Block devices from Internet but allow local LAN
tl;dr - The current 'Block device' feature blocks the device from joining the local network entirely. It would be very useful to have an additional type of blocking mode that allows full local LAN access, but prevents outbound Internet connections.
Use-case: The main one (for me) is mainly for the millions of IoT devices that people have in their homes. The grand majority of these are not designed with security in mind (default root passwords, lots of unnecessary calls to cloud services for various data reporting, inability to even change these settings, etc.). Lots of the botnets these days are actually composed of these types of devices. Being able to use them in home via bluetooth and wifi (say, a light switch controller, a vaccuum, a kitchen appliance) but blocking them from outbound internet connections would be very useful.
Description of feature: It’s all about being able to allow a device to talk to the local network (for example 192.168.1.0/24) but then be blocked in any outbound, non-local-subnet connections (i.e. those that will hit the default route (192.168.1.1 in this example) and then be NAT’d by the eero to the public address). The current feature acts more like blocking a switch port… if you block a device, it can literally talk to nothing (including 192.168.1.0/24 in this example).
Hey jsmith —
Thanks for taking the time to share this feedback with the community. I'm happy to share this with our team.
In the meantime, if you haven't already, I'd also encourage taking a look at our eero Plus service. With built-in threat scanning, eero Plus can automatically block IoT devices from joining known botnets. For more information, visit https://eero.com/shop/eero-plus .
Yup, I'm already an eero Plus user and love the features it provides :) While I do think that preventing access to known botnets with that service is great to have, there's always new endpoints popping up (common technique for attackers) that take some time to make it to the 'known-bad' block lists, often days or weeks unless an Internet-wide attack (massive DDoS or something) is underway. The other significant part of this request, aside from outgoing botnet traffic, is that there are a ton of devices that report all kinds of data back to cloud services that a user should be able to shut off for privacy reasons. Like for instance, many smart TVs allow you to mirror a mobile or laptop to the screen via wifi, which is a cool feature. However, almost all of them also connect to the Internet to send a *ton* of data about your usage habits (and even continuous audio samples in some cases!). In that case, this feature would allow blocking from Internet to preserve privacy while still letting you use the local features you want.
The only other point I'd make is that many people have some wifi devices that have no business whatsoever connecting to the Internet (lights, switches, outlets, etc.) but do need local wifi to operate. It would be really convenient to just set this proposed feature and forget about trying to do something more complicated to monitor them for misbehavior (or more likely for most folks, ignore the risk until something bad happens).
Yes! I need this! I have so many iot devices I would like to block from the internet.
I too want this, I have a Robovac that sends statistics to Xiaomi, without really consenting
YES! Need to keep my Harmony Hub from updating firmware and nuking all the local API calls I enjoy, but if I block it totally, it doesn't function at all.
Any more on this?
I too would like to see this capability. I too already have eero Plus.
And rather than assume that eero Plus is going to automagically block my iOT devices from calling home to China or wherever else with whatever data they can mine from my systems, I want the capability to actively control outbound data connections.
Hopefully this is being worked.
Another +1 for this. I could really use this for my TV. I need LAN access for AirPlay, but I don't want the TV reporting my viewing back to Vizio/LG/Samsung/etc.
I found this page googling for whether this is a feature. Count me in!!
I’m guessing 2019 is the year the lid gets blown of how much spying IoT devices are doing. I would like to pay eero and Apple to protect me from that.
+1 for this feature. Just recently got into smart home devices and this is a serious concern for Chinese made devices... Please get this feature into Eero!
To be clear, this needs to be a feature of Eero the device, not Eero plus.
I have a Brother WiFi enabled printer and it consistently shows up in the my Eero Home screen top devices by usage. This thing gets used max twice per week. My understanding is that the usage ranking is for internet egress/ingress, not local network activity. What is getting sent out?! This feature would let me lock this sucker down.
It's been damn near a year and we can't figure this out yet? I'm sure I'm over-simplifying, but this can't be that hard (managing a single ACL term per device? that's stupid easy on any network hardware or embedded system). Sadly, I guess I'll have to vote with money and cancel my eero plus subscription and rip out the gear (or relegate the gear to a 'dumb' wifi mesh, which sucks because it can be had for far cheaper). Disappointing, I had been recommending eero, but that's long been over now (and I actively tell folks to avoid). Shame, you guys almost had a good home network solution.
Eero please bump the priority on this. Everything about eero is great. Except this. Just because a device is phoning home to a white listed server doesn’t mean that server is fully secure and won’t result in data being compromised that could have easily been prevented by simply not allowing said device to have access to the web. Iot device overload is one of the reasons I switched to Eero and I feel like I’m way less secure than I was with my junk router.
- Status Under Consideration
- 22 hrs agoLast active