linux – Different levels of Internet access for different hosts on the local network


I am using Ubuntu 16.04 as a router with 2 network cards. The current configuration is very simple: a public IPv4 address on the outside interface and NAT by ufw on the inside. I use dnsmasq as my DHCP and caching DNS server. My Ethernet switch supports VLANs, but this feature is currently disabled.

I often connect new devices (new virtual machines) to the local network and by default they all immediately get access to the Internet, which I don't really like.

I want to change the configuration so that NAT works only for whitelisted hosts, and everyone else has access to local resources, but not to the Internet.

What is the best / easiest way to do this? Preferably without replacing ufw and dnsmasq with their counterparts (since I have already partially figured out these programs).

So far I have the following ideas:

  1. configure different DHCP ranges and assign the wrong gateway by default
  2. assign multiple IP addresses from different subnets to the internal network card and do NAT only for one subnet
  3. enable VLAN support on the switch and somehow use this functionality (I don't know how yet; I've been meaning to get to grips with VLANs for a long time)


You probably set up NAT ("masquerading") according to this instruction.

then the line in /etc/ufw/before.rules :


must be replaced with two:

-A POSTROUTING -s список -o eth0 -j MASQUERADE

where список is a comma-separated list of "white" ip-addresses of the form:,,

etc. etc.
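Added example, not part of the answer above: a small POSIX shell script that builds the whitelist-only MASQUERADE rule from a file of permitted hosts, and also emits a pair of forward rules for the same whitelist. The second part is the caveat a practitioner would want: dropping the non-whitelisted hosts from the `-s` list stops NAT for them, but the router still forwards their packets upstream with a private source address unless forwarding is refused as well. The file path, the interface names `eth0`/`eth1` and the sample addresses are assumptions; the `ufw-before-forward` chain is the one ufw defines in `/etc/ufw/before.rules`, and forwarding through ufw additionally requires `DEFAULT_FORWARD_POLICY="ACCEPT"` in `/etc/default/ufw`.

```shell
#!/bin/sh
# Constructed example: generate ufw before.rules fragments that NAT and forward
# only whitelisted LAN hosts. Interface names are assumptions.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"

# Write a constructed sample whitelist (private addresses, not real hosts)
# to the path given as $1: one host or CIDR per line, '#' starts a comment.
make_whitelist() {
  cat > "$1" <<'EOF'
# constructed sample whitelist
192.168.1.10
192.168.1.20/32
# 192.168.1.30   (commented out: this host gets no Internet access)
EOF
}

# Turn the whitelist file into the comma-separated form iptables accepts for -s.
whitelist_csv() {
  grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | paste -s -d ',' -
}

# *nat table fragment: masquerade only the whitelisted sources.
nat_rules() {
  csv=$(whitelist_csv "$1")
  printf '%s\n' \
    "*nat" \
    ":POSTROUTING ACCEPT [0:0]" \
    "-A POSTROUTING -s $csv -o $WAN_IF -j MASQUERADE" \
    "COMMIT"
}

# *filter fragment for the ufw-before-forward chain: let whitelisted hosts
# reach the WAN interface and reject everyone else, so packets that would
# leave un-NATed with a private source never get forwarded at all.
# LAN-to-LAN traffic never matches "-o $WAN_IF", so local resources stay reachable.
filter_rules() {
  csv=$(whitelist_csv "$1")
  printf '%s\n' \
    "-A ufw-before-forward -i $LAN_IF -o $WAN_IF -s $csv -j ACCEPT" \
    "-A ufw-before-forward -i $LAN_IF -o $WAN_IF -j REJECT"
}

# Usage: sh gen-rules.sh /etc/ufw/internet-whitelist
# Prints both fragments for pasting into /etc/ufw/before.rules.
if [ $# -gt 0 ]; then
  nat_rules "$1"
  filter_rules "$1"
fi
```

Run `sh gen-rules.sh <whitelist>` and paste the output into the matching sections of `before.rules`, then `ufw reload`. Keeping the whitelist in a separate file means adding a new VM's address is one line plus a reload, rather than editing the rule by hand each time.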
