Block interface1 from accessing interface2

Basically, I want to block some cheap Chinese IoT devices from accessing my home network but still let them connect to the Internet (otherwise, they do not work).

To do this, I moved the Wi-Fi network to which those Chinese IoT devices are connected to a separate interface (named "badnetwork"). I assigned a different class C address to that interface. As a test, I connected my phone to that Wi-Fi network. The phone could connect to the Internet but also to my home network (named "lan"). How can I block devices connected to "badnetwork" from accessing devices connected to "lan"?

I was trying to follow this page but I could not understand it well. The firewall zone looks like this. "badzone" is the firewall-zone assigned to "badnetwork".

The screen looks ok, did you add any firewall rules for this?

If so, can you post them?


No. I thought adding the zones would be enough. But now that I have looked at the page again, the text does say that I have to add rules. So, basically I have to add rules that block "badzone" -> "lan" manually? I will try that.

No you do not!

You have to add rules to allow your devices to get an IP from the router, DNS, etc. I'm honestly not clear how that's working now.


I added the following two things as the page says. I don't understand what these mean but did it anyway.


Now when I tried to connect from "badzone" to "lan", I saw a message like this in Chrome: "This site can't be reached. ERR_CONNECTION_REFUSED". I guess I have achieved what I wanted. I just wish this thing was easier to do, since this is probably something a lot of people would want to do. A wizard like "Create an isolated network" would have been helpful.

Something is seriously wrong with your configs. You added those and it stopped working...weird.


But that's what the page says.

I agree, and I also think you're misunderstanding.

  • The zone rules should have blocked all traffic (except to the Internet)
  • but, you won't get an IP address or be able to look up hostnames...so
  • The 2 ALLOW rules permit name resolution and IP address assignment via DHCP

Something isn't working; because on your router, the opposite is true.


Devices in my Guest network cannot access the router nor other networks (except Internet). They can only get an IP and look up DNS names.


Network settings other than the default ones are really difficult for a novice. I have multiple Chinese IoT devices, so I have enabled a DHCP server on the "badnetwork" to which the IoT devices are connected. I did this so that those devices could get NAT addresses like "192.168.11.2", "192.168.11.3", ...

In your settings, you mean that the devices on your guest network do not get a NAT address at all?

In my settings, I won't get a NAT address until I add and enable the Allow-guest_DHCP rule above.
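For reference, here is what the three pieces discussed above (the isolated interface with its own DHCP server, the zone with REJECT input/forward policies and a single forwarding to wan, and the two ACCEPT rules for DHCP and DNS) look like in OpenWrt's UCI config files. This is an added example, not the configuration from any post in this thread; it assumes the interface is called "badnetwork" with the 192.168.11.0/24 range mentioned above, that the zone is called "badzone", that the upstream zone is the default "wan", that the IoT SSID has already been attached to the interface in /etc/config/wireless (option network 'badnetwork'), and that the rule names are chosen freely.

```uci
# /etc/config/network
# Assumed: the IoT SSID is attached to this interface in /etc/config/wireless.
config interface 'badnetwork'
	option proto 'static'
	option ipaddr '192.168.11.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp
# A DHCP pool on badnetwork only, so the IoT devices get 192.168.11.x addresses.
config dhcp 'badnetwork'
	option interface 'badnetwork'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall
# Zone policies: clients may not talk to the router (input) and may not be
# forwarded anywhere (forward) unless a forwarding or rule below allows it.
config zone
	option name 'badzone'
	list network 'badnetwork'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# The only permitted forwarding: badzone -> wan. There is deliberately no
# 'badzone' -> 'lan' forwarding, so that traffic hits the REJECT policy.
config forwarding
	option src 'badzone'
	option dest 'wan'

# Holes in the input policy so clients can obtain an address and resolve names.
config rule
	option name 'Allow-badzone-DHCP'
	option src 'badzone'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-badzone-DNS'
	option src 'badzone'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

After editing the files, apply them with `/etc/init.d/network restart`, `/etc/init.d/dnsmasq restart` and `/etc/init.d/firewall restart`. Two points worth knowing: the REJECT policy answers blocked connections with a TCP reset or ICMP unreachable, which is why Chrome reported ERR_CONNECTION_REFUSED rather than a timeout (DROP would give the timeout). And because the default lan zone only forwards to wan, devices on lan cannot reach the IoT devices either; if a controller app on a lan device needs to talk to them, add a separate `config forwarding` with src 'lan' and dest 'badzone', which allows lan-initiated connections without letting badzone initiate anything toward lan.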

Well, at least it works, or seems to work, so I will just leave it. The reason why I decided to do this is that those Chinese IoT devices kept sending a broadcast packet to the network every second (probably trying to report their IP to the controller app) and polluted the Network History graph in my Linux system monitor. Since they are now in a different network, I don't see the packets anymore in the system monitor.
