As the title says, I have a hitron modem/router. I have some wifi devices that I would like to block from accessing anything outside of my LAN (or anything from outside my LAN accessing them either). How can I configure this?
Have a look at the Cisco Connect application that is loaded on the USB setup key that comes with the modem. It does have parental controls on it, but, I don't know if it has that capability on it. I suspect that it will just shut down all access for selected MAC addresses on your LAN. But, have a look to see what is there. I had a look at my Asus RT-AC68U and that has Parental controls but not to the level of blocking Internet Access while leaving the local LAN open. I suspect that Merlin firmware might have that available but I'll have to check. That also requires a router that accepts Merlin firmware.
Edit: I had a look at the Merlin Screenshots and documentation but can't find any indication of the capability that you want. That doesn't mean that it's not there, just that it's not detailed to the point that one can say, "yes, it will do that". What Merlin can do is specify different DNS for users on the local LAN, so, if you wanted to specify family friendly search DNS addresses for kids while using another DNS for yourself, you can do that.
Merlin is an adaptation of the Asus WRT used in Asus routers. Merlin is usually ahead of the game when it comes to bug fixes and implementation of features that users are interested in. Here's a link for the Merlin firmware:
What you could do is sign onto the forum for Merlin and post a question, describing what you are trying to do and see what comes up for responses. Perhaps your query will generate an update that includes that capability if it doesn't already exist. I can't see a way to search the forum indicated below. Perhaps one has to sign in to be able to search the forum.
Yes, that's pretty accurate. To be more specific, I have some IP cameras, and I want to make sure they can only be accessed from other devices on my LAN.
@Datalink I was looking at the ASUSWRT options and it appears that this can be accomplished within the Firewall settings.
"The Network Services filter blocks the LAN to WAN packet exchanges and restricts devices from using specific network services.
For example, if you do not want the device to use the Internet service, key in 80 in the destination port. The traffic that uses port 80 will be blocked."
I don't want to take my Hitron out of bridge mode to see if it has a similar feature, but I assume if it exists it would also be within the firewall settings.
Unless there was any forwarding, etc going on.. nothing from the WAN side should be able to see the cameras.
But blocking otherwise... anything plugged in/wireless.. would potentially then have access to the cameras if they are connected inside your house.
(really only way I could see otherwise.. is segregated 'guest' network segregated from the rest of your LAN.. or getting into more advanced routing.. setting up separate VLANs, etc )
Thanks for the replies Datalink and roxandreez.
Thing is I didn't want to block specific ports, because I'm not sure what the camera itself might open up using udp. I know the cameras have a phone home service (for "easy" login from anywhere), and I'm not sure what all ports to block. What I see in the current port forward list might not show intermittent port forwards triggered via upnp.
Also, the Service filter tab blocks ports for all LAN devices (not something I necessarily want to do, especially if I am blocking the full range).
Turns out the Device filter is what I was looking for. Although, the text description on the Device filter settings tab is a bit misleading:
"You can block/allow the network access for specified devices here"
From this description, it sounds more like the device filter would act as a filter for LAN and WAN connectivity. i.e. filter the entire device to any type of network access. However, blocked devices on this list can still be accessed via LAN, but not externally from WAN side attempts.
That's the question that I was wondering about, the "phone home service". I was wondering if these were just dumb cameras or had an embedded controller which would run such a function. As @Gdkitty indicated, they should not be reachable from the WAN side of the modem or router, but, if they are calling out, that might be a different matter. You should for now disable UPNP in the modem to be on the safe side I would think. Is there no indication anywhere online as to what ports these cameras use? I can't imagine that you're the only one with that question.
If you were running a router, you would be able to bring up a network management panel to see what address and port the cameras are connecting to, if any. So, that might be food for thought, going down the path of buying a router so that you have better control over network access.
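One way to check what address and port the cameras are connecting to, as raised in the last reply, is to summarize the router's connection-tracking table. This is an added example, not code from any poster in this thread; it assumes a Linux-based router where `/proc/net/nf_conntrack` can be read, and the LAN subnet, camera addresses and sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumptions (not from the thread): the LAN subnet and the cameras' addresses.
LAN = ipaddress.ip_network("192.168.0.0/24")
CAMERAS = {"192.168.0.50", "192.168.0.51"}

# Constructed sample in the layout of Linux /proc/net/nf_conntrack.
SAMPLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.0.50 dst=203.0.113.10 sport=51234 dport=443 src=203.0.113.10 dst=198.51.100.2 sport=443 dport=51234 [ASSURED] mark=0 use=2
ipv4     2 udp      17 25 src=192.168.0.50 dst=203.0.113.20 sport=40000 dport=32100 [UNREPLIED] src=203.0.113.20 dst=198.51.100.2 sport=32100 dport=40000 mark=0 use=2
ipv4     2 udp      17 12 src=192.168.0.51 dst=239.255.255.250 sport=1900 dport=1900 [UNREPLIED] src=239.255.255.250 dst=192.168.0.51 sport=1900 dport=1900 mark=0 use=2
ipv4     2 tcp      6 300 ESTABLISHED src=192.168.0.20 dst=192.168.0.50 sport=55000 dport=554 src=192.168.0.50 dst=192.168.0.20 sport=554 dport=55000 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 100 ESTABLISHED src=192.168.0.20 dst=203.0.113.99 sport=55001 dport=443 src=203.0.113.99 dst=198.51.100.2 sport=443 dport=55001 [ASSURED] mark=0 use=2
"""

# The first src/dst/sport/dport tuple on a line is the original direction,
# i.e. who opened the connection. The second tuple is the expected reply.
FLOW = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def camera_wan_flows(text):
    """Count flows opened by a camera to a destination outside the LAN."""
    flows = Counter()
    for line in text.splitlines():
        fields = line.split()
        match = FLOW.search(line)
        if len(fields) < 3 or not match:
            continue  # e.g. ICMP entries, which carry no ports
        src, dst, _sport, dport = match.groups()
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue  # malformed entry
        # Keep only camera-initiated traffic that leaves the LAN; multicast
        # such as SSDP discovery (239.255.255.250) stays on the local segment.
        if src not in CAMERAS or dst_ip in LAN or dst_ip.is_multicast:
            continue
        flows[(src, fields[2], dst, int(dport))] += 1
    return flows


if __name__ == "__main__":
    for (src, proto, dst, dport), n in sorted(camera_wan_flows(SAMPLE).items()):
        print(f"{src} -> {dst} {proto}/{dport} ({n} flow(s))")
```

On a live router, pass the contents of `/proc/net/nf_conntrack` instead of `SAMPLE`; once a working WAN block is in place for the cameras, the summary should come back empty or show only unreplied entries.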