Need to HIDE my router from lan users

Discussion in 'Tomato Firmware' started by mbryan718, Dec 4, 2018.

  1. mbryan718

    mbryan718 Networkin' Nut Member

    On some of my public networks, I need the ability to hide my router ..

    Sometimes we get users who like to tinker by scanning out hosts on the LAN .. My router serves certain functions, but is NOT the DHCP router on the network .. Here's my setup:
    - Cisco 800 Series Router (DHCP/DNS) - 172.16.199 - DHCP HOST RANGE
    - Linksys WRT54GL (FTP/HTTP) no dhcp running

    I need to block ICMP on the LINKSYS .. I want to make it less easy to locate by local users doing ping / port scans on the lan.. Is there an IPTables command that can do this?

    To sum it up, if a user tries to ping, I'd like them to get a timeout response.

    Any help is appreciated!!

  2. linkiTom

    linkiTom New Member Member

    place the on the wan link, done. Obviously, you are going to say: "I mana do..."

    yeah, no! is the answer. otherwise, proceed as per design.
  3. mbryan718

    mbryan718 Networkin' Nut Member

    Wow .. what a weird answer ..

    As a seasoned network engineer with over 25 years under my belt, I could not make heads or tails of what you just said..

    I have very little experience with Linux and IPTables .. if this was any other platform I would not be asking how to block local ICMP to my LAN interface. Cisco, HP, Mikrotik, and even Windows OS can block itself from being pinged. Placing it on the WAN link?? I don't know how you came up with that..

    Please go back to the kiddie pool ... this area is for adults.
  4. Yim Sonny

    Yim Sonny Serious Server Member

    You should be able to do it with access restrictions. Here is a screen shot of a config that would probably do it. Sorry for not testing first to confirm. This config would block all pings to and through that router, on both the LAN and WAN interfaces. Since it is not your gateway router that probably would not be an issue. You could also specify exceptions for certain devices if you did want to allow something to ping.


  5. ezinex

    ezinex New Member Member

    I think there's an option to block ICMP on the "firewall option".
    The other thing is maybe you can spoof the mac to be an IoT or a wifiHDD (storage) instead of a router.
  6. Yim Sonny

    Yim Sonny Serious Server Member

    There is that option but it applies only to the WAN.
    Are there special MAC addresses that will not allow an interface to respond to PING ? I'll have a Google at that, but have not yet heard of such a thing.
  7. ruggerof

    ruggerof Network Guru Member

    I think that the Access Restrictions only applies to the WAN.
  8. Yim Sonny

    Yim Sonny Serious Server Member

    You may be correct. I'll test it now and report back shortly.

    Update :
    You are correct. Only applies to traffic through. Not to LAN. So much for my bright ideas. I did Google up a couple of possible command sets that I did not understand very well. I'll tinker with it a bit to see if I can shake something out.

    Edit 2 :
    All I could find was to possibly exorcise the entire protocol from the router. It got a little deeper than I would be useful goofing with but maybe would work if applied properly.
    # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    Last edited: Dec 5, 2018
  9. ruggerof

    ruggerof Network Guru Member

    This works!

    @mbryan718: Drop the below line in Tools-Execute System Commands of your router and test.

    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  10. Bird333

    Bird333 Network Guru Member

    Try this
    iptables -I INPUT -p icmp -d <router-LAN-IP> -j REJECT --reject-with icmp-admin-prohibited
    iptables -I INPUT -p icmp -d <router-LAN-IP> -j REJECT
    May need to use FORWARD instead of INPUT. If you only want to block certain IPs on the lan you can add a source to the rules like this.
    iptables -I INPUT -p icmp -s 172.16.0.0/24 -d <router-LAN-IP> -j REJECT
  11. jerrm

    jerrm Network Guru Member

    All rather pointless on a LAN. Too many other ways to quickly find active hosts.

    REJECT won't be a timeout, it responds enough to know something is there. DROP would be the "invisible" target.
  12. Bird333

    Bird333 Network Guru Member

    Quite right.
  13. ruggerof

    ruggerof Network Guru Member

    True. In this regard the only way to hide it is to assign the 54GL a fixed IP outside of the network range.
  14. mbryan718

    mbryan718 Networkin' Nut Member

    It works!! This is exactly what I was looking for. I dropped it in my INIT script and now the router is permanently unpingable from LAN.

    Thanks for all of your help and comments!! I will also try the iptables command and post back my results.

    Thanks again .. Merry Christmas and Happy New Year!
  15. mbryan718

    mbryan718 Networkin' Nut Member

    This also worked! Clients receive "Destination net unreachable" when attempting to ping the router, which is just as effective.

    Thanks so much for your help!!
  16. jerrm

    jerrm Network Guru Member

    Not really. The REJECT lets folks know something is there and they should probe further. Either DROP the traffic or use the tunable.

    But again - all of this is pointless on a LAN for anyone with more than rudimentary skills.
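    The two approaches from the thread (the icmp_echo_ignore_all tunable and an iptables rule) combined into one Tomato init-script fragment, as an added example that is not from any poster. It uses DROP rather than REJECT, as jerrm points out, so a LAN scanner gets a timeout instead of a "net unreachable" that confirms a host, and the helper insists on a real CIDR because iptables does not accept the 172.16.0.* wildcard written above. Assumed: the LAN bridge is br0 (Tomato's default) and the script is run as root on the router.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Tomato's LAN bridge is br0.
LAN_IF=br0

# Print an iptables rule that silently DROPs ICMP echo requests arriving on
# the LAN interface, optionally limited to one source network.
# Returns 1 and prints nothing if the source is not a.b.c.d/n (so the
# "172.16.0.*" wildcard from the thread is refused instead of being run).
icmp_drop_rule() {
    src=$1
    if [ -z "$src" ]; then
        echo "iptables -I INPUT -i $LAN_IF -p icmp --icmp-type echo-request -j DROP"
        return 0
    fi
    echo "$src" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    echo "iptables -I INPUT -i $LAN_IF -s $src -p icmp --icmp-type echo-request -j DROP"
}

# Apply both layers: the kernel tunable from the thread (all interfaces) and a
# netfilter DROP on the LAN side. DROP, not REJECT: a REJECT still tells the
# scanner a host is there.
apply_lan_ping_block() {
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    eval "$(icmp_drop_rule)"
}

# Only touch the live firewall when explicitly asked and running as root,
# e.g. "sh this_script.sh apply" from Tools > Execute System Commands.
if [ "$1" = "apply" ] && [ "$(id -u)" = 0 ]; then
    apply_lan_ping_block
fi
```

    Verify from a LAN host with ping: with the rule in place it should time out rather than report "Destination net unreachable", and `iptables -L INPUT -n | grep icmp` on the router shows the DROP rule.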