Block Internet but not the local network using an Airport Express

Tags: airport, internet, iot

The situation is as follows:

Internet modem <-> Airport Express (DHCP + NAT) <-> rest of the network

I have an ISP modem which handles my Internet connection. I have an Airport Express that routes all my traffic and handles DHCP and NAT. The rest of the network is a collection of switches, IoT devices, and apparatus that use 'the Internet'.

The problem for me is the 'internet of things' (IoT) devices on my local network. I want to be able to access my IoT devices using my normal network, but I do not want my IoT devices to access the Internet (World Wide Web).

Can I block Internet traffic but allow local network access for some MAC addresses using my Airport?

It seems that Timed Access Control is not the solution, as it blocks ALL (local network and Internet) traffic of a device by excluding the device from the network.

[Screenshot: Airport Utility setup]

Best Answer

Give them a different subnet; if using 192.168.1.1 on your Internetwork, use any other RFC1918 range. 192.168.2.0/24 for example. If you only have the DHCP service on your airport express, consider running one on an always-on IoT device (there are plug and play options for the $2, 0.4W ESP8266 for example), or just assign static IPs to each. No need to set a meaningful default gateway.

Running a DHCP service on a system you can configure with more granularity will make this easier. No need to run BIND; dnsmasq and many others are smaller and easier. You will want to only offer DHCP leases from this service to your IoT devices, so you need to enter their MAC addresses in the configuration file and ignore all other devices. Argh?

If you have multiple DHCP services on your network, it’s random which one answers a request for address, DNS and route first — ensure that you only run one DHCP service by disabling the one on your airport express. Not possible? Shed no tears, since DHCP is not useful in your scenario, instead use static IPs for this.

Use hosts files; it's no hassle if you only have a few dozen devices: https://www.tecmint.com/setup-local-dns-using-etc-hosts-file-in-linux/

https://gist.github.com/zenorocha/18b10a14b2deb214dc4ce43a2d2e2992

https://m.imore.com/how-edit-your-macs-hosts-file-and-why-you-would-want

A more correct solution is either a VLAN ( https://en.wikipedia.org/wiki/Virtual_LAN ) or a PVLAN ( https://en.wikipedia.org/wiki/Private_VLAN ). But the latter is going too far if you just need to keep a few local things online in your home but nowhere else.

Most network equipment can do this stuff, but Apple's probably can't, because it's a hot-air trend company, and not a consumer-friendly company. No ssh access, and locked firmware :/ If you cannot work it out, just get a nice Ubiquiti EdgeRouter Lite.
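As an added example (not part of the answer above or the original post), here is a dnsmasq configuration that implements what the answer describes: a DHCP service that only answers listed IoT MAC addresses, hands them addresses in a separate 192.168.2.0/24 range, and sends no default gateway and no DNS server. The interface name, MAC addresses, hostnames and file paths are placeholders to adjust to your own setup.

```conf
# Added example: dnsmasq as a DHCP-only server for known IoT devices on a
# gateway-less subnet. Interface, MACs, hostnames and paths are placeholders.
# Assumed invocation: dnsmasq --conf-file=/etc/dnsmasq.d/iot.conf --no-daemon

interface=eth0
bind-interfaces
port=0                      # disable the DNS side; this host only does DHCP

# Pool for the IoT subnet (a different RFC1918 range than the 192.168.1.0/24
# the Airport Express uses for the normal network).
dhcp-range=192.168.2.100,192.168.2.199,255.255.255.0,12h

# One line per IoT device: MAC address, hostname, fixed address in the IoT range.
dhcp-host=aa:bb:cc:00:00:01,iot-plug-1,192.168.2.11
dhcp-host=aa:bb:cc:00:00:02,iot-camera,192.168.2.12

# Ignore every client whose MAC is not matched by a dhcp-host line above,
# so laptops and phones keep taking leases from the existing server.
dhcp-ignore=tag:!known

# Giving an option number with no value makes dnsmasq omit that option:
# no router (option 3) and no DNS server (option 6) are sent, so the
# device has a route to 192.168.2.0/24 only and no path to the Internet.
dhcp-option=3
dhcp-option=6

# Lease file so you can see which device received which address.
dhcp-leasefile=/var/lib/misc/dnsmasq.iot.leases
```

Two practical caveats when using this. First, a device with no default gateway can only exchange packets with hosts inside 192.168.2.0/24, so the computer you manage the IoT devices from needs an address in that range as well; on a Mac on the same wired or wireless segment, a secondary address such as `sudo ifconfig en0 alias 192.168.2.2 255.255.255.0` does this without touching its normal 192.168.1.x address. Second, this is isolation by addressing only, not enforcement: the Airport's own DHCP will still answer the IoT devices' broadcasts unless it is disabled or they use static addresses, and a device that configures its own gateway or picks up an IPv6 router advertisement can still reach the Internet. A VLAN with a firewall rule, as the answer notes, is the robust version of the same idea.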