
Block devices from Internet but allow local LAN

tl;dr - The current 'Block device' feature blocks the device from joining the local network entirely. It would be very useful to have an additional type of blocking mode that allows full local LAN access, but prevents outbound Internet connections.

Use-case: The main one (for me) is mainly for the millions of IoT devices that people have in their homes. The grand majority of these are not designed with security in mind (default root passwords, lots of unnecessary calls to cloud services for various data reporting, inability to even change these settings, etc.). Lots of the botnets these days are actually composed of these types of devices. Being able to use them in home via bluetooth and wifi (say, a light switch controller, a vacuum, a kitchen appliance) but blocking them from outbound internet connections would be very useful.

Description of feature:  It’s all about being able to allow a device to talk to the local network (for example 192.168.1.0/24) but then be blocked in any outbound, non-local-subnet connections (i.e. those that will hit the default route (192.168.1.1 in this example) and then be NAT’d by the eero to the public address). The current feature acts more like blocking a switch port… if you block a device, it can literally talk to nothing (including 192.168.1.0/24 in this example).
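
The allow/drop decision requested above, sketched as an added example (not part of the original post and not eero code). It goes slightly beyond the post by also treating broadcast, link-local and multicast destinations as local, since LAN discovery depends on them, and by covering IPv6; the device MACs and flow records are constructed, and `LAN_ONLY` is a hypothetical setting.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")      # subnet from the post's example
LOCAL_V4 = [
    LAN,                                          # peers, gateway, subnet broadcast
    ipaddress.ip_network("255.255.255.255/32"),   # limited broadcast (DHCP discovery)
    ipaddress.ip_network("169.254.0.0/16"),       # IPv4 link-local
    ipaddress.ip_network("224.0.0.0/24"),         # link-local multicast (mDNS)
    ipaddress.ip_network("239.0.0.0/8"),          # admin-scoped multicast (SSDP)
]
LOCAL_V6 = [
    ipaddress.ip_network("fe80::/10"),            # link-local unicast
    ipaddress.ip_network("ff02::/16"),            # link-local multicast
]
# Hypothetical setting: MACs the owner has placed in "LAN only" mode.
LAN_ONLY = {"02:00:00:00:00:10"}

def is_local(dst):
    """True if traffic to dst stays on the local segment and is never NAT'd."""
    ip = ipaddress.ip_address(dst)
    nets = LOCAL_V4 if ip.version == 4 else LOCAL_V6
    return any(ip in net for net in nets)

def verdict(src_mac, dst):
    """Drop only when a LAN-only device addresses a non-local destination."""
    if src_mac.lower() in LAN_ONLY and not is_local(dst):
        return "drop"
    return "allow"

# Constructed flow records: (source MAC, destination IP, destination port).
FLOWS = [
    ("02:00:00:00:00:10", "192.168.1.50", 7000),     # LAN peer
    ("02:00:00:00:00:10", "192.168.1.1", 53),        # DNS at the gateway
    ("02:00:00:00:00:10", "224.0.0.251", 5353),      # mDNS discovery
    ("02:00:00:00:00:10", "255.255.255.255", 67),    # DHCP broadcast
    ("02:00:00:00:00:10", "203.0.113.7", 443),       # cloud endpoint (TEST-NET-3)
    ("02:00:00:00:00:10", "2001:db8::1", 443),       # same, over IPv6
    ("02:00:00:00:00:20", "203.0.113.7", 443),       # unrestricted device
]

def dropped(flows=FLOWS):
    """Flows the LAN-only policy would block."""
    return [f for f in flows if verdict(f[0], f[1]) == "drop"]

if __name__ == "__main__":
    for mac, dst, port in FLOWS:
        print(f"{verdict(mac, dst):5} {mac} -> {dst}:{port}")
```

On a typical router, same-subnet traffic is bridged rather than routed, so only the drop branch needs an actual rule on the forwarding path.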

  • Hey  jsmith

    Thanks for taking the time to share this feedback with the community. I'm happy to share this with our team.

    In the meantime, if you haven't already, I'd also encourage taking a look at our eero Plus service. With built-in threat scanning, eero Plus can automatically block IoT devices from joining known botnets. For more information, visit https://eero.com/shop/eero-plus .

  • Yup, I'm already an eero Plus user and love the features it provides :) While I do think that preventing access to known botnets with that service is great to have, there's always new endpoints popping up (common technique for attackers) that take some time to make it to the 'known-bad' block lists, often days or weeks unless an Internet-wide attack (massive DDoS or something) is underway. The other significant part of this request, aside from outgoing botnet traffic, is that there are a ton of devices that report all kinds of data back to cloud services that a user should be able to shut off for privacy reasons. Like for instance, many smart TVs allow you to mirror a mobile or laptop to the screen via wifi, which is a cool feature. However, almost all of them also connect to the Internet to send a *ton* of data about your usage habits (and even continuous audio samples in some cases!). In that case, this feature would allow blocking from Internet to preserve privacy while still letting you use the local features you want.

    The only other point I'd make is that many people have some wifi devices that have no business whatsoever connecting to the Internet (lights, switches, outlets, etc.) but do need local wifi to operate. It would be really convenient to just set this proposed feature and forget about trying to do something more complicated to monitor them for misbehavior (or more likely for most folks, ignore the risk until something bad happens).

  • Yes! I need this! I have so many iot devices I would like to block from the internet. 

  • I too want this, I have a Robovac that sends statistics to Xiaomi, without really consenting

  • YES! Need to keep my Harmony Hub from updating firmware and nuking all the local API calls I enjoy, but if I block it totally, it doesn't function at all.

  • Any more on this?

    I too would like to see this capability. I too already have eero Plus.

    And rather than assume that eero Plus is going to automagically block my IoT devices from calling home to China or wherever else with whatever data they can mine from my systems, I want the capability to actively control outbound data connections.

    Hopefully this is being worked.

  • Another +1 for this. I could really use this for my TV. I need LAN access for AirPlay, but I don't want the TV reporting my viewing back to Vizio/LG/Samsung/etc.

  • I found this page googling for whether this is a feature. Count me in!!

     

    I’m guessing 2019 is the year the lid gets blown off how much spying IoT devices are doing. I would like to pay eero and Apple to protect me from that.

      • Msargent
      • 9 mths ago

      Ken This is one of the reasons I only do Apple HomeKit gear. Unlike Amazon and Google, who freely acknowledge you (your information) are being sold. With Apple at least they claim your information is not being sold.

      • cotedan87
      • 7 mths ago

      Msargent Agreed. I've noticed that Apple appears much less in the outward scans carried out by eero Plus. Google, on the other hand, calls out a lot!

  • +1 for this feature. Just recently got into smart home devices and this is a serious concern for Chinese made devices... Please get this feature into Eero!

  • To be clear, this needs to be a feature of Eero the device, not Eero plus.

  • I have a Brother WiFi enabled printer and it consistently shows up in my Eero Home screen top devices by usage. This thing gets used max twice per week. My understanding is that the usage ranking is for internet egress/ingress, not local network activity. What is getting sent out?! This feature would let me lock this sucker down.

      • cotedan87
      • 7 mths ago

      cherroneous I don't have a Brother printer, but I've got about 45 devices of all kinds, and even my Roomba vacuums call home once in a while. All part of the IoT world I guess. Most traffic scans are obviously from my desktop, laptop and iPads etc, but even Google Home that has been muted calls home regularly. The Nest Outdoor cams are at the bottom of the traffic list.

      Glad to have eero Plus scanning the outward traffic DNS for bad players. Peace of mind for me and my 45 "can't-do-without" devices.

  • Eero please bump the priority on this. Everything about eero is great. Except this. Just because a device is phoning home to a white listed server doesn’t mean that server is fully secure and won’t result in data being compromised that could have easily been prevented by simply not allowing said device to have access to the web. IoT device overload is one of the reasons I switched to Eero and I feel like I’m way less secure than I was with my junk router.

  • I recently replaced my dated wireless router and was disappointed to see that eero does not have such a basic feature. I have a workaround in place (yes it's that important), but would like to see the ability to block external access to the Internet in eero.

  • I agree, this should be a standard feature. Local network only for certain devices.

  • I just got my eero pack and while I love it so far, I'm really missing this feature. On my old ISP-provided router I used it to isolate IP cameras and various IoT devices and it would be great to be able to do it with my Eeros too. Also, Eero Plus doesn't seem to be available in Europe, which makes this feature even more important. Thanks!

      • bretep
      • 10 days ago

      Jord I ended up getting a Firewalla (https://firewalla.com/). You can also build it for “free”; you just need a Raspberry Pi. I have symmetric gigabit internet and the Blue works great!

      If you want to build it yourself, here is where to get the software they run on the tiny Raspberry Pi they are selling: https://github.com/firewalla/firewalla

      • txgunlover
      • 10 days ago

      bretep Just remember, it uses ARP poisoning just like the Disney Circle...

      • bretep
      • 9 days ago

      txgunlover yes it does. And it works well. There are traditional inline firewalls you can buy which are complicated (for consumers) to set up. However I’d prefer to recommend something more consumer friendly, like the Firewalla.

      ARP poisoning is bad IF it’s an untrusted device poisoning maliciously.
       

      All the binaries running on this firewalla device are 100% open source. I’ve read the code to see what they are doing, I’ve also linked to the repository and I may even contribute to it. I trust it. 

      If you have a reason you don’t like how it works other than the word “poisoning” seeming to be a bad word, I’d love to hear why you think it’s bad. 
       

      I think providing a reliable way for consumers to protect their home at little to no cost and allowing them root access to the device and source code is a very good thing. 
       

      This is not an untrusted device, like a camera you buy from China running a binary you don’t trust, can’t read and they’re creating a reverse connection back to you. 
       

      Ideally Eero would offer their firewall at no cost. These eero devices pack enough resources to handle such rules.

      • txgunlover
      • 8 days ago

      bretep Recommend you read the head dev's take on ARP poisoning.  You're not taking overhead into account, and the loss of performance, while small to some, is significant to others.

      • bretep
      • 8 days ago

      txgunlover as a network and software engineer there is not a significant / noticeable performance issue to. Abuse any concern for any home user or gamer. If you are running real-time bidding systems or something that is extremely sensitive to latency, then you should probably not host that out of your home or small business, focus on datacenters and buy the equipment that serves your needs.

      I could install the routers/switches I make in my home (well I do, but not for my home network) but it’s overkill and I don’t want to play technical support for home.

      • txgunlover
      • 8 days ago

      bretep Having been the same for 22 years for a Fortune 100 company, and early CCIE, I respectfully disagree and assure you there is a noticeable performance impact due to ARP poisoning. A gamer can very well experience this perceived lag. The smaller the network, the less the impact, but as many home networks approach 100+ devices, it becomes a latency factor.

  • Status: Under Consideration
  • 38 Votes
  • Last active 8 days ago
  • 24 Replies
  • 567 Views
  • 23 Following
