Custom trusted zone with a set of IPs.

Hello,

I have my LAN, and people from wifi and wired on my LAN.
I do not want to trust my LAN, because my roomies can give out the wifi key, and/or plug in a cable (physical access).

I see there’s a trusted zone thing with Comodo, which works fine.
But what if I want to have a set of IPs as “Trusted Roomies”, for example 10.1.1.1 and 10.1.1.2 and everything else can be denied. These IPs are statically assigned by my router, so I know they won’t change since they’re bound to MAC addr.

Does Comodo have such a feature? If yes, please help in pointing me in the right direction, as my searches on the forum were all in vain.

What you’re looking for is exactly what you’ve already found - zones. You can create a zone that covers just the IPs you have assigned to your roomies (Start range : 10.1.1.1 - End range : 10.1.1.X). Create this zone and set it as a trusted zone.

If you really want to tighten your access, you can adjust the rules so that they exclude all IPs other than those specifically named. This is done in the network monitor rules, selecting “Exclude”. In a nutshell, you would create a BLOCK rule, select EXCLUDE, and then name the IP addresses that you want to have access. Any other IP address is then BLOCKED; the named IP addresses are ALLOWED.

Hope this helps,
Ewen :slight_smile:

Hello Mr. Panic,

Thank you for taking the time to reply to me. And maybe I didn’t get your answer correctly, in which case, apologies.

My question was looking for something like an option in the “Define Trusted Network”, that would let me add a set of IPs to a trusted level, intra, or extra. Just like the “set of ports” we can add in the nrules.

Currently, my router gives out DHCP IPs in the range of 10.1.1.10 → 10.1.1.20.
However, only my 2 laptops and 1 other roommate’s laptop are what I trust. Namely, *.10, *.11, *.12

Everything else, although in my LAN, I don’t trust.

Now, what you say seems fine to me, but that also leads me to think (and please tell me if I’m wrong heh) that when you say BLOCK, it blocks world. And allows only the specified IPs. Something like a whitelist.

Which means, it might block internet for me.
I haven’t tried your suggestion yet, but I’d definitely like it if you could help me out further and/or clear my doubts.

Once again, thank you very much. To you, and to Melih and his associates for coming out with an amazing suite of freeware products.

If I understand things correctly, you have the following:

TRUSTED DEVICES
10.1.1.1 —>Router
10.1.1.10 —>Trusted PC #1
10.1.1.11 —>Trusted PC #2
10.1.1.12 —>Trusted PC #3

UNTRUSTED DEVICES
10.1.1.13 - 10.1.1.20 —>Untrusted PCs

DHCP RANGE
Router auto-assigns IP addresses in the range 10.1.1.10-10.1.1.20

If these assumptions are correct, then there is a fairly easy way to achieve what you want, providing your router allows you to bind a specific DHCP assigned IP address to a specific MAC address.

When you define a zone, define the start address as 10.1.1.1 and the end address as 10.1.1.12. This will allow the trusted devices to access each other and the net. All you have to do then is to work out how you want to handle other addresses.

If you don’t trust IPs above 10.1.1.12, why don’t you just adjust your router’s DHCP assignment pool downwards from 20 to 12? This would seem to be the simplest solution.

If you really want to make things harder for roomies to pinch bandwidth (which I’m assuming is the issue), change the IP of the router and the trusted devices to a different subnet, something like 172.16.43.85, 86, 87 and 88, and redefine the zone accordingly. If someone is just trying out your LAN at the simplest level, they’re going to start at the most common default addresses for the router - 192.168.1.1 or 10.0.0.1 or 10.1.1.1. Changing the IPs isn’t the world’s best security, and won’t stop a determined hacker, but it can deter or delay a casual bandwidth thief.

The other thing you can do is to disable SSID broadcast and DHCP altogether and statically assign IPs on the trusted laptops and PCs, and associate those statically assigned IPs with their respective MAC addresses in the router. This cuts down extraneous broadcast chatter from the router and prevents someone just coming near the router from 1) detecting the SSID (which can still be sniffed, but not by casual BW thieves) and 2) being allocated an IP address which is acceptable to the router.

Hope this helps,
Ewen :slight_smile:

After I typed it, I realized that I might’ve made a small mistake - which would lead you to think of me as a dumbass, haha.

Because *.10 - *.13 can of course be a range. Stupid me.
What I really meant was 10.0.0.1, 10.0.0.4, 10.0.0.7 (this is just a scenario).

THAT becomes a set of IPs, rather than a range.

Quad erat demonstandumbass! That which has just been proven to be a ■■■■■■■! LOL

If your intention is to prevent bandwidth loss, I’d recommend that you

  1. statically allocate consecutive IPs to the trusted devices
  2. bind these IPs to their respective MAC addresses in your router
  3. define these IPs as a zone in CPF and set that zone as trusted on all trusted devices
  4. prohibit addresses outside the trusted devices range from external access on the router
  5. disable DHCP on your router
  6. disable SSID broadcast on the router
  7. ensure that adequate Wifi security is implemented on your router

These steps should enable your trusted devices to access your WiFi, but no others.

QED - in the normal definition. :wink:

Is there a reason that you had non-contiguous addresses for the trusted devices? If there is no real reason, change.

Hope this helps,
Ewen :slight_smile:

Now, how do I define these different IPs in a zone?
For example, I want to add 10.0.0.1, 10.0.0.6, 10.0.0.8, 10.0.0.17 in one zone called “Jackasses”.
How can I do it? :slight_smile:

Before we go any further, can you please answer the following “Why do you not want to use consecutive IP addresses for your zone?”.

Using consecutive IP addresses makes what you want to achieve a piece of cake. Using non-consecutive addresses overly complicates what should be a simple task.

I’m not saying you MUST use consecutive IPs, but it makes no real operational difference, and allows us to define a single zone, which is your overall objective, as I see it.

So, how come the need for non-consecutive IPs?

Cheers,
Ewen :slight_smile:

I just noticed something in one of your earlier posts.

Currently, my router gives out DHCP IPs in the range of 10.1.1.10 -> 10.1.1.20. However, only my 2 laptops and 1 other roommate’s laptop are what I trust. Namely, *.10, *.11, *.12

Everything else, although in my LAN, I don’t trust.

If you only have three devices on your LAN that you trust, why on earth is your DHCP allocation range greater than 3???

I feel this is another reasonably compelling argument to have consecutive IP addresses.

Cheers,
Ewen :slight_smile:

Ok, my friend… I will explain to you in more detail. sigh

I have 11 roommates in this house. All of them have computers.
I have 3 roomies living close to me who I know personally. I’d like to share my stuff with them.

Everybody has IPs, and they’re ALL on the LAN. And the 3 roomies have different IPs.
ALL I’m asking is, can I add a set of 3 IPs (not consecutive, or range) in a SINGLE trusted zone.

If anyone out there knows what I’m talking about, PLEASE indulge.
Thanks.

OK, I’ll explain in less detail sigh.

No, zones are used to allow traffic from complete subnets or from consecutively numbered ranges of addresses within the one subnet, but not from non-consecutive addresses, to the exclusion of all others, within the one subnet.

The only way I can think of achieving what you want is to create three separate zones, one for each IP that you trust. If you are going to go that way, you don’t even have to create a zone, just create rules to cater for traffic to and from the individual IPs.

Hope this helps,
Ewen :slight_smile:

That, my friend, is something on the same line of thought as I am on.
Thanks for your help.

I was just wondering if I don’t have to classify each IP in its own zone, and whether Comodo had an option for me to do it.

Thanks, Ewen.
You’ve been great!

Unfortunately not. With inbound rules (where your trusted roomies are attempting to contact your PC over the LAN), before an unsolicited contact can be accepted, it must meet the criteria of a Network Monitor rule that allows the traffic in. CFP runs off the “all are guilty until proven innocent” style of thinking. Until there is a rule that explicitly allows the traffic in, it ain’t coming in.

The rules, however, are not hard to make. Open CFP and click on SECURITY - NETWORK MONITOR - ADD and then set up a rule with the following parameters:

Action : ALLOW
Direction : IN
Protocol : TCP/UDP (This should be sufficient)
Source IP : A trusted IP address goes here
Destination IP : ANY (This actually means “This PC”)
Source Port : ANY
Destination Port : ANY

You should repeat these steps for each trusted device on your LAN, not forgetting that your router and other networked devices, like print servers, count too. You could get fussy and create separate IN and OUT rules. This makes it a bit easier if you have to troubleshoot.

Hope this helps,
Ewen :slight_smile:
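As an added illustration (not code from this thread or from Comodo), the Python below models the rule semantics Ewen describes: a zone is one contiguous start/end range, so a set of non-consecutive trusted IPs needs one zone or rule per address, and unsolicited inbound traffic is dropped unless an ALLOW IN rule matches. The `Rule` class, its `exclude` flag and both sample rule lists are assumptions made for the model, not Comodo’s own data structures.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

def zones_for(ips):
    """Group IPv4 addresses into the fewest contiguous start/end ranges, i.e.
    the minimum number of zones needed; non-consecutive IPs get one zone each."""
    addrs = sorted({ipaddress.IPv4Address(ip) for ip in ips})
    zones = []
    for a in addrs:
        if zones and int(a) == int(zones[-1][1]) + 1:
            zones[-1] = (zones[-1][0], a)        # extend the current range
        else:
            zones.append((a, a))                 # start a new range
    return [(str(s), str(e)) for s, e in zones]

@dataclass
class Rule:
    # Hypothetical model of a network-monitor rule, not Comodo's own format.
    action: str                        # "ALLOW" or "BLOCK"
    direction: str                     # "IN" or "OUT"
    src: Optional[Tuple[str, str]]     # inclusive (start, end) remote range; None = ANY
    exclude: bool = False              # the "Exclude" flag: match everything EXCEPT src

def matches(rule, direction, remote_ip):
    if rule.direction != direction:
        return False
    if rule.src is None:
        return True
    ip = ipaddress.IPv4Address(remote_ip)
    in_range = ipaddress.IPv4Address(rule.src[0]) <= ip <= ipaddress.IPv4Address(rule.src[1])
    return in_range != rule.exclude

def decide(rules, direction, remote_ip):
    """First matching rule wins. Traffic with no matching rule is dropped
    (the thread's "guilty until proven innocent" default for inbound)."""
    for r in rules:
        if matches(r, direction, remote_ip):
            return r.action
    return "BLOCK"

# Constructed sample: four non-consecutive trusted roomies need four ALLOW IN
# rules; outbound traffic is assumed permitted by a general ALLOW OUT rule.
TRUSTED = ["10.0.0.1", "10.0.0.6", "10.0.0.8", "10.0.0.17"]
PER_IP_RULES = [Rule("ALLOW", "IN", (ip, ip)) for ip in TRUSTED] + [Rule("ALLOW", "OUT", None)]

# Constructed sample of the BLOCK + EXCLUDE approach for one contiguous zone.
EXCLUDE_RULES = [Rule("BLOCK", "IN", ("10.1.1.10", "10.1.1.12"), exclude=True),
                 Rule("ALLOW", "IN", ("10.1.1.10", "10.1.1.12")), Rule("ALLOW", "OUT", None)]
```

`zones_for` shows why Ewen keeps asking for consecutive addresses: *.10 to *.12 collapses into a single zone, while the scattered set above cannot be expressed in fewer than four.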