Hi, I would like to isolate a computer connected through Ethernet from the rest of the LAN. I don't want it to be able to communicate with the router, and most importantly I don't want it to communicate with any other device connected to the router.
What I would like to achieve is that when I run `arp -a` from this computer, it shouldn't be able to see any other device connected to the router.
You have guest networks exactly for that.
What should I do to make it work?
A separate interface with a VLAN will do the trick.
Set up a guest interface; if it is only for Ethernet, then skip the Wi-Fi part:
Depending on your router, you need VLANs to separate an Ethernet port and add it to the guest interface.
Most routers use DSA for VLANs, but some older ath79 routers still use swconfig.
For DSA see:
I have a Flint 2.
Excellent router, I have one myself.
You do indeed need DSA to separate the Ethernet ports.
If I understood it right, I should only follow the "3. Multiple networks using VLANs" step from the guide you provided?
Yes, that is what I should do, but I am not the expert in VLANs.
Of course, you also need to set up the firewall, and that is where the Guest Wi-Fi wiki comes in handy, so start with that.
Of course, make a backup before you proceed.
Here is /etc/config/network from one of my setups, which just so happens to be an MT6000. Treat it as a reference. In this case all of the LAN ports are on the trusted VLAN 10, with the exception of the last one, which is on VLAN 3 (my guest).
/etc/config/network
# /etc/config/network — reference listing from the MT6000 setup described above.
# Per the author's note, lan1-lan4 carry the trusted VLAN 10 and lan5 carries the
# guest VLAN 3. Nothing in this file enforces isolation between those VLANs or
# between the guest VLAN and the router itself; that comes from the zone and
# forwarding rules in /etc/config/firewall, which are not part of this listing.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# Site-specific identifiers: the ULA prefix and DHCP DUID below belong to the
# author's device and should not be copied verbatim into another router's config.
config globals 'globals'
option ula_prefix 'fd99:97d2:a14e::/48'
option dhcp_default_duid '0004c2a59b6b524d43c9ba936251352ae108'
option packet_steering '1'
# WAN on eth1 via DHCP; peerdns '0' ignores the upstream's advertised resolvers
# in favour of the two 'list dns' entries.
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
option peerdns '0'
list dns '1.1.1.1'
list dns '1.0.0.1'
# Trusted LAN, addressed on the VLAN 10 sub-interface of br-lan (br-lan.10).
# delegate '0' disables IPv6 prefix delegation to this interface.
config interface 'lan'
option device 'br-lan.10'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option delegate '0'
# One bridge spanning all five front ports; which VLAN each port belongs to is
# defined by the bridge-vlan sections that follow, not here.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
option ipv6 '0'
# VLAN 10 (trusted): lan1-lan4, untagged with VLAN 10 as the port PVID (':u*').
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'lan1:u*'
list ports 'lan2:u*'
list ports 'lan3:u*'
list ports 'lan4:u*'
# VLAN 3 (guest): only lan5, untagged/PVID.
config bridge-vlan
option device 'br-lan'
option vlan '3'
list ports 'lan5:u*'
# VLAN 4 (iot) has no wired member ports in this listing.
# NOTE(review): presumably it is attached via the wireless config — not visible here.
config bridge-vlan
option device 'br-lan'
option vlan '4'
# 802.1Q sub-interfaces of br-lan, one per VLAN; the 'lan', 'guest' and 'iot'
# interfaces below attach to these. A later post in this thread suggests these
# explicit sections may be unnecessary on DSA; the author left them in place
# because the device is remote.
config device
option name 'br-lan.10'
option type '8021q'
option ifname 'br-lan'
option vid '10'
option ipv6 '0'
config device
option name 'br-lan.3'
option type '8021q'
option ifname 'br-lan'
option vid '3'
option ipv6 '0'
config device
option name 'br-lan.4'
option type '8021q'
option ifname 'br-lan'
option vid '4'
option ipv6 '0'
# Per-port device sections: IPv6 is turned off on every physical interface.
config device
option name 'eth0'
option ipv6 '0'
config device
option name 'eth1'
option ipv6 '0'
config device
option name 'lan1'
option ipv6 '0'
config device
option name 'lan2'
option ipv6 '0'
config device
option name 'lan3'
option ipv6 '0'
config device
option name 'lan4'
option ipv6 '0'
config device
option name 'lan5'
option ipv6 '0'
# NOTE(review): wg0 is declared as a device, but no interface section for it
# appears in this listing.
config device
option name 'wg0'
# Bridge for containers; bridge_empty '1' keeps it present with no member ports.
config device
option type 'bridge'
option name 'lxcbr0'
option bridge_empty '1'
option ipv6 '0'
# Guest network (VLAN 3) on its own /24. Whether guest hosts can reach
# 192.168.1.0/24 or the router's services depends on the firewall zone this
# interface is placed in.
config interface 'guest'
option proto 'static'
option device 'br-lan.3'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
# IoT network (VLAN 4) on its own /24.
config interface 'iot'
option proto 'static'
option device 'br-lan.4'
option ipaddr '192.168.4.1'
option netmask '255.255.255.0'
# Container network on the lxcbr0 bridge.
config interface 'lxc'
option device 'lxcbr0'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '10.0.4.1'
@darksky I do not think you have to explicitly define these, so I think it is not necessary and you might be able to remove them:
Really? I have been using this configuration for a few years, and I believe I set it up in LuCI rather than hacking it together. This device is located remotely, so I don't want to mess with it, but I am curious about your suggestion.
Well, wait for the real gurus to chime in.
But I understand you do not want to mess with a remote system.
Maybe I'm not getting what you want, but it seems like you're asking for no connectivity?! So the simplest thing to do would be not to plug it in at all, then? Or do you mean that you still want it to have internet access but not access to the router's web page and so on? In that case I get it, and obviously you're getting advice on how to do it.
My primary router/firewall is an x86/64 box, and I have physical access to it, so I made the corresponding change on it (easy to revert with a physical keyboard). After restarting the network, everything appears to be working.
--- a/etc/config/network
+++ b/etc/config/network
@@ -42,48 +42,6 @@ config device
list ports 'veth0'
list ports 'veth1'
-config device
- option name 'br-lan.3'
- option type '8021q'
- option ifname 'br-lan'
- option vid '3'
- option ipv6 '0'
-
-config device
- option name 'br-lan.4'
- option type '8021q'
- option ifname 'br-lan'
- option vid '4'
- option ipv6 '0'
-
-config device
- option name 'br-lan.5'
- option type '8021q'
- option ifname 'br-lan'
- option vid '5'
- option ipv6 '0'
-
-config device
- option name 'br-lan.6'
- option type '8021q'
- option ifname 'br-lan'
- option vid '6'
- option ipv6 '0'
-
-config device
- option name 'br-lan.7'
- option type '8021q'
- option ifname 'br-lan'
- option vid '7'
- option ipv6 '0'
-
-config device
- option name 'br-lan.10'
- option type '8021q'
- option ifname 'br-lan'
- option vid '10'
- option ipv6 '0'
-
config bridge-vlan
option device 'br-lan'
option vlan '3'