Block access to the internet for one device, but still use home network

dubster · 4 Dec 2021 at 12:37

Hi folks

I've got a synology diskstation, and a media player (Mi TV Box 3) I want to use with it.
But I want to prevent the TV Box from accessing the internet, or being accessed from the internet yet still access the diskstation on the home network.

Does anyone know - On my Sky router, if I add an Inbound and Outband firewall rule which says block access to Any - it will achieve what I'm after?

Only reason I'm asking and not giving it a go is that it's imperative that the Tv Box doesnt get to the net - if it does the first thing it will do is update its firmware and lose a feature I don't want to lose.

Any advice would be gratefully received.

Thanks all

bremen1874 · 4 Dec 2021 at 13:15

Firewall rules should allow this. I've never worked with one of Sky's routers so can't help with the specifics.

Giving the device a blank or invalid gateway address should also stop it from connecting out. You'd want it configured with a static IP anyway.

Semple · 4 Dec 2021 at 13:19

dubster said:
if it does the first thing it will do is update its firmware and lose a feature I don't want to lose.

Sounds very legal! :rolleyes:

pepp77 · 4 Dec 2021 at 13:31

Might be easiest to statically give it an IP address but not a gateway. Will be able to communicate with devices locally but never get to the internet.

bremen1874 · 4 Dec 2021 at 14:04

Semple said:
Sounds very legal!

If it's only consuming local media it can't be anything too bad.

Semple · 4 Dec 2021 at 14:29

bremen1874 said:
If it's only consuming local media it can't be anything too bad.

That is true, i'm intrigued what it is now, there's not much on these devices that would get removed with a firmware upgrade. So unless something has been sideloaded that'll get wiped with upgrade, i'm not sure what else there is.

dubster · 4 Dec 2021 at 17:40

Basically it's on Android 6 which still allows for Dolby TrueHD and DTS-HD Master.
It uses something called IEC61937 which gets removed with Android 7 onward for some reason.
Youve got no way of blocking the auto update either.

I even tried writing to Xiaomi to tell them I wasn't giving them permission to update my box and they said there's nothing they can do about it.

Sure enough as soon as it touches the internet it jumps to "installing update".

dubster · 4 Dec 2021 at 17:49

pepp77 said:
Might be easiest to statically give it an IP address but not a gateway. Will be able to communicate with devices locally but never get to the internet.

Is that something you can do via your router?? It's currently on a static IP and I was thinking of adding that into the firewall rules as block everything inbound and outbound.

pepp77 · 4 Dec 2021 at 22:41

Depends on the device, on a computer for example you set an IP, subnet, gateway and DNS. To achieve what you want I would just set the IP and subnet and leave the other two sections blank.

the-evaluator · 5 Dec 2021 at 07:34

pepp77 said:
Depends on the device, on a computer for example you set an IP, subnet, gateway and DNS. To achieve what you want I would just set the IP and subnet and leave the other two sections blank.

That's what I'd do, too. If you find that the device won't let you leave the gateway field empty then enter some dummy data. So if the IP address of you rrouter is 192.168.1.1, then tell the device in question that the gateway IP is 192.168.1.254 or similar.

jaybee · 5 Dec 2021 at 07:52

Does the sky router have the ability to set ips based on Mac and to block internet based on Mac? If yes, use them. Most routers can do this.

dubster · 6 Dec 2021 at 08:01

Nah sadly the Sky router doesnt let you block based on Mac or I would've gone down that route.
Also the TV Box doesnt let you set gateways etc, its similar to a Firestick - you just pick your network, that's your lot.

So the route I was thinking was set IP using Mac on the router.
Block the IP I set in the DHCP screen in the firewall rules.

the-evaluator · 6 Dec 2021 at 08:03

I think blocking the IP address at the DHCP server will stop the TV Box having any local network access too - it'll block it from the network completely, not just block it from having internet access.

So there's no way to set a static IP address on that TV box?

dubster · 6 Dec 2021 at 08:18

I've not seen a way of doing it on the box but I'll double check.
I've given it a static IP on the router up til now.

I don't think setting it on the box itself would make any difference in terms of what I need though as I'm pretty confident the internal update process on the box contacts the Xiaomi server using IP address as people have tried blocking Xiaomi using hostnames in the past and their boxes still get upgraded.

Rats if it blocks local network too I guess I'm going to have to buy a new router just for internal use only then. Thanks for the info though.

the-evaluator · 6 Dec 2021 at 10:49

Setting a static IP address on the box itself and not giving it a gateway, or giving it a dummy gateway would absolutely stop it connecting to anything on the internet. Without a working gateway a client doesn't know how to route out of your local network. So it may know the IP addresses it wants to reach but it won't be able to.

However, if the box can't have a static IP address set on the box itself then without additional or new equipment you're likely not going to get this working.

bremen1874 · 6 Dec 2021 at 12:53

It seems strange that they'd go to the effort of removing standard Andriod functionality to prevent static IPs.

AtaRo · 6 Dec 2021 at 17:02

This can be easily be done using asuswrt router that supports merlin firmware,
don't know if the asus stock firmware supports the MER option.

dubster · 8 Dec 2021 at 16:31

Awesome, thanks folks. Im back home tomorrow so I will double check the TV Box and see if I can set the gateway on it - Im 99% sure though that all you can do is pick a wireless network and thats it. If not then I'm looking for an asus router that supports merlin firmware. I'm guessing this is custom firmware I'd have to flash or something?

Semple · 8 Dec 2021 at 16:38

What about the DNS route. I can block devices on my network using Adguard - it can do typical services (i.e. facebook, instagram etc) so it might be able to block a custom domain. It's likely the Xiaomi box will have a FQDN that it needs to resolve to connect to the servers to get the update.

dubster · 8 Dec 2021 at 16:47

No I'm fairly sure it uses IP to get the updates.
Loads of people have tried blocking services and it always gets around it. Even down to disabling the android update service and still.. persistent bloody thing.

It was mentioned above about not providing a gateway. Is that something I could do at router level?

I.e. buy any old router, give that router no gateway, plug my TV box into that router and that router into my existing one. That way anything going via the new router (and from there into the existing one) won't have a gateway? Or would it then pick up the gateway once it gets to my existing sky router?