firehol / firehol

A firewall for humans...
GNU General Public License v2.0

Filter by IP - Poor man's DMZ #160

Open Eloque opened 7 years ago

Eloque commented 7 years ago

Is it possible, somehow, to filter all traffic coming through a specific IP to only be allowed internet access, but nothing else? The thing is this: on my LAN I have two Wifi APs, one of them should allow access to my servers and such, the other one is for guests to be able to use the internet. The guest wifi is physically on the same network, but can give out other IP ranges via DHCP. Is there a way to allow that range internet only?

philwhineray commented 7 years ago

Yes, provided your firewall is between the guest AP and the rest of the LAN in some way. A firewall can only block traffic that has to pass through it.

If the guest AP is on the same network segment as the rest of the devices, the firewall cannot normally block the traffic. If the firewall is running on the switch (e.g. you are using OpenWRT) and/or AP, you should be able to manage it, since again the traffic must pass through it.

Otherwise, that "between" could be literal in the sense of having an extra ethernet port in the firewall or it could be by using VLANs, if you have a switch that is VLAN capable and configure it appropriately.

Once you have this basic layout worked out we can probably help with specific rules.

Eloque commented 7 years ago

Well, it's slightly more limited than that; both APs are on the same switch, a non-managed switch, and connect to the firewall. The firewall is also a fileserver. Everything that goes via AP1 should have access to the internet and the fileserver, everything going through AP2 should have only internet.

AP1 serves IPs in the 192.168 range, same as the LAN. AP2 serves IPs in the 10.0 range and has the firewall as gateway; it also has one port as a 192.168 address.

Basically, I want all systems that use an IP address in the 10.0 range to only have internet access and not be able to access anything else on the LAN. Is that possible, without physical extra NICs or managed switches?
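For the layout described above (one NIC on the shared segment, guests in a 10.0 range routed via the firewall, trusted LAN in 192.168), a FireHOL configuration along these lines expresses the split by source range. This is an added example, not a rule set from the thread or from the FireHOL project; the interface names (eth0 on the LAN side, eth1 towards the internet), the exact subnets 192.168.1.0/24 and 10.0.0.0/24, the service list for the fileserver, and the assumption that eth0 also carries a 10.0.0.1 alias so it can act as the guest gateway are all mine. It only controls what passes through the firewall host, which, as philwhineray pointed out, is exactly the limitation of this setup: routed guest traffic (guest to internet, and guest hairpinned back towards a 192.168 host via its gateway) and guest traffic addressed to the fileserver itself are covered; anything sent directly across the shared switch without touching the firewall is not, which is why a VLAN or a separate NIC is the more robust answer.

```firehol
version 6

# Trusted LAN: the 192.168 hosts behind AP1 may use the fileserver's services
# (assumed service list: SSH, Samba, ping) and the firewall may talk back freely.
interface eth0 lan src "192.168.1.0/24"
    policy reject
    server "ssh samba ping" accept
    client all accept

# Guest range behind AP2: same physical NIC, but nothing on the firewall host
# itself is offered to this range. Only replies to firewall-initiated traffic pass.
interface eth0 guest src "10.0.0.0/24"
    policy reject
    client all accept

# Internet-facing interface (assumed eth1).
interface eth1 wan
    policy drop
    protection strong
    client all accept

# Trusted LAN to internet, NATed behind the WAN address.
router lan2wan inface eth0 outface eth1 src "192.168.1.0/24"
    masquerade
    route all accept

# Guests to internet, NATed the same way. This is the only routed path guests get.
router guest2wan inface eth0 outface eth1 src "10.0.0.0/24"
    masquerade
    route all accept

# Guests trying to reach the trusted range via their gateway arrive on eth0 and
# would leave on eth0 again; drop that hairpin explicitly so the intent is visible
# even though unmatched forwarded traffic is not accepted by any other router.
router guest2lan inface eth0 outface eth0 src "10.0.0.0/24" dst "192.168.1.0/24"
    policy drop
```

The two interface blocks share eth0 and are distinguished purely by the src parameter, so the order and the ranges matter: a packet from 10.0.0.0/24 never matches the lan block and therefore never sees the server entries. Check the result with `firehol try` before committing it, and verify from a guest address that the fileserver's ports are refused while a public host is still reachable.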