How to block 192.168.0.1 for connected clients?
I installed Raspberry Pi OS on a RPi 3B, then I installed NetworkManager, set the Ethernet connection to "Shared to other computers" and connected an Ethernet cable between the RPi and a normal desktop running Windows 11. The setup works: Windows has WiFi disabled and successfully gets internet over Ethernet.
Now, I want the Windows machine to run malware and not be able to see or infect other devices on the network. I originally thought running a VPN on the RPi would make 192.168.0.1 inaccessible. Additionally, I tried to block 192.168.0.1 in the firewall, but it was still accessible from the Windows 11 machine.
1. First, I change the RPi DNS by modifying /etc/resolv.conf:
nameserver 8.8.8.8
Then I run:
sudo systemctl restart systemd-resolved
The result is that both 192.168.0.1 and stackoverflow.com load on both the RPi and Windows 11 machines. This step could have been skipped for my use case; I'm not sure. Edit: After step 3 or 4, I get a DNS error on the Windows machine if the value above is the default (192.168.0.1).
2. Second, I disable the firewall on the RPi with a script:
#!/bin/bash
sudo ufw reset
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable
The result is both 192.168.0.1 and stackoverflow.com load on the RPi and Windows 11.
3. Third, I turn on OpenVPN (with Private Internet Access) on the RPi:
sudo openvpn --config belgium.ovpn --auth-user-pass auth.txt
The result is both 192.168.0.1 and stackoverflow.com load on the RPi and Windows 11.
4. Finally, I turn on the firewall on the RPi:
#!/bin/bash
sudo ufw reset
sudo ufw default deny incoming
sudo ufw default deny outgoing
sudo ufw allow out on tun0 from any to any
sudo ufw allow out from any to 8.8.8.8
#sudo ufw deny out from any to 192.168.0.1
sudo ufw enable
The result is 192.168.0.1 doesn't load on the RPi, but loads on Windows 11. Stackoverflow.com loads on both.
If I repeat all of the previous steps, but uncomment this line:
sudo ufw deny out from any to 192.168.0.1
Then nothing changes. 192.168.0.1 doesn't load on RPi, but it loads on Windows 11.
Again, my goal is to not allow the Windows 11 machine to know about the other devices on my network.
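
The behaviour observed in steps 1 to 4, modelled as an added example (not part of the original post): ufw's `out` rules filter traffic the Pi itself generates, while the Windows machine's packets are routed through the Pi on the forward path, and the LAN route is more specific than the VPN's default routes. The addresses, the interface names `wlan0` and `eth0`, the 10.42.0.0/24 shared subnet and the accept rule on the forward path are assumptions chosen to match the described setup.

```python
import ipaddress as ip

# Constructed topology (assumptions, not from the post): Pi uplink wlan0 at
# 192.168.0.50, shared Ethernet eth0 at 10.42.0.1/24, VPN tun0 at 10.8.0.2.
LOCAL = {"192.168.0.50", "10.42.0.1", "10.8.0.2"}
ROUTES = [("0.0.0.0/1", "tun0"), ("128.0.0.0/1", "tun0"),   # VPN default routes
          ("192.168.0.0/24", "wlan0"), ("10.42.0.0/24", "eth0")]

# Step 4's ufw rules: "out" rules apply to locally generated traffic (OUTPUT).
# Each entry is (action, egress interface or None, destination network).
OUTPUT = [("ACCEPT", "tun0", "0.0.0.0/0"), ("ACCEPT", None, "8.8.8.8/32"),
          ("DROP", None, "192.168.0.1/32")]
# Assumed forward path: the shared connection accepts traffic from its subnet.
# Each entry is (action, source network, destination network).
FORWARD = [("ACCEPT", "10.42.0.0/24", "0.0.0.0/0")]
# Hypothetical isolation rule on the forwarded path, evaluated before the accept.
ISOLATED = [("DROP", "10.42.0.0/24", "192.168.0.0/24")] + FORWARD

def route(dst):
    """Longest-prefix match: return the egress interface for dst."""
    hits = [(ip.ip_network(n), dev) for n, dev in ROUTES
            if ip.ip_address(dst) in ip.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def verdict(src, dst, forward=FORWARD):
    """Return (chain, egress interface, action) for a packet seen by the Pi."""
    dev, d = route(dst), ip.ip_address(dst)
    if src in LOCAL:                      # generated on the Pi itself
        for action, oif, net in OUTPUT:
            if oif in (None, dev) and d in ip.ip_network(net):
                return "OUTPUT", dev, action
        return "OUTPUT", dev, "DROP"      # ufw default deny outgoing
    for action, snet, dnet in forward:    # routed on behalf of a client
        if ip.ip_address(src) in ip.ip_network(snet) and d in ip.ip_network(dnet):
            return "FORWARD", dev, action
    return "FORWARD", dev, "DROP"

if __name__ == "__main__":
    # 10.42.0.23 stands in for the Windows client; 203.0.113.10 for a public site.
    for src in ("192.168.0.50", "10.42.0.23"):
        for dst in ("192.168.0.1", "203.0.113.10"):
            print(src, "->", dst, verdict(src, dst), verdict(src, dst, ISOLATED))
```

In ufw, forward-path rules are written with `ufw route`; whether such a rule is evaluated before the rules NetworkManager installs for the shared connection has to be checked against the live ruleset.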