Hello everyone,
I have a question about network configuration.
I'm running a Fritz!Box 7520 as a router and DHCP server with the latest operating system, version 24.10.4.
As clients, I have several Fritz!Box 7490s running the original Fritz!OS.
Since all telephony and the mesh Wi-Fi are managed through these boxes, this should remain the case.
This is also the reason why I can't use VLANs, as the Fritz!Boxes don't support them as clients.
Nevertheless, I'd like to restrict communication between individual devices on the LAN in a different LAN segment.
I'm just not sure how best to do this. Using a firewall rule doesn't seem to work within the same LAN segment.
For example, all IPs above .128 should not be allowed to communicate with IPs up to .127.
Does anyone have experience with this?
That probably can't be done. The firewall in your router only works for traffic which actually goes through the router. But the clients inside your LAN will talk directly to each other.
You can create multiple VLANs on your F!B 7520 running OpenWrt and deploy those untagged on the individual LAN (2-4) ports of your F!B. E.g., you can configure a separate network/VLAN on LAN4 (untagged, and remove this port from br-lan) and connect your F!B 7490 (IPoE client) to this port; this allows you all the firewalling you might be interested in.
Yes, Fritz!OS has (virtually) no configurability for VLANs, meaning you can also only expose them to a single/untagged network, but that doesn't need to intersect with your other VLANs on the OpenWrt 7520. Yes, without a managed switch, you're a bit short on Ethernet ports on the 7520 (3+1), but better than nothing. Yes, there are no negative side effects to putting the telephony/SIP into a segregated network this way.
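The LAN4 segregation described above, written out as an added example in OpenWrt UCI syntax (not taken from the thread or from any OpenWrt default). It assumes the DSA port names of OpenWrt on the 7520 with lan1 used as the WAN uplink and lan2-lan4 in br-lan, and it uses a made-up second subnet 192.168.40.0/24 for the 7490 because a port removed from br-lan needs its own network rather than the .128 split of one subnet; a one-port bridge is equivalent to an untagged VLAN on that port.

```uci
# /etc/config/network (excerpt): lan4 leaves br-lan and gets its own bridge.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'
	list ports 'lan3'

config device
	option name 'br-voice'
	option type 'bridge'
	list ports 'lan4'

# example addressing, pick your own
config interface 'voice'
	option device 'br-voice'
	option proto 'static'
	option ipaddr '192.168.40.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp: lease pool for the 7490 (IPoE client) on lan4
config dhcp 'voice'
	option interface 'voice'
	option start '100'
	option limit '50'
	option leasetime '12h'

# /etc/config/firewall: own zone; forwarding to wan only, none to lan,
# so the 7490 reaches the SIP provider but not the main LAN.
config zone
	option name 'voice'
	list network 'voice'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'voice'
	option dest 'wan'

# input is REJECT, so DHCP and DNS to the router itself need explicit rules
config rule
	option name 'Allow-voice-DHCP'
	option src 'voice'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-voice-DNS'
	option src 'voice'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

Apply with `service network restart` and `service firewall restart`; a client on lan4 should then get a 192.168.40.x lease and be unable to reach the br-lan subnet.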
Thanks for the replies.
Yes, I could use a dedicated VLAN port on the 7520 for a single Fritz!Box client; that would at least solve part of the problem.
Ideally, it could be set up similarly to the guest network in Fritz!OS, covering the entire Wi-Fi mesh network. But that would probably fail due to compatibility issues.
Maybe I'll experiment a bit with nftables and fw4; perhaps there's a way to filter within a LAN. However, this is all quite new to me.