Blocking wan access by MAC

Good day gents, I have a setup with two Netgear R7800 routers running:
OpenWrt 24.10.0 r28427-6df0e3d02a / LuCI openwrt-24.10 branch 25.014.55016~7046a1c

In Mesh.

Let's say router 1 is connected to the ISP router via LAN and router 2 is wirelessly connected to router 1 via mesh. DHCP is done by the ISP router; they are all in the same VLAN.

I need to block internet access to one device on the network. I created a rule in router 1, but still have connectivity. What am I doing wrong?

There's no firewall in the lan zone; traffic has to pass through wan (be routed) for a firewall rule to work.

As frolic said, you're trying to use a layer 3 blocking approach when you need to use a layer 2 blocking approach; you can't mix the two.

Here are some approaches you can use:

  1. Set a static ARP entry in OpenWRT for the MAC address to a different IP address than the LAN client is actually using.

  2. Set a static MAC address in the ARP table that is different from the MAC address the LAN client is using, for the same IP address the LAN client is using.

Both of these screw with normal operation of the LAN client and, of course, are simplistic hacks dependent on the LAN client having a static IP address and on the LAN client being run by a complete idiot who knows nothing about networking. They are easy to defeat by the LAN client, even a simple bonehead, by merely changing their IP address or changing their MAC address.

  3. Use the wireless-specific function for this purpose that requires clients to authenticate into wifi. The downside of this is that it's not applicable to the LAN, that is, if the client jacks into one of your Ethernet ports then it's game over. Here are the docs for it:

OpenWRT: Create a WiFi MAC Whitelist or Blacklist

  4. Set up your DHCP server in OpenWRT to hand out a DHCP response packet to this specific MAC address that lacks a default gateway. Once more, it depends on the owner of the LAN client being a bonehead who can't figure out how to statically assign a default GW IP address.

  5. Give this up as stupid and buy a managed switch, then set up Port Security and layer 2 MAC filtering in the switch. That is, you know what port the client is on and you know what MAC the client is using, so lock down that port to that MAC, filter based on that MAC, make sure that your client is stupid enough not to just hunt around for another port in the office to plug into, and put the Ethernet switch in a locked room.

In summary, if you have no control over the device on your network, then there's nothing you can do to block a knowledgeable attacker from your network other than layer 2 authentication that blocks them from the network completely - it's impossible to secure a network that you allow an attacker physical access to - you can't give out your wifi password to everyone and their dog then block their dog from surfing the web if their dog is smarter than you - and by definition, that is true if you think you can block an attacker you have given physical access to your network.

If you HAVE control over the device on your network you want to block from surfing the web then there's tons more effective ways of doing this by modifying that device, rather than messing with your router.
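Approaches 3 and 4 above, written out as OpenWrt UCI fragments. This is an added example, not configuration from the post or from the OpenWrt wiki page it links. It assumes the device is `radio0`, that OpenWrt's own dnsmasq is the DHCP server for the client (in this thread it is not, since the ISP router hands out leases, so the `config tag` part would have to live on whichever box does DHCP), and the MAC and IP are constructed placeholders:

```uci
# /etc/config/wireless -- approach 3: layer 2 deny list on the SSID itself.
# The client is refused association, so it never gets onto the LAN by wifi.
# (MAC below is a constructed placeholder.)
config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option network 'lan'
	option ssid 'MyNet'
	option encryption 'psk2'
	option key 'change-me-placeholder'
	option macfilter 'deny'
	list maclist '00:11:22:33:44:55'

# /etc/config/dhcp -- approach 4: lease with no default gateway (DHCP option 3).
# The host gets a fixed IP via its MAC and is tagged; the tag section lists
# option 3 with no value, which makes dnsmasq omit the router option entirely.
config host
	option name 'nogw-client'
	option mac '00:11:22:33:44:55'
	option ip '192.168.1.50'
	option tag 'nogw'

config tag 'nogw'
	list dhcp_option '3'
```

After editing, `wifi reload` re-applies the wireless ACL and `/etc/init.d/dnsmasq restart` reloads the lease table; the client only sees the gateway-less lease when it next renews. Both fragments carry the weakness the post describes: a user who changes the MAC or configures a static IP and gateway walks straight past them.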

Thank you lads, it's actually a solar DEYE inverter I wish to block, to separate it from internet access. I do have access to it, but not on site; however, I have remote access to the LAN, so I was thinking it's possible to do it remotely.

If you're trying to block this solar inverter from reaching the internet, the solution is very simple. In your original firewall rule (with the MAC or IP already specified):

  • Set the source zone to lan (presumably)
  • Set the destination zone to wan.

A better approach would be to use the rule with a source IP address (instead of MAC). So, if you're currently using the MAC, set up a DHCP reservation so that the inverter's IP address is known and constant. This will use the MAC address as the basis for issuing the desired IP address. Then, use that IP address in the firewall rule for the source address.
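The reservation plus lan-to-wan reject rule from the post above, as UCI fragments. This is an added example, not configuration from the post; the MAC `00:11:22:33:44:55` and the address `192.168.1.50` are constructed placeholders. It only has an effect on the OpenWrt box that actually routes the inverter's traffic between its lan and wan zones, which is the point made in the following replies about the R7800s being access points:

```uci
# /etc/config/dhcp -- static lease so the inverter always gets the same IP.
# The MAC is the key; the IP is what the firewall rule below will match on.
config host
	option name 'deye-inverter'
	option mac '00:11:22:33:44:55'
	option ip '192.168.1.50'

# /etc/config/firewall -- reject anything from that host forwarded to wan.
# src_ip is preferred over src_mac because MAC matching only works on the
# first hop; here src_mac would also be accepted by fw4 if you insist.
config rule
	option name 'Block-inverter-wan'
	option src 'lan'
	option src_ip '192.168.1.50'
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'
```

Apply with `/etc/init.d/dnsmasq restart` and `/etc/init.d/firewall restart`; the inverter must renew its lease before the reserved address is in use, so check `cat /tmp/dhcp.leases` for the new IP before testing. On 24.10 (fw4) you can confirm the rule landed with `nft list ruleset | grep 'Block-inverter-wan'`, since fw4 attaches the rule name as a comment. REJECT rather than DROP is deliberate: the inverter gets an immediate ICMP/TCP reset instead of hanging on each attempt.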

If both Netgear R7800 routers are configured as access points or similar, any traffic filtering has to be done on the ISP router.


Good catch. I missed that the actual router is upstream. That makes my comment entirely irrelevant.


There is another way, but you may not find it suitable, and it all depends on the details of the network, number of users, etc.

You can approach the problem the other way round. Block everything with a captive portal. Users can then log in and get Internet access, but IoT devices are too dumb to log in so stay blocked.

A variation on this theme is to get a tiny travel router class device, e.g. a gl-mt300n-v2, and run the captive portal on it, connecting only the IoT device to the portal; then the users will not be affected or even know.
You can do port forwarding for access and other fancy stuff, giving full control of the IoT device access, regardless of its mac address or ip address... Just a thought.
Basic "out of the box" OpenNDS on a mt300n-v2 would do the job.

Are there other IoT devices? Battery bank monitoring, etc?

A captive portal isn't really necessary... all that is needed is a routed solution where the device(s) can be blocked from internet access. So, using the existing hardware, it would be possible to simply create a new subnet and SSID, and attach the solar inverter to that SSID. Then you can simply not allow access to the internet from there. Access from the main network to the new one would need to be considered -- this could be as simple as port forwarding (with NAT enabled) or if the upstream router supports static routes, it can be fully symmetric.
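The routed-subnet variant from the post above, as UCI fragments for one of the R7800s. This is an added example, not configuration from the post. It assumes the firewall service on the R7800 is still enabled (it is often switched off on a pure access point), that `radio0` is the radio the inverter will associate to, that `192.168.50.0/24` is unused, and that the management path is a static route on the ISP router (`192.168.50.0/24` via the R7800's lan address); SSID, key and addresses are placeholders:

```uci
# /etc/config/network -- a second, routed subnet on its own bridge.
# If the inverter is wired, add its switch port to this bridge instead.
config device
	option name 'br-iot'
	option type 'bridge'

config interface 'iot'
	option proto 'static'
	option device 'br-iot'
	option ipaddr '192.168.50.1'
	option netmask '255.255.255.0'

# /etc/config/wireless -- dedicated SSID attached to the iot network
config wifi-iface 'iot_ap'
	option device 'radio0'
	option mode 'ap'
	option network 'iot'
	option ssid 'inverter-net'
	option encryption 'psk2'
	option key 'change-me-placeholder'

# /etc/config/dhcp -- the R7800 serves leases on this subnet itself
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '50'
	option leasetime '12h'

# /etc/config/firewall -- a zone with NO forwarding out of it at all.
# On this box the internet sits behind the lan zone (the ISP router lives
# there), so the absence of an iot->lan forwarding is what cuts the path.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# The inverter may still talk DHCP (and, if you want it, DNS) to the router.
config rule
	option name 'Allow-iot-DHCP'
	option src 'iot'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Allow-iot-DNS'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# Management reaches into the subnet from the main network; conntrack lets
# the inverter's replies back out without any iot->lan forwarding.
config forwarding
	option src 'lan'
	option dest 'iot'
```

Reload with `/etc/init.d/network restart`, `wifi reload` and `/etc/init.d/firewall restart`, then from a host on the main network check that the inverter answers (for example its web port) while from the inverter's side nothing beyond `192.168.50.1` is reachable. If the ISP router cannot take a static route, the alternative the post mentions is `option masq '1'` on the R7800's lan zone plus a `config redirect` DNAT entry for the inverter's port, at the cost of the main network only seeing the R7800's address. Drop the `Allow-iot-DNS` rule if you want the inverter unable to resolve names at all; dnsmasq would otherwise forward its queries upstream, which is a small but real outbound channel.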

Yes, that too.
Where the cheap-and-cheerful mini-router solution wins is if the Ethernet port of the inverter plugs into the mini-router (inverters often have a USB port that can power the mini-router). It can be configured before going on site, and enabling is just "unplug, plug, plug", unless the inverter has a static IP address. The OP did not mention if the inverter was wireless or Ethernet; I think both are optional on DEYE. Wireless would be pretty simple also. Minimal hardware cost ~$30 maybe, but not free.

Whereas adding a config to the existing router might be free as far as hardware is concerned.