How to configure router to limit a computer to local network and block its incoming or outgoing WAN access?
How can I configure a router to limit a computer to the local network and block its incoming or outgoing WAN access? What kind of settings should I look into?
I am using Tomato firmware.
networking router lan
This is normally done with VLANs - you can include the VLAN in the access list and prevent it from using NAT translation. This would be the best solution, but I don't know if this is possible on Tomato. I'm pretty sure, though, that there is an iptables [tomatousb.org/forum/t-369359] which could be treated as a lightweight firewall - you can set up a rule to drop packets based on source and destination.
– mnmnc
Dec 23 '12 at 1:31
edited Dec 23 '12 at 1:17
Indrek
20.4k117484
asked Dec 22 '12 at 22:59
smallbee
2113
3 Answers
Check the Parental Controls.
I'm not familiar with Tomato settings but many firmwares will let you control and/or meter the internet access using parental controls.
You should be able to use the machine's IP or MAC address to restrict its access.
I can block access completely or allow it on a schedule with my Asus router.
answered Dec 22 '12 at 23:42
Zooks64
1,8931314
A simpler way is to use the Access Restriction menu and make a rule for a specific Ethernet interface with disabled internet access.
Here's a video tutorial:
http://www.polarcloud.com/v/screst.htm
answered Dec 23 '12 at 1:52
PoulGrym
3517
I don't know Tomato, but every reasonable router should offer at least the following:
- Firewall rules based on IP addresses
- Firewall rules based on Ethernet (MAC) addresses
- Firewall rules based on VLANs
So you could easily block the machine in question by blocking its IP address and its Ethernet address in the router. Please note that this is not completely safe: The administrator of the machine in question could change the machine's IP address.
The Ethernet address of modern NICs can be changed as well. So that method could be circumvented.
On the other hand, VLANs are considered to be safe (unless the firmware has bugs), but are impractical for most home or small office users because every network component between the PC in question and the router must support them.
For example, if the PC in question is connected to a switch, and the switch is connected to the router, and the router should identify the PC based on VLANs, the switch must support VLANs as well. Of course, switches supporting VLANs are much more expensive than standard switches.
Furthermore, VLAN safety is based on the assertion that no user has physical access to the router or switches. Otherwise, the owner of the PC in question can just pull out his network cable from the router, plug it into another network port of the router, configure the PC accordingly, and have full access afterwards.
So if you are in an environment with skilled and evil persons, you should place every network component (i.e. switches, routers etc.) in locations where nobody but you has physical access, you should use VLANs (meaning that every network component has to support them and must be configured accordingly), and you should configure your router to deny or grant access based on the VLAN ID.
But if you just want to prevent your 6-year-old kid from surfing the net, IP-based rules or MAC-based rules are sufficient (probably).
As an additional idea:
People are thinking in too complicated a way in many cases. So if you would just like to prevent some software on the PC in question from breaking out, you could simply remove the gateway from that PC's network configuration.
This is quite easy and safe provided that you have administrative access to that PC, and that you let that software run without administrative privileges. Of course, removing the gateway is possible only if the network is configured manually (and not automatically via DHCP).
A final warning:
If you deny internet access, the O/S won't be able to get updates. This is a very high risk, even if the PC is not connected to the internet (think of viruses on USB sticks and the like), so I really wouldn't do that.
If you had detailed the reasons for denying internet access, we eventually would have been able to propose a better solution ...
answered Dec 13 '18 at 9:29
Binarus
34817
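The IP-based and MAC-based firewall rules that the comment and the last answer describe, written out as iptables commands (an added example, not part of the original posts). The host address 192.168.1.50, the MAC 00:11:22:33:44:55 and the WAN interface name vlan1 are constructed sample values; the script validates its inputs and only prints the rules, so they can be reviewed before being run as root on the router.

```shell
#!/bin/sh
# Added example: print iptables rules that keep one LAN host off the WAN.
# LAN-to-LAN traffic and traffic to the router itself (INPUT chain) are untouched.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet <= 255.
valid_ip() {
    case "$1" in *[!0-9.]*) return 1 ;; esac   # rejects spaces, ';', newlines
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Return 0 if $1 is a colon-separated 48-bit MAC address.
valid_mac() {
    case "$1" in *[!0-9A-Fa-f:]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the rules for host IP $1, host MAC $2 and WAN interface $3.
# Inputs are checked strictly because the output is meant for a root shell.
block_wan_rules() {
    ip=$1; mac=$2; wan_if=$3
    valid_ip "$ip"   || { echo "bad IP address" >&2; return 1; }
    valid_mac "$mac" || { echo "bad MAC address" >&2; return 1; }
    case "$wan_if" in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    # -I inserts at the top of FORWARD, ahead of any existing ACCEPT rule.
    # Rule 1: host -> WAN by source IP.
    # Rule 2: WAN -> host (after DNAT, port forwards carry the LAN IP here).
    # Rule 3: host -> WAN by source MAC, so changing only the IP does not help.
    cat <<EOF
iptables -I FORWARD -o $wan_if -s $ip -j DROP
iptables -I FORWARD -i $wan_if -d $ip -j DROP
iptables -I FORWARD -o $wan_if -m mac --mac-source $mac -j DROP
EOF
}

# Constructed sample values; the WAN interface name differs between routers.
block_wan_rules 192.168.1.50 00:11:22:33:44:55 vlan1
```

Once the printed rules have been applied, `iptables -L FORWARD -v -n` shows per-rule packet counters, which confirms whether the blocked host's traffic is actually hitting them. As the answer above notes, both matches depend on addresses the host's administrator can change.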