Smart Devices - Block LAN access - AC3200

odiovidio

Occasional Visitor
Hi,

I'm starting to accumulate smart home devices and would like them to just have access to the WAN, and no access to other clients on the LAN. What is the best way to do this? Can I do it with my AC3200? Or would I need a separate VLAN device?

1. Nest Thermostat - WiFi
2. Envisalink Home Alarm - LAN port 4
3. MyQ garage - LAN port 3

LAN ports 1,2 go to PCs/NAS that I would like to have shared LAN access as well as WAN.
 
Put WiFi devices on the guest network and
https://www.snbforums.com/threads/f...guest-network-for-asus-merlin-rt-ac68u.18969/
 
odiovidio, I look at anything and everything related to our RT-AC3200, and saw your post re your smart devices. We had one issue a couple of years ago, with the only so-called smart device we have. Our high-end Samsung curved-screen 4KUHD was transmitting and receiving streams of an unknown nature, to an unknown destination, which Samsung immediately disclaimed, since we'd never enabled or used any of their services. The TV was already isolated on a port and further on a managed switch. The streams had nothing to do with Netflix or Amazon, the only native apps on the TV we used. We filtered it out, but then later pulled the cable so now it's just a beautiful but dumb 4KUHD TV, streams all monitored on the pfSense box.

It can be disregarded as rampant conspiracy paranoia, until a smart/IoT widget in your home or a friend's causes near catastrophe. A TV is one thing, and I never gave it much thought until a friend's home almost burned to the ground; their network had been compromised, the alarm systems deactivated, and all the hackers managed was to crank the IoT thermostat all the way up. They didn't get any texts since the system had been bypassed, but neighbors saw smoke and called the fire department, saved most things. Forensics on the salvaged drive told the story. Scared me into a believer, and I'm not anyone's fool.

Seriously, for your devices, isolate them to the nth degree and you'll be fine with the information bilboSNB linked to. Probably. Watch them like a hawk. If you do wonder if you could ever be on the receiving end of an IoT bot attack, similar to the DVR incident last year, you could assign your widgets to your next-door neighbor's WiFi for a while and bounce the data back to monitor them with Wireshark, see how it goes, if the neighbor wouldn't mind.

Further factual data:

https://www.schneier.com/essays/archives/2017/01/click_here_to_kill_e.html and
https://fortunascorner.com/2017/07/...r-in-the-next-two-years-and-some-potential-c/

Good luck, Cheers.
 
This is all I did. Add it to /jffs/scripts/firewall-start

Code:
# block tv from accessing the internet
logger -t firewall-start:CustomScript "Blocking tv from accessing the internet."
# FORWARD is the chain routed LAN->WAN traffic passes through, so it does the blocking;
# the OUTPUT rule only matches packets the router itself originates with this source address.
iptables -I OUTPUT -s 192.168.1.26 -j DROP
iptables -I FORWARD -s 192.168.1.26 -j DROP

# block receiver from accessing the internet
logger -t firewall-start:CustomScript "Blocking receiver from accessing the internet."
iptables -I OUTPUT -s 192.168.1.27 -j DROP
iptables -I FORWARD -s 192.168.1.27 -j DROP

Replace the IP addresses with those of the devices.

Oh you wanted to do the exact opposite I did. Heh. Yeah this will block WAN but allow LAN.
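The script above blocks WAN and leaves LAN open, which is the reverse of what the thread asked for. The following firewall-start script is an added example, not code from the thread or from Asuswrt-Merlin: it assumes the LAN bridge is br0, the LAN subnet is 192.168.1.0/24, that ebtables is present on the router, and that the IoT hosts have DHCP reservations so their addresses stay fixed; the three device addresses and the chain name IOT_ISOLATE are constructed. It generalizes the thread's per-device rules to any list of hosts and logs blocked attempts so they can be watched.

```shell
#!/bin/sh
# Added example (not from the thread) for /jffs/scripts/firewall-start on an
# Asuswrt-Merlin router: IoT hosts keep WAN access but may not reach other LAN
# hosts. Assumptions, none of which the thread states: the LAN bridge is br0,
# the LAN subnet is 192.168.1.0/24, ebtables is available for bridged traffic,
# and the IoT hosts have DHCP reservations. The device addresses are constructed.

LAN_IF="br0"
LAN_NET="192.168.1.0/24"
IOT_HOSTS="192.168.1.50 192.168.1.51 192.168.1.52"   # thermostat, alarm, garage
CHAIN="IOT_ISOLATE"

# Rules shared by every host: rate-limited LOG (shows up in syslog), then DROP.
# Chain creation is idempotent so the script can be re-run when the firewall restarts.
chain_setup_rules() {
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    echo "iptables -A $CHAIN -m limit --limit 6/min -j LOG --log-prefix \"IOT-LAN-DROP: \""
    echo "iptables -A $CHAIN -j DROP"
}

# Rules for one IoT host.
host_rules() {
    ip="$1"
    # Routed traffic (to another subnet, to VPN clients, or bridged traffic when
    # bridge-nf-call-iptables=1) passes FORWARD; hand it to the logging chain.
    echo "iptables -I FORWARD -i $LAN_IF -s $ip -d $LAN_NET -j $CHAIN"
    # Frames switched inside br0 between two LAN clients never reach iptables,
    # so drop them at the bridge layer as well.
    echo "ebtables -A FORWARD -p IPv4 --ip-src $ip --ip-dst $LAN_NET --log --log-prefix IOT-LAN-DROP -j DROP"
}

# Emit the full rule set. Generating first and applying second lets the rules
# be reviewed (and tested off the router) before they touch the firewall.
iot_rules() {
    chain_setup_rules
    for ip in $IOT_HOSTS; do
        host_rules "$ip"
    done
}

# Number of rules iot_rules emits: 3 chain rules plus 2 per host.
iot_rule_count() {
    iot_rules | wc -l | tr -d ' '
}

# Apply: execute each generated line, logging to syslog like the thread's script.
apply_iot_rules() {
    logger -t firewall-start:CustomScript "Isolating IoT hosts from LAN: $IOT_HOSTS"
    iot_rules | while read -r cmd; do
        eval "$cmd"
    done
}

case "${1:-}" in
    apply) apply_iot_rules ;;
    *)     iot_rules ;;           # default: dry run, print the rules
esac
```

Run it with no arguments to print the rules for review; `sh iot-isolate.sh apply` installs them. The bridge-layer rule is stateless, so a LAN host that opens a session to an IoT device will have the replies dropped too; that is the same trade-off as the guest-network AP isolation linked earlier in the thread. Blocked attempts appear in syslog under the IOT-LAN-DROP prefix, which is the practical form of "watch them like a hawk".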
 
Would that also work if the device runs on a VPN?
re,

Code:
# send every DNS query from the LAN bridge to the resolver at 10.xx.xx.xx
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 10.xx.xx.xx
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 10.xx.xx.xx
iptables -t nat -L -v -n # shows nat table
 
Hi, I am not computer savvy, but can anyone explain if and why someone would change all my devices' addresses to 255.255.255.255 & 192.168.1.0.24? All the way from my TV not accessing the internet (and it should) to phones with different network carriers, and a laptop connected through my phone hotspot won't allow me to access things that I did the week before?
 
