How to block internet access for IP range

nospamever

Regular Contributor
My DHCP IP pool runs from 192.168.1.200 to 254. I manually assign IP addresses to known devices up to 192.168.1.199. So any unknown device, including guests, will be assigned an IP of 192.168.1.200 or above. Is it possible to use the firewall to block the IP range 192.168.1.200-254?
 

Yes, extremely easy, right through the GUI. Click on Firewall, then Network Services Filter. To keep it easy you'd want to use a subnet boundary (192.168.1.192/26 or 192.168.1.224/27); however, you can do a few subnets to cover the range, like 192.168.1.200/29, 192.168.1.208/28 and 192.168.1.224/27. Just create 3 rules with those specified as source, leave the other fields blank and select TCP. Then create the same 3 rules with UDP. Enable the filter, select deny list, save it.
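Worked example, added here and not part of the answer above: the CIDR blocks a range needs can be computed rather than worked out by hand. Python's ipaddress.summarize_address_range gives the minimal exact cover of a range; rounding the end of the range up to 192.168.1.255 (the subnet's broadcast address, never a host) collapses the result to the three blocks named above. The check function confirms that no host inside the range is missed and no host outside it is caught, which is how to see what a single /26 would sweep in. The subnet and range values are the ones from this thread.

```python
"""Added example (not from the forum thread): turn an IP range into the CIDR
blocks a source-based firewall rule needs, and verify the cover.
"""
import ipaddress


def cidr_cover(first, last):
    """Minimal list of CIDR blocks covering exactly first..last (inclusive)."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if a > b:
        raise ValueError("range start is after range end")
    return [str(n) for n in ipaddress.summarize_address_range(a, b)]


def check_cover(blocks, first, last, subnet):
    """For every host of `subnet`, report hosts inside first..last that the
    blocks miss and hosts outside first..last that the blocks catch.
    Both lists should be empty for a correct deny list."""
    nets = [ipaddress.ip_network(b, strict=True) for b in blocks]
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    missed, extra = [], []
    for host in ipaddress.ip_network(subnet).hosts():   # .1 .. .254 for a /24
        inside = lo <= host <= hi
        covered = any(host in n for n in nets)
        if inside and not covered:
            missed.append(str(host))
        if covered and not inside:
            extra.append(str(host))
    return {"missed": missed, "extra": extra}


def deny_rules(blocks, protos=("TCP", "UDP")):
    """One (source, protocol) entry per block per protocol, which is what the
    GUI deny list ends up containing: 3 blocks x 2 protocols = 6 rules."""
    return [(b, p) for p in protos for b in blocks]


if __name__ == "__main__":
    exact = cidr_cover("192.168.1.200", "192.168.1.254")    # 7 blocks
    rounded = cidr_cover("192.168.1.200", "192.168.1.255")  # 3 blocks, as in the post
    print("exact cover  :", exact)
    print("rounded cover:", rounded)
    print("rounded check:", check_cover(rounded, "192.168.1.200", "192.168.1.254", "192.168.1.0/24"))
    print("/26 check    :", check_cover(["192.168.1.192/26"], "192.168.1.200", "192.168.1.254", "192.168.1.0/24"))
    for src, proto in deny_rules(rounded):
        print(f"deny src={src:<18} proto={proto}")
```

The exact cover of .200-.254 is seven blocks because .254 is not on a power-of-two boundary; including .255 costs nothing and brings it down to the three blocks the answer lists. The /26 check shows the price of the single-block shortcut: .192-.199 are caught too, so only use it if nothing you care about lives there.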
 
Thank you so much!
 
I manually assign IP addresses to known devices up to 192.168.1.199.
As a rule, you can only manually assign 64 IP addresses of your choice to 64 MAC addresses, so there cannot be 197 assignments/bindings.
My DHCP IP pool starts from 192.168.1.200 to 254.
So any unknown devices including guests will be assigned with IP 192.168.1.200 and above. Is it possible to use firewall to block IP range 192.168.1.200-254?
The devices that you assume will use DHCP cannot use those 64 IP addresses, but they can use one of the remaining 135 IP addresses with a static IP entry. The other 64 devices can do the same.

If there is anything wrong with what I have written, please correct me.
 
Actually my manual IP assignment limit is 176

[attachment: 1670485306047.png]
 
@nospamever Wow! Is the limit higher because of the router or because of YazDHCP? Anyway, 197 IP addresses still cannot be assigned manually. That leaves about 21 IP addresses available. With a little effort, the devices whose Internet access you are restricting can use those 21 IP addresses to bypass the 6 firewall rules you will add, right? I think I'm not wrong about that.
 
The higher limit is due to YazDHCP, and I think the limit changes in response to the number of IP reservations. I started with only a 128 limit and it went up to 176. Very happy with that.

What I wanted to achieve is to stop devices that DHCP assigns automatically, in the range 192.168.1.192-254, from accessing the internet. I set my DHCP start/end pool that way. The DHCP server won't automatically assign addresses below 192.168.1.192, so technically I can have 192 manually assigned devices. But I only have about 70 at the moment. I tested it with a few iPads and it works as intended. Very happy.
 
I think I understand better what the upper limit depends on.

Actually, I understand exactly what you are trying to do, I just wanted to point out that devices that will be assigned IPs from the DHCP server's IP pool can leave this pool and use existing IP addresses (those in the range 192.168.1.2-192.168.1.199 and not connected with any MAC address) and this can be a problem.

You can test this yourself if you want. For a device that you expect to use DHCP, select a static IP address in the device's connection settings.

I am actually looking for a solution similar to yours.
 
Hi, I understand now what you are saying. Bugger, thought I had this figured out!
 
What I wanted to achieve is to control DHCP automatically assigned devices which range from 192.168.1.192-254 from accessing internet. I set my DHCP start/end pool that way...

Not sure if Yaz works differently, but your DHCP pool normally has to cover your manual assignment range, so you would need to manually assign every IP that you don't want automatically assigned out. So maybe reduce the size of your DHCP range and create manual assignments (even dummy ones) for all the IPs you don't want assigned by DHCP. You can then replace a dummy with a real one when you have another device to add.

In a previous thread you had, I had suggested some possible ways to do what you're looking to do, such as creating a huge subnet (like a /16) for your LAN and putting most of it into the DHCP pool. Randomly assign IPs to the devices you want to have manual reservations (make it really random, all over the place) and create "permit" firewall rules for those. Then any other IP that is automatically assigned won't be able to access the internet, and they're very unlikely to guess an IP that is permitted. You could take it one step further and create a whitelist for MAC addresses on your wifi so guests have to get you to allow them to even get an IP.

Or you could just stick with the default subnet and create two "permit" rules (one TCP and one UDP) for each manual assignment you create and hope that the things you're trying to block don't guess the range of IPs that are permitted and set a static for one of those. That would create an IP conflict if the other device is online but they would potentially be able to do some stuff.

I guess I'm a little confused though, why even have a guest network if you want to block all their access?
 
Not sure if Yaz works differently but your DHCP pool normally has to cover your manual assignment range...
With dnsmasq (which is what Asus uses) there is no requirement for DHCP reservations to be within any DHCP range (aka pool). The only requirement is that they are within the same subnet as some valid DHCP range.
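Added example, not the thread's code and not dnsmasq's or Asus's: a small checker for dnsmasq-style DHCP configuration that applies the rule just stated, namely that a dhcp-host reservation does not have to fall inside any dhcp-range, only inside the subnet of one. The configuration text is constructed for the example; the parser assumes the start,end,netmask form of dhcp-range and the MAC,address,name order of dhcp-host fields, and skips an optional leading tag field (the form dnsmasq accepts, and the one Asuswrt's generated dhcp-range line uses).

```python
"""Added example: classify dnsmasq DHCP reservations relative to the dynamic pool."""
import ipaddress

# Constructed sample in dnsmasq syntax: a .192-.254 pool plus three reservations.
SAMPLE_CONF = """\
dhcp-range=lan,192.168.1.192,192.168.1.254,255.255.255.0,86400s
dhcp-host=00:11:22:33:44:55,192.168.1.20,printer
dhcp-host=66:77:88:99:aa:bb,192.168.1.201,tablet
dhcp-host=cc:dd:ee:ff:00:11,192.168.2.20,wrong-subnet
"""


def parse_conf(text):
    """Return (ranges, hosts).

    ranges: list of (subnet, first, last) from dhcp-range lines
    hosts:  list of (mac, address, name) from dhcp-host lines
    Assumes dhcp-range=[tag,]start,end,netmask[,...] and dhcp-host=mac,ip[,name].
    """
    ranges, hosts = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("dhcp-range="):
            parts = line[len("dhcp-range="):].split(",")
            if not parts[0][0].isdigit():        # optional leading tag field
                parts = parts[1:]
            first, last, mask = parts[0], parts[1], parts[2]
            subnet = ipaddress.ip_network(f"{first}/{mask}", strict=False)
            ranges.append((subnet, ipaddress.ip_address(first), ipaddress.ip_address(last)))
        elif line.startswith("dhcp-host="):
            fields = line[len("dhcp-host="):].split(",")
            mac, addr, name = (fields + ["", ""])[:3]
            hosts.append((mac, ipaddress.ip_address(addr), name))
    return ranges, hosts


def check_reservations(text):
    """Verdict per reservation name:
    'ok'        same subnet as a dhcp-range and outside every dynamic pool
    'in-pool'   inside a dynamic pool (dnsmasq accepts this and will not hand
                the address to anyone else, but the pool loses an address)
    'no-subnet' not in the subnet of any dhcp-range, so dnsmasq cannot serve it
    """
    ranges, hosts = parse_conf(text)
    verdict = {}
    for _mac, addr, name in hosts:
        same_subnet = [r for r in ranges if addr in r[0]]
        if not same_subnet:
            verdict[name] = "no-subnet"
        elif any(lo <= addr <= hi for _subnet, lo, hi in same_subnet):
            verdict[name] = "in-pool"
        else:
            verdict[name] = "ok"
    return verdict


if __name__ == "__main__":
    for name, state in check_reservations(SAMPLE_CONF).items():
        print(f"{name:<14} {state}")
```

Run against the sample, the printer at .20 is reported 'ok' even though it sits nowhere near the .192-.254 pool, which is the point of the post above; only the reservation on 192.168.2.0/24 is rejected.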
 
For sure my DHCP pool is outside the manually assigned IPs. I can't explain it, but that is how it is configured on my router.
TP-Link router I had before permitted huge subnet (think I set it to have 65k IP addresses) but don't think my RT-AC86U can do the same.
I usually disable my guest network when not needed but often my kids would introduce new devices on the network.
 
With dnsmasq (which is what Asus uses) there is no requirement for DHCP reservations to be within any DHCP range (aka pool)...

On my AC1900 (68U) it won't allow you to create reservations outside of the range; it gives an error. That was my first instinct, to set up a totally separate range for the two purposes, but I had to change it when it wouldn't let me reserve any IPs.

Maybe it has changed in newer firmwares, I've had it set up that way for quite a while now.

EDIT - OK, looks like it has been changed. Mine lets me do it now (positive that it didn't used to, but that is probably back in 384 code base).
 
For sure my DHCP pool is outside manually assigned IP. I can't explain it but that is how it is configured on my router...

OK, maybe yours is different; on my AC1900 I can use a /16 subnet mask and put the entire range into DHCP. I tested it when I first suggested it to you.

If your router lets you assign a DHCP pool of say 192.168.1.224 through 254 then you can create firewall rules to deny TCP and UDP for 192.168.1.224/27.

Of course as we've already discussed, this won't stop someone from setting a static IP outside that range (should they figure out that is what you're doing). I've given some suggestions on how you can deal with that, MAC filter, doing "permit" firewall rules only for the specific IPs you want to have access, etc.
 
Maybe it has changed in newer firmwares, I've had it set up that way for quite a while now.
Strange. I've never come across any restriction going all the way back to my RT-N66U in 2014. What firmware version are you using? What is the error message? It might be a bug/feature created by using a subnet larger than /24.
 

Nah, I'm using a /24 (10.0.0.0/24; maybe it didn't like that at some point for some reason, technically it isn't a valid subnet but most stuff ignores that fact these days). It works now, or seems to. I don't recall the error; it probably would have been from back on 384 code. My "go to" has always been to have a range for static/reserved, then create a DHCP range in a different part of the subnet, but when I got the Asus it did not like that; I had to change the range to cover my manual reservations too. Who knows. Wasn't a big deal.

Curious if I started from a factory reset if it would start giving me an error again. I guess next time there is a big code upgrade (if ever for this router) I'll find out.
 
Yes, extremely easy, right through the GUI. Click on firewall then the network services filter...
For 192.168.1.11, I created two blacklist rules (0.0.0.0/0, TCP and UDP), but I can ping 1.1.1.1 from the terminal and make DNS queries with nslookup. Shouldn't these be blocked as well? In DNS Director, 192.168.1.11 is set as "router".

I have another question. I think for the blacklist rules that will work 24/7, we need to select all days of the week and write a time range of 00:00-23:59. The time range rule takes seconds into account, right?

It's been almost 11 months, but I still wanted to write here before opening a new topic.
 
For 192.168.1.11, I created two blacklist rules, 0.0.0.0/0 TCP and UDP, but I can ping 1.1.1.1 with the terminal
That's because pings are ICMP, not TCP or UDP.

and make DNS queries with nslookup. Shouldn't these be blocked as well? In the DNS director 192.168.1.11 is set as "router".
You're using DNS director to change the destination of the DNS queries from 1.1.1.1 to the router so they're not being blocked.

I have another question. I think for the blacklist rules that will work 24/7, we need to select all days of the week and write a time range of 00:00-23:59. The time range rule takes seconds into account, right?
Yes. 00:00-23:59 is a special case that means "all day". There isn't a one minute or one second gap if that's what you're asking.
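Added example, not the thread's code and not how Asus implements its Network Services Filter: a small model of a LAN-to-WAN filter that replays the cases raised in this thread, both the static-IP bypass and "permit" alternative discussed earlier (the post suggesting permit rules per reservation) and the ping and DNS results explained just above. Modelled assumptions: a rule is a (source CIDR, protocol) pair matched against traffic forwarded from the LAN to the WAN; traffic delivered inside the LAN never meets the filter; deny-list mode drops matching traffic and passes the rest; permit-list mode passes matching traffic and drops the rest; an optional DNS redirect (standing in for DNS Director set to "router") rewrites the destination of port-53 traffic to the router before filtering. The LAN is the thread's 192.168.1.0/24; the router address and host addresses are constructed.

```python
"""Added example: replay the thread's firewall cases against a modelled filter."""
import ipaddress
from dataclasses import dataclass, field

LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER = ipaddress.ip_address("192.168.1.1")      # assumed router address


@dataclass
class LanFilter:
    mode: str                                   # "deny" or "permit"
    rules: list = field(default_factory=list)   # [(source_cidr, proto), ...]
    dns_redirect: bool = False                  # model of DNS Director -> "router"

    def _matches(self, src, proto):
        return any(proto == p and src in ipaddress.ip_network(c) for c, p in self.rules)

    def forwards(self, src, dst, proto, dport=0):
        """True if a packet from src to dst:dport gets through (or is answered locally)."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if self.dns_redirect and dport == 53:
            d = ROUTER                          # rewritten before the forward filter
        if d in LAN:
            return True                         # local delivery, filter not consulted
        hit = self._matches(s, proto)
        return (not hit) if self.mode == "deny" else hit


def deny_list_filter():
    """The thread's design: deny TCP and UDP from the DHCP pool, DNS Director on."""
    pool = ["192.168.1.200/29", "192.168.1.208/28", "192.168.1.224/27"]
    return LanFilter("deny", [(b, p) for p in ("TCP", "UDP") for b in pool], dns_redirect=True)


def permit_list_filter(known_hosts):
    """The alternative: permit TCP and UDP only from the listed reservations."""
    rules = [(f"{h}/32", p) for h in known_hosts for p in ("TCP", "UDP")]
    return LanFilter("permit", rules)


def scenarios(f):
    """Outcomes for the cases discussed in the thread (True = traffic gets out)."""
    return {
        "guest, pool address, TCP 443":       f.forwards("192.168.1.201", "1.1.1.1", "TCP", 443),
        "guest, static address outside pool": f.forwards("192.168.1.50", "1.1.1.1", "TCP", 443),
        "guest, ping (ICMP)":                 f.forwards("192.168.1.201", "1.1.1.1", "ICMP"),
        "guest, DNS to 1.1.1.1 (UDP 53)":     f.forwards("192.168.1.201", "1.1.1.1", "UDP", 53),
        "known device, TCP 443":              f.forwards("192.168.1.20", "1.1.1.1", "TCP", 443),
    }


if __name__ == "__main__":
    for label, flt in (("deny list", deny_list_filter()),
                       ("permit list", permit_list_filter(["192.168.1.20"]))):
        print(label)
        for case, ok in scenarios(flt).items():
            print(f"  {'pass' if ok else 'DROP'}  {case}")
```

In deny-list mode the model reproduces all three observations from the thread: a static address outside the pool passes, ping passes because no TCP or UDP rule can match ICMP, and DNS passes because the redirect turns it into local traffic before the filter runs. In permit-list mode a guest that sets its address to one in the permit list (here 192.168.1.20) is indistinguishable from the known device, which is the residual weakness the thread leaves to a MAC whitelist; note too that in this default-drop model ICMP from known devices is dropped unless it is listed.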
 