NAT rule for local LAN limitation

Greetings,

How can I define a rule, or multiple rules, that will limit a host to the local LAN only?

Thanks,

Dagg

Don't provide gateway via DHCP.

Won't this prevent me from accessing other machines in the internal LAN?

The lazy way would be to have FW rules that REJECT/DROP a specific source/destination IP in zone LAN, with WAN or any other zone set as source/destination. There is nothing preventing your host from changing its IP address or spoofing its MAC and bypassing this.

Probably better to set up a separate subnet/VLAN for any hosts you want to cordon off, add the interface to a new zone, and set up your forward or deny rules based on that (allow forward to zone LAN, but not WAN, etc.).


No, it won't, assuming they're in the same subnet.


The host is managed by me only, and the same goes for the router, so I don't think the scenario in which the host changes its MAC address is likely.

So what I need to do is the following?

# the tag section must be of type "tag"; its section name is the tag clients get
uci set dhcp.local_lan_only=tag
# option 3 with no value: dnsmasq sends no router (gateway) option at all
uci add_list dhcp.local_lan_only.dhcp_option="3"
uci add dhcp host
uci set dhcp.@host[-1].name="utils_server"
uci set dhcp.@host[-1].tag="local_lan_only"
uci commit dhcp
/etc/init.d/dnsmasq restart

Will this work?

You need to provide the MAC as well.

So:

# the tag section must be of type "tag"; its section name is the tag clients get
uci set dhcp.local_lan_only=tag
# option 3 with no value: dnsmasq sends no router (gateway) option at all
uci add_list dhcp.local_lan_only.dhcp_option="3"
uci add dhcp host
uci set dhcp.@host[-1].name="utils_server"
# the host is matched by MAC address
uci set dhcp.@host[-1].mac="xx:xx:xx:xx:xx:xx"
uci set dhcp.@host[-1].tag="local_lan_only"
uci commit dhcp
/etc/init.d/dnsmasq restart

?

Isn't this what I need?

uci set dhcp.mac1="mac"
uci set dhcp.mac1.mac="00:FF:*:*:*:*"
uci set dhcp.mac1.networkid="vpn"
uci add_list dhcp.mac1.dhcp_option="3"
uci add_list dhcp.mac1.dhcp_option="6,192.168.1.3"
uci commit dhcp
/etc/init.d/dnsmasq restart

You probably only need the mac and dhcp_option.

Yeah, networkid seems unrelated.

What should the dhcp_option 6 value be? The router's IP?

It doesn't really matter, unless you have a DNS server in your network.

Since there's no GW, it won't be able to communicate with anything outside your LAN anyway.
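Putting the two suggestions from the thread together, as an added example that is not from any of the posts above: the no-gateway DHCP tag for the host, plus a firewall rule that rejects LAN-to-WAN forwarding for that host so the restriction still holds if someone configures a static gateway on it (the DHCP trick alone only removes the default route the client is told about). The MAC is a placeholder and the 192.168.1.x addresses are constructed; in /etc/config/dhcp and /etc/config/firewall:

```uci
# /etc/config/dhcp (added example, not from the thread)

# static lease, so the firewall rule below can match on a stable IP as well as the MAC
config host
	option name 'utils_server'
	option mac 'xx:xx:xx:xx:xx:xx'      # placeholder: the host's real MAC
	option ip '192.168.1.50'            # constructed address inside the LAN subnet
	option tag 'local_lan_only'

# the section name is the tag; option 3 with no value makes dnsmasq omit the router option
config tag 'local_lan_only'
	list dhcp_option '3'
	list dhcp_option '6,192.168.1.1'    # DNS stays on the router itself (constructed LAN IP)

# /etc/config/firewall (added example, not from the thread)

# enforce the restriction in the forwarding path: traffic from this host towards the
# WAN zone is rejected even if it learns a gateway some other way
config rule
	option name 'utils_server-no-wan'
	option src 'lan'
	option src_mac 'xx:xx:xx:xx:xx:xx'  # placeholder: same MAC as the lease above
	option src_ip '192.168.1.50'
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'
```

Apply with `/etc/init.d/dnsmasq restart` and `/etc/init.d/firewall restart`; the rule matches on both MAC and IP, so a host that changes only one of them no longer matches, which is the spoofing caveat raised earlier in the thread and the reason a separate VLAN/zone is the stronger option.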