How to permit WAN access only for a range of IPs?

Is it possible to limit access to WAN only for a range of IPs? I have some IoT wireless power sockets that I'd like to deny access to the LAN and allow them only to access the internet: their IPs are from to

I have an OpenWRT modem/router which doesn't have WiFi and 3 wireless access points (TP-Link Deco S4 mesh network). The router is the DHCP server and the IoT devices are on the same wireless network as the rest of my wireless devices. I'm a newbie to OpenWRT but would guess that I need to create a new zone in the Firewall settings and deny zone members access to the LAN: however, I'm not sure how to set up the zone so that only certain IPs would be in there. A VLAN might be another option but I don't know how to set this up when the router isn't providing WiFi.

In summary, I'm not sure where to start so some help would be appreciated.

As it is, you cannot limit the access of the iot devices. If they are in the same lan as your home devices, they can connect to them.
You'll need to add another network, say called iot, and assign the iot devices there. Then you can control that they will connect only to the internet and not to the lan.
The Deco S4 Access Points are running OpenWrt or stock firmware?

1 Like

Thanks trendy. The Deco S4 is running stock firmware.

Then it is out of scope for this forum. However if you can isolate on them the lan and the iot SSIDs in diffent vlans, then you could create the iot interface on the OpenWrt router on these vlans and accomplish your goal.

Hey @rest. Don't know if you got this issue resolved. I have Deco S4s as well. The only thing we can do with stock firmware is to set up the Guest Network and set the IoT devices on there. Then, turn on the switch "Isolate from Main Network". While it keeps all devices on the same vlan, it seems to do a good job of keeping each IoT device away from everything else while still allowing for access via PC/smart phone. Don't know if that helps but wanted to pass that along.

1 Like

Thanks @Pocket_Sevens, that's exactly what I did and it works well!

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.