Forum Discussion
bauerflo
Nov 13, 2020Aspirant
Port Isolation using IP ACL and no VLANs
Hi guys,
I run the GS324T with the latest firmware. My (and this is important) non-VLAN-aware router is connected to port 24 to allow Internet access to all connected devices.
My goal is to isolate one or more devices connected directly to a port via IP ACLs.
Basic idea is to create an IP ACL for a device with the IP 192.168.10.29 on port 18 that can only access the router under 192.168.10.1 and no other devices.
What I tried out over the last few days is to create an IP ACL for port 18 with the following rules:
1) allow inbound IP packets from 192.168.10.29
2) allow inbound IP packets from 192.168.10.1
3) deny everything else (the default invisible rule at the bottom)
This should, in my opinion, restrict the IP traffic on port 18 to the IP addresses 192.168.10.1 and 192.168.10.29.
But: depending on the subnet mask it either blocks all traffic or also allows pings and access to other IPs like 192.168.10.23.
Does anybody have an example to follow? Is the isolation without VLANs and that switch I have even possible?
Thanks for your help!
3 Replies
- schumaku (Guru - Experienced User)
bauerflo wrote: My goal is to isolate one or more devices connected directly to a port via IP ACLs.
So a port only allowing access to the router port, resp. its LAN interface?
bauerflo wrote: Basic idea is to create an IP ACL for a device with the IP 192.168.10.29 on port 18 that can only access the router under 192.168.10.1 and no other devices.
This is feasible - so no Internet for the device on that port, resp. that specific IP address?
bauerflo wrote: But: depending on the subnet mask it either blocks all traffic or also allows pings and access to other IPs like 192.168.10.23.
A single IP has per se the network mask 0.0.0.0!
- bauerflo (Aspirant)
Thanks for answering schumaku !
For clarity I copied the ACL rule table from my switch (pictures don't seem to work, so I put a copy below).
To your questions:
So a port only allowing access to the router port resp. it's LAN interface? --> correct
This is feasible - so no Internet for the device on that port, resp. that specific IP address? --> Internet should be possible via 192.168.10.1, but isolated from other devices like 192.168.10.23. The isolation should be against other devices connected to the same switch.
I changed the network mask like you proposed.
Sequence Number | Action | Logging | Assign | Match Every | Source IP     | Source Mask
5               | Permit | False   |        |             | 192.168.10.29 | 0.0.0.0
20              | Permit | False   |        |             | 192.168.10.1  | 0.0.0.0
- bauerflo (Aspirant)
I did it!
Can you confirm, that this is a good solution? (Screenshot below)
10 Allow the Router
20 Allow the Router
30 Deny the rest of the local network
40 Allow the rest
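Added example (written for this page, not code from the thread or from NETGEAR): a small first-match ACL evaluator that reproduces both rule sets discussed above. It assumes what the posts imply, namely that the switch applies the port ACL to packets entering port 18, evaluates rules in sequence order with the first match winning, falls back to an implicit deny, and uses wildcard masks (a 0 bit must match, a 1 bit is ignored, so 0.0.0.0 is one host and 0.0.0.255 a /24). Because an ingress ACL on port 18 only ever sees packets the attached device sends, source-only permits cannot restrict where it sends them; the original two-rule attempt therefore permits 192.168.10.29 -> 192.168.10.23 via rule 5, which is the leak the first post describes. The fields used by the final post's two "Allow the Router" rules are not shown in the thread; they are modelled here, as an assumption, as router-as-destination and router-as-source. The sample flows are constructed for the example.

```python
# Added example, not NETGEAR code. Assumes: ingress ACL on the device's port,
# first match wins, implicit deny at the end, wildcard masks (0 = must match).
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

Match = Optional[Tuple[str, str]]   # (address, wildcard mask), or None for "any"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask comparison: 0.0.0.0 matches a single host, 0.0.0.255 a /24,
    and 255.255.255.255 (a subnet mask typed into a wildcard field) matches everything."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF            # bits that must be equal
    return (a & keep) == (b & keep)


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str          # "permit" or "deny"
    src: Match = None
    dst: Match = None
    note: str = ""


def evaluate(acl: List[Rule], src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """Return (action, sequence number of the matching rule); ("deny", None) is the implicit deny."""
    for rule in sorted(acl, key=lambda r: r.seq):
        src_ok = rule.src is None or wildcard_match(src_ip, *rule.src)
        dst_ok = rule.dst is None or wildcard_match(dst_ip, *rule.dst)
        if src_ok and dst_ok:
            return rule.action, rule.seq
    return "deny", None


# The first post's attempt: two source-only permits plus the implicit deny.
FIRST_ATTEMPT = [
    Rule(5, "permit", src=("192.168.10.29", "0.0.0.0"), note="packets from the device"),
    Rule(20, "permit", src=("192.168.10.1", "0.0.0.0"), note="packets from the router"),
]

# Destination-aware rules in the 10/20/30/40 shape of the last post. Assumption:
# the two router rules match the router as destination and as source.
ISOLATED = [
    Rule(10, "permit", dst=("192.168.10.1", "0.0.0.0"), note="allow the router"),
    Rule(20, "permit", src=("192.168.10.1", "0.0.0.0"), note="allow the router"),
    Rule(30, "deny", dst=("192.168.10.0", "0.0.0.255"), note="deny the rest of the local network"),
    Rule(40, "permit", note="allow the rest (Internet via the router)"),
]

# Same idea with the LAN deny placed first: the /24 deny also covers 192.168.10.1,
# so the router becomes unreachable. Sequence numbers are not cosmetic.
MISORDERED = [
    Rule(10, "deny", dst=("192.168.10.0", "0.0.0.255")),
    Rule(20, "permit", dst=("192.168.10.1", "0.0.0.0")),
    Rule(30, "permit"),
]

# Constructed sample flows as seen on port 18's ingress side.
SAMPLE_FLOWS = [
    ("192.168.10.29", "192.168.10.1", "device -> router"),
    ("192.168.10.29", "192.168.10.23", "device -> another LAN host (must be blocked)"),
    ("192.168.10.29", "8.8.8.8", "device -> Internet (must pass, routed via .1)"),
]


def report(acl: List[Rule]) -> Dict[str, Tuple[str, Optional[int]]]:
    """Evaluate every sample flow against an ACL, keyed by the flow description."""
    return {desc: evaluate(acl, s, d) for s, d, desc in SAMPLE_FLOWS}


if __name__ == "__main__":
    for name, acl in (("FIRST_ATTEMPT", FIRST_ATTEMPT), ("ISOLATED", ISOLATED), ("MISORDERED", MISORDERED)):
        print(name)
        for desc, (action, seq) in report(acl).items():
            print(f"  {desc:45s} {action:6s} (rule {seq})")
```

Running it shows FIRST_ATTEMPT permitting the device-to-.23 flow by rule 5, ISOLATED denying it by rule 30 while the router and Internet flows pass by rules 10 and 40, and MISORDERED denying the router by rule 10. Two caveats that apply to the real switch as much as to the model: an IP ACL only filters IP packets, so ARP and other layer-2 traffic between port 18 and the rest of the switch is not affected, and the device's presence on the LAN remains visible; and any rule that matches the device's own source address can be sidestepped by a host that changes its IP, which is why the deny here is keyed on the destination subnet rather than on the source.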