
Block devices from Internet but allow local LAN

tl;dr - The current 'Block device' feature blocks the device from joining the local network entirely. It would be very useful to have an additional type of blocking mode that allows full local LAN access, but prevents outbound Internet connections.

Use-case: The main one (for me) is mainly for the millions of IoT devices that people have in their homes. The grand majority of these are not designed with security in mind (default root passwords, lots of unnecessary calls to cloud services for various data reporting, inability to even change these settings, etc.). Lots of the botnets these days are actually composed of these types of devices. Being able to use them in home via bluetooth and wifi (say, a light switch controller, a vacuum, a kitchen appliance) but blocking them from outbound internet connections would be very useful.

Description of feature:  It’s all about being able to allow a device to talk to the local network (for example 192.168.1.0/24) but then be blocked in any outbound, non-local-subnet connections (i.e. those that will hit the default route (192.168.1.1 in this example) and then be NAT’d by the eero to the public address). The current feature acts more like blocking a switch port… if you block a device, it can literally talk to nothing (including 192.168.1.0/24 in this example).
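
The difference between the existing block and the requested LAN-only mode, as an added example that is not part of the original post and not eero's code. The mode names, MAC addresses and sample flows are constructed; only the 192.168.1.0/24 subnet and the 192.168.1.1 gateway come from the post, and the model covers IPv4 only.

```python
import ipaddress

# Subnet taken from the post; everything else below is constructed for illustration.
LAN = ipaddress.ip_network("192.168.1.0/24")
# Destinations outside the LAN prefix that still stay on the local segment:
# limited broadcast (DHCP), link-local multicast (mDNS), and administratively
# scoped multicast (SSDP). Local discovery breaks if these are dropped.
ON_LINK = [ipaddress.ip_network(n) for n in
           ("255.255.255.255/32", "224.0.0.0/24", "239.0.0.0/8")]

def is_local(dst_ip):
    """True if the destination never has to cross the default route."""
    addr = ipaddress.ip_address(dst_ip)
    return addr in LAN or any(addr in net for net in ON_LINK)

def decide(policy, src_mac, dst_ip):
    """Return 'accept' or 'drop' for one packet from a client device.

    Modes (hypothetical names): 'allow' (default), 'block_all' (the existing
    switch-port style block), 'lan_only' (the mode requested in the post).
    """
    mode = policy.get(src_mac.lower(), "allow")
    if mode == "block_all":
        return "drop"
    if mode == "lan_only" and not is_local(dst_ip):
        return "drop"
    return "accept"

# Constructed sample: MAC addresses and flows are made up.
POLICY = {"aa:bb:cc:00:00:01": "lan_only",    # smart TV
          "aa:bb:cc:00:00:02": "block_all"}   # fully blocked device
FLOWS = [("AA:BB:CC:00:00:01", "192.168.1.20"),   # TV -> laptop (mirroring)
         ("aa:bb:cc:00:00:01", "224.0.0.251"),    # TV -> mDNS discovery
         ("aa:bb:cc:00:00:01", "192.168.1.1"),    # TV -> gateway itself (DNS/DHCP)
         ("aa:bb:cc:00:00:01", "203.0.113.10"),   # TV -> cloud endpoint
         ("aa:bb:cc:00:00:02", "192.168.1.20"),   # blocked device -> laptop
         ("aa:bb:cc:00:00:03", "203.0.113.10")]   # unlisted device -> internet

def evaluate(flows=FLOWS, policy=POLICY):
    """Verdict for each sample flow, in order."""
    return [decide(policy, mac, dst) for mac, dst in flows]

if __name__ == "__main__":
    for (mac, dst), verdict in zip(FLOWS, evaluate()):
        print(f"{mac.lower()} -> {dst:15} {verdict}")
```

Traffic to the gateway's own address counts as local here, so a LAN-only device can still send DNS queries to the router; whether the router's resolver should answer such devices is a separate policy decision.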

  • Hey  jsmith

    Thanks for taking the time to share this feedback with the community. I'm happy to share this with our team.

    In the meantime, if you haven't already, I'd also encourage taking a look at our eero Plus service. With built-in threat scanning, eero Plus can automatically block IoT devices from joining known botnets. For more information, visit https://eero.com/shop/eero-plus .

      • Bender
      • 2 yrs ago

      Jeff C. No update?  This feature was requested 2 years ago and still no consideration. 

      • dialogue
      • 2 yrs ago

      Jeff C. Any update?

      • dialogue
      • 2 yrs ago

      Jeff C. Are you saying that I should additionally pay for eero plus to keep my network secure? Nice, nice 👍 

      • dialogue
      • 2 yrs ago

      Jeff C. Moreover, can you guarantee that your list of known botnets includes 100% of the botnets in the world? Of course not, right? If so, why haven't you implemented such blocking for certain devices yet? How can you talk about security in terms of your secure subscription then? Looks like hypocrisy, doesn't it?

      • dialogue
      • 2 yrs ago

      cc: James Evan (eero support) Kora (eero Support)

      • dialogue
      • 2 yrs ago

      I'm using the eero system and pretty happy with the simplicity, etc., but would like to have an update about this certain functionality. I chose eero because Apple recommends you as one of two manufacturers for use with HomeKit. But in the end, any connected hub I have, for instance, Philips Hue, is available not only for a local network. Which multiplies the security aspect provided by Apple HomeKit by 0 😐

      • markles
      • 2 yrs ago

      Jeff C. Jeff and team, can someone offer info as to the status of this request. When I bought eero, I was stunned this functionality wasn't in place but was told it would be coming soon. That was 18 months ago. I can't keep using eero without the ability to restrict access to just my local network.

    • Jeff C. I would also like to see this feature. 

  • Yup, I'm already an eero Plus user and love the features it provides :) While I do think that preventing access to known botnets with that service is great to have, there's always new endpoints popping up (common technique for attackers) that take some time to make it to the 'known-bad' block lists, often days or weeks unless an Internet-wide attack (massive DDoS or something) is underway. The other significant part of this request, aside from outgoing botnet traffic, is that there are a ton of devices that report all kinds of data back to cloud services that a user should be able to shut off for privacy reasons. Like for instance, many smart TVs allow you to mirror a mobile or laptop to the screen via wifi, which is a cool feature. However, almost all of them also connect to the Internet to send a *ton* of data about your usage habits (and even continuous audio samples in some cases!). In that case, this feature would allow blocking from Internet to preserve privacy while still letting you use the local features you want.

    The only other point I'd make is that many people have some wifi devices that have no business whatsoever connecting to the Internet (lights, switches, outlets, etc.) but do need local wifi to operate. It would be really convenient to just set this proposed feature and forget about trying to do something more complicated to monitor them for misbehavior (or more likely for most folks, ignore the risk until something bad happens).

  • Yes! I need this! I have so many iot devices I would like to block from the internet. 

  • I too want this, I have a Robovac that sends statistics to Xiaomi, without really consenting

  • YES! Need to keep my Harmony Hub from updating firmware and nuking all the local API calls I enjoy, but if I block it totally, it doesn't function at all.

  • Any more on this?

    I too would like to see this capability. I too already have eero Plus.

    And rather than assume that eero Plus is going to automagically block my IoT devices from calling home to China or wherever else with whatever data they can mine from my systems, I want the capability to actively control outbound data connections.

    Hopefully this is being worked.

  • Another +1 for this. I could really use this for my TV. I need LAN access for AirPlay, but I don't want the TV reporting my viewing back to Vizio/LG/Samsung/etc.

  • I found this page googling for whether this is a feature. Count me in!!

     

    I’m guessing 2019 is the year the lid gets blown off how much spying IoT devices are doing. I would like to pay eero and Apple to protect me from that.

      • Msargent
      • 4 yrs ago

      Ken This is one of the reasons I only do Apple HomeKit gear. Unlike Amazon and Google, who freely acknowledge you (your information) are being sold. With Apple at least they claim your information is not being sold.

      • cotedan87
      • 4 yrs ago

      Msargent Agreed. I've noticed that Apple appears much less in the outward scans carried out by eero Plus. Google, on the other hand, calls out a lot !

  • +1 for this feature. Just recently got into smart home devices and this is a serious concern for Chinese made devices... Please get this feature into Eero!

  • To be clear, this needs to be a feature of Eero the device, not Eero plus.

  • I have a Brother WiFi enabled printer and it consistently shows up in my Eero Home screen top devices by usage. This thing gets used max twice per week. My understanding is that the usage ranking is for internet egress/ingress, not local network activity. What is getting sent out?! This feature would let me lock this sucker down.

      • cotedan87
      • 4 yrs ago

      cherroneous I don't have a Brother printer, but I've got about 45 devices of all kinds, and even my Roomba vacuums call home once in a while. All part of the IoT world I guess. Most traffic scans are obviously from my desktop, laptop and iPads etc, but even Google Home that has been muted calls home regularly. The Nest Outdoor cams are at the bottom of the traffic list.

      Glad to have eero Plus scanning the outward traffic DNS for bad players. Peace of mind for me and my 45 "can't-do-without" devices.

    • cherroneous I just installed a new Eero 6 and I also have a Brother printer. Looking at the usage, the other day, the printer uploaded 26 GB!  That is scary as heck. I also really want to lock this printer down. I print maybe 1-2 pages a week. I've paused the printer for now and will un-pause it when I want to print something.

  • It's been damn near a year and we can't figure this out yet? I'm sure I'm over-simplifying, but this can't be that hard (managing a single ACL term per device? that's stupid easy on any network hardware or embedded system). Sadly, I guess I'll have to vote with money and cancel my eero plus subscription and rip out the gear (or relegate the gear to a 'dumb' wifi mesh, which sucks because it can be had for far cheaper). Disappointing, I had been recommending eero, but that's long been over now (and I actively tell folks to avoid). Shame, you guys almost had a good home network solution.

  • Eero please bump the priority on this. Everything about eero is great. Except this. Just because a device is phoning home to a whitelisted server doesn’t mean that server is fully secure and won’t result in data being compromised that could have easily been prevented by simply not allowing said device to have access to the web. IoT device overload is one of the reasons I switched to Eero and I feel like I’m way less secure than I was with my junk router.

  • I recently replaced my dated wireless router and was disappointed to see that eero does not have such a basic feature. I have a workaround in place (yes it's that important), but would like to see the ability to block external access to the Internet in eero.

  • I agree, this should be a standard feature. Local network only for certain devices.

  • I just got my eero pack and while I love it so far, I'm really missing this feature. On my old ISP-provided router I used it to isolate IP cameras and various IoT devices and it would be great to be able to do it with my Eeros too. Also, Eero Plus doesn't seem to be available in Europe, which makes this feature even more important. Thanks!

      • bretep
      • 3 yrs ago

      Jord I ended up getting a firewalla (https://firewalla.com/). You can also build it for “free”; you just need a Raspberry Pi. I have symmetric gigabit internet and the blue works great!

      If you want to build it yourself, here is where to get the software they run on the tiny Raspberry Pi they are selling: https://github.com/firewalla/firewalla

    • bretep Just remember, it uses ARP poisoning just like the Disney Circle...

      • bretep
      • 3 yrs ago

      txgunlover yes it does. And it works well. There are traditional inline firewalls you can buy which are complicated (for consumers) to set up. However I’d prefer to recommend something more consumer friendly, like the firewalla.

       

      ARP poisoning is bad IF it’s an untrusted device poisoning maliciously.
       

      All the binaries running on this firewalla device are 100% open source. I’ve read the code to see what they are doing, I’ve also linked to the repository and I may even contribute to it. I trust it. 

      If you have a reason you don’t like how it works other than the word “poisoning” seeming to be a bad word, I’d love to hear why you think it’s bad. 
       

      I think providing a reliable way for consumers to protect their home at little to no cost and allowing them root access to the device and source code is a very good thing. 
       

      This is not an untrusted device, like a camera you buy from China running a binary you don’t trust, can’t read and they’re creating a reverse connection back to you. 
       

      Ideally Eero would offer their firewall at no cost. These eero devices pack enough resources to handle such rules.

    • bretep Recommend you read the head dev's take on ARP poisoning.  You're not taking overhead into account, and the loss of performance, while small to some, is significant to others.

      • bretep
      • 3 yrs ago

      txgunlover as a network and software engineer there is not a significant / noticeable performance issue to. Abuse any concern for any home user or gamer. If you are running real-time bidding systems or something that is extremely sensitive to latency, then you should probably not host that out of your home or small business, focus on datacenters and buy the equipment that serves your needs.
       

      I could install the routers/switches I make in my home (well I do, but not for my home network) but it’s overkill and I don’t want to play technical support for home.

    • bretep Having been the same for 22 years for a Fortune 100 company, and early CCIE, I respectfully disagree and assure you there is a noticeable performance impact due to ARP poisoning. A gamer can very well experience this perceived lag. The smaller the network, the less the impact, but as many home networks approach 100+ devices, it becomes a latency factor.

  • This would be a great feature for my smart HomeKit TVs. I want to use HomeKit with them, but concerned about what data they send out.

    I also noticed that this feature is listed in Apple’s “HomeKit Router MFI”, so if Eero goes on to support the HomeKit Router spec, this would be a part of it. 

      • Drew
      • 3 yrs ago

      chanomie Thanks for your patience! As of today, eero now fully supports HomeKit integration. Please make sure your app is updated to version 3.3.1 to use the new feature. You'll need to be at home on your eero WiFi in order to add HomeKit devices. If you run into any questions or concerns, please reach out to support at 877-659-2347 or email support@eero.com

    • Drew Any update on the main issue in this thread?  We all would like to see LAN access with internet blocking become available in the near future.

      • chanomie
      • 3 yrs ago

      Drew I'm SUPER excited to have HomeKit Router Support for Eero, and while this does address this feature request for HomeKit devices, it sadly doesn't address it for non-HomeKit devices.

      Like I have older SamsungTV's that I would love to give local intranet access, but block from sending TV viewing data back to Samsung.  Since they are older devices, they don't have HomeKit support and this feature doesn't work for them.

  • Brand new eero pro user! Loving this setup so far. Count me in on wlan only blocking. I'm going to have to get creative to work around this in the meantime.

  • This is a very basic security feature. It's an unacceptable gap.

  • I would also like to see this feature for the reasons listed by others above. I don’t want to trust iot devices.

  • Hello, is there any update on this? HomeKit router was nice but only a small percentage of my iot devices are HomeKit compatible, and I would like to have the same level of control for all the others. Thanks!

  • Any update on this wlan-only blocking? Not sure if this example was already mentioned- I have a baby monitor which requires the home WiFi network to communicate between the cameras and the parent unit (I’ve tried several high-rated non-WiFi models but none have sufficient signal strength for my needs, hence the WiFi model). I have no desire to use the phone app, so I’d love to be able to “unplug” it from the internet while still running the system locally. 

  • Since this is a pain for me still not addressed, and together with other issue I was not aware until I actually setup the connection (lack of PPPoE), the simplest solution is to use another router :/
    My setup has the modem plugged into a tp-link router, and the Eero network is in bridge mode.
    On the tp-link I can do the PPPoE auth and use the parent control feature to limit internet access of specific devices.

    It's very sad that even with premium priced routers I need a third party to get all the basic features one would expect.

  • Yes, please! I would love to be able to limit devices to local area only, and not give online access.

  • I have a NAS that I would like to block from accessing or being accessed from the internet. I would like for it to only be accessed from computers on the local network.

  • Status Under Consideration