[lkraus]

In July, we bought a new GE oven, which has a phone app to provide remote control and oven status over our wireless LAN. I wanted to block the oven from any WAN access.

I'm using a WRT1900ACS v2, with DD-WRT v3.0-r44715 std

In Access restrictions, I set:
Policy: 1 (NO WAN)
Status: Enable
Interface: Any (default, can't find documentation on this)
Policy Name: NO WAN
PCs: MAC address of the oven in the list of clients
Deny Internet access during selected days and hours selected.
Days: Everyday checked
Times: 24 Hours selected

I thought that would be sufficient.

A week or so later, I decided to turn off the oven's wireless since we were not really using the remote feature.

Two days after that I received an email that the oven had been disconnected for 48 hours. So apparently the oven had still been in contact with GE in spite of the access restriction.

Yesterday, I re-activated the oven's wireless, found I need to reconfigure/re-pair the app on the oven's own wireless access point, decided it was too much trouble and turned it off again. Four hours later, another email arrived from GE telling me that the oven lost connection.

We might use the remote to set timers or to know when a baking cycle is complete but I'd really prefer not to allow access to/from the internet.

What am I doing wrong?

EDIT:I added my laptop to the list of denied MAC address and immediately lost internet access, so I'm doing something right. There is no other wireless network in range, no unknown devices in the DHCP client list.

[d33b0_n4p41m]

You should consider using a more recent release; there have been issues with Access Restrictions for quite some time and it's only recently been in focus to look into and fix.

https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2021/09-08-2021-r47381/linksys-wrt1900acsv2/

[Monza]

Might be easier to use Wireless/MAC Filter and enable MAC filter for both radios, set for "Permit only clients listed to access the wireless network" add all your allowed device MAC's to the filter list via "Edit MAC Filter List" button . . . except for the stove?

Not forgetting to add any NEW device MAC's to the list as acquired in the future.

[bushant]

You can use iptables to keep the oven off the internet.

iptables -I FORWARD -i br0 -o $(nvram get wan_iface) -p tcp -s <oven-ip> -j REJECT

iptables -I FORWARD -i br0 -o $(nvram get wan_iface) -p udp -s <oven-ip> -j REJECT

Try these in CLI (putty/ssh). A reboot will clear these.
If they work put in Administration-Commands-Save Firewall.

Alternate rules:
iptables -I FORWARD -i br0 -o $(get_wanface) -p tcp -s xxx.xxx.xxx.xxx -j REJECT
iptables -I FORWARD -i br0 -o $(get_wanface) -p udp -s xxx.xxx.xxx.xxx -j REJECT

Replace xxx with oven IP.

[lkraus]

I'll try the beta firmware when I get some time. I usually prefer a stable release, but if it doesn't really do what it says it probably doesn't deserve to be called stable.

It's OK for the oven to use wi-fi and our LAN, letting a phone act as a remote, so the Wireless/MAC filter idea is not what I want. I can turn off the wi-fi radio on the oven to keep it off the LAN. I just want to block the oven's access to the internet.

I'll save the iptables idea for if/when the newer firmware fails me. Might be awhile before I can take the time to experiment.

Thanks for the ideas.

[Alozaros]

[bushant]