I have my parents set up with an AC87U running Merlin’s excellent fw. I manage their LAN remotely by logging in to an OpenVPN server running on the router.
What with all the recent VPNFilter stuff, I’ve been on a bit of a security purge.
One of my parents’ devices is a monitor for a solar panel they have on the roof, installed by their electrician/engineer. This device is connected to the internet so that you can see stats online etc.
Ideally I would like this device cordoned off from the rest of the LAN. It seems to be running a full Linux system, and from what I can tell by the information I can get from it without logging in, has not been updated in almost 2 years (despite it having a constant internet connection).
Unfortunately, there doesn’t seem to be an easy way of doing this remotely. This isn’t helped by the fact the monitor’s settings can only be changed by the engineer, who has an authorized app.
If I were there, I would probably get the engineer round and get him to connect the monitor to a Guest WiFi network, and not enable LAN access on that WLAN. Unfortunately this isn’t an option.
So is there any way I can go about getting a similar result, by only using the software on the router’s web UI / ssh?
I have thought about adding the device’s IP to the Network Services Filter blacklist, and adding the LAN subnet as the destination. But the NSF seems to be LAN to WAN. Would it work LAN to LAN? Apart from anything, by blocking the LAN subnet, I assume I would also be blocking it from accessing the router itself, and seeing as that’s the gateway, I’m guessing it would by extension also block it from the internet too?
Any tips would be appreciated