Surf SOHO Firewall Question - Block WAN for Specific SSID

Is there a way to create a rule that will prevent any device connected to a specific SSID from inbound/outbound WAN traffic?

I have certain IoT devices for which I have configured rules to (1) assign an IP address to the device’s MAC address, and (2) block all inbound/outbound WAN traffic for that device. I use this, for example, for inside cameras (like a baby cam) to restrict it to local-only access and prevent it from sending any data outside the local network.

However, I have an IoT device that appears to rotate MAC addresses, so I can’t necessarily assign an IP address or create a rule based on the MAC address or IP address. Could I configure the device to connect to a separate SSID (e.g., NO-WAN-FOR-YOU) and then create a rule that any device connected to that SSID cannot send/receive WAN traffic?

Yes. Create an enforced rule with a source of the subnet for that new SSID and point it at an unconfigured WAN.


Or create a new SSID and create an outbound firewall rule that denies that subnet - which is tidier.


Thanks for the quick reply.

I know I can create an outbound firewall rule in the main Firewall location (Advanced → Firewall Access Rules) that can block traffic based on (1) Any Address, (2) Single Address, (3) Network, (4) MAC Address, (5) Grouped Network. Ordinarily, I would create a separate VLAN and map the SSID to that VLAN and then create a firewall rule to block WAN traffic for the IP range of that VLAN. Unfortunately, due to the need to use some apps/software that are pretty dumb and can’t seem to find devices on a different IP subnet, putting the devices in question in a separate VLAN won’t work.

I cross-posted in the other thread (Surf SOHO Firewall Mode in SSID Settings - #15 by sitloongs) because I don’t understand exactly how the Firewall Settings on the SSID screen work and whether that might be a solution (by selecting “Lockdown - Block all except…” and then creating an exception rule specifying the IP address and mask corresponding to my LAN IP range). (Sorry if cross-posting is discouraged.)

This is what I’m looking at:

Alternatively, if I turned on the “Access Control Settings” and selected “Deny all except listed”, would that prevent a device that randomly rotated its MAC address from connecting if it changed its MAC address (or, if it changed its MAC address after connecting, would the connection be maintained somehow)? Do the event logs show if a device tries to connect but is denied based on the Access Control Settings, so that I could see the MAC address that was used? … That wouldn’t be an ideal solution, but at least it would let me assign a static IP address to the device and then create inbound/outbound firewall rules for that IP address without worrying that the device would connect and be assigned a different IP address.
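To compare the three approaches discussed in this thread (a per-device rule keyed on the MAC address, an outbound deny rule keyed on the SSID's subnet, and an SSID-level "Lockdown - Block all except…" with an exception for the LAN range) on the same sample traffic, here is a small model of first-match firewall evaluation. This is an added example, not Peplink code and not the Surf SOHO's actual rule engine: it assumes first-match-wins ordering, that outbound firewall rules only see WAN-bound traffic (local traffic is untouched), and that the SSID lockdown applies to all traffic from that SSID. The subnets, MAC addresses, and external address are constructed for illustration.

```python
"""Model of first-match firewall rule evaluation, constructed for this thread.

Not Peplink code. Rule semantics, subnets and MAC addresses are assumptions
chosen to illustrate why a MAC-keyed rule fails when the device rotates its
MAC, while a subnet-keyed rule or an SSID lockdown with a LAN exception holds.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")    # assumed main LAN range
IOT = ip_network("192.168.50.0/24")   # assumed subnet mapped to the NO-WAN-FOR-YOU SSID
LOCAL_NETS = [LAN, IOT]
INTERNET = "93.184.216.34"            # constructed external destination


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_mac: str


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src_net: str = "any"    # CIDR, or "any"
    dst_net: str = "any"    # CIDR, or "any"
    src_mac: str = "any"    # exact MAC, or "any"

    def matches(self, pkt: Packet) -> bool:
        if self.src_net != "any" and ip_address(pkt.src_ip) not in ip_network(self.src_net):
            return False
        if self.dst_net != "any" and ip_address(pkt.dst_ip) not in ip_network(self.dst_net):
            return False
        if self.src_mac != "any" and pkt.src_mac.lower() != self.src_mac.lower():
            return False
        return True


def evaluate(rules, pkt: Packet, default: str = "allow") -> str:
    """First matching rule wins; fall through to the default action."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def wan_bound(pkt: Packet) -> bool:
    """Assumption: anything not destined for a local network leaves via the WAN."""
    return not any(ip_address(pkt.dst_ip) in net for net in LOCAL_NETS)


def outbound_decision(rules, pkt: Packet) -> str:
    """Assumption: outbound rules only apply to WAN-bound traffic."""
    if not wan_bound(pkt):
        return "allow"
    return evaluate(rules, pkt)


# Approach 1 (original setup): per-device rule keyed on the camera's MAC address.
MAC_RULES = [Rule("deny", src_mac="aa:bb:cc:dd:ee:01")]

# Approach 2 (second reply): deny the whole SSID subnet outbound, regardless of MAC.
SUBNET_RULES = [Rule("deny", src_net=str(IOT))]

# Approach 3 (SSID firewall): "Lockdown - Block all except" with the LAN range as the exception.
LOCKDOWN_RULES = [Rule("allow", dst_net=str(LAN)), Rule("deny")]


def demo() -> dict:
    cam_known = Packet("192.168.50.23", INTERNET, "aa:bb:cc:dd:ee:01")    # MAC on file
    cam_rotated = Packet("192.168.50.41", INTERNET, "aa:bb:cc:dd:ee:02")  # after MAC rotation, new DHCP lease
    cam_local = Packet("192.168.50.41", "192.168.1.10", "aa:bb:cc:dd:ee:02")
    same_subnet_wan = Packet("192.168.1.77", INTERNET, "aa:bb:cc:dd:ee:02")       # device kept on main LAN
    same_subnet_lan = Packet("192.168.1.77", "192.168.1.10", "aa:bb:cc:dd:ee:02")
    return {
        "mac_rule_known_mac": outbound_decision(MAC_RULES, cam_known),        # deny
        "mac_rule_rotated_mac": outbound_decision(MAC_RULES, cam_rotated),    # allow: rule no longer matches
        "subnet_rule_rotated_mac": outbound_decision(SUBNET_RULES, cam_rotated),  # deny
        "subnet_rule_local": outbound_decision(SUBNET_RULES, cam_local),      # allow: not WAN-bound
        "lockdown_wan": evaluate(LOCKDOWN_RULES, same_subnet_wan),            # deny
        "lockdown_lan": evaluate(LOCKDOWN_RULES, same_subnet_lan),            # allow: LAN exception
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28s} {decision}")
```

The lockdown case keeps the device on the main LAN subnet, which is the constraint raised above (discovery-only apps that cannot see across subnets); whether the real SSID firewall evaluates traffic this way is something to confirm on the device, since the model only encodes the assumed semantics stated in the lead-in.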