Question Blocking WAN access based on mac-address on ASUS LYRA?

Nov 19, 2022
Greetings! I own a set of Sonos speakers that has no option to be configured with static IP-addresses, hooked up to my home network with an Asus Lyra.
I want to restrict these speakers from accessing WAN. Does any pro here know if it is possible to restrict WAN access based on MAC addresses rather than an IP-range on the Asus Lyra? I cannot seem to find the option anywhere in the setup. Any help, or alternative approach to solve the problem appreciated.
 
Like many things lately, I cannot find a real manual for that device, just some silly quick setup. I guess nobody reads manuals so they don't write them?

Asus in general runs the same software on all their routers. I guess it also depends on what feature you are using; most routers do not have actual firewall functions but most have parental controls. The parental controls only use MAC addresses and not IP, so maybe you were looking at something else.

So I will assume by static IP you mean you went in and used some kind of setup procedure on the Sonos speaker itself and set the IP. The lazy way to prevent internet access is to just not tell the device how to get to the internet. You would want to leave the gateway IP blank or, if it requires an IP, put in some IP that is not the router IP. It will then function fine, but to get outside the local LAN it will attempt to use the gateway IP, which does not actually exist.

If you have a very fast internet connection, say over 300 Mbps, I would not use any form of software filtering on the router. Modern routers use special hardware-based accelerators to do the NAT function. This means all the traffic is bypassing the CPU chip; when you need to filter traffic the CPU must actually see the data, so this feature is disabled, which then means the CPU chip must also do the NAT function. Since the CPU is small it will cap out even fairly powerful routers well under the 1 Gbit that the hardware NAT can do.
 

Ralston18

Titan
Moderator
Agree with the above post.

I found the following December 2019 Sonos User Guide:

https://files.bbystatic.com/3mM2drCEmdUcCNZkpdhm4w==/0d1fd6f7-56c6-4dac-9cde-45bc0c7649f6.pdf

From the Guide, Page 5:

"Getting started Here’s what you’ll need: • WiFi—have your network name and password ready. • Mobile device—connected to the same WiFi. You’ll use this for setup. • The Sonos app—you’ll use it to set up and control your Sonos system (install it on the mobile device you’re using for setup). • A Sonos account—If you don’t have an account, you’ll create one during setup. Learn more about Sonos accounts. Note: Get more information about the latest Sonos system requirements "

And, Page 123:

"Have a new router or network password? If you have a wireless setup (no Sonos product connected to your router): After you install a new router or change your network password, update your Sonos system with the new network information. Just open the Sonos app and we’ll walk you through it. If you have a wired setup (there’s a Sonos product connected to your router): You don’t have to do anything when you install a new router (as long as you connect a Sonos product to it) or when you change your password. Your Sonos products will continue to work as before. "

One of those products where the manufacturer appears to want to be the "one ring to rule them all". Generally by requiring users to create an online account with the manufacturer that in turn allows end user access back to the speaker (or other devices as applicable) for configuration purposes. [I avoid such products.]

You may be able to directly access the speaker via a browser.

Reference:

https://bsteiner.info/articles/hidden-sonos-interface

I have no way to test the access but you may wish to give it a careful try.

After some googling about and reading, it appears that Sonos speakers cannot be assigned a Static IP address.

What you must do is to allow the router to assign a DHCP IP address to the speaker and then, if necessary, reserve that DHCP IP address for the speaker via the speaker's MAC.

FYI:

https://support.ask4.com/help-support/my-devices/connecting-a-sonos-speaker-to-ask4/

Once the DHCP IP address is "fixed" then that IP address may allow end user access to the speaker's configuration settings.

Or otherwise restrict that IP address in some manner.
 
Nov 19, 2022

Thanks for that link! I'm concerned about this company's wide collection of data. I'm going to run some testing with iptables and see if I can get the system working with only downstream access to WAN.

Asus in general runs the same software on all their routers. I guess it also depends on what feature you are using; most routers do not have actual firewall functions but most have parental controls. The parental controls only use MAC addresses and not IP, so maybe you were looking at something else.
If you have a very fast internet connection, say over 300 Mbps, I would not use any form of software filtering on the router. Modern routers use special hardware-based accelerators to do the NAT function. This means all the traffic is bypassing the CPU chip; when you need to filter traffic the CPU must actually see the data, so this feature is disabled, which then means the CPU chip must also do the NAT function. Since the CPU is small it will cap out even fairly powerful routers well under the 1 Gbit that the hardware NAT can do.

You got it quite right that I was looking at the wrong place. Through arp -a I was able to locate all devices' MAC addresses, but it seems the parental controls only have generic restrictions - I want to deny all access to WAN from these speakers, blocking all ports for outbound traffic.

I'll set up a box between the router and WAN and try blocking the outbound data. Thanks for the quick response, I appreciate that.
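
The per-MAC outbound block asked about in this thread, written for iptables as an added example that is not part of any post here: the script validates each address and prints the rules rather than applying them. The WAN interface name `eth0` and both MAC addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: emit iptables rules that drop forwarded traffic from the
# given source MACs toward the WAN interface. Rules are printed, not applied.

# Constructed sample values (assumptions, not taken from the thread).
WAN_IF="eth0"
SPEAKER_MACS="aa:bb:cc:00:00:01 AA-BB-CC-00-00-02"

# normalize_mac MAC: accept aa:bb:.. or AA-BB-.. and print the lower-case
# colon form; return 1 if the value is not a 48-bit MAC address.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F-' 'a-f:')
    printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$mac"
}

# block_rules WAN_IF MAC...: print one rule per valid MAC. Invalid entries
# are reported on stderr and make the function return 1.
block_rules() {
    wan=$1; shift
    rc=0
    for raw in "$@"; do
        if mac=$(normalize_mac "$raw"); then
            # The mac match is valid in FORWARD; -o limits the drop to packets
            # leaving via the WAN interface, so LAN traffic is untouched.
            printf 'iptables -I FORWARD -o %s -m mac --mac-source %s -j DROP\n' \
                "$wan" "$mac"
        else
            printf 'skipping invalid MAC: %s\n' "$raw" >&2
            rc=1
        fi
    done
    return $rc
}

# Review the output before running it as root on the routing device.
block_rules "$WAN_IF" $SPEAKER_MACS
```

The `mac` match sees only the source address of the Ethernet frame as it arrives, so these rules work on the device that is the speakers' first routing hop. A box placed between the router and the WAN sees the router's MAC on every packet and cannot tell the speakers apart this way.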
 
