
I'm using a DrayTek 2866 router, and am trying to create a firewall rule so that 192.168.1.8 cannot access any other devices on the network except the gateway 192.168.1.1. However, I'm unsure whether the DrayTek firewall is just non-functional, or if this is a configuration issue, but it has absolutely no effect and does not log anything under syslog -> firewall. The firewall config is in this screenshot. Can anyone please explain why this firewall rule is not working, and how to prevent this single IP from accessing anything else on the network? Thanks

1 Answer


By definition, traffic between hosts in the same subnet does not go through a router.

All of your LAN devices don't actually connect to the 'logical' router directly. Before it, they are all connected to an Ethernet network (and/or a Wi-Fi network bridged to it) which is the actual "LAN", and which allows any device to send packets directly to the MAC address of any other device on that Ethernet – such packets take the direct path through Ethernet switches from host A to B, and the router will never see them, much less log or filter them. The Draytek's CPU is only another device in that Ethernet network, and your devices only send packets towards its MAC address when they need to reach outside of their subnet.

(You might not have a dedicated Ethernet switch, but your router, like most home wifi routers, has all LAN ports connected to a switch internally, so it's the same thing: packets directed to the MAC address of another local device will just take a shortcut through that switch and will never be seen by the router. As for Wi-Fi devices, those are bridged to the Ethernet by the router's CPU, so it could see the packets that go through the bridge... but that's not where your filter rules operate – they work in the IP forwarding stage.)

Without additional equipment, the only reliable way to isolate that device would be to put it in a separate VLAN – but that's assuming the router even supports VLANs (and all external Ethernet switches between the router and device have to support them as well).

Otherwise, the easiest way would be to get a second router where you could define firewall/filter rules, and connect only that device to the 2nd router.

grawity
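The forwarding decision the answer describes, as an added worked example (not part of the question or the answer, and not DrayTek's own filter syntax). It models each host's choice between sending a frame directly to a same-subnet neighbour and sending it to the gateway, and a simplified block rule that the router evaluates only on packets it actually forwards. All addresses, the rule representation and the "separate VLAN" subnet 192.168.2.0/24 are constructed for illustration.

```python
"""Why a router-side IP filter cannot see same-subnet traffic.

Added example: models (1) the per-host forwarding decision and (2) a
simplified block rule applied only in the router's IP forwarding stage.
Addresses, the rule format and the 192.168.2.0/24 VLAN are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    iface: ipaddress.IPv4Interface   # address + mask, e.g. 192.168.1.8/24
    gateway: ipaddress.IPv4Address   # default gateway on that subnet


@dataclass(frozen=True)
class BlockRule:
    """Drop packets from src to dst (constructed, simplified rule shape)."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip, dst_ip) -> bool:
        return src_ip in self.src and dst_ip in self.dst


def forwarding_decision(host: Host, dst_ip) -> str:
    """Return how the host delivers a packet to dst_ip.

    'direct'      - dst is on the host's own subnet: the host ARPs for the
                    destination MAC and the switch carries the frame
                    host-to-host; the router never sees it.
    'to-router'   - dst is the router's own address (delivered to its IP
                    stack, not forwarded; simplified here as not filtered).
    'via-gateway' - dst is off-subnet: the frame goes to the gateway MAC
                    and the router forwards it, which is where IP filter
                    rules operate.
    """
    if dst_ip == host.gateway:
        return "to-router"
    if dst_ip in host.iface.network:
        return "direct"
    return "via-gateway"


def send(host: Host, dst: str, rules, log: list) -> tuple:
    """Simulate one packet; returns (path, outcome) and appends filter logs."""
    dst_ip = ipaddress.ip_address(dst)
    path = forwarding_decision(host, dst_ip)
    if path != "via-gateway":
        # Never reaches the forwarding stage, so no rule match and no syslog line.
        return path, "delivered"
    for rule in rules:
        if rule.matches(host.iface.ip, dst_ip):
            log.append(f"BLOCK {host.iface.ip} -> {dst_ip} "
                       f"(rule {rule.src} -> {rule.dst})")
            return path, "blocked"
    return path, "delivered"


def demo() -> dict:
    """Flat LAN (rule has no effect) versus separate VLAN (rule applies)."""
    log = []

    # Case 1: the rule from the question on a flat 192.168.1.0/24 LAN.
    flat_rule = BlockRule(ipaddress.ip_network("192.168.1.8/32"),
                          ipaddress.ip_network("192.168.1.0/24"))
    flat_host = Host(ipaddress.ip_interface("192.168.1.8/24"),
                     ipaddress.ip_address("192.168.1.1"))
    same_subnet = send(flat_host, "192.168.1.20", [flat_rule], log)
    to_gateway = send(flat_host, "192.168.1.1", [flat_rule], log)

    # Case 2 (constructed): device moved to its own VLAN/subnet 192.168.2.0/24.
    # Now every packet toward 192.168.1.x must cross the router.
    vlan_rule = BlockRule(ipaddress.ip_network("192.168.2.8/32"),
                          ipaddress.ip_network("192.168.1.0/24"))
    vlan_host = Host(ipaddress.ip_interface("192.168.2.8/24"),
                     ipaddress.ip_address("192.168.2.1"))
    cross_subnet = send(vlan_host, "192.168.1.20", [vlan_rule], log)

    return {"same_subnet": same_subnet, "gateway": to_gateway,
            "separate_vlan": cross_subnet, "log": log}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the same-subnet packet taking the `direct` path with no log entry, exactly the symptom in the question, while the same destination from a separate VLAN is forwarded, matched and logged.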