Ways to isolate client from internet without vlan

Sorry, I know, this again...
I read around in the forums and documentation already, but I have a hard time understanding the opportunities with my current setup and would appreciate some direction; links and keywords are fine enough, I can then read again :) At the moment it seems to go in the direction of a bridged device and bridged firewall rules/forwards. But how exactly? Do I need another dongle for a 3rd ethernet port on the RasPi...? Also: I can work with the CLI, but prefer LuCI in OpenWrt.

Config pictured below.

Goal: I want to isolate my NAS (Synology) from the WWW, but have it accessible to all LAN clients.
Reason: I just need file distribution in the LAN, nothing else, and the NAS does not need any internet services. Also, a very old NAS is hanging around here and cannot be updated anymore.
Why not VLAN? It's too much for my goal and, to be honest, too complicated. The managed switch, the NAS (and the Fritzbox) are capable of doing it, but e.g. I have not been able to access the switch's admin interface to this day. I don't need it.

(Stretch goal: make the insecure (hackable) old Hue bridge accessible via WiFi (smartphone app), but do not let it access the LAN or the internet, so nobody can enter my LAN via a Zigbee lightbulb...)

Thanks for any hint and help :)

You can block all traffic from your nas to anything except your local network in the firewall, and vice versa.

1 Like

One simple firewall rule will do the trick:

Reject
source zone lan
source ip < ip address of nas >

Optionally you can add destination zone wan (but that wouldn’t be necessary).

1 Like

The easiest way to solve your problem is to simply not define a gateway device on the NAS for IPv4. If you are using IPv6 you'll need to be careful about what your router advertises; I'm pretty sure, though do not recall off the top of my head, that link-local addresses are not that usable on a lan.

1 Like

I tried that already (firewall rules), but also read about why this will not really work. Maybe I messed up isolating with block WAN or so...
Going to try this right now. Thank you so far!
[edit] Gateway device: will have a look at that as well! [/edit]

This will work provided you can set up your NAS w/o a gateway, and here's why.

LAN traffic is layer 2 (MAC based traffic) and routing is layer 3 (IP based traffic). When an ethernet frame is being constructed there are many fields but four we care about for this discussion: src MAC, dst MAC, src IP, dst IP; src == source, dst == destination. When constructing the packet the system sending the packet looks at the dst IP and makes a determination as to whether that address is on its LAN or not. It uses the netmask to make this determination. If it is determined that the dst IP is on the same LAN then the sender will populate the dst MAC with the MAC address of the remote machine and the src MAC with its MAC. The packet is sent to the switch, the switch sees that the MAC is on its LAN, and it sends the packet on to its destination.

For the case where the dst IP is off LAN - the sender can not know the MAC address of the remote machine b/c MAC addresses are layer 2 and do not traverse LANs. In this instance we have to involve a router (gateway) device. The ethernet frame is populated with the dst MAC of the router and dst IP of the true destination. The packet is sent to the switch and the switch sees that it has to do something with the packet b/c of the dst IP. The router will alter fields in the ethernet frame and forward on as needed. This happens all the way across the internet until the packet finally reaches the destination LAN on which the remote machine resides.

If my network stack does not know who to use as a router, then it can not craft the ethernet frame correctly (dst MAC of router) and the packet can never be sent. *nix based OSes will return 'destination unreachable' as the error. You still need to be careful about SLAAC and router advertisements in IPv6. The easiest thing here is to disable IPv6 on the NAS device. If it's that old it might be a good idea anyway as early implementations of some IPv6 stacks were somewhat broken.

1 Like
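As an added example (not code from the thread, from OpenWrt, or from any poster), the following Python models what the two posts above describe: the next-hop decision a host makes with and without a configured gateway, the IPv6 router-advertisement caveat, and the traffic rule from the earlier reply (Reject, source zone lan, source IP of the NAS) evaluated on the router's forwarding path, alongside the default policy of not forwarding anything from wan into lan. All addresses, host names and the rule name are constructed for the example.

```python
"""Added example: models the two NAS-isolation approaches discussed in the thread.

1. No default gateway on the NAS: the NAS's own next-hop decision fails for
   every off-link destination, so no frame toward the internet is ever built.
2. An OpenWrt traffic rule in the lan zone rejecting forwarded packets whose
   source IP is the NAS.

All addresses, names and values below are constructed, not taken from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed LAN: 192.168.1.0/24 behind an OpenWrt router at .1
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER_IP = "192.168.1.1"
NAS_IP = "192.168.1.20"   # constructed NAS address


@dataclass
class Host:
    name: str
    ip: str
    prefix: int                    # netmask expressed as a prefix length
    gateway: Optional[str] = None  # None models "no gateway configured"
    accept_ra: bool = True         # IPv6 SLAAC / router advertisements accepted

    @property
    def network(self):
        return ipaddress.ip_network(f"{self.ip}/{self.prefix}", strict=False)


def next_hop(host: Host, dst_ip: str) -> Optional[str]:
    """Which address's MAC goes into the frame's dst MAC field.

    On-link destination  -> the destination itself (MAC learned via ARP/ND).
    Off-link destination -> the configured gateway; the dst IP stays the real one.
    Off-link, no gateway -> None: the frame cannot be built and the OS reports
                            'destination unreachable', as the post describes.
    """
    if ipaddress.ip_address(dst_ip) in host.network:
        return dst_ip
    return host.gateway


def receive_router_advertisement(host: Host, router_link_local: str) -> Host:
    """IPv6 caveat from the post: a NAS with no static gateway still learns a
    default router from a router advertisement unless IPv6/RA is disabled."""
    if host.accept_ra and host.gateway is None:
        host.gateway = router_link_local
    return host


def zone_of(ip: str) -> str:
    """Constructed zone model: the LAN subnet is zone 'lan', everything else 'wan'."""
    return "lan" if ipaddress.ip_address(ip) in LAN else "wan"


def forward_verdict(src_ip: str, dst_ip: str) -> str:
    """Evaluate the thread's rule on the router's forwarding path.

    Same-zone traffic never reaches the forwarding chain (it is switched at
    layer 2), so the NAS stays reachable from other LAN clients. Traffic
    addressed to the router itself (input chain) is not modelled here.
    """
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "switched"
    if src_zone == "lan" and src_ip == NAS_IP:
        return "REJECT"   # the added traffic rule from the thread
    if src_zone == "lan":
        return "ACCEPT"   # default lan -> wan forwarding
    return "REJECT"       # default: nothing is forwarded from wan into lan


# The same rule as an /etc/config/firewall stanza. Setting 'dest' is what
# places the rule on the forwarding chain (LuCI's "Any zone" writes dest '*'
# instead); proto 'all' is needed because a rule's default match is 'tcp udp'.
UCI_RULE = f"""config rule
\toption name 'Reject-NAS-to-WAN'
\toption src 'lan'
\toption src_ip '{NAS_IP}'
\toption dest 'wan'
\toption proto 'all'
\toption target 'REJECT'
"""


if __name__ == "__main__":
    nas = Host("nas", NAS_IP, 24)                       # approach 1: no gateway
    laptop = Host("laptop", "192.168.1.50", 24, gateway=ROUTER_IP)
    print("NAS -> laptop next hop:", next_hop(nas, laptop.ip))          # 192.168.1.50
    print("NAS -> 203.0.113.7 next hop:", next_hop(nas, "203.0.113.7"))  # None
    print("firewall, NAS -> internet:", forward_verdict(NAS_IP, "203.0.113.7"))  # REJECT
    print("firewall, laptop -> internet:", forward_verdict(laptop.ip, "203.0.113.7"))
    print(UCI_RULE)
```

Run it as a script to see both approaches side by side: with no gateway the NAS cannot even construct a frame for an off-link destination, while a LAN client with the router as gateway can; the firewall model shows the rule rejecting NAS-to-wan traffic without touching LAN-to-NAS traffic, which never passes through the router's forwarding chain.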

And again I like the OpenWrt community (here and on Reddit), answering noob questions even after the 20th occurrence, and explaining the underlying principles. That's great! Thank you :)

So, the corresponding option for my question is traffic rules, right? Seems to work; the NAS is not getting an outbound connection anymore.

There is no rule needed to block incoming traffic, since this is blocked by default by the firewall, like in every standard router, right?

Yup... this is exactly what I was suggesting.

Correct.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

1 Like

Thank you! And solved status applied as well :)

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.