Firewall traffic rule to block IoT device from talking to other LAN hosts?

Need a little guidance here...

I have a few IoT devices that I would like to block uni-directionally from communicating with other LAN devices (unless communication starts from another local host).

Would this be a simple Firewall Traffic rule where I select source zone LAN, source IP 'IoT device', destination zone LAN then action reject?

Another example of what I'm trying to accomplish...

I have DarkStat installed and would only want to allow 2 static hostnames/IPs to be able to access the darkstat port on the LAN side. How do I block the darkstat port from all other local LAN hosts except the 2 I specify?


Ok I tried this example to block my cellphone from accessing darkstat when on my wifi:

config rule
	option name 'Deny Darkstat'
	option src 'lan'
	option dest 'lan'
	list dest_ip '' # my router
	option dest_port '667'
	option target 'REJECT'
	list src_ip '' #my static ip for cellphone
	option src_port '667'

I am still able to access Darkstat via my cell phone. Where did I go wrong?

Are you sure that the phone is using source port 667? Usually leave that unspecified, as the source port is chosen arbitrarily > 1024...

Are VLANs an option for you?

You can't use the firewall for this purpose as the traffic doesn't traverse the routing plane.

If they're WiFi, you may be able to use client isolation.

No experience with VLANs, will have to look.

I see thank you.

Is it possible to create 2 LAN subnets?

Subnet 1 - Main LAN no restrictions
Subnet 2 - IoT devices, can access internet but unable to communicate with Subnet 1.

Have a look at the videos linked on the dumb accesspoint wiki page for VLANs. They are your best option.

You could create a second Wifi just for Guest and IoT devices, that will have a separate interface and separate IP range - and client isolation. By using a separate fw zone, you can then as well apply your fw rules as needed.

This sounds great. Do you have an example config file I could use as a guide to try?

You can follow this guide:
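The separate-SSID, separate-zone setup suggested above, written out as an added example (not the poster's or the OpenWrt project's own config): three UCI fragments for a wireless-only IoT interface. It assumes OpenWrt 21.02 or later with a radio named radio0, and uses constructed placeholder values: 192.168.2.0/24 for the IoT subnet, 192.168.1.10 and .11 for the two hosts allowed to reach darkstat, and CHANGE-ME for the PSK; a matching config dhcp 'iot' section in /etc/config/dhcp is assumed but left out.

```uci
# /etc/config/network: new interface for the IoT SSID (constructed addresses)
config interface 'iot'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

# /etc/config/wireless: second SSID, clients isolated from each other
config wifi-iface 'iot_ap'
	option device 'radio0'
	option mode 'ap'
	option network 'iot'
	option ssid 'IoT'
	option encryption 'psk2'
	option key 'CHANGE-ME'
	option isolate '1'

# /etc/config/firewall: own zone, forwards to wan only, never to lan
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'iot'
	option dest 'wan'

# the router itself must still answer DHCP and DNS from the iot zone
config rule
	option name 'Allow-IoT-DHCP-DNS'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'

# darkstat (port 667) runs on the router, so lan->router is the lan zone's
# INPUT path (no dest): accept the two admin hosts first, then reject the rest
config rule
	option name 'Allow-Darkstat-Admins'
	option src 'lan'
	list src_ip '192.168.1.10'
	list src_ip '192.168.1.11'
	option dest_port '667'
	option target 'ACCEPT'

config rule
	option name 'Deny-Darkstat'
	option src 'lan'
	option dest_port '667'
	option target 'REJECT'
```

Rules are evaluated in file order, so the accept rule must stay above the reject one; LAN-to-LAN traffic between two hosts on the same subnet never reaches these rules, only traffic to the router itself or across zones does.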

