Skip to main content

Policies, groups and tags

To isolate networks and devices SPR is using policies, groups and tags:

  • Policy for network access, internet
  • Group Fine grained access within networks, isolation
  • Tag Control traffic, ad block

Policies

  • wan internet access
  • dns for domain lookups, block/filter dns
  • lan access to all other local devices
  • lan_upstream allows the device to query LAN addresses from rfc1918 upstream of SPR

wan and dns is enabled by default. Add the device to lan sparingly, as this grants it access to all other devices. You can create groups and rules later for defining more specific access.

WAN policy

Example WAN policy, devices with the policy can access internet:

DNS policy

dns policy is needed for dns lookups on wan network

LAN policy

Example LAN policy, the two devices can talk to each other:

Groups

Devices assigned to a Group can intercommunicate (TCP, UDP & ICMP). A firewall rule can be used if only a particular port should be reachable.

Device isolation

If a device does not have the lan policy and is not in a group it's completely isolated.

Use cases and examples

In this example the work group can access devices within the phone group (using the lan policy), the work group is not visible for the phones:

Isolated IoT Devices

Here Work group have the lan policy and can access all the groups, the phones and iot devices can't see each other or access the work environment:

Docker Service

Devices in the work group can access the docker service, but the service can't access any of the groups.

Tags

Tags can be used to apply blocklists for specific devices: Block Lists Tags