Blocking devices from accessing the Internet -- but not the local network

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2022-12-22 23:46:15
Model: Archer AX50  
Hardware Version: V1
Firmware Version: 1.0.11 Build 20210730 rel.54485(4555)

Hello there!

 

I'm having an issue, and it looks like I'm not the only one, but unfortunately I'm not finding a satisfying answer. Not here nor elsewhere on the Internet. I hope someone is able to help me out!

 

Here's the thing: like so many people I have devices in my network that are old, not updated anymore and untrustworthy, but that I do want to keep using. For example, my printer, my IP cameras, some LED controllers for lights and an old Android tablet. All of these things do not need Internet access to be useful, and I would really prefer to keep them off the open Internet for obvious security reasons. But I do need them to be able to access or be accessible on the local network. My IP cameras and LED lights communicate with my NAS, my printer and the Android tablet communicate with other computers in the network, et cetera.

 

I was fully expecting this to be a no-brainer, and to be able to set up a VLAN or an access control list or something with a few clicks in the web interface of my not-very-old Archer AX50 router.

 

However:

  • Using "Access Control" under "Security" only allows you to block clients from using the network entirely, and gives no option to allow traffic to flow on the local network. I really don't see the point of this feature at all for a home and small business router, if that's all it can do. I have control over the devices in my network, and I can usually just disconnect them client side. If this allowed for more fine-grained routing control, it could be super useful though!
  • Setting up a group of devices using "Parental controls" only seems to be doing anything on the DNS or HTTP layer..? I have "paused" Internet access on a group with my test device, but the device is still able to ping Google. Using parental controls for this application was suggested in this thread, but as evidenced by this thread and my own experience it doesn't really block Internet traffic, so my devices are still very much not safe from hacking attempts.

 

Other people on this forum have experienced the same problem, if I do a super basic quick search. But there doesn't seem to be a proper solution, which is downright frustrating.

 

  • https://community.tp-link.com/us/home/forum/topic/513678
  • https://community.tp-link.com/us/home/forum/topic/544776
  • https://community.tp-link.com/us/home/forum/topic/534038
  • https://community.tp-link.com/us/home/forum/topic/95971
  • https://community.tp-link.com/us/home/forum/topic/208252
  • https://community.tp-link.com/us/home/forum/topic/164006

 

What's even more bizarre is that TP-Link employee Carl is suggesting here that:

 

Removing WAN access while keeping LAN access has not been a feature we have ever really looked into, at least not to recent memory. We can always send this up to our Design team, but I can't say for certain if it would ever come to be. In my nearly 5 years with the company you have been the only customer I have worked with that has even asked for such a feature. But nonetheless I will suggest it.

 

How can this be if my super basic quick search resulted in plenty of other threads about this exact same issue? I realise we're talking about different routers, but the software and feature set are mostly the same, and even if they were not: customers are asking for this :)

 

I'm really hoping I'm just overlooking or not understanding something here. Otherwise I'd really like to request adding this feature to your firmwares!

 

Because if people really are trying to "secure" their network with parental controls -- that don't really block network connections -- then that's just downright a security vulnerability. I'm sure you'll all agree with that assessment and I'm sure we can do better! :D

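A way to check, from the device under test, which layer a router feature is actually blocking, as described in the post above (an added example, not part of the original post and not TP-Link code). It assumes a Linux or macOS client with `ping -c`, a placeholder LAN address `192.168.0.10` that answers ping, and Google Public DNS at `8.8.8.8` as the raw-IP Internet target.

```python
import socket
import subprocess

# Assumed targets: LAN_HOST is a placeholder for a device on your own network
# (e.g. the NAS); 8.8.8.8 is Google Public DNS, reached by raw IP (no lookup).
LAN_HOST, WAN_IP, WAN_NAME = "192.168.0.10", "8.8.8.8", "www.google.com"


def icmp_ok(host, timeout=5):
    """True if one echo request is answered (Linux/macOS `ping -c` syntax)."""
    try:
        done = subprocess.run(["ping", "-c", "1", host],
                              capture_output=True, timeout=timeout)
        return done.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def tcp_ok(host, port, timeout=3):
    """True if a TCP handshake completes; an unresolvable name counts as False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe():
    """Run every probe from the device under test."""
    return {"lan_icmp": icmp_ok(LAN_HOST),
            "wan_icmp": icmp_ok(WAN_IP),
            "wan_tcp_ip": tcp_ok(WAN_IP, 53),
            "wan_tcp_name": tcp_ok(WAN_NAME, 80)}


def classify(r):
    """Map probe results to a verdict on what the router is really blocking."""
    if not r["lan_icmp"]:
        return "lan-unreachable"       # cut off entirely
    if r["wan_icmp"] or r["wan_tcp_ip"]:
        # Packets to a raw Internet IP still get routed.
        return "open" if r["wan_tcp_name"] else "name-layer-only"
    return "wan-blocked-lan-ok"        # the behaviour the thread asks for


if __name__ == "__main__":
    results = probe()
    print(results, "->", classify(results))
```

A verdict of `name-layer-only` matches the symptom reported above: name-based access fails while packets to a raw Internet IP are still forwarded.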
Re:Blocking devices from accessing the Internet -- but not the local network
2022-12-24 11:10:24 - last edited 2022-12-24 11:19:23

  @Timendus 

 

The functionality you're looking for was possible to implement with the old Green UI routers - check this story. After the UI has been changed, the new Access Control feature doesn't allow that anymore. You can file a feature request for implementing this functionality here:

 

If this was helpful click once on the arrow pointing upward. If this solves your issue, click once the star to mark it as a "Recommended Solution".
Re:Blocking devices from accessing the Internet -- but not the local network
2022-12-30 20:28:13

  @terziyski 

 

Thank you for your reply! I have submitted this as a feature request here: https://community.tp-link.com/en/home/forum/topic/594090 Curious to see what kind of reply this will get and what the chance of it actually being implemented will be :)

Re:Blocking devices from accessing the Internet -- but not the local network
2023-01-19 21:41:57

Hey guys, I just saw your posts. I also made a feature request (https://community.tp-link.com/en/home/forum/topic/596306) and I upvoted yours @Timendus. Hopefully they implement it some time soon. To me this seems like a very basic feature and it's really surprising that they decided to not include it in an otherwise very nice and feature-rich UI.

Re:Blocking devices from accessing the Internet -- but not the local network
2023-01-21 10:35:26

Same for me. I even had another thread for it here.

Re:Blocking devices from accessing the Internet -- but not the local network
2023-04-11 09:59:51

  @Timendus 

 

Just trying to help here, is it possible to configure the network settings on the devices you are trying to secure? If so, remove the gateway IP address and that should theoretically isolate them from the outside, while still maintaining intranet connectivity.

  0  
  0  
#6
Options
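How the suggestion in the last post plays out in a host's routing decision, as an added example that is not part of the original thread: a small longest-prefix-match model of the table a device builds from its static IPv4 settings, with and without a gateway. All addresses are constructed samples, and the function names are hypothetical.

```python
import ipaddress


def build_routes(address, prefix_len, gateway=None):
    """Routing table a host derives from its static IPv4 settings."""
    iface = ipaddress.ip_interface(f"{address}/{prefix_len}")
    routes = [(iface.network, "on-link")]           # connected subnet
    if gateway:
        routes.append((ipaddress.ip_network("0.0.0.0/0"), gateway))
    return routes


def next_hop(routes, destination):
    """Longest-prefix match; None means 'network unreachable'."""
    dest = ipaddress.ip_address(destination)
    matches = [(net, hop) for net, hop in routes if dest in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def reachability(routes, destinations):
    """Next hop per named destination, or None where no route exists."""
    return {name: next_hop(routes, ip) for name, ip in destinations.items()}


# Constructed sample addresses, not taken from the thread.
DESTINATIONS = {
    "nas (same subnet)": "192.168.0.10",
    "internet host": "8.8.8.8",
    "other local subnet": "192.168.1.20",
}

if __name__ == "__main__":
    for gw in ("192.168.0.1", None):
        table = build_routes("192.168.0.50", 24, gw)
        print("gateway =", gw, reachability(table, DESTINATIONS))
```

Without a default route the device also cannot reply to sources outside its own subnet, including any other local subnet. The setting only holds while the device keeps a static configuration, since a DHCP lease normally supplies the gateway again.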