Blocking devices from accessing the Internet -- but not the local network
Hello there!
I'm having an issue, and it looks like I'm not the only one, but unfortunately I'm not finding a satisfying answer, neither here nor elsewhere on the Internet. I hope someone is able to help me out!
Here's the thing: like so many people I have devices in my network that are old, not updated anymore and untrustworthy, but that I do want to keep using. For example, my printer, my IP cameras, some LED controllers for lights and an old Android tablet. All of these things do not need Internet access to be useful, and I would really prefer to keep them off the open Internet for obvious security reasons. But I do need them to be able to access or be accessible on the local network. My IP cameras and LED lights communicate with my NAS, my printer and the Android tablet communicate with other computers in the network, et cetera.
I was fully expecting this to be a no-brainer, and to be able to set up a VLAN or an access control list or something with a few clicks in the web interface of my not-very-old Archer AX50 router.
However:
- Using "Access Control" under "Security" only allows blocking clients from using the network entirely, and gives no option to allow traffic to flow on the local network. I really don't see the point of this feature at all for a home and small business router, if that's all it can do. I have control over the devices in my network, and I can usually just disconnect them client side. If this allowed for more fine-grained routing control, it could be super useful though!
- Setting up a group of devices using "Parental controls" only seems to be doing anything on the DNS or HTTP layer? I have "paused" Internet access on a group with my test device, but the device is still able to ping Google. Using parental controls for this application was suggested in this thread, but as evidenced by this thread and my own experience it doesn't really block Internet traffic, so my devices are still very much not safe from hacking attempts.
Other people on this forum have experienced the same problem, if I do a super basic quick search. But there doesn't seem to be a proper solution, which is downright frustrating.
- https://community.tp-link.com/us/home/forum/topic/513678
- https://community.tp-link.com/us/home/forum/topic/544776
- https://community.tp-link.com/us/home/forum/topic/534038
- https://community.tp-link.com/us/home/forum/topic/95971
- https://community.tp-link.com/us/home/forum/topic/208252
- https://community.tp-link.com/us/home/forum/topic/164006
What's even more bizarre is that TP-Link employee Carl is suggesting here that:
Removing WAN access while keeping LAN access has not been a feature we have ever really looked into, at least not to recent memory. We can always send this up to our Design team, but I can't say for certain if it would ever come to be. In my nearly 5 years with the company you have been the only customer I have worked with that has even asked for such a feature. But nonetheless I will suggest it.
How can this be if my super basic quick search resulted in plenty of other threads about this exact same issue? I realise we're talking about different routers, but the software and feature set are mostly the same, and even if they were not: customers are asking for this.
I'm really hoping I'm just overlooking or not understanding something here. Otherwise I'd really like to request adding this feature to your firmware!
Because if people really are trying to "secure" their network with parental controls -- that don't really block network connections -- then that's just downright a security vulnerability. I'm sure you'll all agree with that assessment and I'm sure we can do better!
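An added example, not part of the original post and not TP-Link code: a check to run on the test device that separates a DNS/HTTP-layer "pause" from a real IP-layer WAN block, which is the gap the post observed when the paused device could still ping Google. It assumes TCP connects to literal public IPs as a stand-in for ping (ICMP needs raw-socket privileges); the LAN address and port are constructed placeholders, and all function names are illustrative.

```python
import socket

def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, filtered
        return False

def dns_resolves(name):
    """True if the system resolver returns any address for name."""
    try:
        return bool(socket.getaddrinfo(name, None))
    except OSError:  # socket.gaierror is a subclass of OSError
        return False

def classify(lan_ok, dns_ok, wan_ip_ok):
    """Turn the three probe results into a verdict on the router-side block."""
    if wan_ip_ok:
        # Traffic to a literal public IP got out, so nothing filters at the IP layer.
        return "NOT_BLOCKED" if dns_ok else "DNS_ONLY_BLOCK"
    # No literal-IP traffic leaves; the block is only useful if the LAN still works
    # (a failed LAN probe can also mean the LAN target itself is down).
    return "WAN_BLOCKED_LAN_OK" if lan_ok else "CUT_OFF_ENTIRELY"

def run_checks(lan_target, wan_targets, dns_name, tcp=tcp_reachable, dns=dns_resolves):
    """Probe LAN, DNS and several literal public IPs; probes are injectable for testing."""
    lan_ok = tcp(*lan_target)
    dns_ok = dns(dns_name)
    # One success proves WAN access; several targets avoid a single-host false negative.
    wan_ip_ok = any(tcp(host, port) for host, port in wan_targets)
    return classify(lan_ok, dns_ok, wan_ip_ok)

if __name__ == "__main__":
    # Constructed values: replace the LAN target with a service on your own network.
    LAN_TARGET = ("192.168.0.10", 445)                  # hypothetical NAS, SMB port
    WAN_TARGETS = [("1.1.1.1", 443), ("8.8.8.8", 53)]   # public resolvers, by literal IP
    print(run_checks(LAN_TARGET, WAN_TARGETS, "example.com"))
```

A `DNS_ONLY_BLOCK` result means name lookups fail while connections to literal IPs still succeed. Only `WAN_BLOCKED_LAN_OK` matches the isolation the post asks for, and it covers TCP only, so UDP and ICMP need their own probes.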