What's new

Restrict Lan client to Internet only

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

clvk07

Senior Member
Is it possible to restrict a wired lan client to internet only and block the device to connect to other devices on the lan?
For all the devices I don't want to connect to the Lan, I connect them to guest wifi and block lan access.

This device (IP camera) is connected to a switch and the switch to a Netgear Orbi router in AP mode which connects back to the AC86U. I do not want to block local access to the ORBI, only to the IP camera.
 
Unless you have a managed switch, at a minimum, all devices plugged into it will be able to "see" each other.

You can run some fancy filters and such on your router to limit by IP, but personally I'd look at a different approach, like a separate hub/switch on the outside of my internal network, if I really cared to limit and isolate access. In fact, that is how I have all my IoT and less secure devices configured.
 
I connect a guest wi-fi AP to a managed switch with "protected port" port isolation feature enabled.
Then I protect my network yet give internet access with the following access control list:
Code:
ip access-list extended GuestWiFi
permit udp any any 192.168.240.240 0.0.0.0 67-68 ace-priority 50 log-input
permit udp any any 192.168.50.1 0.0.0.255 ntp ace-priority 60
permit udp 192.168.240.250 0.0.0.0 any 192.168.50.200 0.0.0.0 syslog ace-priority 65
permit udp any any 192.168.50.1 0.0.0.0 domain ace-priority 70
permit tcp any any 192.168.50.1 0.0.0.0 domain ace-priority 71
deny tcp any any 192.168.240.240 0.0.0.255 any ace-priority 80
deny udp any any 192.168.240.240 0.0.0.255 any ace-priority 81
deny tcp any any 192.168.50.1 0.0.0.0 any ace-priority 90
deny udp any any 192.168.50.1 0.0.0.0 any ace-priority 91
deny ip any 192.168.100.1 0.0.0.0 ace-priority 92
deny ip any 192.168.50.128 0.0.0.127 ace-priority 100
deny ip any 192.168.50.64 0.0.0.63 ace-priority 110
deny ip any 192.168.50.32 0.0.0.31 ace-priority 120
deny ip any 192.168.50.16 0.0.0.15 ace-priority 130
deny ip any 192.168.50.8 0.0.0.7 ace-priority 140
deny ip any 192.168.50.4 0.0.0.3 ace-priority 150
deny ip any 192.168.50.2 0.0.0.1 ace-priority 160
See? Simple and cost-effective. Just kidding.
 
ye very simple :)

I understand I will have to get another switch at some stages. The one I have now is POE for the cameras but it also serves other devices...

For now, is complex to set up filters by IP?
 
I set up the rules below but I can still connect from my laptop (.55) to the camera (.67). Why iptables is allowing the connection?

admin@RT-AC86U-4960:/tmp/home/root# iptables -L | grep .67
DROP all -- 192.168.1.55 192.168.1.67
DROP all -- 192.168.1.67 192.168.1.55
DROP all -- 192.168.1.67 192.168.1.0/24
DROP all -- 192.168.1.67 192.168.1.0/24
 
I set up the rules below but I can still connect from my laptop (.55) to the camera (.67). Why iptables is allowing the connection?

IPtables doesnt work at the LAN level. Its LAN to WAN or WAN to LAN. The only way to block interLAN traffic is VLANs (not really possible with this Firmware), hence the recommendation of a managed switch or a new wireless router with VLAN support already
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top