 3.0.0.4.388_23748-g50a1620 in Wireless Router mode.

Use a mix of DHCP and Manual IP.

There is a block of local IP addresses that I would like to block from any WAN / internet usage.

Example: 192.168.25.0 to 192.168.25.63 aka: 192.168.25.1/26

The goal is to be able to activate / deactivate the entire block as a single unit, where all the IPs in the block would either be enabled or disabled from WAN access with minimum fuss.

There appears to only be the option to block WAN (internet) on a per-IP basis, requiring each device to be toggled individually.

Ways that I have tried:
  • Firewall: Network Services Filter (does not appear to allow an IP range or CIDR)
  • Parental Controls: Time Scheduling (does not appear to allow an IP range or CIDR)
Related Links:

Thoughts?
 
Network services filter, put in source ip 192.168.25.0/26 (not 25.1, that's not a valid /26 subnet). Leave all other fields except protocol blank. Make one rule for TCP and one for UDP. They'll still be able to ping but not do anything else.

Set it to "deny list" which is the default.
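
The CIDR point in the reply above, worked through as an added example (not part of the thread and not router firmware code). It normalises an address/prefix whose host bits are set, turns an arbitrary first-last range into the CIDR blocks that cover it, and models a deny list with one TCP and one UDP row per block; the dictionary field names and the matching function are illustrative assumptions, not the router's actual rule format.

```python
import ipaddress

def normalize_block(cidr):
    """Return (network, host_bits_were_set) for an address/prefix string."""
    iface = ipaddress.ip_interface(cidr)
    return iface.network, iface.ip != iface.network.network_address

def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks that covers first..last exactly."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def deny_rules(first, last, protocols=("TCP", "UDP")):
    """One deny-list row per CIDR block per protocol (field names are illustrative)."""
    return [{"source_ip": str(net), "protocol": proto}
            for net in range_to_cidrs(first, last) for proto in protocols]

def is_denied(client_ip, protocol, rules):
    """Model of the deny list: traffic is dropped only if a row matches both fields."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(r["source_ip"]) and protocol == r["protocol"]
               for r in rules)

if __name__ == "__main__":
    # 192.168.25.1/26 has host bits set; the enclosing network is 192.168.25.0/26.
    net, fixed = normalize_block("192.168.25.1/26")
    print(net, "(host bits were set)" if fixed else "")
    print(net[0], "-", net[-1], f"({net.num_addresses} addresses)")

    # The aligned range from the thread collapses to a single block.
    rules = deny_rules("192.168.25.0", "192.168.25.63")
    for rule in rules:
        print(rule)

    # A range that does not start on a /26 boundary needs several blocks.
    print([str(n) for n in range_to_cidrs("192.168.25.10", "192.168.25.63")])

    # Constructed test traffic: last address in the block, first address
    # outside it, and ICMP, which TCP/UDP-only rows never match.
    for ip, proto in [("192.168.25.63", "TCP"), ("192.168.25.64", "UDP"),
                      ("192.168.25.5", "ICMP")]:
        print(ip, proto, "denied" if is_denied(ip, proto, rules) else "allowed")
```
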
 
Thank you for the reply.

After adding the IP subnet, when I click the Add/Delete button (the plus), the following modal error box pops up. (Note: IP addresses adjusted to this specific network -- it's not a typo :))

1696392862381.png
 
That's odd, I just tried and it lets me add any subnet, whether it is on the router or not.

I'm running Merlin 386.11 but I don't think that should matter, but maybe he is the one that added subnetting ability. Up at the top does it say
"The IP address can be a simple IP (1.2.3.4), or use the CIDR format (1.2.3.4/24) to handle a whole subnet"?
 
Use the forum search feature and do a search for Network Services Filter. You will find a number of previous discussions about issues people are having with that feature. Issues very similar to yours where it won't save either the IP address or the CIDR address or says it's not valid. It is possible earlier firmware versions may have working Network Services Filter but don't know how far one would have to roll back to find a firmware where it works.

One example past discussion:
 
The CIDR notation in Network Services Filter is only available in Merlin's firmware AFAIK. It's not supported by stock Asus firmware, unless they added it recently.
 
The upper description area does not mention specifics regarding the format at all. Here is a screenshot:

1696458753111.png
 
Well, isn't that special... Thank you! At least I can stop futilely trying variations now.
 
The yellow does mention a subnet so that implies it must be there somewhere. Try the wildcard notation mentioned above, or maybe try Merlin firmware if that doesn't work.
 
The problem with stock firmware is you can't specify anything smaller than /24 using their notation, which is what the OP was wanting to do.
 