Allow Internet access for certain LAN clients only

This document describes how to set up Firewall Filter Rules that block most LAN clients from the Internet and allow only certain IP addresses to pass. This requires two Firewall Filter Rules: one that blocks all LAN clients from the Internet, and another that passes the selected IP addresses. (Tip: also use the Bind-IP-to-MAC feature to give DHCP clients a static IP.)

1. Go to Firewall >> Filter Setup >> Set 2 (Default Data Filter), and click an available index number to add a new Filter Rule.

Add a firewall filter rule on Vigor Router

2. Create a Firewall Rule that blocks all the LAN clients from the Internet:

  1. Enable this Filter Rule.
  2. Set Direction to “LAN/DMZ/RT/VPN→WAN” so that this rule filters outgoing packets.
  3. Leave Source/Destination IP, Service Type, and Fragments as “Any” so that this rule applies to all kinds of outgoing packets.
  4. Set Filter Action to “Block If No Further Match.” This means the router will drop a packet if it doesn't match any other Filter Rule.
  5. Click OK to save.
A firewall filter rule that blocks all the outgoing traffic from any source

3. Create a Firewall Rule that allows the specific IP address to the Internet:

  1. Enable this Filter Rule
  2. Set Direction to “LAN/DMZ/RT/VPN→WAN.”
  3. Click Edit to input the Source IP. In the pop-up window, select an Address Type and enter the IP addresses that should be allowed Internet access, which is 192.168.1.10 to 192.168.1.15 in this example.
  4. Leave Destination IP and Service Type as “Any.”
  5. Set Filter Action to “Pass Immediately” so that traffic sourced from the defined IP addresses is accepted and forwarded to the Internet immediately, without checking whether other Filter Rules match.
  6. Click OK to save.
A firewall rule that allows outgoing traffic from certain source

Now we have two Filter Rules. Most packets will be blocked by Filter Rule 2 because they don't match the filtering conditions in Filter Rule 3. Packets sourced from the specified IP range do match Filter Rule 3, so they are passed to the Internet.

confirming the filter rules
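
The interaction between the two actions can be checked offline before relying on the rule set. The following is an added example, not DrayTek code: it models only the two Filter Actions described above, and the 192.168.1.0/24 LAN subnet and the "pass" verdict when no rule matches are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PASS_IMMEDIATELY = "Pass Immediately"
BLOCK_IF_NO_FURTHER_MATCH = "Block If No Further Match"


@dataclass
class FilterRule:
    name: str
    action: str
    src_start: Optional[str] = None  # None models Source IP "Any"
    src_end: Optional[str] = None
    enabled: bool = True

    def matches(self, src: str) -> bool:
        if not self.enabled:
            return False
        if self.src_start is None:
            return True
        ip = ipaddress.ip_address(src)
        low = ipaddress.ip_address(self.src_start)
        high = ipaddress.ip_address(self.src_end)
        return low <= ip <= high


def evaluate(rules, src, default="pass"):
    """Return 'pass' or 'block' for an outgoing packet from src."""
    pending = None  # verdict held by an "If No Further Match" rule
    for rule in rules:  # rules are checked in index order
        if not rule.matches(src):
            continue
        if rule.action == PASS_IMMEDIATELY:
            return "pass"  # stop here, later rules are not consulted
        if rule.action == BLOCK_IF_NO_FURTHER_MATCH:
            pending = "block"  # applies only if nothing later matches
    return pending or default  # default verdict is an assumption


# The two rules from this document (names are labels for this example only).
RULES = [
    FilterRule("Rule 2: block all LAN clients", BLOCK_IF_NO_FURTHER_MATCH),
    FilterRule("Rule 3: allow range", PASS_IMMEDIATELY,
               "192.168.1.10", "192.168.1.15"),
]


def allowed_hosts(rules, network="192.168.1.0/24"):  # subnet is assumed
    """List every host in the LAN that the rule set lets out to the WAN."""
    hosts = ipaddress.ip_network(network).hosts()
    return [str(h) for h in hosts if evaluate(rules, str(h)) == "pass"]
```

Calling `allowed_hosts(RULES)` should list exactly 192.168.1.10 through 192.168.1.15; disabling either rule in the model shows why both are needed.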

Published On: 2016-05-12
