How to block LAN access for a wired device on ASUS Merlin (Firmware 3004.388.8_2)?

[kuposcar]

I have ASUS Merlin Firmware: 3004.388.8_2, and I have a device connected via Ethernet to a switch, and the switch is connected to the router. I want this device to have no access to the rest of my local network. Is this possible?
Thank you very much.

 

[rung]

I have it working with some scripts on my router. Not sure if it would work on other router types:
https://www.snbforums.com/threads/rt-ax86u-pro-lan-port-on-guest-network.91966/post-928266

Rung

 

[eibgrad]

I have it working with some scripts on my router. Not sure if it would work on other router types:
https://www.snbforums.com/threads/rt-ax86u-pro-lan-port-on-guest-network.91966/post-928266

Rung

But doesn't that assume the secondary switch will be dedicated to that LAN port on the primary router? IOW, *any* device on the secondary switch ends up isolated from the private network. Not sure if that's what the OP is looking for. Not unless the OP is willing/able to plug the device into that LAN port on primary router directly.

 

[rung]

But doesn't that assume the secondary switch will be dedicated to that LAN port on the primary router? IOW, *any* device on the secondary switch ends up isolated from the private network. Not sure if that's what the OP is looking for. Not unless the OP is willing/able to plug the device into that LAN port on primary router directly.

You are correct. Yes, everything on the switch would be isolated, but could still be useful for some but maybe not op.

 

[rung]

But doesn't that assume the secondary switch will be dedicated to that LAN port on the primary router? IOW, *any* device on the secondary switch ends up isolated from the private network. Not sure if that's what the OP is looking for. Not unless the OP is willing/able to plug the device into that LAN port on primary router directly.

Also, wouldn't a couple of managed switches work for that? I understand they are not expensive. Combine and uncombine two ports on the router: the isolated port and a regular port.

 

[eibgrad]

Also, wouldn't a couple of managed switches work for that? I understand they are not expensive. Combine and uncombine two ports on the router: the isolated port and a regular port.

Sure. Although if you go down the path of additional hardware, my first inclination would be to use an old router, esp. since I'm sure a lot of users have such hardware lying around doing nothing (consider all the ASUS AC routers soon to reach EOL). Even an old wireless G/N router will suffice in many instances, esp. for low bandwidth applications. That's the very point of having routers; to create isolation. You avoid messing w/ VLANs entirely.

Granted, it's not nearly as cool as VLANs, but esp. for the network challenged, it's probably easier to understand and manage (and cheaper).

 

[Tech9]

Or just unplug the Ethernet cable and connect this client wirelessly to a Guest Network. Worst case USB Wi-Fi adapter may be needed, not a new switch.

 

[kuposcar]

Thank you for your responses.
Of course, the difficult part was isolating it through its fixed IP or MAC address so I wouldn't have to dedicate a router port just for that or isolate everything on the switch. However, I think I won't have any other choice but to use additional hardware or dedicate a LAN port just for that.
Thank you very much!

 

[webreaper]

I'm trying to resolve a similar thing, so want to check if my understanding is correct. Here's my scenario:

1. There's an event in my village, which will need internet access for payment providers
2. I'm the nearest house to the event
3. So we're going to use powerline from my LAN, via a long extension cable to a powerline AP where the stands are going to be.
4. All that is working, but I want to limit access so that anyone connecting to the AP will only have access to the internet, and not to any of my network devices (in particular my NAS)
5. So I'd like to configure something so that anyone connecting via (say) IP 192.168.1.228 will be able to access the internet, but nothing else on the LAN (or, I'd block specific devices that I care about).

Is this possible at all? It sounds like not.

I'm guessing the simplest idea is to get another Powerline wifi unit and connect that to the guest network (which has wifi access but no access to the LAN).

 

[ColinTaylor]

Is this possible at all? It sounds like not.

No. Not unless you do some custom scripting (and testing), and reported results have been mixed AFAICT.

I'm guessing the simplest idea is to get another Powerline wifi unit and connect that to the guest network (which has wifi access but no access to the LAN).

That would only work if the new powerline Wi-Fi unit can work as a wireless client or bridge rather than as an access point. In theory you could just connect a wireless extender (aka repeater) to the existing powerline adapter that's in your home and configure it to connect to your main guest Wi-Fi. All of this is assuming that your point to point powerline link is isolated (physically or logically) from any other powerline virtual circuits that are in use.

 

[webreaper]

Thanks. Luckily I found a TPLink RE550 in a drawer, so now have:

Router ===> (guest wifi) ===> RE550 ===> (ethernet) ==> Powerline ==> (AC/mains cable) => Powerline AP ===> (wifi for event stalls)

It's a bit contrived, but it works. I was slightly confused how I could access my LAN devices from the Powerline AP wifi at first, and then went to check my guest network settings, and it turned out I must have enabled 'Intranet enabled' some time back. Flipped that back to disabled, and now my Powerline AP has internet access but can't see the LAN.

Cheers!

 

[ColinTaylor]

turned out I must have enabled 'Internet enabled' some time back.

That's "intranet" (aka LAN), not internet.

 

[webreaper]

That's "intranet" (aka LAN), not internet.

Thanks, you're correct - fixed my typo.