I have set an IP Pool of 192.168.88.151 - 192.168.88.200.
I also have static IPs set for certain devices outside this pool.
Is there a way I can set Internet Only (NO LAN) for the address' in the above pool? And if someone needs access to the LAN I can just set a static IP outside this range.
I tried using a Firewall Rule using an "Internet only" address list in a forward rule, but still had access to LAN devices.
Thanks,
Re: Internet only (NO LAN) access for IP Pool
If you have two subnets on the router, or two vlans.............. then yes you can easily stop communication between the subnets at L3, via firewall rules.
If you mean that someone within 192.168.88.0/24 should NOT be able to access some else in 192.168.88.0/24, it cannot be done in firewall rules as that is layer2 traffic.
The easy answer is to add a separate subnet to separate users.
Since you didnt state the why........... its hard to understand what you need to accomplish trafffic wise.
If you mean that someone within 192.168.88.0/24 should NOT be able to access some else in 192.168.88.0/24, it cannot be done in firewall rules as that is layer2 traffic.
The easy answer is to add a separate subnet to separate users.
Since you didnt state the why........... its hard to understand what you need to accomplish trafffic wise.
Re: Internet only (NO LAN) access for IP Pool
I see.
The reason for the request is we have a media server that some need access to, and for everyone else they just need internet access. But only accessing the server IP and no other LAN stuff.
There's also some other LAN stuff that shouldn't be accessable.
I thought of trying VLANs again, but I would still need to have devices/users to access the media server without accessing other LAN stuff.
So I thought I could just static IP stuff that needs access to WAN and LAN, and the IP pool would just be for WAN access.
The last time I tried VLANs I had to reset the RB4011 to gain access.
The reason for the request is we have a media server that some need access to, and for everyone else they just need internet access. But only accessing the server IP and no other LAN stuff.
There's also some other LAN stuff that shouldn't be accessable.
I thought of trying VLANs again, but I would still need to have devices/users to access the media server without accessing other LAN stuff.
So I thought I could just static IP stuff that needs access to WAN and LAN, and the IP pool would just be for WAN access.
The last time I tried VLANs I had to reset the RB4011 to gain access.
Re: Internet only (NO LAN) access for IP Pool
I understand your angst and know of what you speak.
Putting the Media Server on its own vlan would be really easy since its a single device, could even be on a LAN port on the router.
Users depending might be more difficult to separate ( internet only users and then those that can have internet access and media access ).
VLAN5 - media server
VLAN10 - all users
OR
VLAN5 - media server
VLAN10 - users media server and internet
VLAN15 - users to internet only
To assist. To ensure users do not see each other they cannot be in the same subnet (aka the same vlan).
So create vlans to help you do that.
IN terms of access across vlans, EASILY handed in firewall rules.
We normally put a drop all rule at the end of the forward chain and thus all vlans are blocked from each other.
We make allow rules before this for the exceptions. One useful tool is firewall address lists.
One can make a list of users within a subnet requiring access and then a firewall rule is fast and easy.
IN terms of not getting shut out of the router again easily accomplished
Take one port ( hopefully unusesd, if used then temporarily assign it )
Take if off the bridge, give it an IP address and ensure its part of the trusted interface .
I can help get you there and then vlans are easy peasy
Would need to see your config prior though
/export file=anynameyouwish ( minus router serial number, any public WANIP info, keys etc. )
Putting the Media Server on its own vlan would be really easy since its a single device, could even be on a LAN port on the router.
Users depending might be more difficult to separate ( internet only users and then those that can have internet access and media access ).
VLAN5 - media server
VLAN10 - all users
OR
VLAN5 - media server
VLAN10 - users media server and internet
VLAN15 - users to internet only
To assist. To ensure users do not see each other they cannot be in the same subnet (aka the same vlan).
So create vlans to help you do that.
IN terms of access across vlans, EASILY handed in firewall rules.
We normally put a drop all rule at the end of the forward chain and thus all vlans are blocked from each other.
We make allow rules before this for the exceptions. One useful tool is firewall address lists.
One can make a list of users within a subnet requiring access and then a firewall rule is fast and easy.
IN terms of not getting shut out of the router again easily accomplished
Take one port ( hopefully unusesd, if used then temporarily assign it )
Take if off the bridge, give it an IP address and ensure its part of the trusted interface .
I can help get you there and then vlans are easy peasy
Would need to see your config prior though
/export file=anynameyouwish ( minus router serial number, any public WANIP info, keys etc. )
Re: Internet only (NO LAN) access for IP Pool
Thanks.
I'm gonna try VLANs again. RB4011 with a CRS328-24P-4S.
Trunk will be eth 2 on both router and switch.
I have everything plugged into the switch, server, APs, CCTV cameras, and various computers / TV tuners.
I have the CCTV NVR plugged into eth 4 on router, and the server idrac to eth 3 on router. Maybe they can also be plugged into the switch and isolated as well. And this would save CCTV camera traffic having to go from switch to router to be recorded to the NVR.
So I would like,
VLAN 10, on eth 10, on router as management port, with access to router and the rest of the network equipment. Isolated off bridge, with its own IP address DHCP,
VLAN 100, for Internet access and access to two IP addresses, one for the TV, the other for EMBY. Nothing else. Although the server is accessed via a different IP to service and configure, the TV and EMBY are on their own IPs.
VLAN 200 for access to all. I thought about just using VLAN 10 but that should should be for emergency only on eth 10 on router.
Also I will be using VLANs on SSIDs. So I will have access to VLAN 200 onu own SSID. And everyone else will be on VLAN 100 for access to the Internet and the 2 IP addresses for the services running on server.
I'm going to try and set this up tomorrow, no one will be home should I mess things up
I'm gonna try VLANs again. RB4011 with a CRS328-24P-4S.
Trunk will be eth 2 on both router and switch.
I have everything plugged into the switch, server, APs, CCTV cameras, and various computers / TV tuners.
I have the CCTV NVR plugged into eth 4 on router, and the server idrac to eth 3 on router. Maybe they can also be plugged into the switch and isolated as well. And this would save CCTV camera traffic having to go from switch to router to be recorded to the NVR.
So I would like,
VLAN 10, on eth 10, on router as management port, with access to router and the rest of the network equipment. Isolated off bridge, with its own IP address DHCP,
VLAN 100, for Internet access and access to two IP addresses, one for the TV, the other for EMBY. Nothing else. Although the server is accessed via a different IP to service and configure, the TV and EMBY are on their own IPs.
VLAN 200 for access to all. I thought about just using VLAN 10 but that should should be for emergency only on eth 10 on router.
Also I will be using VLANs on SSIDs. So I will have access to VLAN 200 onu own SSID. And everyone else will be on VLAN 100 for access to the Internet and the 2 IP addresses for the services running on server.
I'm going to try and set this up tomorrow, no one will be home should I mess things up
Re: Internet only (NO LAN) access for IP Pool
Great.
When done post config of both devices for review.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)
When done post config of both devices for review.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)