Restrict Lan client to Internet only


clvk07

Senior Member
Is it possible to restrict a wired LAN client to internet only and block the device from connecting to other devices on the LAN?
For all the devices I don't want to connect to the LAN, I connect them to guest Wi-Fi and block LAN access.

This device (IP camera) is connected to a switch, and the switch to a Netgear Orbi router in AP mode which connects back to the AC86U. I do not want to block local access to the Orbi, only to the IP camera.
 
Unless you have a managed switch, at a minimum, all devices plugged into it will be able to "see" each other.

You can run some fancy filters and such on your router to limit by IP, but personally I'd look at a different approach, like a separate hub/switch on the outside of my internal network, if I really cared to limit and isolate access. In fact, that is how I have all my IoT and less secure devices configured.
 
I connect a guest wi-fi AP to a managed switch with "protected port" port isolation feature enabled.
Then I protect my network yet give internet access with the following access control list:
Code:
ip access-list extended GuestWiFi
permit udp any any 192.168.240.240 0.0.0.0 67-68 ace-priority 50 log-input
permit udp any any 192.168.50.1 0.0.0.255 ntp ace-priority 60
permit udp 192.168.240.250 0.0.0.0 any 192.168.50.200 0.0.0.0 syslog ace-priority 65
permit udp any any 192.168.50.1 0.0.0.0 domain ace-priority 70
permit tcp any any 192.168.50.1 0.0.0.0 domain ace-priority 71
deny tcp any any 192.168.240.240 0.0.0.255 any ace-priority 80
deny udp any any 192.168.240.240 0.0.0.255 any ace-priority 81
deny tcp any any 192.168.50.1 0.0.0.0 any ace-priority 90
deny udp any any 192.168.50.1 0.0.0.0 any ace-priority 91
deny ip any 192.168.100.1 0.0.0.0 ace-priority 92
deny ip any 192.168.50.128 0.0.0.127 ace-priority 100
deny ip any 192.168.50.64 0.0.0.63 ace-priority 110
deny ip any 192.168.50.32 0.0.0.31 ace-priority 120
deny ip any 192.168.50.16 0.0.0.15 ace-priority 130
deny ip any 192.168.50.8 0.0.0.7 ace-priority 140
deny ip any 192.168.50.4 0.0.0.3 ace-priority 150
deny ip any 192.168.50.2 0.0.0.1 ace-priority 160
See? Simple and cost-effective. Just kidding.
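Added example (not code from the thread or from any switch vendor): a small Python evaluator for the ACL grammar used in the post above, run against sample flows, so you can see which guest traffic the ordered ACEs permit and deny before committing the list to a switch. It embeds a subset of the posted ACEs as constructed input and assumes the ACL is bound with a permit-any default action, since the post says guests keep internet access.

```python
NAMED_PORTS = {"domain": 53, "ntp": 123, "syslog": 514}
# Sample input: a subset of the ACEs posted above (the full list uses the same grammar).
ACL_TEXT = """
permit udp any any 192.168.240.240 0.0.0.0 67-68 ace-priority 50 log-input
permit udp any any 192.168.50.1 0.0.0.0 domain ace-priority 70
deny tcp any any 192.168.50.1 0.0.0.0 any ace-priority 90
deny udp any any 192.168.50.1 0.0.0.0 any ace-priority 91
deny ip any 192.168.50.128 0.0.0.127 ace-priority 100
"""

def ip_to_int(a):
    o = [int(x) for x in a.split(".")]
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]

def parse_addr(tok, i):  # 'any' or '<addr> <wildcard>'; wildcard 1-bits are don't-care
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    return (ip_to_int(tok[i]), ip_to_int(tok[i + 1])), i + 2

def parse_port(tok, i):  # 'any', a service name, a single port, or 'lo-hi'
    t = tok[i]
    if t == "any":
        return (0, 65535), i + 1
    lo, _, hi = t.partition("-")
    lo = NAMED_PORTS.get(lo, lo)
    return (int(lo), int(hi or lo)), i + 1

def parse_ace(line):
    tok, i = line.split(), 2
    ace = {"action": tok[0], "proto": tok[1], "sport": (0, 65535), "dport": (0, 65535)}
    ace["src"], i = parse_addr(tok, i)
    if ace["proto"] != "ip":  # 'ip' ACEs carry no port fields
        ace["sport"], i = parse_port(tok, i)
    ace["dst"], i = parse_addr(tok, i)
    if ace["proto"] != "ip":
        ace["dport"], i = parse_port(tok, i)
    ace["prio"] = int(tok[tok.index("ace-priority") + 1])  # trailing log-input is ignored
    return ace

def addr_match(rule, ip):
    return (ip_to_int(ip) | rule[1]) == (rule[0] | rule[1])

def evaluate(acl, proto, src, sport, dst, dport, default="permit"):
    # Lowest ace-priority wins. Unmatched flows get the default action bound with the
    # ACL; assumed permit-any here, since the post says guests keep internet access.
    for r in sorted(acl, key=lambda r: r["prio"]):
        if (r["proto"] in ("ip", proto) and addr_match(r["src"], src) and addr_match(r["dst"], dst)
                and r["sport"][0] <= sport <= r["sport"][1] and r["dport"][0] <= dport <= r["dport"][1]):
            return r["action"], r["prio"]
    return default, None
ACL = [parse_ace(l) for l in ACL_TEXT.strip().splitlines()]
```

A guest's DHCP request and DNS lookup come back permit, a guest's HTTP attempt on the router and any traffic to a host in 192.168.50.128/25 come back deny, and a flow to a public address falls through to the bound default.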
 
Yes, very simple :)

I understand I will have to get another switch at some stage. The one I have now is PoE for the cameras, but it also serves other devices...

For now, is it complex to set up filters by IP?
 
I set up the rules below but I can still connect from my laptop (.55) to the camera (.67). Why is iptables allowing the connection?

admin@RT-AC86U-4960:/tmp/home/root# iptables -L | grep .67
DROP all -- 192.168.1.55 192.168.1.67
DROP all -- 192.168.1.67 192.168.1.55
DROP all -- 192.168.1.67 192.168.1.0/24
DROP all -- 192.168.1.67 192.168.1.0/24
 
I set up the rules below but I can still connect from my laptop (.55) to the camera (.67). Why is iptables allowing the connection?

iptables doesn't work at the LAN level. It's LAN to WAN or WAN to LAN. The only way to block inter-LAN traffic is VLANs (not really possible with this firmware), hence the recommendation of a managed switch or a new wireless router with VLAN support already.
 