Advice needed: best way to block internet access to LAN devices


I have some devices which I want to have on my LAN (printers, for example) but I don't trust their firmware enough for them to be connected to the internet.

I can think of either:

  • block their MAC addresses - which I don't trust either;
  • making another network (and SSID in this case).

I would move to making another network but after querying you about this.
Do you know any better solution for this? If not, is this solution good enough to block all outgoing connections?


If you really do not trust the devices, blocking the MAC is pointless: the firmware can always make up a new address on the spot and off they go.

I'd make a separate network / ssid with a dedicated firewall zone. That should take care of free spirits.


How do you allow one network (e.g. PCs) to access the other network (printers etc.)?

Use the forward policy if the networks are in the same zone, otherwise configure forwardings.

1 Like
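The setup suggested in the replies above, sketched as an added example that is not taken from any poster's configuration: a dedicated zone with no path to the internet, plus a one-way forwarding so PCs can reach the printers. It assumes an OpenWrt-style `/etc/config/firewall`, the stock `lan` and `wan` zones, and a hypothetical network interface and zone both named `iot` carrying the separate SSID.

```conf
# /etc/config/firewall (fragment; zone and interface name 'iot' are assumed)

# Dedicated zone for the untrusted devices.
config zone
	option name 'iot'
	list network 'iot'
	# Traffic addressed to the router itself is rejected by default.
	option input 'REJECT'
	option output 'ACCEPT'
	# 'forward' is the policy between networks inside this same zone.
	option forward 'REJECT'

# PCs may open connections to the printers. Replies come back through
# connection tracking, so no iot -> lan forwarding is needed.
config forwarding
	option src 'lan'
	option dest 'iot'

# Deliberately absent: a forwarding with src 'iot' and dest 'wan'.
# Without it the zone has no route to the internet, whatever MAC or
# IP address a device decides to use.
# Also absent: src 'iot' and dest 'lan', so the devices cannot open
# connections towards the PCs.

# With input REJECT the devices still need DHCP from the router.
config rule
	option name 'Allow-IoT-DHCP'
	option src 'iot'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'
```

If the printers and PCs were instead placed as two networks inside one zone, the zone's `forward` option alone would decide whether they can reach each other, and no `forwarding` section would apply.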