Semi-isolate a device in a network

xifi-kif · October 5, 2018, 3:40pm

Hi everybody,

I have a basic network at work:

############################
# Router OpenWRT           #
# 18.06.1 r7258-5eb055306f #
############################
 |     |      |      |
PC1   PC2   server printer


Device:   IP:
router    192.168.1.200
server    192.168.1.100
printer   192.168.1.150
PC1       192.168.1.1
PC2       192.168.1.2
PC3       192.168.1.3

every PC in the network can reach the server and connect to each other (shares). And this is fine.
Now I need to add a device (PC3) that must be limited to one resource (printer). So I'd like PC3 to be able to connect only to the printer but not to the server nor any other pc in the network.

Maybe I could do this limiting user's policies server side, but I would prefer doing this from the router, if possible.

Can somebody help me with this?

Thanks!

eduperez · October 5, 2018, 3:46pm

Fastest path is probably to add a guess-like network for PC3, and then allow traffic only from the guest network to the printer. Does PC3 and the printer need to be on the same network range?

xifi-kif · October 5, 2018, 3:50pm

Thanks!

No they don't need to. And if needed I can reserve a switch port of the router for PC3.

Can you be more specific please?

lleachii · October 5, 2018, 4:49pm

darksky · October 5, 2018, 4:54pm

@lleachii - There is also a more contemporary version based on my R7800 running 18.06.1: Error when attempting to setup a separate subnet on physical port4 under 18.06.1

xifi-kif · October 6, 2018, 8:07am

Ok so I'll make a new interface, assign it to switch port lan4.

then how to do this?

xifi-kif · October 7, 2018, 3:24pm

I created a vlan (4) and attached a new interface assigned to the phisical port to it.

Cattura

("Wan" port is already separated and has only internet access; real gateway is wireless in client mode)

Should I put it in bridge mode?

Should I assign a different ip class to it?