
Block devices from Internet but allow local LAN

tl;dr - The current 'Block device' feature blocks the device from joining the local network entirely. It would be very useful to have an additional type of blocking mode that allows full local LAN access, but prevents outbound Internet connections.

Use-case: The main one (for me) is mainly for the millions of IoT devices that people have in their homes. The grand majority of these are not designed with security in mind (default root passwords, lots of unnecessary calls to cloud services for various data reporting, inability to even change these settings, etc.). Lots of the botnets these days are actually composed of these types of devices. Being able to use them in home via bluetooth and wifi (say, a light switch controller, a vacuum, a kitchen appliance) but blocking them from outbound internet connections would be very useful.

Description of feature:  It’s all about being able to allow a device to talk to the local network (for example 192.168.1.0/24) but then be blocked in any outbound, non-local-subnet connections (i.e. those that will hit the default route (192.168.1.1 in this example) and then be NAT’d by the eero to the public address). The current feature acts more like blocking a switch port… if you block a device, it can literally talk to nothing (including 192.168.1.0/24 in this example).
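For reference, the mode requested above written as packet-filter rules for a generic Linux router running nftables. This is an added example, not eero's code or any poster's configuration; the function name, the table and set names, and the MAC addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: print an nftables ruleset that keeps the listed devices on
# the LAN but drops anything they send that the router would have to forward.
# Assumes a Linux router that routes LAN -> WAN; all names are hypothetical.
lan_only_ruleset() {
    [ "$#" -ge 2 ] || { echo "usage: lan_only_ruleset LAN_CIDR MAC..." >&2; return 2; }
    lan_cidr=$1
    shift
    elements=
    for mac in "$@"; do
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
        # Reject anything that is not a plain colon-separated MAC address.
        if ! printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
            echo "invalid MAC: $mac" >&2
            return 1
        fi
        elements="${elements:+$elements, }$mac"
    done
    cat <<EOF
table inet lan_only {
    set devices {
        type ether_addr
        elements = { $elements }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Same-subnet traffic is switched, never forwarded, so it is untouched.
        ether saddr @devices ip daddr != $lan_cidr counter drop
        # Forwarded IPv6 from these devices is leaving the link: drop it too.
        ether saddr @devices meta nfproto ipv6 counter drop
    }
}
EOF
}

# Constructed sample: two IoT devices on the 192.168.1.0/24 LAN from the post.
lan_only_ruleset 192.168.1.0/24 AA:BB:CC:00:00:01 aa:bb:cc:00:00:02
```

The rules sit in the forward hook only, so the devices can still reach the router itself (DHCP, and its DNS forwarder if it runs one). Matching on MAC address assumes the device does not change or randomize it.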

91 replies

    • markperson
    • 2 yrs ago

    Hi,

    I think you should try the dmoat home network security device. This device provides security to your home router and builds a security firewall.

    • nibrwr
    • 2 yrs ago

    I would also like this implemented in the firmware. I have LAN services (i.e., Plex) that need to be accessible while the internet is paused.

    • Bender
    • 2 yrs ago

    Definitely needed. I have several IoT devices that I don't want to access the internet. A simple way to block all ports per device would go a long way.

    • tkilgour
    • 2 yrs ago

    +1 for this feature! Found this thread while trying to google how to do this with my eero.

    • matthew
    • 2 yrs ago

    I chose Eero for ease of use and reliability. Overall it's been great for that. However, it's just too dumbed down. There are a few missing features (like this one) that would need to be implemented before I can start recommending Eero over other mesh networks.

      • Bender
      • 2 yrs ago

      matthew I very much agree. Eero is great but missing customizable features that really help secure your network better. Unfortunately, Eero takes extremely long to implement new features. For example, the ability to block websites by URL was recently added. Users have been requesting this feature for years.

    • fluffywings
    • 2 yrs ago

    There are 3 things still missing from eero to really complete the package for me and this is the number one.

    • Navie
    • 2 yrs ago

    Kinda sucks. My stupid Dlink camera is infected with Mirai and I can't get rid of it. On my old router I just blocked it from the internet and it was fine.

    • doctorsea
    • 2 yrs ago

    Can't believe that you haven't implemented this feature yet... Please, we implore you! Give us some control over devices that call home incessantly! Should be a relatively easy feature to code. Otherwise Eero is a great system. Please help keep it that way!

    • savetheclocktower
    • 2 yrs ago

    By and large I'm satisfied with eero, but this is not the first time I've needed a feature and been quite surprised that eero doesn't have it. This is practically table-stakes. Depressingly, I wonder if this is intentionally withheld to make eero Plus seem more valuable as a service.

    After all, the promise of a maintained blacklist of botnets would theoretically justify ongoing payment. But the much simpler solution — whitelisting to local devices only — is easy, and would possibly mean that fewer people would need to pay for eero Plus.

    The absence of these sorts of features makes me highly unlikely to invest any further in my eero setup and more likely to jump to Ubiquiti — or anyone else who'll just sell me WiFi equipment without entangling me in a quirky business model.

    • DannySR
    • 2 yrs ago

    I joined this forum just so that I could upvote this comment. I need control over this basic functionality and will end up buying another device to get it. Blacklists/whitelists, while a useful feature of the subscription service, are a completely separate issue.

    • racor
    • 2 yrs ago

    I can't believe this has not been added. It would make sense if Pause = pause internet and block = block device from network. Instead they give you two buttons that do basically the same thing.🤦‍♂️

    • frogtrot
    • 2 yrs ago

    I have this same concern!  Western Digital (WD) just announced an issue with some of their drives where remote wipes are occurring and recommended that users remove Internet access.  My model is not mentioned as being affected but I would like to remove that access as a precaution; however, WD does not have an option to disable cloud services on My Cloud Home or My Cloud Home Duo (doh!) and eero does not seem to have a way to block only outbound Internet access (doh!).  I cannot disconnect the NAS from ethernet or I lose local network access which defeats the purpose of the drive (Time Machine backups, media server, etc.).  Finally, I am paying for eero Secure but even those controls are not adequate.  You have to block by site so now I will have to use Little Snitch and other tools to try to figure out where the drive is connecting to then block by URL (not impossible but a HUGE pain).

    • bretep
    • 2 yrs ago

    I ended up buying a firewall and putting eero in bridge mode to secure my network and make this request possible. I also advise many people to do this and to not subscribe to the built-in security features of eero. Unfortunately, something as simple as this feature request not being implemented, when it is a basic feature of any firewall, is costing eero business. The firewall I am using is the firewalla gold. https://firewalla.com/

    • markles
    • 2 yrs ago

    Given the lack of progress on this and its implications as to how eero views and reacts to the needs of its customers, I am actively advising friends and family who come to me for networking advice to avoid eero products.

      • Christian.1
      • 2 yrs ago

      markles sadly I've had to do the same. A friend of mine just bought their first home and asked me what network device to buy. It hurt to suggest TP-Link, but I had no choice based on lack of feature movement.

    • Christian.1
    • 2 yrs ago

    Given the situation with Western Digital My Book hacks, this is super critical. I'm putting my NAS behind a Cisco SG3000-10 until Eero supports this. I'd encourage others to find a solution for their NAS devices as well.

    • Mdam1921
    • 2 yrs ago

    This is disappointing to see 2 years old. I too have devices that try to phone to China that have no business doing so. They should work perfectly fine with local only communication and I was really hoping “content filter” in eero secure meant I could block all internet content if I wanted.

    • markles
    • 2 yrs ago

    I would like to thank everyone at eero for ignoring this thread for 3 years, thus proving they don't have a single f-k to give about security or the needs of their users. If anyone doubted what would happen when Amazon bought the company, that doubt has been removed.

    • Jwhel
    • 2 yrs ago

    Just set up a new eero install. Disappointed to learn I can’t block outgoing requests. Even more disappointed this request is three years old.

    • vitreo
    • 1 yr ago

    This is a must have with all the IoT devices in circulation these days. Come on Eero!

    • JC9091
    • 1 yr ago

    I Googled this functionality and it brought me here. I need this as well. Does Eero ever add any new features? Is this product still being actively developed? It seems like they haven’t done much of anything to it for quite a while.

    • gtreece
    • 1 yr ago

    Ditto - looking for standard general functionality to control which of my network devices can or cannot communicate through the router to the internet.

    • Bob111
    • 1 yr ago

    Isn't this implemented now? I seem to be doing it via a profile and using a schedule to block internet access from 12am-12am, 7 days a week.

    Am I missing something here? By internet access does it mean no access outside the local network or is it only blocking websites?

      • racor
      • 1 yr ago

      Bob111 so when you block internet access for your device, is that device still able to communicate with other systems on your network? Last I checked it was an all or nothing option and pause and block did the same thing. Basically if you paused or blocked the device all network activity would stop, internet and LAN. If this is no longer the case that would be awesome.


  • Status Under Consideration
  • 136 Votes
  • Last active 4 days ago
  • 91 Replies
  • 3475 Views
  • 76 Following