Limit internet access for LAN devices behind Flexy


Hi everyone,

I used this guide (Allow internet to LAN devices on Flexy205) to allow my LAN devices to connect to WAN / Internet through the Flexy. Everything works fine and I have full internet access on all devices, but now I have some concerns about the overall security.

The “WAN Protection level” is still set to the highest “Discard all” setting.
So there is no incoming or inbound traffic allowed from the WAN port (internet) to any of the LAN devices?

Is there any option to further limit the outbound internet access for the LAN devices?
Best solution for us would be to specify a single route from a LAN Device to a well known API Endpoint. There is no need for full internet access for all LAN devices.

Thanks in advance!


Hi @jen5,

You are correct. When you followed that guide you allowed the LAN devices access to the WAN, but there still is no access in. If you want to restrict certain LAN devices from accessing the internet, you could set the default gateway incorrectly, but that will also prevent their responses to incoming traffic from the VPN from being returned.

Can you explain what you mean by single route to API Endpoint? If you mean a static route, you can find those settings under Setup > System > Communication > Networking > Routing.

Also, keep in mind, devices need to be programmed to “reach out” to the internet. They are not going to do that on their own.



Hi @kyle_HMS,

Thanks for the quick response.
With single route to an API endpoint, I was thinking about a possibility to limit the URLs or IP addresses that can be reached from the LAN connected devices. Since for our requirements there is only one device connected via LAN that needs outbound traffic on port 80. Do the routing settings provide such a feature?



No, you cannot restrict WAN access by URL or IP address. That would need to be done by your firewall on the WAN.

Keep in mind, allowing WAN access to the LAN devices is not the same as allowing LAN access to WAN devices. Your LAN devices will only reach out to the hosts that they are programmed or instructed to. It does not open them up to incoming traffic from the WAN.
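As an added illustration of the reply above (not part of the thread and not HMS or Flexy configuration), here is what the restriction would look like on an upstream firewall that runs nftables and sits on the WAN side of the Flexy: only the one LAN device may open TCP/80 to the one API endpoint, everything else from the Flexy side is logged and dropped. The interface name and all addresses are constructed placeholders; if the Flexy NATs its LAN, substitute the Flexy's WAN address for the client address.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread or from HMS. Egress policy on the
# WAN-side firewall: one LAN device behind the Flexy -> one API host on TCP/80.
# All names and addresses below are constructed placeholders.
define flexy_if   = "eth1"          # firewall interface facing the Flexy's WAN port
define api_client = 10.0.0.53       # the single LAN device (or the Flexy WAN address if it NATs)
define api_host   = 203.0.113.20    # the well-known API endpoint

table inet flexy_egress {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies for sessions the client already opened
        ct state established,related accept

        # The single permitted outbound flow
        iifname $flexy_if ip saddr $api_client ip daddr $api_host tcp dport 80 ct state new accept

        # If the device reaches the API by hostname rather than IP, a matching
        # rule for UDP/53 to your resolver is needed here as well.

        # Anything else arriving from the Flexy side: rate-limited log, then dropped by policy
        iifname $flexy_if limit rate 10/minute log prefix "flexy-egress-denied: "
    }
}
```

The Flexy's own "Discard all" WAN protection still handles inbound traffic; this ruleset only narrows what the LAN device can reach outbound, and the log prefix gives you a hook for detecting unexpected connection attempts.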