
In our company we have several access points. For some of them, in the production area, it should be disallowed to use them to access the internet.

The router we have has (at least) two interfaces: one for local traffic (intif) and one for internet access (extif).

Is there a way to handle this just with iptables rules?

I already tried to block forwarding for the AP's MAC address, but that obviously only prohibits the AP itself from accessing the internet.

code-chicken
  • If the production area has its own subnet, it should be possible to implement with minimum effort. Is this the case? – BANJOSA Jan 24 '20 at 10:02
  • @BANJOSA Unfortunately, at the moment the whole company is in the same subnet, and for the moment it wouldn't be easy to change that. – code-chicken Jan 24 '20 at 10:41
  • If there is no distinguishing factor between a user that is connected to production and a user that is not, this will be difficult to achieve. From my point of view you need to implement something that can distinguish what is production and what is not. A different subnet would be the easiest. With the addition that having prod and non-prod networks mixed up is a big no for security reasons. – BANJOSA Jan 24 '20 at 10:48

1 Answer


If you don't have a DHCP server and you use the router and APs to serve DHCP, you can give different ranges of IPs to the APs you don't want to allow internet access from, and then block traffic from those IPs with iptables. So you don't have to create a new subnet, and they will be able to communicate between themselves too.

itasahobby
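The answer above describes the approach in prose; the script below is an added example of the iptables side of it, not code from the original post or from either participant. It assumes (none of this is stated in the thread) a LAN of 192.168.1.0/24, that the production APs hand out DHCP leases from 192.168.1.200 to 192.168.1.219, and that the router's interfaces are named intif and extif as in the question. The rules go into a dedicated chain hooked at the top of FORWARD, so they take effect before any existing "allow LAN to internet" rule. Filtering happens in FORWARD, before NAT rewrites the source address in POSTROUTING, so the match is on the original LAN address. Traffic between hosts on the same subnet never crosses the router, so production clients keep talking to the rest of the LAN, as the answer says.

```shell
#!/bin/sh
# Added example (not from the original post): block internet forwarding for
# the DHCP range served by the production APs, per the answer above.
# Assumed values, override via environment: LAN interface, internet interface,
# and the production lease range. Set IPTABLES=echo to print instead of apply.
INTIF="${INTIF:-intif}"
EXTIF="${EXTIF:-extif}"
PROD_RANGE="${PROD_RANGE:-192.168.1.200-192.168.1.219}"
IPTABLES="${IPTABLES:-iptables}"

# Emit the rule set (one iptables argument list per line) without applying it,
# so it can be reviewed or diffed before touching the running firewall.
prod_block_rules() {
    # A dedicated chain keeps the policy auditable: iptables -L PROD_NOINET -n -v
    echo "-N PROD_NOINET"
    # Insert at position 1 of FORWARD so this runs before any broad ACCEPT
    # for LAN -> internet traffic that may already exist.
    echo "-I FORWARD -i $INTIF -o $EXTIF -j PROD_NOINET"
    # Rate-limited log line so blocked attempts are visible in syslog.
    echo "-A PROD_NOINET -m iprange --src-range $PROD_RANGE -m limit --limit 5/min -j LOG --log-prefix \"PROD-NOINET: \""
    # Reject (not drop) so clients fail fast instead of waiting on timeouts.
    echo "-A PROD_NOINET -m iprange --src-range $PROD_RANGE -j REJECT --reject-with icmp-admin-prohibited"
    # Everything outside the production range falls through to the rest of FORWARD.
    echo "-A PROD_NOINET -j RETURN"
}

# Apply every emitted rule with the chosen iptables binary.
apply_rules() {
    prod_block_rules | while IFS= read -r rule; do
        eval "$IPTABLES $rule"
    done
}

# Usage: sh prod-noinet.sh apply        (run as root on the router)
#        IPTABLES=echo sh prod-noinet.sh apply   (dry run)
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Note what this does and does not enforce: the match is on source address only, so anyone who configures a static address outside the production range on a production AP bypasses it. That is the limitation BANJOSA's comments point at; a separate subnet or VLAN per area would let the rule key on the interface or network instead of a lease range. The `-N` line is not idempotent; if the script is rerun, flush and delete the chain first or run it once at boot.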