
DIY: Limiting IP addresses on routers

Jack Wallen answers a reader's question about configuring a Wi-Fi router to set up a whitelist or a blacklist.

TechRepublic member Michael has a question about Wi-Fi that should be simple, but is it? Read his question and my answer in this latest edition of Ask Jack.

Q: I would like to configure a Wi-Fi router to give access to a single IP or URL and no other access. I am assuming this is possible, but have not found a clear description of how to do this. The wireless routers I have available for this are the Belkin Play N600 Wireless Dual-Band N Router (preferred) or the Actiontec PK5000.

A: You're talking about setting up a whitelist and a blacklist. Neither the Belkin nor the Actiontec router will allow you to whitelist or blacklist sites. The closest thing to both of those that you can get is the Kid Defender software from Actiontec, but it must be installed on the clients and not the router.

Your best bet would be to flash a supported router, such as the ASUS RT-N12, with the Tomato firmware, which lets you block access to sites even from specific machines. With this, you can, for example, set up one group that can access anything and then set up a blocked group that has access only to specific sites. The Tomato firmware offers a number of other outstanding features, such as turning that router into a print server. The only problem with this method is that flashing a router takes some know-how. Fortunately, if you search online, you'll find plenty of how-tos written about this task.
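The "blocked group that reaches only specific sites" idea, sketched at the packet-filter level for a Linux-based router or gateway, as an added example (not from the article and not the rules Tomato itself generates). The chain name `restricted` and all addresses are constructed; matching is by destination IP, so a site whose addresses change needs a proxy or DNS-based filter instead.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables rules that limit a group of
# LAN clients to one destination IP. All addresses are constructed samples.
RESTRICTED_CLIENTS="192.168.1.50 192.168.1.51"  # the locked-down group
ALLOWED_DEST="203.0.113.10"                     # the single permitted server

# Strict dotted-quad check so nothing but an IPv4 address reaches a rule line.
is_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.|'') return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# gen_rules "<client ips>" "<allowed destination ip>"
# Validates everything first, so a bad value never yields a partial rule set.
gen_rules() {
    clients=$1; dest=$2
    is_ipv4 "$dest" || { echo "invalid destination: $dest" >&2; return 1; }
    for c in $clients; do
        is_ipv4 "$c" || { echo "invalid client: $c" >&2; return 1; }
    done
    # Hypothetical chain "restricted": web traffic to the one server, drop the rest.
    echo "iptables -N restricted"
    echo "iptables -A restricted -d $dest -p tcp -m multiport --dports 80,443 -j ACCEPT"
    echo "iptables -A restricted -j DROP"
    # -I puts the jump ahead of the router's existing FORWARD accept rules;
    # clients not listed here never enter the chain and stay unrestricted.
    for c in $clients; do
        echo "iptables -I FORWARD -s $c -j restricted"
    done
}

gen_rules "$RESTRICTED_CLIENTS" "$ALLOWED_DEST"
```

Only forwarded traffic is filtered, so clients that use the router itself as their DNS resolver can still look up names. The rules key on source IP, which a client can change, so pair them with fixed DHCP leases and WPA2 rather than relying on them alone.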


About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

17 comments
rkuhn040172

Simple solution for complex problem.

notkermit

I would have thought that the LAN setup on the router would allow you to specify the IP addresses allowed. I'm not an IT expert but when I bought my Belkin modem-router I not only specified the IP addresses, for extra security I also specified the MAC addresses for my computers and my grandkids' iPods.

nickyA

I have an Asus WL-520gU that I flashed with Tomato firmware, and it supports filtering of IPs. I also added mass storage support on the USB port in addition to the original printer support. Tomato firmware is quite good, but you have to check which router supports it.

jasonemmg

Are you asking how to limit wireless access to a specific PC or 2 within your network? Or are you asking how to limit the PCs on your network to have access to only a specific web site / IP address? 1) Very easy... Most wireless routers allow admin to set a specific IP address range for wireless access. 2) Many ways to accomplish this. You can install a firewall hardware/software or can use Windows Content Advisor for basic, etc...

Gisabun

Wondering if a software firewall [such as ZoneAlarm] could do the trick. Allow local addresses and that one website and block the rest. I think a commercial/enterprise AV/firewall software like Symantec Endpoint Protection can also do it, but you need a standalone version.

BALTHOR

There's a little network icon. It will show you the Wi-Fi stuff. You just might need to manually switch some off. There could be an installation disk that came with your router or you may need your ISP's Wi-Fi connection disk. I suppose that in big cities you could see many networks displayed. Finding the correct one would be difficult. Shut them off each one at a time to see which one is yours. Linksys is the one that will always work. You probably need to do this every time that you reboot. (If you were a gamer they would bend over backwards for you.)

BALTHOR

If I just wanted to lock out this popup with a firewall. Check the Internet for router settings. It could even be that in setting up your Windows network some sort of password screen name would work.

chrisbedford

I read (but don't have enough interest to verify) that MAC address spoofing is dead easy for anyone who really wants to bypass that level of security, so don't rely on it.

chrisbedford

However what I understood from this discussion was that the limitation has to come from the Wireless AP, *not* the router. When the AP is a standalone unit, and you want to use that and not the Internet connection to limit access, you have a whole different kettle of fish. Most APs are pretty dumb (little more than an old network hub with a bit of configuration HTML built in) and hence Jason's solution. I still say the preferred method of attack is to put a filter of some type (Proxy server or firewall) between the router and the rest of the network, giving much more flexibility (you can restrict any computer, not just WiFi-connected devices) and security (avoids users bypassing your Wireless restrictions by simply plugging in a cable).

chrisbedford

...that's what firewall software is for. But I think the original asker was hoping to set up something central so that he did not have to install software on each PC. To avoid having to trash your investment in an AP in order to achieve this (and go and buy Jack's recommended Tomato one) (ok not a huge amount of money I suppose) you could find an old PC (there are lots of P4 machines lying around out there - if you don't have one lying around the office you should be able to pick one up for $50 if you look hard enough), throw in a second network card, and install ClearOS (www.clearcenter.com) - firewall, proxy, file server, mail server, it has it all for probably less than the price of the new Wireless Access Point. Easy to install. Easy to configure. Set and forget.

chrisbedford

The clock is on the right on my PC, and every other computer I've worked on. But seriously - what are you talking about? Manually switch off some what? Installation disk for the router - that usually gives you a way to configure the router, i.e. set up your Internet access, not access to specific websites. Usually this will be in the form of a "wizard" or some other dumbed-down UI that covers only the basic settings - user name & password, LAN IP address, that sort of thing. Thereafter you configure the router using its own web admin screens (http://{router IP address}) from any PC on the LAN. In "big cities" or crowded suburbs you often see several APs, yes. Finding the "right one" is a matter of correctly configuring your own before trying to connect to it - if you are not the network administrator, ask him/her what your network name is. If you are the netadmin, configure your AP to have a meaningful name (SSID) for your location (without giving away too much about your company or family or address) and set a strong password before connecting it to your network. Shut off each one at a time - how, if they are your neighbours'? Linksys will always work - Dude, you are showing a serious lack of experience here. No, Linksys will not always work! No, you will not have to do this every time you boot! Once you connect to a wireless network, your computer remembers the network and password and automatically connects every time you boot. If you were a gamer... say what? Who would bend over? Why? Anyhow, this discussion is not about getting computers connected to WiFi networks, it's about what websites those computers are allowed to surf to after they are already connected. I appreciate you probably were trying to help, but answers like yours just confuse the issue. Best is to make sure you completely understand the blog post before jumping in with both feet. And please - don't take this in the wrong way, I'm trying to be nice here. 
Posts like yours are likely to attract flames in many forums.

wdewey@cityofsalem.net

It ups the level of skill a little to get on the network, but is still fairly easy. I personally don't consider either worth the hassle. Simply using a secure protocol (WPA2) and a complex password should be enough. Bill

Gisabun

Symantec Endpoint Protection Small Business Edition [5+ users] could do it as well as the clients would get their AV definitions and configurations [AV, firewall, etc.] from the parent. Of course there is the setup [and another server but another server already in use could handle the load]. And to boot [or not] you can control the AV and firewall so it's not disabled by the user. Even if you used them as stand-alone, SEP allows importing of firewall rules that you exported from another.

rmerchberger

you could scan ePay and find a used Juniper 5GT firewall or a sonicwall device that is much smaller, takes a *lot* less power and is much easier to set up. I've not tinkered much with the sonicwalls, but I have a *lot* of experience with the Juniper products and they are enterprise-quality devices - rugged, durable, extremely capable and easy to configure. I would _guess_ (but I have not looked) that the device Jack quoted is probably around the $50 mark as well, but the extra hassle of installing a new firmware (if the original poster is a novice) might be daunting for him/her.

lehnerus2000

I've just started studying a networking module that seems to be related to this. It seems to me that you could route the traffic through TMG (or pfSense). You could create rules that fit the parameters described (i.e. IP address restrictions, PC restrictions, URL redirections, etc.).

CharlieSpencer

That's nothing new. He shows a serious lack of experience and knowledge every time he posts. At least this time he's on topic, if ill-informed.
