Access Restriction settings question

Discussion in 'Tomato Firmware' started by Livin, Feb 2, 2013.

  Livin

    Livin Serious Server Member

    I'm trying to use Access Restriction to block all communications/ports between two specific devices on the same LAN.

    I want to block Device A from communicating with Device B while still allowing Device A to talk to the rest of the LAN.

    I have tried doing this several ways but it is not working. Can someone tell me exactly what needs to be set... a screenshot would be highly appreciated too!

    Device A is a MiCasaVerde Vera 3
    Device B is an Onkyo receiver with ethernet
    The issue I'm having is the Vera is responding to DHCP and we think UPnP communications from the Onkyo. The Vera is somehow sending back something causing the Onkyo's networking to stop working completely. We can see in packet traces that if we do not block the DHCP, the Onkyo never gets a response. If we block the Vera, the DHCP completes fine... but even then, if we only block port 67, the Onkyo gets an IP address but its web server never responds.
    Since the two devices do not need to communicate for any reason I'd like to simply block all communications. I know it sounds strange but several Vera/Onkyo users of several different models have confirmed this issue. A few users are subnetting the Vera but it seems to me using Access Restriction might be easier to set up & manage?

  gfunkdave

    gfunkdave LI Guru Member

    The reason nobody is replying is that what you want is impossible. The router doesn't route packets that originate and are destined for the same LAN - there's no routing involved since it's a direct connection between the two devices.

    Either put them on different VLANs or, better yet, configure them to behave correctly on the network.

  koitsu

    koitsu Network Guru Member

    I make no promises, but possibly the ebt_mac (for ebtables) or ipt_mac (for iptables) modules would allow filtering at this level. My vote would be for ebt_mac / ebtables since it affects bridging, and br0 would be the relevant bridge interface. However, it might not work given how the hardware-level switching fabric works; I really don't know. I don't have familiarity with Linux at layer 2 (Ethernet/MAC/ARP), I'm used to actual managed hardware switches (i.e. ProCurve).

    My recommendation, as always, is to apply KISS principle as much as possible: get rid of the MiCasaVerde Vera 3 device, problem solved. Figure out how to get rid of the device (i.e. get your router to do whatever this thing does, if possible), or find a different brand of device. It's really a better solution in the long run anyway.
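
As an added example (not code from koitsu, Livin or the Tomato project), here is a small POSIX shell script of the kind one would drop into Tomato's Firewall script slot to build the ebtables rules koitsu is pointing at: drop every bridged frame between two MAC addresses, in both directions. It assumes the firmware build actually ships ebtables, that both devices sit on the br0 bridge, and it uses constructed placeholder MAC addresses. Two caveats a practitioner should have in mind before trying it. First, on these routers the wired LAN ports hang off a hardware switch, so frames switched between two wired ports never reach the CPU or br0; the rules only see traffic that crosses the bridge in software, for instance when one of the two devices is on Wi-Fi. Second, a layer-2 drop keyed on destination MAC does nothing about broadcasts: a DHCP DISCOVER from the Onkyo is a broadcast and the Vera will still see it, so what these rules can catch is the unicast traffic between the two hosts, such as a reply sent to the Onkyo's MAC.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomato itself.
# Builds (and optionally applies) ebtables rules that drop bridged frames
# between two MAC addresses on the LAN bridge, in both directions.
# Assumptions: the Tomato build ships ebtables and the LAN bridge is br0.
# The two MAC addresses below are constructed placeholders.

VERA_MAC="00:11:22:33:44:55"    # placeholder for Device A (Vera)
ONKYO_MAC="66:77:88:99:aa:bb"   # placeholder for Device B (Onkyo)

# Return 0 if $1 looks like a colon-separated MAC address, 1 otherwise.
# ebtables aborts on a malformed address, so validate before building rules.
valid_mac() {
    hex='[0-9a-fA-F][0-9a-fA-F]'
    case "$1" in
        $hex:$hex:$hex:$hex:$hex:$hex) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the two ebtables commands that isolate MAC $1 from MAC $2.
# The FORWARD chain only sees frames the bridge forwards between its ports,
# so nothing here touches traffic to or from the router itself.
# Only unicast frames carry a host destination MAC; a broadcast such as a
# DHCP DISCOVER from either device is not matched by these rules.
gen_block_rules() {
    a="$1"; b="$2"
    valid_mac "$a" && valid_mac "$b" || return 1
    printf 'ebtables -A FORWARD -s %s -d %s -j DROP\n' "$a" "$b"
    printf 'ebtables -A FORWARD -s %s -d %s -j DROP\n' "$b" "$a"
}

# Apply the rules. Each rule is deleted first (ignoring "not found") and then
# re-added, so re-running this from the Firewall script on every firewall
# restart does not stack duplicate rules.
apply_block_rules() {
    a="$1"; b="$2"
    if ! command -v ebtables >/dev/null 2>&1; then
        echo "ebtables not found in this firmware build" >&2
        return 1
    fi
    gen_block_rules "$a" "$b" | while read -r cmd; do
        del=$(printf '%s\n' "$cmd" | sed 's/ -A FORWARD / -D FORWARD /')
        $del >/dev/null 2>&1 || true
        $cmd && echo "added: $cmd"
    done
}

# Without an argument, only print the rules for review; with "apply", install them.
if [ "${1:-}" = "apply" ]; then
    apply_block_rules "$VERA_MAC" "$ONKYO_MAC"
else
    gen_block_rules "$VERA_MAC" "$ONKYO_MAC"
fi
```

Run it as `sh isolate.sh` first to review the generated rules, then `sh isolate.sh apply` (or paste the body into Administration > Scripts > Firewall) with the real MAC addresses filled in. If `ebtables -L FORWARD` afterwards shows the two DROP rules but the devices still reach each other, both are almost certainly wired into the hardware switch and the traffic never crosses br0, which is the case where VLANs are the only option.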

  Livin

    Livin Serious Server Member

    I cannot get rid of the Vera device. Until they fix it I can try VLANs... anyone have a pointer to a good tutorial on how to do VLANing... still need all the devices to see both the Onkyo & Vera... but I need to block them from talking to each other.

  koitsu

    koitsu Network Guru Member

    Please see the first paragraph of my previous reply for avenues to go down (use of ebtables, blocking traffic between two MAC addresses).

    The second part is that you still haven't given a good explanation for why you can't remove that device from the LAN; "I can't" really isn't sufficient, especially if the reason is technical (maybe your router can accomplish the same task) -- it's akin to going to a doctor and saying "it hurts when I stab myself in the leg", to which the doctor will reply "well then stop stabbing yourself...?!" Sorry if that sounds harsh, but I'm going purely off of what's been stated so far.

  Livin

    Livin Serious Server Member

    The Vera is my home automation and security device. If VLAN will remove the problem, until Vera fixes the issue, then that is fine for me. It is 1000x less work, and who knows how much less cost, than replacing the Vera with an equal device/software.

    I'll look into the ebtables, I don't know anything about them but will research today. I thought the Access Restriction (AR) section would be blocking the traffic since it specifically asks for MAC address - and when I have AR block port 67 from the Vera, the Onkyo gets an IP via DHCP - otherwise it does not.
