DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Isolate IP address from the rest (2860)

04 Nov 2016 17:03 #1 by gungey
I've got a device with a fixed IP address (that I can't change) on my 192.168.1.x network and I'd like to isolate it from all other devices on the LAN (but allow WAN access). I'm using a Draytek 2860.

I've tried to add two LAN > LAN rules that block 192.168.1.xxx > 192.168.1.2-255 (and vice versa), but it is still accessible from other users on the network. Normally, I'd add it to another VLAN, but I can't change the fixed IP unfortunately.

Is there a reason my LAN > LAN firewall rules won't block the device being accessible from other LAN users? There is a port forward in place, but I doubt that should break anything.

04 Nov 2016 22:41 #2 by footsore
Any reason you can't make the main network another subnet? E.g. 192.168.0.x

20 Nov 2016 15:11 #3 by gungey
Unfortunately, this device has a fixed IP address that I'm unable to change - so I'd need to isolate it some other way. Should that be possible via the firewall?

Another problem is that even if I could change the IP address to another subnet, it's connected via a non-VLAN switch to one of the ports on the router that is set up for the 192.168.1.x subnet only. I guess there's not a way to force it on to 192.168.2.x that way even if I could change the IP?

21 Nov 2016 10:39 #4 by admin3
The firewall doesn't affect LAN communication within the same subnet because that traffic would not point to the LAN gateway. The best way to isolate it (in my opinion) would be a network switch with an access control list, aka a managed switch. That should allow you to control what can access what within the same physical network and subnet.



Forum Administrator
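The point made in the reply above, as an added example that is not part of the original thread: a small Python audit that classifies a LAN > LAN rule by whether the traffic it describes ever passes through the router. The device address 192.168.1.50, the second subnet 192.168.2.0/24 and the function names are constructed for illustration, and the check assumes non-overlapping subnets whose hosts all use the listed mask.

```python
from ipaddress import ip_address, ip_network, summarize_address_range

def overlaps(addr_range, subnet):
    """True if any address in the inclusive (first, last) range lies in subnet."""
    first, last = (ip_address(a) for a in addr_range)
    return any(b.overlaps(subnet) for b in summarize_address_range(first, last))

def router_sees(src_range, dst_range, lan_subnets):
    """Classify a LAN > LAN rule by whether matching traffic reaches the router.

    'never'   - source and destination share a subnet: hosts resolve each
                other with ARP and the switch delivers the frames directly,
                so the router's firewall is not in the path.
    'always'  - source and destination are in different subnets: traffic is
                sent to the gateway, where the rule can be applied.
    'partly'  - the ranges cover both situations.
    'unknown' - a range falls outside every listed subnet.
    """
    nets = [ip_network(n) for n in lan_subnets]
    src_nets = {n for n in nets if overlaps(src_range, n)}
    dst_nets = {n for n in nets if overlaps(dst_range, n)}
    switched = bool(src_nets & dst_nets)
    routed = any(s != d for s in src_nets for d in dst_nets)
    if switched and routed:
        return "partly"
    if routed:
        return "always"
    if switched:
        return "never"
    return "unknown"

# Constructed sample values (not taken from the thread).
LAN = ["192.168.1.0/24", "192.168.2.0/24"]
DEVICE = "192.168.1.50"

if __name__ == "__main__":
    rules = {
        "device > same subnet": ((DEVICE, DEVICE), ("192.168.1.2", "192.168.1.255")),
        "other subnet > device subnet": (("192.168.2.50", "192.168.2.50"),
                                         ("192.168.1.2", "192.168.1.255")),
        "device > both subnets": ((DEVICE, DEVICE), ("192.168.1.2", "192.168.2.255")),
    }
    for name, (src, dst) in rules.items():
        print(f"{name}: router sees traffic: {router_sees(src, dst, LAN)}")
```

A rule that comes back as "never" has to be enforced where the frames actually travel, for example with an ACL on a managed switch as suggested above.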

21 Nov 2016 17:30 #5 by jedi98
Hold on, who in their right mind would supply or manufacture a device with a fixed IP address of 192.168.1.x? It would not work on a good half of the default routers; many set their LAN to 192.168.0. And what if you had to put two of the devices in?

It's not one of those annoying devices that picks up the subnet (somehow) then sticks itself onto address 250 on that subnet, is it? I have seen some IP cameras that do that; it's really annoying, but you can change the setup on those. If it does that then you can just set it up on another VLAN and it should pick up the different subnet.

Or I may have misunderstood the situation! Maybe the IP is fixed due to lack of access rather than design.
