
Block local LAN access to a specific IP/MAC

Hello all,

1st post, but I have done tons of reading and can't seem to find a clear answer.

I have a NAS on my LAN and want to block access to it from most LAN addresses (except a few).

I thought this would be a simple firewall rule but I can't get anything to work.

I set the device with a static IP and have tried to block any access to it. I can still ping it and access the web interface.

I even set a firewall rule blocking my laptop IP to the NAS (both on the same LAN) but it doesn't work.

Am I missing something simple here?

I do have a spare home router that I can put in access point mode and connect it to an unused interface (after configuring it to a different subnet) but that seems like a lot of extra work and adding extra hardware for no great reason.

Is there a simple solution to my issue that I haven't found yet?

Thanks in advance for your time.

Glenn



  • Hi Glenn, that's quite simple. You cannot block internal subnet traffic with a gateway firewall since that traffic doesn't pass it. In the same subnet the traffic goes from host A to host B without even touching the gateway. If you want to block the access to it you have to put your NAS into another subnet, that is only reachable from the LAN by passing the firewall. Easiest way would be another interface that directly ends on the NAS; if you don't have any free interfaces left you can use a VLAN or simply (but insecurely) just another interface alias on the firewall's LAN interface. Insecure because a client that changes its IP to the new alias' subnet can reach the NAS directly again. To avoid that you could use a /30 network mask for the new subnet, where the firewall and the NAS are using the only 2 free addresses. VLAN would be more secure but requires some knowledge of tagged and trunk ports and - of course - a VLAN capable switch.
  • Thanks for the reply Kerobra!

    I don't have a VLAN capable switch but am loving the idea of using an interface alias on the LAN interface using a CIDR /30. I have set the alias up on the existing LAN interface but don't see where to set the DHCP (I want to assign a static IP to the device actually). Any hints would be appreciated.

    Again, thanks for your help!

    Glenn

  • Hello Shrav,

    DHCP would be complicated using an alias, as the DHCP request is a broadcast and it could not be determined whether the request is for the alias IP. It would be answered/replied to by the main interface IP.

    The reason you would need a switch is because the traffic needs to be tagged to correspond to the correct DHCP configured for that VLAN, or you may simply configure a static IP on each machine and use the alias IP for the different network. So if you need to communicate with another subnet it would go through the firewall.
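As an added illustration of the two points made in this thread (same-subnet traffic never reaches the gateway firewall, and a /30 alias leaves no spare address for a client that reconfigures itself into the alias subnet), here is a small Python model using the standard `ipaddress` module. It is not code from the original posts; all addresses are constructed sample values.

```python
import ipaddress

# Constructed sample addressing for the thread's scenario (assumed values).
LAN = ipaddress.ip_network("192.168.1.0/24")       # existing LAN
ALIAS_30 = ipaddress.ip_network("192.168.2.0/30")  # /30 alias, as suggested
ALIAS_24 = ipaddress.ip_network("192.168.2.0/24")  # roomier alias, for contrast


def path(src_ip, src_prefix, dst_ip):
    """Return 'direct' when dst is on-link for src (same subnet, so the
    packet is switched host-to-host and the gateway firewall never sees it),
    otherwise 'via-gateway' (the firewall can filter it)."""
    link = ipaddress.ip_interface(f"{src_ip}/{src_prefix}").network
    return "direct" if ipaddress.ip_address(dst_ip) in link else "via-gateway"


def free_addresses(network, assigned):
    """Usable host addresses in `network` that are not yet assigned. A client
    that re-addresses itself into the alias subnet needs one of these; an
    empty list means the /30 leaves it nothing to take."""
    used = {ipaddress.ip_address(a) for a in assigned}
    return [str(h) for h in network.hosts() if h not in used]


def scenarios():
    """Walk the thread's cases and return the outcome of each."""
    laptop, nas_on_lan = "192.168.1.50", "192.168.1.10"
    fw_alias, nas_on_alias = "192.168.2.1", "192.168.2.2"
    return {
        # NAS and laptop share the LAN: a firewall rule cannot apply.
        "same_subnet": path(laptop, 24, nas_on_lan),
        # NAS moved behind the alias: laptop must route via the firewall.
        "moved_to_alias": path(laptop, 24, nas_on_alias),
        # /30 with firewall + NAS assigned: no spare usable address.
        "free_in_30": free_addresses(ALIAS_30, [fw_alias, nas_on_alias]),
        # /24 alias instead: plenty of addresses a client could adopt.
        "free_in_24": len(free_addresses(ALIAS_24, [fw_alias, nas_on_alias])),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```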