Limit internet access for LAN devices behind Flexy


#1

Hi everyone,

i used this guide (Allow internet to LAN devices on Flexy205) to allow my LAN devices to connect to WAN / Internet through the Flexy. Everythings works fine and i have full internet access on all devices, but now i have some concerns about the overall security.

The “WAN Protection level” is still set to the highest “Discard all” setting.
So there is no incomming or inbound traffic allowed from the WAN Port (internet) to any of the LAN devices?

Is there any option to further limit the outbound internet access for the LAN devices?
Best solution for us would be to specify a single route from a LAN Device to a well known API Endpoint. There is no need for full internet access for all LAN devices.

Thanks in advance!


#2

Hi @jen5,

You are correct. When you followed that guide you allowed the LAN devices access to the WAN, but there still is no access in. If you want to restrict certain LAN devices access the internet, you could set the default gateway incorrectly, but that will also affect their responses to incoming traffic from the VPN from being returned.

Can you explain what you mean by single route to API Endpoint? If you mean a static route, you can find those settings under Setup > System >Communication > Networking > Routing.

Also, keep in mind, devices need to be programmed to “reach out” to the internet. They are not going to do that on their own.

Kyle


#5

Hi @kyle_HMS,

thanks for the quick response.
With single route to an API endpoint, i was thinking about a possibility to limit the urls or ip addresses that can be reached from the LAN connected devices. Since for our requirements there is only one device connected via LAN that needs outbound traffic to adamos.com on port 80. Do the routing settings provide such a feature?

Jens


#6

No, you cannot restrict WAN access by url or ip address. That would need to be done by your firewall on the WAN.

Keep in mind, allowing WAN access to the LAN devices is not the same as allowing LAN access to WAN devices. Your LAN devices will only reach out to the hosts that they are programmed or instructed to. It does not open them up to incoming traffic from the WAN.

Kyle


#8

Hi Kyle,

I am using eWon Flexy201 with WiFi card on. However, I can’t get access to internet from the LAN devices (say PC) connected to the flexy setting the route and security option as mentioned above. Could you please help me out with this issue?

Regards

Musfiq


#9

Did you set a static IP address, default gateway, DNS?

What happens when you try to ping 1.1.1.1? google.com?

Please provide as much information about what you have tried and what you are experiencing currently.


#10

Hi Kyle,
Thank you very much for your prompt reply. Yes I have set static IP, Gateway as eWon LAN IP, DNS1: 8.8.8.8 and DNS2: 8.8.4.4. I have attached the setup info and logs for your reference. Please let me know if you need any more information. To be mentioned, ping to 1.1.1.1 is OK but that to google.com or google.com.au doesn’t go through.

Anyway, every outcome has been attached in the compressed file for you.

Thank you again.

Regards

MusfiqeWon Info.7z (213.3 KB)


#11

Hi Kyle,

Thank you very much for your reply. Yes static IP is defined with flexy as gateway. The DNS was configured as DNS1: 8.8.8.8 and DNS2: 8.8.4.4 which could be ping like 1.1.1.1 as you advised. But google.com and google.com.au couldn’t be pinged. The setup and logs are attached for your reference.

eWon Info.7z (213.3 KB)

Looking forward to hearing from you and thank you in advance.

Regards

Musfiq


#12

If you can ping an IP address on the internet, but not a domain name, that indicates a DNS problem. Make sure you are setting a public DNS server on both the eWON and your LAN devices.


#14

Hi Kyle,

Thanks. You are absolutely right this is a DNS issue. Just letting you know I came to know this problem yesterday and solved now. Thank you again.

Regards