EFW Support

Support => General Support => Topic started by: UTM_Novice on Thursday 02 April 2020, 01:32:57 pm

Title: Restricting access for one WiFi client to Internet only.
Post by: UTM_Novice on Thursday 02 April 2020, 01:32:57 pm
I'm a bit lost with something I'm trying to do here...

For background, I have EFW 3.3.0, running on a multi-homed HP RP5700 Desktop, with the ubiquitous Green, Red, and Blue zones.

The Blue zone connects to a DLink DIR-890L router, which has three separate networks, routed back through its 172.16.x.x/16 address to the EFW Box/Internet and Local LAN. My WiFi clients connect to the router using WPA2/PSK, with a complex password arrangement. I've "punched" some inter-zone holes from Blue to Green, to allow file/print access for WiFi-connected devices.

In essence, then, there is a blanket exemption from the 172.16.x.x/16 address on the router's ethernet link, through the EFW appliance to a number of fixed (192.168.1.x/24) addresses on the LAN. Naturally, only devices we've authenticated are able to get on to the WiFi network, and thus access internal resources.

Recently, my wife was given a (very nice) work laptop to use for work, and we'd prefer that this device is allowed to access the Internet only (i.e. not able to take advantage of the Blue to Green exemptions granted to our own devices).

Is this doable?

In an ideal world, I'd simply go into the exemption rule (Inter-zone traffic), and add exemptions based on individual MAC addresses. However, even if I did that (for example, "excluding" one of the WiFi SSIDs from the rule), it would not work, as they are all seen as the 172.16.x.x/16 address on the ethernet LAN (from the Firewall's perspective).

I'm probably missing something basic, but would appreciate any help people can offer...
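The following is an added illustration of the point made in the post, not code from the original post or from Endian Firewall: it models the Blue-to-Green exemption as a rule keyed on source network and an optional per-MAC exclusion, then shows why that exclusion can never match once the WiFi clients sit behind the DIR-890L acting as a NAT router. All addresses, MACs and the single Green file server are constructed sample values (assumptions, not taken from the post); the only behaviour assumed of the router is that it masquerades its client networks behind its own 172.16.x.x address, which is what the post describes.

```python
# Added example (not EFW code): why a per-MAC exclusion on the Blue->Green
# exemption cannot single out one WiFi client when the clients are NATed.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_mac: str          # MAC of the last L2 hop, as seen on the receiving interface
    src_ip: IPv4Address
    dst_ip: IPv4Address


@dataclass(frozen=True)
class ExemptionRule:
    """Blue->Green exemption: allow src_net to the listed Green hosts,
    unless the frame's source MAC is explicitly excluded."""
    src_net: IPv4Network
    dst_hosts: frozenset
    excluded_macs: frozenset = frozenset()

    def allows(self, pkt: Packet) -> bool:
        if pkt.src_mac.lower() in self.excluded_macs:
            return False
        return pkt.src_ip in self.src_net and pkt.dst_ip in self.dst_hosts


def masquerade(pkt: Packet, router_ip: IPv4Address, router_mac: str) -> Packet:
    """Assumed DIR-890L behaviour: the client's source IP is rewritten to the
    router's own 172.16.x.x address and the frame that arrives on EFW's Blue
    interface carries the router's ethernet MAC, not the WiFi client's."""
    return Packet(src_mac=router_mac, src_ip=router_ip, dst_ip=pkt.dst_ip)


# Constructed sample values (assumptions, not from the post).
GREEN_FILE_SERVER = ip_address("192.168.1.10")
ROUTER_WAN_IP = ip_address("172.16.0.2")
ROUTER_WAN_MAC = "02:00:00:00:ff:01"
WORK_LAPTOP_MAC = "02:00:00:00:00:03"

# Client addresses as they would look if the router bridged them straight onto Blue.
CLIENTS = {
    "phone":       Packet("02:00:00:00:00:01", ip_address("172.16.1.11"), GREEN_FILE_SERVER),
    "tablet":      Packet("02:00:00:00:00:02", ip_address("172.16.1.12"), GREEN_FILE_SERVER),
    "work-laptop": Packet(WORK_LAPTOP_MAC,     ip_address("172.16.1.13"), GREEN_FILE_SERVER),
}

# The exemption from the post, plus the per-MAC exclusion the poster would like to add.
RULE = ExemptionRule(
    src_net=ip_network("172.16.0.0/16"),
    dst_hosts=frozenset({GREEN_FILE_SERVER}),
    excluded_macs=frozenset({WORK_LAPTOP_MAC}),
)


def decisions(rule: ExemptionRule, clients: dict, behind_nat: bool) -> dict:
    """Per-client verdict at EFW. behind_nat=True is the topology in the post;
    behind_nat=False is the counterfactual where EFW sees the clients directly."""
    verdicts = {}
    for name, pkt in clients.items():
        seen = masquerade(pkt, ROUTER_WAN_IP, ROUTER_WAN_MAC) if behind_nat else pkt
        verdicts[name] = rule.allows(seen)
    return verdicts


def sources_seen_by_efw(clients: dict) -> set:
    """Distinct (MAC, IP) source pairs EFW can observe once the router NATs."""
    return {
        (p.src_mac, p.src_ip)
        for p in (masquerade(c, ROUTER_WAN_IP, ROUTER_WAN_MAC) for c in clients.values())
    }


if __name__ == "__main__":
    print("bridged (counterfactual):", decisions(RULE, CLIENTS, behind_nat=False))
    print("NATed (actual):          ", decisions(RULE, CLIENTS, behind_nat=True))
    print("sources EFW can see:     ", sources_seen_by_efw(CLIENTS))
```

Run as shown: in the bridged counterfactual the exclusion works and only the work laptop is refused; in the NATed topology every client arrives with the router's MAC and IP, so the exclusion never matches and all three are allowed. Excluding the router's own MAC instead would block every WiFi client at once. Any per-device policy therefore has to be enforced where the clients are still distinguishable, on the router or on a segment EFW can see them on.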