Restrict WAN access to home automation devices

cdikland

Regular Contributor
Is it possible to restrict remote access to my wifi devices such as thermostat, cameras and light switches? By restrict I mean limit access to a specific IP (i.e., similar to the "Only Specific IP" option under Admin/System), completely disable any remote access to all or any of these devices and/or password protect remote access?


Router N66U FW:3.0.0.4.374.39_0-em
AP AC66U FW:3.0.0.4.374.39_0
 
i think the easiest way to do this would be to use a second router in a double nat configuration, then connect your devices to that network. keep users on the primary lan. to access the devices on the secondary, you'd have to use port forwarding with the primary lan ip of the double nat router. the secondary lan router could then block access to all devices from the outside except whomever.

then, you can do things like set a different wpa key, hide ssid, etc.
 
You could also add a smart/managed switch and put them on their own VLAN.
 
You could also add a smart/managed switch and put them on their own VLAN.

This is very new/foreign to me so please bear with me as I try to understand. First of all, most of the devices I am talking about are all wireless. How would I add each of these devices to a VLAN? Assuming I have them all in a separate VLAN, how would an authorized user on the outside access them? Any help would be appreciated.
 
the secondary lan router could then block access to all devices from the outside except whomever.

then, you can do things like set a different wpa key, hide ssid, etc.

:confused: Sorry... You lost me here. How would the 2nd router block this access? In other words, where/how would this be defined??
 
I think your knowledge level is too low for simple or short explanations. Sinshiva's advice is probably better and easier to implement.
 
to block access for a port to all but one IP, i believe this is correct;

iptables -A INPUT -i eth0 -p tcp ! -s 8.8.8.8 --dport 21 -j DROP

use that to block all but one IP (8.8.8.8 in the example) on the outside router.

with a double nat, you'd portforward to the devices' web interfaces on the secondary router. you'd portforward those ports again from the primary router to the secondary

then, to block access from the lan to your devices, you could use the same command as above with the IP set for the primary router's IP, such as 192.168.1.1

if you wanted more than 1 IP to access the devices, such as 192.168.1.1 for outside access and say one more local IP, you'd have to stagger the rules a bit, something like;

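# ACCEPT rules first; the catch-all DROP goes last because the first matching rule wins
iptables -A INPUT -i eth0 -p tcp -s 192.168.1.1 --dport 21 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 192.168.1.33 --dport 21 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 21 -j DROP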
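
The allowlist ordering discussed in the last post, as an added example that is not part of the original thread: a shell function that validates its input and prints the iptables commands with the ACCEPT rules ahead of the catch-all DROP. The function names and the ALLOW_<port> chain name are assumptions; eth0, port 21 and the addresses are the thread's sample values.

```sh
#!/bin/sh
# Added example: print iptables commands for a per-port source allowlist.
# eth0, port 21 and the addresses are the thread's sample values.
# The parent chain is INPUT as in the thread; traffic that is port-forwarded
# to a device behind the router traverses FORWARD, so pass FORWARD for that.

valid_ipv4() {
    # Dotted quad only, each octet 0-255.
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

gen_allowlist() {
    # usage: gen_allowlist PARENT_CHAIN IFACE PORT IP [IP...]
    [ "$#" -ge 4 ] || { echo "usage: gen_allowlist CHAIN IFACE PORT IP..." >&2; return 1; }
    parent=$1; iface=$2; port=$3
    shift 3
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } || { echo "bad port: $port" >&2; return 1; }
    # Validate everything before printing, so a bad entry yields no rules at all.
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    done
    chain="ALLOW_$port"   # hypothetical chain name
    echo "iptables -N $chain"
    for ip in "$@"; do
        echo "iptables -A $chain -s $ip -j ACCEPT"
    done
    # Catch-all DROP goes last: rules are evaluated in order, first match wins.
    echo "iptables -A $chain -j DROP"
    echo "iptables -I $parent -i $iface -p tcp --dport $port -j $chain"
}

# Print the rules for review; pipe the output to sh on the router to apply.
gen_allowlist INPUT eth0 21 192.168.1.1 192.168.1.33
```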
 
