Basically, I want to block some cheap Chinese IoT devices from accessing my home network but still let them connect to the Internet (otherwise, they do not work).
To do this, I moved the Wi-Fi network to which those Chinese IoT devices are connected to a separate interface (named "badnetwork"). I assigned a different class C address range to that interface. As a test, I connected my phone to that Wi-Fi network. The phone could connect to the Internet but also to my home network (named "lan"). How can I block devices connected to "badnetwork" from accessing devices connected to "lan"?
I was trying to follow this page but I could not understand it well. The firewall zone looks like this. "badzone" is the firewall zone assigned to "badnetwork".
No. I thought adding the zones would be enough. But now that I have looked at the page again, the text does say that I have to add rules. So, basically I have to add rules that block "badzone" -> "lan" manually? I will try that.
Now when I tried to connect from "badzone" to "lan", I saw a message like this in Chrome: "The site can't be reached. ERR_CONNECTION_REFUSED". I guess I have achieved what I wanted. I just wish this thing was easier to do, since this is probably something a lot of people would want to do. A wizard like "Create an isolated network" would have been helpful.
Network settings other than the default ones are really difficult for a novice. I have multiple Chinese IoT devices, so I have enabled a DHCP server on the "badnetwork" to which the IoT devices are connected. I did this so that those devices could get NAT addresses like "192.168.11.2", "192.168.11.3", ...
In your settings, you mean that the devices on your guest network do not get a NAT address at all?
Well, at least it works or seems to work, so I will just leave it. The reason why I decided to do this is that those Chinese IoT devices kept sending a broadcast packet to the network every second (probably trying to report their IP to the controller app) and polluted the Network History graph in my Linux system monitor. Since they are now in a different network, I don't see the packets anymore in the system monitor.
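For reference, here is an added example (not from the original thread) of the zone, forwarding and rule sections in an OpenWrt /etc/config/firewall that isolate "badzone" from "lan" while still allowing Internet access, and that keep the router's own DHCP and DNS reachable for the devices as described in the later post. It assumes the router runs OpenWrt (the thread never names the firmware), that the Internet-facing zone is named 'wan', and that the router itself serves DHCP and DNS on badnetwork.

```uci
# /etc/config/firewall (only the sections relevant to the isolated network)

config zone
	option name 'badzone'
	list network 'badnetwork'
	option input 'REJECT'      # traffic to the router itself is refused unless a rule below allows it
	option output 'ACCEPT'     # router may answer/initiate traffic towards the devices
	option forward 'REJECT'    # no forwarding between networks inside this zone

# The only forwarding entry for badzone points at the Internet zone.
# With no 'badzone' -> 'lan' forwarding section, the zone's forward policy
# (REJECT) applies, which is what produces the immediate ERR_CONNECTION_REFUSED
# seen in the browser; DROP would instead make the page time out.
config forwarding
	option src 'badzone'
	option dest 'wan'          # assumed name of the Internet-facing zone

# Explicit rule so the intent is visible in the config and in the LuCI rule list
config rule
	option name 'badzone-to-lan-reject'
	option src 'badzone'
	option dest 'lan'
	option target 'REJECT'

# Because input is REJECT, the devices must be allowed to reach the router's
# DHCP server (UDP 67) and DNS resolver (TCP/UDP 53), or they get no address.
config rule
	option name 'badzone-allow-dhcp'
	option src 'badzone'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'badzone-allow-dns'
	option src 'badzone'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

After editing the file, reload the firewall (e.g. /etc/init.d/firewall restart) and repeat the test from the phone: the Internet should load, a LAN address should be refused, and the phone should still receive a 192.168.11.x lease.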