Firewall should block internet for specific clients

Goal: I`d like to stop some smart-home devices to “phone back home”.

But I have some troubles to use the firewall in the Turris Omnia (OS 5.1.10).
I set it up according to the documentation and forum discussions.

I used the MAC of my tablet to test it, blocked the LAN to WAN and set it to “drop”. (Using LUCI for that)
I cannot access the web with the tablet anymore, still I see the connections in the nextDNS protocol of apps etc.

What am I missing?

And I dont want to use a guest network or new WIFI, because I dont want to switch network on my phone to turn off the lights…

Default DNS setup directs clients to the LAN address of Turris (running a DNS resolver), so it seems right to me that this access is not “LAN to WAN”… although ultimately it may e.g. be misused to leak information to the internet. I can’t say I’m a firewall expert, but certainly it should be possible to just add another rule to block access to Turris (I assume you want to keep LAN), which would be the whole “Device” zone I guess.

1 Like

That‘s correct, but keep udp ports 67-68 (LAN -> DEVICE) open for DHCP (or use static IP on your iot device)

2 Likes

@vcunat and @protree that is awesom!
It would be so easy, but unfortunately there`s nothing I found in documentation or the forum (maybe I used wrong keywords?).

With this configuration, nothing leaks to the internet but I can still use the apps on the smartphone to control my devices!
Firewall -> Traffic Rules -> Add

Edit:
Also add an exception for DHCP-Port as @protree mentioned:

The keyword is the “device” area!
Hope this will help some people!

I know this is marked solved, but the way I do this is create a separate wifi for my IOT things with a separate IP space, but only route it locally. I can’t get to the internet from that network, but I can get to that network from my main network and vice-versa.

My Homeassistant box is on the regular network, but has no trouble talking to all my IOT things not on the network. It works quite well. If you set it up right, you don’t need to connect to the guest or alternate wifi.

It might take some time, but I should be able to find the document that I used to set it up.
[edit]
OK, I didn’t find my documents, but this is what my firewall looks like:

2 Likes

That is also a good option.
Would be great do have it documented :smiley:

All the discussions I found hat some good ideas or solutions, but none of it was documented, just giving an idea.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.