Charles Wilkinson
I have some devices that I don't entirely trust (some cheap AliExpress cameras). I can use iptables to prevent them from reaching the internet, but I would also like to prevent them from opening connections to other devices on my network.
My Google-fu tells me that I would need to create a separate subnet, but I'm wondering if there is any alternative.
The problem with using a different subnet is that these are wired devices and I don't have enough cable runs to route them to a specific network port on the back of my router. They are connected to a switch on the first floor which then has a single ethernet cable down to the router.
Is there any way to enable some kind of 'internal firewalling' or to assign a device to a subnet based on its MAC address?
I suspect the answer is no to both, but ideas welcomed.
Router is Merlin RT-AC86U with Skynet installed.
Many thanks
EDIT: Looks like one way to solve this would be to replace the unmanaged PoE switch on the first floor with a 'cheap' managed switch like this: TP Link T1500G-8T. It looks like this would let me tag the devices with a VLAN based on their MAC address or which port they are plugged into on the switch.
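Since the router's netfilter only sees frames that actually pass through br0, the following added example (not from this thread, and not Skynet's code) shows what a /jffs/scripts/firewall-start script on Asuswrt-Merlin can and cannot do for an untrusted wired camera. The MAC addresses are constructed placeholders, and the script only prints the rules unless APPLY=1 is set.

```shell
#!/bin/sh
# What router-side iptables CAN do for an untrusted device on a flat LAN:
#   1. stop it reaching the internet  (FORWARD: br0 -> any non-br0 interface)
#   2. stop it reaching the router's own services (INPUT on br0)
# What it CANNOT do: block camera -> other LAN host traffic. An unmanaged switch
# forwards those frames directly, so they never hit br0's netfilter hooks; that
# isolation needs VLANs on a managed switch, as the EDIT above describes.

UNTRUSTED_MACS="00:11:22:33:44:55 00:11:22:33:44:66"   # constructed sample values
LAN_IF="br0"

# Wrapper: execute iptables only when APPLY=1, otherwise print the rule for review.
ipt() { if [ "${APPLY:-0}" = "1" ]; then iptables "$@"; else echo "iptables $*"; fi; }

valid_mac() {
    # six colon-separated hex pairs, case-insensitive
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

rules_for_mac() {
    mac="$1"
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    # Drop anything from this MAC that the router would route out of the LAN
    # bridge (WAN, VPN tunnels, any other routed interface).
    ipt -I FORWARD -i "$LAN_IF" ! -o "$LAN_IF" -m mac --mac-source "$mac" -j DROP
    # Drop anything from this MAC aimed at the router itself (web UI, SSH, DNS).
    # Inserted before the DHCP ACCEPT so that, with -I, ACCEPT ends up above DROP
    # and the device can still obtain a lease.
    ipt -I INPUT -i "$LAN_IF" -m mac --mac-source "$mac" -j DROP
    ipt -I INPUT -i "$LAN_IF" -p udp --dport 67 -m mac --mac-source "$mac" -j ACCEPT
}

for m in $UNTRUSTED_MACS; do
    rules_for_mac "$m"
done
```

Running the script without APPLY=1 lets you diff the generated rules against the output of iptables -S before touching a router that Skynet is already managing.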