separating/shielding a local IP-range

The wife and daughter are literally going insane with the amount of smart lightbulbs and smart plugs from a brand named meross. It’s actually not that bad of a smart-brand, with lots of timely firmware updates and fairly recent protocols (tokens, keys, 2nd factor auth etc).
They can be operated via some meross cloud, and the devices access internet through our 2.4GHz WiFi AP, which is all fine, except I don’t want these devices to be able to access anything other than our local DNS/NTP server (192.168.1.9) and the internet.

I have given all these devices a static IP through our MikroTik DHCP server (also the gateway) in a certain consecutive manner. They’re all included within 192.168.1.180 to 192.168.1.200.
I could also allow or block using MAC-addresses, since they all start with 48:E1:E9 for these devices.

What is the easiest and least processor-intensive way to block access to the rest of the LAN, except of course the internet and DNS?
I can add a firewall rule for outgoing traffic from them on the gateway, I have several in there already.
I assume I can use their LAN IP-range as source range, something like Src.Address: 192.168.1.180-192.168.1.200 or I’m not sure what the syntax for that would need to be.
But as I understand it, the meross app the ladies use accesses the devices from the LAN as well, because they also work if the internet is down, so they probably need inward access from clients to be allowed then too. That’s making it harder, no?

Any advice here is welcomed.
I did already search the forums, but it’s all immediately trying to introduce a VLAN or physical extra network, which I’m not going to do in this case.

Blocking on layer 2 / ethernet networks doesn’t have the range of options available at layer 3 / IP; there is no stateful firewalling, which is needed if you wish to allow communications to be initiated in one direction (app → device) but not the other (device → tablet/phone running app).

Turning on client isolation on WiFi APs will block all traffic between wireless clients, so if the tablet/phone running the app and the device are associated with the same AP they cannot communicate with each other. When client isolation is off, any firewall rules on the router will do nothing, as the traffic does not go through the router. Port isolation, bridge horizon and bridge filters provide similar all-or-nothing isolation for wired connections.

VLANs allow you to form logical groups of devices and set up firewall rules for what is and isn’t allowed between the groups; however, many domestic / SOHO systems expect to be on a single layer 2 network, as they use broadcast or multicast for discovery and setup from an app to the devices.

Just found out that we can limit functionality through their AWS cloud, so I can shield it within the LAN either way: I can block ALL access from those IPs to anything LAN-based, except DNS, which is still handy anyway, since that way I can see what these devices ask for every now and then.
So, how do I best firewall rule this in a MikroTik firewall?
192.168.1.180-192.168.1.199 should be allowed access to internet and 192.168.1.9, but rejected from anything else on that subnet.
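A RouterOS configuration that implements the requirement in the last post, added here as an example; it is not taken from the thread or from MikroTik documentation. It assumes the range 192.168.1.180-199, the DNS/NTP host 192.168.1.9 on a wired bridge port, the legacy "wireless" package, and that the usual "accept established,related" rule already sits at the top of chain=forward.

```routeros
# Added example, not from the thread. Assumed: IoT devices in 192.168.1.180-199,
# DNS/NTP host 192.168.1.9 on a wired bridge port, MikroTik is the gateway, and
# the default "accept established,related" rule is already first in chain=forward.

# Same-subnet traffic is bridged, not routed, so /ip firewall never sees it
# unless bridged frames are explicitly passed through the IP firewall.
/interface bridge settings
set use-ip-firewall=yes

# Frames between clients of the same wireless interface are forwarded inside the
# wireless driver and bypass the bridge (and therefore the firewall) entirely.
# Disable that so the bulbs cannot reach phones on the same AP directly.
# (Legacy "wireless" package; the newer "wifi" package uses client-isolation
# in /interface wifi datapath instead.)
/interface wireless
set [find] default-forwarding=no

# Address lists keep the rules readable and cheap to match.
/ip firewall address-list
add list=iot address=192.168.1.180-192.168.1.199 comment="meross bulbs/plugs"
add list=iot-allowed address=192.168.1.9 comment="local DNS/NTP"

# Order matters: place these after the established/related accept and before
# any generic "accept from LAN" rule in chain=forward.
/ip firewall filter
add chain=forward src-address-list=iot dst-address-list=iot-allowed \
    protocol=udp dst-port=53,123 action=accept comment="IoT -> DNS/NTP"
add chain=forward src-address-list=iot dst-address-list=iot-allowed \
    protocol=tcp dst-port=53 action=accept comment="IoT -> DNS over TCP"
# drop is the cheapest action; use action=reject if the devices should get an
# immediate ICMP error instead of a timeout. log=yes shows what they try.
add chain=forward src-address-list=iot dst-address=192.168.1.0/24 \
    action=drop log=yes log-prefix="iot-lan-blocked" comment="IoT -> rest of LAN"
# Anything not matched above (non-LAN destinations) falls through to the
# existing LAN-to-WAN accept, so cloud/internet access keeps working.
```

Check it with `/ip firewall filter print stats` and `/log print where message~"iot-lan-blocked"`: the drop counter should rise when a bulb is pinged from a phone, while DNS lookups to 192.168.1.9 and cloud traffic continue to work.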