How to set up the LAN side Filter Set to block access between subnets on the Local Area Network.
PLEASE NOTE: A LAN Filter Set option was introduced in firmware version 4.7, and was relocated in firmware version 4.7.2. (This change was made to prevent easily activating the Basic Firewall on the LAN by accident). The primary function of the LAN filter set is to control traffic between local subnets.
Below is a list of hardware and firmware loads that this Technical Note is based upon:
| Hardware | Firmware/Version | Installed Options |
| Any Netopia Router | 4.11 or later 5.3.4 or later |
N/A |
To update your router firmware, go to our firmware update page.
It is crucial to remember that the LAN filter set behaves just the opposite of the WAN filter set in that the Input Filter affects traffic from the LAN to the router's ethernet interface, and the output filter is filtering from the router's ethernet interface back to the LAN.
For the purposes of this document, we have created two subnets on the ethernet LAN interface. Both subnets are using private addressing behind NAT with a single public IP on the WAN interface.
| Subnet #1 | Subnet #2 |
| 10.10.10.1/24 | 192.168.1.1/24 |
To configure the LAN filter set, go to:
| Quick Menus... |
| --->Filter Sets... |
| --->Add Filter Set... |
| --->name it LAN Filter... |
...and enter on ADD FILTER SET.
Now go to Display/Change Filter Set... and enter the LAN filter you've created. From here you can make the necessary additions to create the filter set rules. Enter Add Input Filter to Filter Set...
Hit the "Enter" or "Return" key after each entry to save the change.
- Leave Enabled set to Yes
- Leave Forward set to No
- Enter Source IP Address: as 10.10.10.0
- Enter Source IP Mask: as 255.255.255.0
- Enter Dest. IP Address: as 192.168.1.0
- Enter Dest. IP Mask: as 255.255.255.0
- Protocol Type: (type in) ANY
- (Enter) on ADD THIS FILTER NOW
Again, enter Add Input Filter to Filter Set...
- Leave Enabled set to Yes
- Leave Forward set to No
- Enter Source IP Address: as 192.168.1.0
- Enter Source IP Mask: as 255.255.255.0
- Enter Dest. IP Address: as 10.10.10.0
- Enter Dest. IP Mask: as 255.255.255.0
- Protocol Type: (type in) ANY
- (Enter) on ADD THIS FILTER NOW
Again, enter Add Input Filter to Filter Set...
- Leave Enabled set to Yes
- (Tab) Forward to Yes
- Leave Source IP Address: set as 0.0.0.0
- Leave Source IP Mask: set as 0.0.0.0
- Leave Dest. IP Address: set as 0.0.0.0
- Leave Dest. IP Mask: set as 0.0.0.0
- Protocol Type: (type in) ANY
- (Enter) ADD THIS FILTER NOW
This completes the configuration of the Input Filter of your LAN Filter Set. If you now enter Display/Change Input Filter... you should see the following screen:
Next, hit the (ESC) key once and then scroll down to Add Output Filter to Filter Set...
- Leave Enabled set to Yes
- (Tab) Forward to Yes
- Leave Source IP Address: set as 0.0.0.0
- Leave Source IP Mask: set as 0.0.0.0
- Leave Dest. IP Address: set as 0.0.0.0
- Leave Dest. IP Mask: set as 0.0.0.0
- Protocol Type: (type in) ANY
- (Enter) ADD THIS FILTER NOW
This will be the only rule necessary for the Output Filter in this example.
Following this example, both subnets we've configured can get out to the internet, but they are unable to access the resources on the other subnet.
To activate the LAN filter set, go to:
| System Configuration... |
| --->Security... |
| --->Advanced Security Options... |
| --->LAN (EN Hub) IP Filter Set... |
...and select the filter set you wish to use.
Caution: Do NOT activate the default Basic Firewall on the LAN interface. This will block telnet access into the router from a local workstation and would require a serial console connection or a factory reset to get back into the configuration menus.