[ previous ] [ next ] [ threads ]
 From:  "James McKeand" <james at mckeand dot biz>
 To:  "Ron Rosson" <ron at oneinsane dot net>, "m0n0wall" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] LAN only access
 Date:  Mon, 8 Aug 2005 08:06:23 -0500
Ron Rosson wrote:
> I am adding a PC to my LAN that I only want it to be able to use
> local resources of the LAN (ie printers shared drives etc.) but do
> not want it to be able to access the internet. Machine will be using
> ethernet for its connectivity and I am using two of the three ports
> of my net4501 with it doing DHCP to all computers.    
> Suggestions welcome.
> -Ron
> P.S. If it it would be possible to swing in captive portal for this
> machine as well to provide internet access on only an authenticated
> basis that would be a bonus.  

Reserve an IP in the DHCP for the MAC address of the machine (make sure
the user cannot change the IP address manually). Create a firewall rule
on the LAN interface that blocks that IP. The rule should look something

Source: <blocked IP> 
Port: *
Destination: * 
Port: *

This rule should be placed before the "Default any -> any" rule.

This rule should not restrict access to any LAN resources. It should
only block traffic from passing the out of the gateway (m0n0wall). This
will include any "desirable" traffic like updates (OS or antivirus...)

James W. McKeand