Solved Block mac address within LAN for NAS

Currently reading
Solved Block mac address within LAN for NAS

100
11
NAS
DS412+
DSM's firewall setting can block LAN IP address for access to NAS, but DHCP can always assign that PC a new IP, so ...
could anyone tell me if possible or how to block a PC with its mac address ( this can be obtained from router interface)

thanks!
 
I believe it’s not possible with DSM’s firewall. This is usually done at the switch.

However, you can do it with IP addresses if the situation permits, by assigning the clients that you want to allow access a static or a fixed IP address (allow them in DSM’s firewall) and block everything else.

Of course this doesn’t fully prevent a user from changing the blocked client’s IP address manually if they’re determined.
 
thanks you 2 for stepping by.

Case is explained in OP. I am afraid this can only be manipulated by SSH access into iptable .

/regards
The sort of thing I was wondering...
  • Is this a home or business environment?
  • Are you looking for a one-person hack to implement and maintain the 'fix', or a process that can be followed by an operations team?
  • Why is the device the problem and not the user of the device? What's the security posture being combatted?
  • Is the device to be blocked running as a client device (users) or a server (headless/ Insecure of Things type)?
  • Is all access to the NAS to be blocked? Or just some services?
  • Is the NAS accessible from the Internet? Wouldn't the device just get loopback access to the NAS via the router?
  • Why is this device on the LAN/WLAN if it's not trusted?

MAC addressed can be spoofed too.
 
OK. I don't permit guest access to NAS shares and UPNP for Media Server is set to only allow a few devices (MAC list allow/block list).

Sorry about the questions, wasn't obvious how a device needed blocking when there's user account access for the NAS services.

If you're using a WiFi router that can block LAN access to guest WiFi devices then that would be what you might be looking for. The SRM routers do this.
 
If your router doesn't have an isolated guest network, just get another cheap wireless router, connect its WAN port to a LAN port of your existing router, and put him on the new wireless router. Then he can get all the internet he wants, but Router #1's network should be isolated from him.
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

  • Question
PF will help you for sure much more then syno fw
Replies
4
Views
2,934
That's one way I suppose. For now, I just have a literally empty index.html file. As in NOTHING in it.
Replies
4
Views
2,506
Closed ports + CG-NAT = Come at me, bros. :D
Replies
8
Views
8,280
Oh I figured it out. The PCs had both ethernet and wireless adapaters. So two lan adapters each. Thanks...
Replies
3
Views
1,214
  • Solved
Thank you. It's interesting, I've not seen this before. It's always had just the 192.x address in the...
Replies
5
Views
3,101

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Back
Top