How to isolate a computer from my network using a Billion 7800n and a BusyBox prompt

0

My only router is a Billion 7800n connected to the internet using the EWAN port. I have 4 computers connected to it, 2 wired and 2 using wifi. I want to isolate one of the wired ports from seeing the other computers, but I still want all of them to access the internet. It seems impossible to set up using the web GUI, but I can access a BusyBox prompt. Any suggestions on how I would do that?

Thanks, Dan

Dan Harris

Posted 2013-10-24T10:01:40.843

Reputation: 1

Answers

0

You will have to use iptables. Let us assume your router is 192.168.1.1, your normal clients are 192.168.1.2-4, and the one you want to isolate is 192.168.1.100. Then the following rules will do:

iptables -A FORWARD -s 192.168.1.100 -d 192.168.1.2 -j DROP
iptables -A FORWARD -s 192.168.1.100 -d 192.168.1.3 -j DROP
iptables -A FORWARD -s 192.168.1.100 -d 192.168.1.4 -j DROP

In principle this should be enough. But if the person using 192.168.1.100 has access (even physical!) to the other machines, it might make sense to prevent the establishment of reverse tunnels, in which case I would add these rules:

iptables -A FORWARD -s 192.168.1.2 -d 192.168.1.100 -j DROP
iptables -A FORWARD -s 192.168.1.3 -d 192.168.1.100 -j DROP
iptables -A FORWARD -s 192.168.1.4 -d 192.168.1.100 -j DROP

There are two conditions for this to work: first, it is essential that the communications through 192.168.1.100 pass through the router. In other words, you must connect 192.168.1.100 to the router, not to a switch. If you connect it to a switch, since it is internal traffic, the switch will be able to forward the communication attempts from 192.168.1.100 to the other PCs connected to the switch without passing through the router, i.e., directly, and the above commands will never be applied. Second, the PCs must always have the same IP addresses; you can achieve this either with static IPs, or with reserved IPs, a feature which is set in your router GUI.

EDIT:

According to Wikipedia,

In computer networking, a single layer-2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them via one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN or VLAN.

A situation where "packets can only pass between them via one or more routers" is exactly the one I just described. The only difference is that 192.168.1.100 would be able to intercept broadcast traffic. Not much use for that here, but I can still amend the iptables rules in such a way as to obtain that effect, if you wish. Otherwise, the solution I describe above is identical to the one you are referring to in your comment.

MariusMatutiae

Posted 2013-10-24T10:01:40.843

Reputation: 41 321

I was thinking more of a port-based solution, so if the isolated computer was on port 4 it would not be able to access the router web GUI, or if a computer was connected on port one, only that computer could access the router GUI. I thought that might be possible using VLANs but I am not sure? – Dan Harris – 2013-10-24T16:19:34.657

What I should have said in my original question is that I will have no control of the isolated computer attached to my 7800n. It will be going to my neighbour, so in theory he could change the IP address. I could use the MAC address, but I just think there may be a better, more secure solution using bridge, VLAN maybe, I don't know. Given that people bank online, in hindsight, letting an untrusted, possibly virus-infected machine onto a local network was probably not a good idea. But for the time being I am stuck with it. – Dan Harris – 2013-10-24T19:15:44.577
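A scripted version of the answer's approach, added here as an example and not part of the original thread or the router's firmware. It generalizes the three per-host rules above into one pair of subnet-wide rules kept in their own chain, so the isolated machine stays blocked whatever LAN address it picks (the concern raised in the comment) and new clients are covered without editing the rules; it also drops the isolated host's connections to the router's own web GUI ports, which FORWARD rules never see because that traffic goes through INPUT. The addressing follows the answer; the chain name ISOLATE, the GUI ports 80 and 443, and the IPT=echo dry-run switch are assumptions for illustration, and the script assumes a BusyBox-style iptables with the basic tcp match. As the answer says, none of this affects traffic that never traverses the router's FORWARD chain.

```shell
#!/bin/sh
# Added example (not from the thread). Isolates one LAN host with iptables.
# Assumed addressing follows the answer: router 192.168.1.1, LAN 192.168.1.0/24,
# isolated host 192.168.1.100. Override with environment variables, e.g.
#   ISOLATED=192.168.1.50 sh isolate.sh apply
# Without "apply" the script only prints the rules it would run (IPT=echo).

IPT="${IPT:-iptables}"               # set to "echo" for a dry run
LAN_NET="${LAN_NET:-192.168.1.0/24}" # the whole LAN, not just the known clients
ISOLATED="${ISOLATED:-192.168.1.100}"
GUI_PORTS="${GUI_PORTS:-80 443}"     # assumed ports of the router's web GUI

# Install the isolation rules for one host in a private chain. Using a chain
# means re-running the script replaces the old rules instead of appending
# duplicates to FORWARD.
isolate_host() {
    host="$1"
    $IPT -N ISOLATE 2>/dev/null      # create the chain (fails harmlessly if present)
    $IPT -F ISOLATE                  # start from an empty chain each time
    # Both directions, as in the answer, but against the whole subnet so the
    # isolated host stays blocked whatever LAN address it chooses. Internet-bound
    # traffic does not match -d LAN_NET and still passes.
    $IPT -A ISOLATE -s "$host" -d "$LAN_NET" -j DROP
    $IPT -A ISOLATE -s "$LAN_NET" -d "$host" -j DROP
    # Hook the chain in at the top of FORWARD (remove any earlier hook first).
    $IPT -D FORWARD -j ISOLATE 2>/dev/null
    $IPT -I FORWARD 1 -j ISOLATE
    # Traffic to the router itself goes through INPUT, not FORWARD, so block the
    # web GUI ports there too. DNS and DHCP to the router are left alone.
    for p in $GUI_PORTS; do
        $IPT -D INPUT -s "$host" -p tcp --dport "$p" -j DROP 2>/dev/null
        $IPT -I INPUT 1 -s "$host" -p tcp --dport "$p" -j DROP
    done
}

# Remove everything isolate_host installed.
unisolate_host() {
    host="$1"
    $IPT -D FORWARD -j ISOLATE 2>/dev/null
    $IPT -F ISOLATE 2>/dev/null
    $IPT -X ISOLATE 2>/dev/null
    for p in $GUI_PORTS; do
        $IPT -D INPUT -s "$host" -p tcp --dport "$p" -j DROP 2>/dev/null
    done
}

case "${1:-}" in
    apply)  isolate_host "$ISOLATED" ;;
    remove) unisolate_host "$ISOLATED" ;;
    *)      IPT=echo; isolate_host "$ISOLATED" ;;   # dry run: print the rules
esac
```

Run `sh isolate.sh` on any machine to see the rules it would install, `sh isolate.sh apply` as root on the router to install them, and `sh isolate.sh remove` to take them out again. The subnet-wide form is what makes the comment's "he could change the IP address" less of a problem: any address the isolated machine picks inside 192.168.1.0/24 still matches the drop rules. Whether the router keeps iptables rules across a reboot depends on the firmware, so check that after restarting it.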