How to restrict router's services to a specific subnet/interface?

Currently, my Omnia is exposing Samba shares meant for the interface lan ( on work-lan (

I’ve modified smb.conf.template to make it listen only on but that doesn’t help, since someone like can still access and all its ports.

Is there a way to wall off everything except the necessary minimum on work-lan? Perhaps a custom firewall rule?


hosts allow = in smb.conf may do what you want (untested). I put /24, but adjust it to whatever your network configuration is.

You can also use hosts deny to do the opposite, to explicitly disallow access from work-lan. Both can accept multiple addresses, space separated.


Thanks. While that’ll work for samba, I’m really looking for a more general mechanism that bars access to from 192.168.2/24. Then I can stop relying on the security mechanisms of each service.

Check your firewall zones in LuCI. You need a zone for each subnet; then you can restrict access as needed. Everything can be done via the GUI.

Take this howto for a guest wifi as an example (no copy & paste solution!).

Ask when you need further assistance.

The link helped massively. I was missing ‘reject’ for the input chain. Doh!
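
The zone setup the thread converges on, written as an `/etc/config/firewall` fragment. This is an added example, not a configuration posted by anyone in the thread. The network and zone name `work_lan`, the rule names, and the forwarding to `wan` are assumptions to adapt to your own setup.

```uci
# /etc/config/firewall fragment (OpenWrt UCI syntax), constructed example.
# Assumed: the second subnet is the network 'work_lan' and gets its own zone.

config zone
	option name 'work_lan'
	list network 'work_lan'
	# Weak setting, shown for contrast: with input 'ACCEPT' every service
	# on the router (Samba, SSH, LuCI, ...) is reachable from this subnet.
	# option input 'ACCEPT'
	# Corrected: reject anything addressed to the router itself unless a
	# rule below allows it.
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Assumed: work_lan clients should still reach the internet, not the lan zone.
config forwarding
	option src 'work_lan'
	option dest 'wan'

# The necessary minimum on the router for this subnet: DHCP and DNS.
config rule
	option name 'Allow-work_lan-DHCP'
	option src 'work_lan'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-work_lan-DNS'
	option src 'work_lan'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

After reloading the firewall, a port scan of the router from a work_lan client should show only the ports opened by the rules above, regardless of which interfaces Samba or other daemons bind to.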