How to block internet access for IP range

nospamever

Regular Contributor
My DHCP IP pool starts from 192.168.1.200 to 254. I manually assign IP addresses to known devices up to 192.168.1.199. So any unknown devices including guests will be assigned with IP 192.168.1.200 and above. Is it possible to use firewall to block IP range 192.168.1.200-254?
 

drinkingbird

Very Senior Member
My DHCP IP pool starts from 192.168.1.200 to 254. I manually assign IP addresses to known devices up to 192.168.1.199. So any unknown devices including guests will be assigned with IP 192.168.1.200 and above. Is it possible to use firewall to block IP range 192.168.1.200-254?

Yes, extremely easy, right through the GUI. Click on firewall then the network services filter. To keep it easy, you'd want to use a subnet boundary (192.168.1.192/26 or 192.168.1.224/27) however you can do a few subnets to cover the range, like 192.168.1.200/29, 192.168.1.208/28, and 192.168.1.224/27. Just create 3 rules with those specified as source, and leave the other fields blank, select TCP. Then create the same 3 rules with UDP. Enable the filter, select deny list, save it.
 

nospamever

Regular Contributor
Yes, extremely easy, right through the GUI. Click on firewall then the network services filter. To keep it easy, you'd want to use a subnet boundary (192.168.1.192/26 or 192.168.1.224/27) however you can do a few subnets to cover the range, like 192.168.1.200/29, 192.168.1.208/28, and 192.168.1.224/27. Just create 3 rules with those specified as source, and leave the other fields blank, select TCP. Then create the same 3 rules with UDP. Enable the filter, select deny list, save it.
Thank you so much!
 

Caesar the Dictator

Occasional Visitor
I manually assign IP addresses to known devices up to 192.168.1.199.
As a rule, you can only manually assign 64 IP addresses of your choice to 64 MAC addresses, so there cannot be 197 assignments/bindings.
My DHCP IP pool starts from 192.168.1.200 to 254.
So any unknown devices including guests will be assigned with IP 192.168.1.200 and above. Is it possible to use firewall to block IP range 192.168.1.200-254?
The devices that you assume will use DHCP cannot use those 64 IP addresses, but they can use one of the remaining 135 IP addresses with a static IP entry. The other 64 devices can do the same.

If there is anything wrong with what I have written, please correct me.
 

nospamever

Regular Contributor
As a rule, you can only manually assign 64 IP addresses of your choice to 64 MAC addresses, so there cannot be 197 assignments/bindings.


The devices that you assume will use DHCP cannot use those 64 IP addresses, but they can use one of the remaining 135 IP addresses with a static IP entry. The other 64 devices can do the same.

If there is anything wrong with what I have written, please correct me.
Actually, my manual IP assignment limit is 176.

 

Caesar the Dictator

Occasional Visitor
@nospamever Wow! Is the limit higher because of the router or because of YazDHCP? Anyway, still 197 IP addresses cannot be assigned manually. That leaves about 21 IP addresses available. With a little effort, the devices you are restricting access to the Internet can use those 21 IP addresses to bypass the 6 firewall rules you will add, right? I think I'm not wrong about that.
 

nospamever

Regular Contributor
@nospamever Wow! Is the limit higher because of the router or because of YazDHCP? Anyway, still 197 IP addresses cannot be assigned manually. That leaves about 21 IP addresses available. With a little effort, the devices you are restricting access to the Internet can use those 21 IP addresses to bypass the 6 firewall rules you will add, right? I think I'm not wrong about that.
The higher limit is due to YazDHCP, and I think the limit changes in response to the number of IP reservations. I started with only a 128 limit and it went up to 176. Very happy with that.

What I wanted to achieve is to control DHCP automatically assigned devices, which range from 192.168.1.192-254, from accessing the internet. I set my DHCP start/end pool that way. The DHCP server won't automatically assign addresses below 192.168.1.192, so technically I can have 192 manually assigned devices. But I only have about 70 at the moment. I tested it with a few iPads and it works as intended. Very happy.
 

Caesar the Dictator

Occasional Visitor
The higher limit is due to YazDHCP, and I think the limit changes in response to the number of IP reservations. I started with only a 128 limit and it went up to 176. Very happy with that.

What I wanted to achieve is to control DHCP automatically assigned devices, which range from 192.168.1.192-254, from accessing the internet. I set my DHCP start/end pool that way. The DHCP server won't automatically assign addresses below 192.168.1.192, so technically I can have 192 manually assigned devices. But I only have about 70 at the moment. I tested it with a few iPads and it works as intended. Very happy.
I think I understand better what the upper limit depends on.

Actually, I understand exactly what you are trying to do, I just wanted to point out that devices that will be assigned IPs from the DHCP server's IP pool can leave this pool and use existing IP addresses (those in the range 192.168.1.2-192.168.1.199 and not connected with any MAC address) and this can be a problem.

You can test this yourself if you want. For a device that you expect to use DHCP, select a static IP address in the device's connection settings.

I am actually looking for a solution similar to yours.
 

nospamever

Regular Contributor
I think I understand better what the upper limit depends on.

Actually, I understand exactly what you are trying to do, I just wanted to point out that devices that will be assigned IPs from the DHCP server's IP pool can leave this pool and use existing IP addresses (those in the range 192.168.1.2-192.168.1.199 and not connected with any MAC address) and this can be a problem.

You can test this yourself if you want. For a device that you expect to use DHCP, select a static IP address in the device's connection settings.

I am actually looking for a solution similar to yours.
Hi, I understand now what you are saying. Bugger, thought I had this figured out!
 

drinkingbird

Very Senior Member
The higher limit is due to YazDHCP, and I think the limit changes in response to the number of IP reservations. I started with only a 128 limit and it went up to 176. Very happy with that.

What I wanted to achieve is to control DHCP automatically assigned devices, which range from 192.168.1.192-254, from accessing the internet. I set my DHCP start/end pool that way. The DHCP server won't automatically assign addresses below 192.168.1.192, so technically I can have 192 manually assigned devices. But I only have about 70 at the moment. I tested it with a few iPads and it works as intended. Very happy.

Not sure if Yaz works differently but your DHCP pool normally has to cover your manual assignment range, so you would need to manually assign every IP that you don't want automatically assigned out. So maybe reduce the size of your DHCP range, and create manual assignments (even dummy ones) for all the IPs you don't want assigned by DHCP. You can then replace dummy with real when you have another device to add.

In a previous thread you had, I had suggested some possible ways to do what you're looking to do, such as creating a huge subnet (like a /16) for your LAN and putting most of it into the DHCP pool. Randomly assign IPs to the devices you want to have manual reservations (make it really random, all over the place) and create "permit" firewall rules for those. Then any other IP that is automatically assigned won't be able to access the internet, and they're very unlikely to guess an IP that is permitted. You could take it one step further and create a whitelist for MAC addresses on your wifi so guests have to get you to allow them to even get an IP.

Or you could just stick with the default subnet and create two "permit" rules (one TCP and one UDP) for each manual assignment you create and hope that the things you're trying to block don't guess the range of IPs that are permitted and set a static for one of those. That would create an IP conflict if the other device is online but they would potentially be able to do some stuff.

I guess I'm a little confused though, why even have a guest network if you want to block all their access?
 

ColinTaylor

Part of the Furniture
Not sure if Yaz works differently but your DHCP pool normally has to cover your manual assignment range...
With dnsmasq (which is what Asus uses) there is no requirement for DHCP reservations to be within any DHCP range (aka pool). The only requirement is that they are within the same subnet as some valid DHCP range.
 

nospamever

Regular Contributor
Not sure if Yaz works differently but your DHCP pool normally has to cover your manual assignment range, so you would need to manually assign every IP that you don't want automatically assigned out. So maybe reduce the size of your DHCP range, and create manual assignments (even dummy ones) for all the IPs you don't want assigned by DHCP. You can then replace dummy with real when you have another device to add.

In a previous thread you had, I had suggested some possible ways to do what you're looking to do, such as creating a huge subnet (like a /16) for your LAN and putting most of it into the DHCP pool. Randomly assign IPs to the devices you want to have manual reservations (make it really random, all over the place) and create "permit" firewall rules for those. Then any other IP that is automatically assigned won't be able to access the internet, and they're very unlikely to guess an IP that is permitted. You could take it one step further and create a whitelist for MAC addresses on your wifi so guests have to get you to allow them to even get an IP.

Or you could just stick with the default subnet and create two "permit" rules (one TCP and one UDP) for each manual assignment you create and hope that the things you're trying to block don't guess the range of IPs that are permitted and set a static for one of those. That would create an IP conflict if the other device is online but they would potentially be able to do some stuff.

I guess I'm a little confused though, why even have a guest network if you want to block all their access?
For sure my DHCP pool is outside the manually assigned IPs. I can't explain it, but that is how it is configured on my router.
The TP-Link router I had before permitted a huge subnet (I think I set it to have 65k IP addresses), but I don't think my RT-AC86U can do the same.
I usually disable my guest network when not needed, but often my kids will introduce new devices on the network.
 

drinkingbird

Very Senior Member
With dnsmasq (which is what Asus uses) there is no requirement for DHCP reservations to be within any DHCP range (aka pool). The only requirement is that they are within the same subnet as some valid DHCP range.

On my AC1900 (68U) it won't allow you to create reservations outside of the range, gives an error. That was my first instinct, to set up a totally separate range for the two purposes but had to change it when it wouldn't let me reserve any IPs.

Maybe it has changed in newer firmwares, I've had it set up that way for quite a while now.

EDIT - OK, looks like it has been changed. Mine lets me do it now (positive that it didn't used to, but that is probably back in 384 code base).
 

drinkingbird

Very Senior Member
For sure my DHCP pool is outside the manually assigned IPs. I can't explain it, but that is how it is configured on my router.
The TP-Link router I had before permitted a huge subnet (I think I set it to have 65k IP addresses), but I don't think my RT-AC86U can do the same.
I usually disable my guest network when not needed, but often my kids will introduce new devices on the network.

Ok maybe yours is different, on my AC1900 I can use a /16 subnet mask and put the entire range into DHCP. I tested it when I first suggested it to you.

If your router lets you assign a DHCP pool of say 192.168.1.224 through 254 then you can create firewall rules to deny TCP and UDP for 192.168.1.224/27.

Of course as we've already discussed, this won't stop someone from setting a static IP outside that range (should they figure out that is what you're doing). I've given some suggestions on how you can deal with that, MAC filter, doing "permit" firewall rules only for the specific IPs you want to have access, etc.
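As an added example (not code from any poster in this thread), the following Python uses the standard `ipaddress` module to show the two points made above: how the DHCP pool 192.168.1.200-254 collapses into the three subnets drinkingbird listed once the range is padded up to the .255 broadcast, and how a device that sets a static IP outside the pool (the case Caesar the Dictator raised) falls through a deny list but not a permit list. All sample addresses are constructed for the illustration.

```python
import ipaddress


def range_to_cidrs(first, last, include_broadcast_tail=False):
    """Split an inclusive IPv4 range into the fewest CIDR blocks.

    The GUI filter takes subnets, not ranges. Summarising 200-254 exactly
    needs seven blocks; extending the range to the /24 broadcast (.255)
    first is what lets it collapse to /29 + /28 + /27, as in the thread.
    """
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    if include_broadcast_tail:
        hi = ipaddress.ip_network(f"{hi}/24", strict=False).broadcast_address
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def build_deny_rules(cidrs):
    """Model the GUI deny list: one rule per subnet per protocol (TCP and UDP)."""
    return [(cidr, proto) for cidr in cidrs for proto in ("TCP", "UDP")]


def is_blocked_by_deny_list(src, deny_cidrs):
    """True if the source IP matches any denied subnet (internet access blocked)."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(c) for c in deny_cidrs)


def is_blocked_by_permit_list(src, permitted_ips):
    """True if the source IP is NOT one of the manually reserved, permitted IPs."""
    return ipaddress.ip_address(src) not in {ipaddress.ip_address(p) for p in permitted_ips}


# Constructed sample: the DHCP pool from the thread, padded to .255 -> 3 subnets.
DENY = range_to_cidrs("192.168.1.200", "192.168.1.254", include_broadcast_tail=True)
# Constructed sample: a few manual reservations below the pool.
RESERVED = ["192.168.1.10", "192.168.1.11", "192.168.1.42"]

if __name__ == "__main__":
    print("deny subnets:", DENY)                     # 3 subnets
    print("deny rules:", len(build_deny_rules(DENY)))  # 6 rules (TCP + UDP each)
    # A DHCP client inside the pool is blocked either way.
    print(is_blocked_by_deny_list("192.168.1.230", DENY), is_blocked_by_permit_list("192.168.1.230", RESERVED))
    # A device that set a static 192.168.1.150 slips past the deny list,
    # but the permit-list approach still blocks it.
    print(is_blocked_by_deny_list("192.168.1.150", DENY), is_blocked_by_permit_list("192.168.1.150", RESERVED))
```

The exact (unpadded) split is also returned by `range_to_cidrs` when `include_broadcast_tail` is left False, which is useful when the pool does not end at .254.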
 

ColinTaylor

Part of the Furniture
Maybe it has changed in newer firmwares, I've had it set up that way for quite a while now.
Strange. I've never come across any restriction going all the way back to my RT-N66U in 2014. What firmware version are you using? What is the error message? It might be a bug/feature created by using a subnet larger than /24.
 

drinkingbird

Very Senior Member
Strange. I've never come across any restriction going all the way back to my RT-N66U in 2014. What firmware version are you using? What is the error message? It might be a bug/feature created by using a subnet larger than /24.

Nah, I'm using a /24 (10.0.0.0/24; maybe it didn't like that at some point for some reason, technically it isn't a valid subnet but most stuff ignores that fact these days). It works now, or seems to. I don't recall the error; it probably would have been from back on 384 code. My "go to" has always been to have a range for static/reserved, then create a DHCP range in a different part of the subnet, but when I got the Asus it did not like that, and I had to change the range to cover my manual reservations too. Who knows. Wasn't a big deal.

Curious if I started from a factory reset if it would start giving me an error again. I guess next time there is a big code upgrade (if ever for this router) I'll find out.
 
