Can Router Control IP Access From List To Connected Device?

Hi,

Can I use a router to control internet IP access to a device connected to the router, i.e. some type of router inbound filter using IP address?

What I would like to do is to be able to allow connection to a device connected to my router at home from client locations via the internet. However, I would like to have some access control over the IPs that can connect so that only those IPs in a list can get through to the device. Preferably, I would like the IP access control to be configured in the router.

The router I currently use is a Netgear R6300 but I am OK changing it if this model does not have IP Incoming access control.

Thx for any advice
 
Pretty much anything with a configurable firewall will do what you want. A Ubiquiti EdgeRouter Lite is a good place to start as it has a decent UI but uses the correct terminology that is used in the rest of the industry. The OS is a fork of Vyatta which is very like Cisco IOS if you ever wanted to get into CLI access and learn a bit more, but you won't need to for what you're doing. Then you can use the Netgear as an access point only.
 


Caged,

Thx for the reply.


Does the Ubiquiti go between the Wall Phone/Broadband Socket and the Netgear router so that the line of connectivity is:


Wall Socket --> Ubiquiti --> Netgear Router --> Device on Local Network

Or, is the Ubiquiti placed between the Netgear router and the device on my local network so the line of connectivity is:

Wall Socket --> Netgear Router --> Ubiquiti --> Device on Local Network


I think I understand the logic, I use a configurable unit like the Ubiquiti that has the functionality to control Inbound IP filtering to a specific device on my local network in the absence of that functionality in my router?

I use BT Infinity, will any hardware with a configurable firewall need to be compatible with that? Or, does it not need to be compatible as long as the Netgear router is BT Infinity compatible? If there is an all in one solution such as a BT Infinity compatible router that will provide a configurable firewall that can control Inbound IP access using a customisable list of IPs then I am OK with purchasing the equipment. However, it's knowing what kit might do the job.

I am a total "noob" at this so please bear with me if my questions are rather basic.

Thx
 
You can connect eth1 of the EdgeRouter straight to the BT modem if you want and then run a PPPoE client on the EdgeRouter.

http://wiki.ubnt.com/PPPoE_Client_-_CLI_Commands

I'm not sure if that's been moved into the GUI yet or not, ask on the Ubiquiti forums, they are pretty helpful.

The Netgear router would only be used as an access point after this setup, it wouldn't be doing any routing because you'd end up double-NATing things.

Edit: Looks like it's been added into one of the quick-start wizards, see chapter 8 of this http://dl.ubnt.com/guides/edgemax/EdgeOS_UG.pdf
 


Caged,

Thank you for the reply and the links.

Reading the manual for the Ubiquiti, I can see the section where the Firewall/NAT Groups are created. However, it looks like the IP Groups are for local IP addresses for devices on my local network? If I read it correctly, the IP Groups are not for creating a list of external web IPs that I wish to allow through to have access to one specific computer?

I have BT Infinity 2 so I use VDSL2 via the Openreach modem then to my NetGear router. Is the signal coming out of my Openreach modem OK to be accepted by the Ubiquiti? I checked the Interface/Encapsulation details and it says it is PPPoE but not if it is VDSL2 compatible.

If the Ubiquiti will do the job it looks OK.

Thx
 

It can definitely filter on source addresses. And it doesn't need a VDSL2+ interface, that's what the Openreach modem does. It just needs to speak PPPoE, which the modem can happily handle.
 

I think the filter on source IP addresses is either a single source IP address or between a selected range of source IP addresses. What I wish to have is to create a custom list/group of IP source addresses that can be modified. This custom list/group will then allow internet source IP addresses through to a server.

I will have another check in the manual to see if I missed something. Quite a few routers will allow a single IP filter or between a range of IPs to be filtered but not many allow custom/group lists to be created until you get to business level kit.

Thx
 
I'm reasonably sure you can create address groups and use those in your firewall rules, but it's been a while since I had one.
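
An added example, not posted by anyone in this thread: an EdgeOS CLI sketch of the address-group approach discussed above, with an editable group of external source addresses referenced from a WAN inbound rule. Assumptions: the group name `CLIENT_ALLOW`, the ruleset name `WAN_IN`, the server at 192.168.1.50 on TCP 443 and the sample client addresses are all constructed; the WAN is PPPoE on eth1 as suggested earlier in the thread; and a port forward (destination NAT) to the server is already configured, so the rule matches the server's LAN address.

```edgeos
configure

# Editable list of permitted client source addresses.
# Constructed values from the documentation ranges; replace with real client IPs.
set firewall group address-group CLIENT_ALLOW description "Client sites allowed to reach the server"
set firewall group address-group CLIENT_ALLOW address 203.0.113.10
set firewall group address-group CLIENT_ALLOW address 198.51.100.20-198.51.100.25

# WAN_IN filters traffic arriving from the internet and forwarded to the LAN.
# Anything not explicitly accepted below is dropped.
set firewall name WAN_IN default-action drop

# Replies to connections that LAN hosts opened themselves.
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description "Allow established/related"
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable

set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description "Drop invalid state"
set firewall name WAN_IN rule 20 state invalid enable

# Only sources in CLIENT_ALLOW may reach the server (assumed 192.168.1.50:443).
# The destination is the LAN address because destination NAT is applied
# before this ruleset is evaluated.
set firewall name WAN_IN rule 30 action accept
set firewall name WAN_IN rule 30 description "Listed clients to server"
set firewall name WAN_IN rule 30 protocol tcp
set firewall name WAN_IN rule 30 source group address-group CLIENT_ALLOW
set firewall name WAN_IN rule 30 destination address 192.168.1.50
set firewall name WAN_IN rule 30 destination port 443
set firewall name WAN_IN rule 30 log enable

# Attach the ruleset to the PPPoE WAN interface (inbound direction).
set interfaces ethernet eth1 pppoe 0 firewall in name WAN_IN

commit
save
```

Adding or removing a client later only touches the group (one `set` or `delete` on `CLIENT_ALLOW` followed by `commit`); the firewall rule itself does not change.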
 