
Allowing Only Whitelisted IP per Device/Internal IP

FarHills
Aspirant

I have 2 wired devices connected to my wired network that I am trying to do very specific things with using my R7000:

 

A) I do NOT want these devices to have access to the rest of the internal network. To do this I have set up the router to bridge those devices by wired port (VLAN/Bridge Settings), and the switch plugged into that port ONLY has those 2 wired devices on it. Does this prevent them from accessing the devices on the other wired ports?

 

B) I want to set up a whitelist so that these devices can ONLY access a few external IP addresses and nothing else. I'm currently not sure how to do this using the router's firmware. Is it possible?

 

Thank you in advance for any help you can give!

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 1 of 5

All Replies
StephenB
Guru

Re: Allowing Only Whitelisted IP per Device/Internal IP

The VLAN/bridge setup connects that LAN port directly to your ISP, disabling the NAT translation.  You can test this by connecting a PC to the switch, and observing the address you get.  You can then attempt to ping other devices on your home network; you shouldn't be able to reach them (unless they are reachable over the open internet).

 

The router doesn't support whitelisting, and in any event with VLAN/Bridge you are turning off the NAT functions altogether.  The devices aren't protected by the router firewall rules at all, and no traffic is blocked in either direction.  So you will be relying on the security built into the devices.

 

 

Message 2 of 5
FarHills
Aspirant

Re: Allowing Only Whitelisted IP per Device/Internal IP


@StephenB wrote:

The router doesn't support whitelisting, and in any event with VLAN/Bridge you are turning off the NAT functions altogether.  The devices aren't protected by the router firewall rules at all, and no traffic is blocked in either direction.  So you will be relying on the security built into the devices.


Thanks for the succinct explanation. If I disable the bridge, is there some hack-ish way of doing a whitelist? I suspect I'm going to be needing a firewall or another router to accomplish this, but I'm an IT novice, so I'm not certain. Could I set up 2 separate sub-nets on this router maybe? I didn't see an option for that, but then again I may just have overlooked it.

Message 3 of 5
StephenB
Guru

Re: Allowing Only Whitelisted IP per Device/Internal IP


@FarHills wrote:


Thanks for the succinct explanation. If I disable the bridge, is there some hack-ish way of doing a whitelist?

Not that I know of.  If you want to control access by DNS names (not IP addresses) you could look into parental controls.  You could also look into open-source firmware (dd-wrt or tomato), and see if they have any options that look useful.

 

Isolating the devices from your local network is somewhat easier.  You could for instance use two routers (LAN port of one connected to the WAN port of the second), and then connect your special devices directly to the first router.  The NAT firewall in the second firewall would block access to your home network.

Message 4 of 5
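
Added example, not part of the post above or of any firmware's own documentation: one way the outbound allowlist from question B could be written as iptables rules, assuming the dd-wrt or tomato build in use exposes iptables and runs a custom firewall script. The device addresses, destination addresses and chain name are constructed placeholders.

```shell
#!/bin/sh
# Added example: print iptables rules limiting two LAN devices to an
# allowlist of external IPs. All addresses are constructed placeholders.
DEVICES="192.168.1.50 192.168.1.51"   # assumed reserved LAN IPs of the two devices
ALLOWED="192.0.2.10 198.51.100.25"    # assumed external IPs they may reach
CHAIN="DEV_ALLOW"                     # hypothetical chain name

# Accept only a plain dotted-quad host address. Rejecting CIDR and
# hostnames means a typo such as 0.0.0.0/0 cannot turn into allow-all.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the commands for review instead of running them. Fails closed:
# one bad address and nothing is printed.
gen_rules() {
    for ip in $DEVICES $ALLOWED; do
        valid_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 1; }
    done
    echo "iptables -N $CHAIN"
    for dst in $ALLOWED; do
        echo "iptables -A $CHAIN -d $dst -j ACCEPT"
    done
    # Anything not matched above is dropped, including DNS lookups sent
    # to outside resolvers.
    echo "iptables -A $CHAIN -j DROP"
    # -I puts the jump ahead of the firmware's own FORWARD rules, so every
    # packet routed from these devices is checked against the allowlist.
    for dev in $DEVICES; do
        echo "iptables -I FORWARD -s $dev -j $CHAIN"
    done
}

gen_rules
```

These rules only see traffic the router routes: packets between hosts on the same LAN segment are switched and never reach FORWARD, so they do not address question A. Traffic addressed to the router itself (DHCP, its DNS proxy) passes through INPUT and is not covered either.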
William10a
Master

Re: Allowing Only Whitelisted IP per Device/Internal IP

You're talking a server with preset limits to isolate your normal network from the two wired devices. That may be more than the R7000 router can do. I'm sure a home router has the horsepower to do all this, but a computer placed between the router and devices running server software could do it. Companies do this for their different departments and also limit access to other websites to protect themselves.

Message 5 of 5