Need Help with Access Control Rule: Allow Group of IPs To Access Internet but Not LAN Systems

2018-12-20 21:00:56

Hello,

I have a TL-R600VPN and I'm trying to configure an access control rule to allow a set of systems (192.168.1.5-192.168.1.10) to only be able to access the internet. This is essentially the equivalent of a Guest subnet.

I don't want those systems to see or interact with any other system on the LAN (ICMP, HTTP, HTTPS, VNC, etc.).

I've been able to block ICMP in this fashion through testing, but when I try using the ALL protocol the same way, it doesn't work. VNC still works, for example.

In my mind, the most obvious config for the ACL seemed to be:

Policy = block

Service Type = All

Interface = all

Source = GuestRange

Destination = IPGROUP_LAN

Effective time = any

...but that's not working.

I have no other rules in place, so there isn't a concern with the ID (placing above or below another rule).

Can anyone tell me what I'm missing? Thanks!

4 Replies
Re: Need Help with Access Control Rule: Allow Group of IPs To Access Internet but Not LAN Systems
2018-12-21 06:50:56

Hi FullMoonMadness:

     If you block All, these PCs will not access the internet either.

     Do you know the port of the VNC server?

     In the default setting, VNC uses TCP 5900 to 5906; you need to block these ports.

     But VNC can use a different server...

     So if you do not know the port of VNC, it is difficult to block them.

     You can use URL Filter to limit these PCs to accessing specific websites (supports HTTP and HTTPS).

Re: Re: Need Help with Access Control Rule: Allow Group of IPs To Access Internet but Not LAN Systems
2018-12-21 07:33:40

Hi TPTHZ,

Thank you for the response. I do not want to restrict these systems communicating outside of the network. However, I want to do the opposite on the internal network: no communication or visibility. Is there a way to do that? Thanks!

Re: Re: Re: Need Help with Access Control Rule: Allow Group of IPs To Access Internet but Not LAN Systems
2018-12-25 09:39:37

Hi FullMoonMadness:

     You want to limit specific computers' access to other servers in your internal network, is that right?

     If this is your demand, the R600VPN cannot meet it.

     You need to configure an ACL on a managed switch.

     For the R600VPN, you can only limit the traffic from LAN to WAN or WAN to LAN.

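Why the reply above holds is easier to see with a small model. The following is an added example, not part of the thread and not TP-Link code: it does not reproduce the TL-R600VPN's real rule engine. It models one thing: a router ACL can only act on packets that actually pass through the router, and two hosts on the same /24 hand frames to each other through the switch without the router ever seeing them. The LAN 192.168.1.0/24, the GuestRange group and the IPGROUP_LAN group come from the original post; the guest VLAN subnet 192.168.2.0/24, the host addresses, the rule format and the first-match/default-allow evaluation are assumptions made for the illustration.

```python
import ipaddress

# Subnets the router routes between. 192.168.1.0/24 is the LAN in the thread;
# 192.168.2.0/24 is an ASSUMED separate guest subnet used in the second scenario.
LAN = ipaddress.ip_network("192.168.1.0/24")
GUEST_VLAN = ipaddress.ip_network("192.168.2.0/24")


def ip_range(first, last):
    """Expand an inclusive address range into a set of hosts (like the thread's GuestRange)."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return {ipaddress.ip_address(i) for i in range(lo, hi + 1)}


# Address groups. GuestRange and IPGROUP_LAN mirror the original post; GuestVLAN is assumed.
GROUPS = {
    "GuestRange": ip_range("192.168.1.5", "192.168.1.10"),
    "GuestVLAN": GUEST_VLAN,
    "IPGROUP_LAN": LAN,
}


def in_group(ip, name):
    """True if ip belongs to the named group (a set of hosts or a network)."""
    return ipaddress.ip_address(ip) in GROUPS[name]


def router_acl(rules, src, dst, proto, port):
    """Modelled router ACL: first matching rule wins, no match falls through to
    the router's default allow. Matching on service, source group and destination
    group is an assumption about how such rules are evaluated, not device behaviour."""
    for rule in rules:
        service = rule["service"]
        if service != "ALL" and service != (proto, port):
            continue
        if in_group(src, rule["src"]) and in_group(dst, rule["dst"]):
            return rule["policy"]
    return "allow"


def same_subnet(src, dst, subnets):
    """True if both addresses sit in one of the directly connected subnets."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in net and dst in net for net in subnets)


def deliver(src, dst, proto, port, rules, subnets=(LAN, GUEST_VLAN)):
    """Decide how a packet gets from src to dst and whether the router ACL applies."""
    if same_subnet(src, dst, subnets):
        # Same subnet: the sender resolves dst with ARP and the switch forwards the
        # frame host-to-host. The packet never enters the router, so no router ACL,
        # whatever its policy or service type, can see it.
        return "delivered by switch, router ACL not consulted"
    if router_acl(rules, src, dst, proto, port) == "block":
        return "blocked by router ACL"
    return "forwarded by router"


# Scenario 1: the rule from the original post, guests on the same /24 as the LAN.
OP_RULES = [{"policy": "block", "service": "ALL", "src": "GuestRange", "dst": "IPGROUP_LAN"}]
# Scenario 2 (assumed): guests moved to their own subnet, same rule against that group.
VLAN_RULES = [{"policy": "block", "service": "ALL", "src": "GuestVLAN", "dst": "IPGROUP_LAN"}]

if __name__ == "__main__":
    cases = [
        ("192.168.1.7", "192.168.1.20", "tcp", 5900, OP_RULES),    # guest -> LAN VNC, OP's setup
        ("192.168.1.7", "203.0.113.10", "tcp", 443, OP_RULES),     # guest -> internet, OP's setup
        ("192.168.2.7", "192.168.1.20", "tcp", 5900, VLAN_RULES),  # guest subnet -> LAN VNC
        ("192.168.2.7", "203.0.113.10", "tcp", 443, VLAN_RULES),   # guest subnet -> internet
    ]
    for src, dst, proto, port, rules in cases:
        print(f"{src} -> {dst} {proto}/{port}: {deliver(src, dst, proto, port, rules)}")
```

In the first scenario the block rule is correct as written, but the guest-to-VNC packet never reaches the router, which matches what the original post observed. Only once guest traffic has to cross the router to reach the LAN (second scenario, the assumed separate subnet) does a router-side rule get a chance to drop it while internet traffic still passes; otherwise the filtering has to happen on the switch, as the reply says.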
Re: Re: Re: Re: Need Help with Access Control Rule: Allow Group of IPs To Access Internet but Not LAN Systems
2018-12-30 21:06:17
Thanks again for the reply! I admit that's not the news I was hoping to hear. My lack of experience configuring ACLs and switches led me to rely on assumptions that were incorrect. It looks like I am back to the drawing board.