I am trying to create a simple rule to block specific devices on the network from accessing the Internet. I enter the following traffic rules and only some of the devices are blocked.
Device 1: Server PC (blocked)
Device 2: iPhone (not blocked)
Device 3: Linux VM on Server PC with a static LAN IP on the same subnet (not blocked)
Here's the rule configured from Luci
config rule
	option name 'BlockDeviceNetTest'
	option dest 'wan'
	list src_ip '192.168.1.12'
	list src_ip '192.168.1.183'
	list src_ip '192.168.1.175'
	option src 'lan'
	option target 'DROP'
	list proto 'all'
I've tried both REJECT and DROP. Why would the iPhone and VM still be able to access the WAN, but the server machine not?
A few more reasons can be that the devices are using IPv6, that they are using ephemeral MAC addresses and acquire a different IP from the DHCP server, or that there is some other rule allowing the traffic with precedence.
Thanks. I had suspected IPv6 as a possibility. The traffic rule indicates "restrict to address family" as both IPv4 and IPv6, so I thought that would handle it. Is there a quick way to disable IPv6 in Luci or via config? I've seen a list of UCI commands, but I'm not comfortable inputting a bunch of commands I've yet to understand.
In any case, the server has IPv6 off in Windows config, and I'd much rather handle the issue in the firewall instead of on a per device basis.
It is indeed IPv6 that's the issue. I have to add one of the IPv6 addresses to the block list for it to work. This works, but due to the fact that there are multiple addresses it isn't always as simple as picking a MAC or IP.
I'll look into the feasibility of disabling the WAN6 interface. Thanks.
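As an added illustration (not the poster's configuration, and not taken from the OpenWrt documentation), here is the rule from the question beside a version that covers both address families. An IPv6 packet from the iPhone or the VM carries an IPv6 source address, so it can never match a `src_ip` list that contains only IPv4 addresses, regardless of the address-family setting. Matching on the devices' MAC addresses with `src_mac` works for IPv4 and IPv6 alike, because the MAC is the same in both cases. The MAC addresses below are constructed placeholders; the VM is assumed to be bridged onto the LAN with its own NIC and MAC, which is consistent with it having its own LAN IP.

```uci
# Before: src_ip lists only IPv4 addresses. IPv4 traffic from these hosts is
# dropped, but IPv6 traffic from the same hosts has an IPv6 source and never
# matches this rule, so it still reaches the WAN.
config rule
	option name 'BlockDeviceNetTest'
	option src 'lan'
	option dest 'wan'
	list src_ip '192.168.1.12'
	list src_ip '192.168.1.183'
	list src_ip '192.168.1.175'
	list proto 'all'
	option target 'DROP'

# After: match each device by MAC address, which does not depend on whether the
# packet is IPv4 or IPv6, and state the address family explicitly.
# The three MACs are placeholders; take the real ones from the router's
# DHCP lease list or from the device itself.
config rule
	option name 'BlockDeviceNet'
	option src 'lan'
	option dest 'wan'
	option family 'any'
	# Server PC (placeholder MAC)
	list src_mac '00:11:22:33:44:01'
	# iPhone (placeholder MAC; see the note below on private Wi-Fi addresses)
	list src_mac '00:11:22:33:44:02'
	# Linux VM, bridged NIC with its own MAC (placeholder)
	list src_mac '00:11:22:33:44:03'
	list proto 'all'
	option target 'REJECT'
```

Two caveats from the thread apply to the MAC-based version. First, iOS "Private Wi-Fi Address" presents a per-network MAC that differs from the one printed in the phone's settings, which is the ephemeral-MAC case mentioned in the reply; check the MAC the router actually sees in its lease or neighbour list rather than the hardware MAC, and be aware that it changes if the feature is toggled or the network is forgotten and rejoined. Second, firewall rules are evaluated in order, so a block rule must sit above any rule that allows the same traffic. After applying the change (`/etc/init.d/firewall restart`), confirm from each device that both IPv4 and IPv6 destinations on the Internet are unreachable, since a test that only uses IPv4 would again hide the IPv6 path.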