ER605/How to block a device from internet access?
ER605/How to block a device from internet access?
Hi, I have a very simple setup, using the tp-link ER605 Omada as my home LAN router (single LAN). Within my LAN I have a device with fixed IP. I want that device's IP address to be blocked from inbound/outbound connections to the internet (WAN). What steps within the router's admin panel do I need to follow to achieve this? I spent a lot of time with the Firewall's Access Control menu trying to figure it out but I can't. Previously I owned the TL-R600VPN and doing this was very easy, but the admin panel of the ER605 is completely different, seems to be more intricate and less user friendly. Thanks for any suggestions.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Are you using Omada Controller?
I also have ER605 and I take a screenshot of the example settings you need:
- Copy Link
- Report Inappropriate Content
Hi Somnus, and thanks for your reply. No, as I posted I'm using the ER605's admin panel, I did not install Omada's Software Controller, but maybe the controller's gui is more intuitive.
In the screenshot that you show I don't see any IP that is specified (are they included in the "group"??). You only seem to block the LAN to WAN connections, I'd also add the WAN to LAN (outbound AND inbound)
Also, I do not understand what "source" and "Destination" refer to, and where it says "Type" you specify "group1"? If you can outline the steps to follow I'd appreciate.
- Copy Link
- Report Inappropriate Content
Below is how ive configured my VPN router to basically only allow VPN users access to AFP and SMB service to my NAS and block everything else, in standalone mode (no omada software)
this shows my custom port settings for my nas, which will be applied in ACLs
Although what im doing is different to what you want, it shows how each stage is configured and how it all ties togther. You should be able to adapt for your own needs. In your case, on the ACLs, you would be setting the "direction" as "WAN In" and "LAN>WAN"
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Yep, if you have only one IP you want to include in a group, its still considered a "range" so in my case i enter 10.0.0.82 in the From and To boxes.
When you set up a group, you give it a name, and then can select which IP "objects" you set up, you can have more than one if you want too
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Hi GRL again, I'm back after resolving my network issue
So I have a NAS at my LAN IP 192.168.1.3. I want to create a rule to have the ER605 block the NAS from Internet access (inbound and outbound).
So I followed your steps:
First I create the IP Address for the NAS in Preferences/IP Group/IP Address:
Then I create an IP Group to include this NAS IP Address:
And then I create the Access Rule in the Firewall:
The issue is the following: in the last screenshot, if I set "Direction" to include "[WAN] IN" and "LAN-WAN" the NAS will still have internet access. The only way to block the NAS from internet access is by choosing "ALL" as seen above. How come? And also, if I choose ALL which alos blocks LAN to LAN, then my PC in my LAN wouldn't be able to access the NAS, but it does have access. Can't get it.
- Copy Link
- Report Inappropriate Content
Problem with using IPGroup any is it will literally block any IP. WAN, LAN, All of them
Is your WAN a static IP ?
Also, try setting the "Source" as the NAS group
EDIT: might need two rules, one for Allow LAN<>LAN and one for blocking WAN, ill do some testing with a random device i have here
- Copy Link
- Report Inappropriate Content
GRL wrote
Problem with using IPGroup any is it will literally block any IP. WAN, LAN, All of them
Is your WAN a static IP ?
Also, try setting the "Source" as the NAS group
EDIT: might need two rules, one for Allow LAN<>LAN and one for blocking WAN, ill do some testing with a random device i have here
My WAN is supposed to be Dynamic, however unless I renew the connection it seems to always stay with the same WAN IP.
Yes, but even when setting IPGroup Any as source or destination and ALL as Direction, the PC in my LAN is able to connect to the NAS
I just tested setting NAS group as Source and IPGroup Any as Destination and now NAS is blocked from Internet when setting Direction WAN/IN and LAN/WAN (no need to set it to ALL), however PC in the LAN is still able to access de NAS
- Copy Link
- Report Inappropriate Content
Im not sure i follow you
I just tested the following ACL to my spare NAS
This sucessfully blocks the device from the WAN connection, but allows devices on my LAN to access it.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 11515
Replies: 11
Voters 0
No one has voted for it yet.