How to configure router to limit a computer to local network and block its incoming or outgoing WAN access?


























How can I configure a router to limit a computer to the local network and block its incoming or outgoing WAN access? What kind of settings should I look into?



I am using Tomato firmware.










networking router lan






edited Dec 23 '12 at 1:17









Indrek

asked Dec 22 '12 at 22:59









smallbee

  • This is normally done with VLANs - you can include the VLAN in the access list and prevent it from using NAT translation. This would be the best solution but I don't know if this is possible on Tomato. I'm pretty sure though that there is an iptables [tomatousb.org/forum/t-369359] which could be treated as a lightweight firewall - you can set up a rule to drop packets based on source and destination.
    – mnmnc
    Dec 23 '12 at 1:31


















3 Answers
Check the Parental Controls.

I'm not familiar with Tomato settings, but many firmwares will let you control and/or meter the internet access using parental controls.

You should be able to use the machine's IP or MAC address to restrict its access.

I can block access completely or allow it on a schedule with my Asus router.







answered Dec 22 '12 at 23:42
Zooks64

A simpler way is to use the Access Restriction menu: make a rule for a specific Ethernet interface with disabled internet access.

Here's a video tutorial:
http://www.polarcloud.com/v/screst.htm







answered Dec 23 '12 at 1:52
PoulGrym

I don't know Tomato, but every reasonable router should offer at least the following:

• Firewall rules based on IP addresses
• Firewall rules based on Ethernet (MAC) addresses
• Firewall rules based on VLANs

So you could easily block the machine in question by blocking its IP address and its Ethernet address in the router. Please note that this is not completely safe: The administrator of the machine in question could change the machine's IP address. The Ethernet address of modern NICs can be changed as well. So that method could be circumvented.

On the other hand, VLANs are considered to be safe (unless the firmware has bugs), but are impractical for most home or small office users because every network component between the PC in question and the router must support them.

For example, if the PC in question is connected to a switch, and the switch is connected to the router, and the router should identify the PC based on VLANs, the switch must support VLANs as well. Of course, switches supporting VLANs are much more expensive than standard switches.

Furthermore, VLAN safety is based on the assertion that no user has physical access to the router or switches. Otherwise, the owner of the PC in question can just pull out his network cable from the router, plug it into another network port of the router, configure the PC accordingly, and have full access afterwards.

So if you are in an environment with skilled and evil persons, you should place every network component (i.e. switches, routers etc.) in locations to which nobody but you has physical access, you should use VLANs (meaning that every network component has to support them and must be configured accordingly), and you should configure your router to deny or grant access based on the VLAN ID.

But if you just want to prevent your 6-year-old kid from surfing the net, IP-based rules or MAC-based rules are sufficient (probably).

As an additional idea:

People think in too complicated a way in many cases. So if you just would like to prevent some software on the PC in question from breaking out, you could simply remove the gateway from that PC's network configuration.

This is quite easy and safe provided that you have administrative access to that PC, and that you run that software without administrative privileges. Of course, removing the gateway is possible only if the network is configured manually (and not automatically via DHCP).

A final warning:

If you deny internet access, the O/S won't be able to get updates. This is a very high risk, even if the PC is not connected to the internet (think of viruses on USB sticks and the like), so I really wouldn't do that.

If you had detailed the reasons for denying internet access, we eventually would have been able to propose a better solution ...







answered Dec 13 '18 at 9:29
Binarus
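
The IP- and MAC-based firewall rules from the answer above, and the iptables drop rule mentioned in the comment on the question, could look like this on an iptables-based router. This is an added example, not part of the original posts: the function names are hypothetical, and the host IP, MAC address and WAN interface name `vlan2` are constructed sample values. The script only prints the rules so they can be reviewed before being put into the router's firewall script.

```shell
#!/bin/sh
# Added example (not from the original thread): generate iptables rules that
# keep one LAN host off the WAN while leaving LAN-to-LAN traffic alone.
# The rules go into FORWARD only, so traffic switched inside the LAN and
# traffic to the router itself (INPUT chain) is not touched.

is_ipv4() {
    # Four dot-separated decimal octets, each in 0..255.
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

is_mac() {
    # Six colon-separated hex bytes, e.g. 00:11:22:33:44:55.
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

gen_wan_block_rules() {
    host_ip=$1
    host_mac=$2
    wan_if=$3

    is_ipv4 "$host_ip" || { echo "bad IPv4 address: $host_ip" >&2; return 1; }
    is_mac "$host_mac" || { echo "bad MAC address: $host_mac" >&2; return 1; }
    # Reject empty names and anything that is not a plain interface name,
    # because the output is meant to be pasted into a root shell script.
    case "$wan_if" in
        ''|*[!A-Za-z0-9._-]*)
            echo "bad WAN interface name: $wan_if" >&2
            return 1
            ;;
    esac

    # -I inserts at the top of the chain, ahead of any accept rule for
    # established connections, so the drops always win.

    # Outbound: packets from the host's IP that would leave through the WAN.
    echo "iptables -I FORWARD -s $host_ip -o $wan_if -j DROP"
    # Same NIC using a different IP address: match on the source MAC instead.
    echo "iptables -I FORWARD -m mac --mac-source $host_mac -o $wan_if -j DROP"
    # Inbound: WAN traffic routed to the host, e.g. through a port forward.
    echo "iptables -I FORWARD -i $wan_if -d $host_ip -j DROP"
}

# Constructed sample host; replace with the real values from the router.
gen_wan_block_rules 192.168.1.50 00:11:22:33:44:55 vlan2
```

These rules cover IPv4 only; a router that also routes IPv6 needs equivalent `ip6tables` rules. As the answer notes, both matches depend on values the machine's administrator can change, so they are not a substitute for VLAN separation.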
