DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Vigor 2862 - Selective Intra-LAN communication
- ecm200
- Topic Author
- User
-
21 Feb 2018 21:21 #7
by ecm200
Replied by ecm200 on topic Re: Vigor 2862 - Selective Intra-LAN communication
Hornbyp, thanks very much for your assistance.
I connected my laptop to the trusted network via ethernet cable, and then used the DGND4000 router AP admin page, which I am using as the wireless AP for the IOT network on 192.168.2.0 subnet, as the ping and trace route target to assess firewall performance. Straight away it worked, either passing or blocking packets as per the firewall rule. So you were absolutely correct, the Draytek IP address on each subnet is treated differently and not subject to firewall rules. I guess, in theory, the packet is not leaving the router and so therefore is not tested by the firewall, even though it is on a different subnet.
So I should be able to setup the firewall rules as we suggested, using IP objects and groups to specify specific rules for IOT devices requiring internet and internet and LAN connectivity.
I suppose to be completely secure, I should work out what ports each IOT device needs on the local network and only open these, rather than a carte blanche pass on any port for a subset of IPs.
Thanks again, I am glad it was my testing target rather than my understanding of how firewall rules work. I was beginning to worry ....
I connected my laptop to the trusted network via ethernet cable, and then used the DGND4000 router AP admin page, which I am using as the wireless AP for the IOT network on 192.168.2.0 subnet, as the ping and trace route target to assess firewall performance. Straight away it worked, either passing or blocking packets as per the firewall rule. So you were absolutely correct, the Draytek IP address on each subnet is treated differently and not subject to firewall rules. I guess, in theory, the packet is not leaving the router and so therefore is not tested by the firewall, even though it is on a different subnet.
So I should be able to setup the firewall rules as we suggested, using IP objects and groups to specify specific rules for IOT devices requiring internet and internet and LAN connectivity.
I suppose to be completely secure, I should work out what ports each IOT device needs on the local network and only open these, rather than a carte blanche pass on any port for a subset of IPs.
Thanks again, I am glad it was my testing target rather than my understanding of how firewall rules work. I was beginning to worry ....
Please Log in or Create an account to join the conversation.
- pharcyder
- Offline
- Member
-
- hornbyp
- User
-
20 May 2021 13:59 #9
by hornbyp
No, just the clunky method of manually swapping SSID on my phone, whenever I want to access something on the "I.O.T." LAN.
(Or relying on the device's 'cloud interface' and accessing it as though I'm off-site).
Otherwise, some sort of 'proxy' is presumably required on each network segment? Perhaps that already exists for mDNS? ...
Replied by hornbyp on topic Re: Vigor 2862 - Selective Intra-LAN communication
pharcyder wrote:
The only hurdle I don't know how to overcome yet is those services than use broadcasting features to discover devices.
Does anyone have any good solutions here?
No, just the clunky method of manually swapping SSID on my phone, whenever I want to access something on the "I.O.T." LAN.
(Or relying on the device's 'cloud interface' and accessing it as though I'm off-site).
Otherwise, some sort of 'proxy' is presumably required on each network segment? Perhaps that already exists for mDNS? ...
Please Log in or Create an account to join the conversation.
- pharcyder
- Offline
- Member
-
- pharcyder
- Offline
- Member
-