[kwlug-disc] Deny Internet access for some LAN devices

John Van Ostrand john at vanostrand.com
Thu Apr 13 16:11:54 EDT 2017


How about traffic shaping? Matching packets with tc and then filter. I've
not done it but it seems it might work.

http://www.docum.org/faq/cache/62.html

On Wed, Apr 12, 2017 at 6:01 PM, B. S. <bs27975 at gmail.com> wrote:

> Doesn't need to be a VLAN, which would require the router to understand
> VLAN. Just static addresses (nets) on the camera, and a secondary eth on
> points you care about / would access with. e.g. On the PI, where the VPN
> address and internal net can forward to that interface and vice versa, and
> forwards from that net to 0.0.0.0 denied. Gateway on the cameras would be
> the PI.
>
> For VLAN, the cameras, or the switch(es) they're connected to, would have
> to be VLAN capable and probably aren't. The PI could be made to be, but by
> itself that doesn't buy you anything that isn't already present above.
>
> Have to be static on the cameras, else a physically separate network or
> DHCP is going to cause network confusion. Or specially crafted DHCP
> settings - which would only bring complication for little gain.
>
> You'll want to turn off PnP, et al, on the cameras, and UPnP et al inside
> the house, so nothing can inadvertently discover the presence of the
> cameras.
>
>
> On 04/12/2017 08:57 AM, Raymond Chen wrote:
>
>> I love the subnet idea. I'll check if it has the VLAN support. Thank you.
>>
>> @Paul, no it doesn't have parent control. :)
>>
>> On Tue, Apr 11, 2017 at 11:52 PM, Paul Nijjar via kwlug-disc <
>> kwlug-disc at kwlug.org> wrote:
>>
>>
>>> Are there parental control features on the router? You could say that
>>> the cameras have an early bedtime and are not allowed to access the
>>> Internet after those hours.
>>>
>>> - Paul
>>>
>>> On Tue, Apr 11, 2017 at 06:08:40PM -0400, Raymond Chen wrote:
>>>
>>>> I have some cameras in my house. I'm trying to disable their access to
>>>> Internet. Since I have a VPN service on my Raspberry Pi, if I want to
>>>> connect to those cameras, I can connect to the VPN first.
>>>>
>>>> One way I can think of is setting their gateway IP address to empty. But
>>>> if there is a malware on the camera, that doesn't help so much, right?
>>>>
>>>> I'm sure those DD-WRT routers can do that, just create a policy based on
>>>> the MAC... But unfortunately my router is D-Link N600. It has some basic
>>>> firewall, filter features, but most of them are protecting against
>>>> outside access. Any idea?
>>>>
>>>>
>>>
>>> --
>>> http://pnijjar.freeshell.org
>>>
>>> _______________________________________________
>>> kwlug-disc mailing list
>>> kwlug-disc at kwlug.org
>>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>>
>>>
>>
>>



-- 
John Van Ostrand
At large on sabbatical
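
Added example (not from any poster in this thread): one way to express the Pi-as-camera-gateway layout quoted above as an iptables-restore ruleset, generated by a small shell function so it can be inspected before loading. The interface names (eth1 camera side, eth0 house LAN, tun0 VPN) and the 192.168.50.0/24 camera subnet are assumptions, and the rules are stricter than the quoted description in that cameras may only reply to LAN and VPN clients, never open connections themselves.

```shell
#!/bin/sh
# Assumed layout: the Pi has a secondary interface facing the cameras, the
# cameras use static addresses with the Pi as their gateway.

valid_cidr() {
    # Accept only a.b.c.d/prefix with octets 0-255 and prefix 0-32.
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        { for (i = 1; i <= 5; i++) if ($i !~ /^[0-9]+$/) exit 1
          for (i = 1; i <= 4; i++) if ($i > 255) exit 1
          if ($5 > 32) exit 1 }'
}

camera_ruleset() {
    cam_net=$1 cam_if=$2 lan_if=$3 vpn_if=$4
    valid_cidr "$cam_net" || { echo "bad camera subnet: $cam_net" >&2; return 1; }
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# The Pi itself: cameras may answer it, but not reach its services.
-A INPUT -i $cam_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $cam_if -j DROP
# Replies to connections that were allowed to start.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# House LAN and VPN clients may open connections to the cameras.
-A FORWARD -i $lan_if -o $cam_if -d $cam_net -j ACCEPT
-A FORWARD -i $vpn_if -o $cam_if -d $cam_net -j ACCEPT
# Anything the cameras initiate (Internet or LAN) is logged, then dropped.
-A FORWARD -i $cam_if -j LOG --log-prefix "cam-egress: "
-A FORWARD -i $cam_if -j DROP
COMMIT
EOF
}

# Print the ruleset; arguments default to the constructed sample values.
camera_ruleset "${1:-192.168.50.0/24}" "${2:-eth1}" "${3:-eth0}" "${4:-tun0}"
```

Check the output with `iptables-restore --test` before loading it; loading without `--noflush` replaces the existing filter table.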