1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Block local LAN access on 1 device

Discussion in 'Tomato Firmware' started by GhaladReam, Dec 6, 2011.

  1. GhaladReam

    GhaladReam Network Guru Member

    I'm having trouble figuring this out. What I would like to do is block 1 local LAN IP address on my network ( from accessing any other devices on the local LAN (, I do however want to be able to access the internet fully, just not have any access to LAN resources at all. This client is wireless. I know I can enable AP Isolation, however I believe this setting affects all WLAN clients, and I just want this to be applied to this one client. I also prefer not to have to set up a VLAN to accomplish this, as I do want this client to be on the same LAN as the other devices, just not be able to access anything except WAN resources.

    I've been doing some research but I can't seem to find the best solution for this. I'm running Shibby's Tomato 1.28.RT5x v83v on an Asus RT-N16.
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    iptables -t filter -I FORWARD -s -d -j DROP
    in your firewall script.
  3. GhaladReam

    GhaladReam Network Guru Member

    Unfortunately this didn't work.. I put the firewall script in and rebooted the router.. However is still able to ping/access machines on the LAN.

    To be honest, is actually a 2nd router in Gateway mode running Gargoyle 1.5.1 (I probably should have mentioned this). I have set it up as a guest router for wired and wireless clients, and I chose gargoyle because it's able to recieve its WAN connection wirelessly. I even tried putting the machines connected to the Gargoyle router on a different subnet, but that didn't help.
  4. humba

    humba Network Guru Member

    Why would intra-subnet traffic pass through iptables? There's no routing being done for that kind of traffic so I suspect you'd need ebtables (working on layer2) (and then you'd restrict traffic by mac address, not ip address)
    Why would you want to place a client that should not be able to communicate with any other clients on the same subnet in that subnet? It should logically reside in a different subnet or at least vlan (in most cases, different vlans do imply different subnets though). So, in your scenario I'd use multi ssid... put the client in question into the different ssid, separate it from communicating with lan (and the other wlan) using vlans, and you'll be all set. You might even be able to configure dhcp to use the same range on multiple vlans (not entirely sure on that though, I've only ever done different subnets on different vlans/bridges)
  5. mstombs

    mstombs Network Guru Member

    I don't think the traffic between WLAN and WAN requires iptables - the virtual Ethernet ports vlan0 and eth1 are bridged in the lan bridge br0.
  6. GhaladReam

    GhaladReam Network Guru Member

    I didn't think Tomato supported multiple SSID's. The Gargoyle router does broadcast its own SSID for guests, but even clients connected to that are able to ping and access devices connected to my main router. My Setup:

    Cable Modem----WIRED TO WAN PORT---->ASUS RT-N16 (which has several wireless devices, and 4 wired devices) ----WIRELESS--->Gargoyle router (in gateway mode, so it has its own LAN)----WIRELESS/WIRED----->Guests

    Any device connected either wired or wireless to the Gargoyle router (which has its own ssid) can access the 4 wired, and any wireless clients connected to the RT-N16's SSID. I want any guest device connected to the Gargoyle router to be 100% isolated from the RT-N16's LAN, but still have access to the internet. As it stands, all guests can still ping and access any device connected to the RT-N16, even though the Gargoyle router is a seperate LAN altogether. This is where I'm unsure of what to do next.

    According to the Gargoyle router's WAN settings, its IP address is, which is an IP that the RT-N16 assigned to it via DHCP. The Gargoyle router shows up in the RT-N16's device list as a wireless client (which is what I want).
  7. GhaladReam

    GhaladReam Network Guru Member

    Ok, so it's not my ideal solution (as i'd rather have something set up on the RT-N16's side) but I think I've come up with something that seems to work. I've set up a simple access restriction on the Gargoyle router's GUI so that clients connected to it are denied access to, which is the entire LAN segment of my RT-N16. I've tested it, and now any client connected to the gargoyle router ( cannot ping or access the entire block, with the exception of, which is Gargoyle's WAN IP, which is fine.

    I've also enabled remote administration on the Gargoyle router so I can still access it from its WAN side on my primary RT-N16's LAN.

    My question is, does this sound like a feasible solution, and will it cause any complications or issues down the road?
  8. ReDaLeRt

    ReDaLeRt Networkin' Nut Member

Share This Page