Firewall rules for LAN not honored

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2021-08-02 07:14:46 - last edited 2021-08-02 07:16:35
Model: TL-R470T+  
Hardware Version: V6
Firmware Version: 6.0.2 Build 20180211 Rel.60963

I have 3/5 ports in use for LAN, 2/5 for WAN (failover LB over WAN1 + WAN2). While the FW rules work just fine for outbound connections, I have trouble getting the same rules applied to LAN-to-LAN connections:

e.g. I have a [TP-Link TL-SG108] switch connected to LAN port #3. I have my WLAN router connected to LAN port #4.

One of my servers is connected to the switch (which is connected to port #3 at the router). I disabled some service, e.g. DNS (both TCP and UDP), from the WLAN to the LAN server. Nevertheless, I can connect to the [DNS] service. Applying the same rule for outbound connections works as expected: the connection to the [DNS] service is blocked.

The rule is:

ID  Name  Source  Destination  Policy  Service Type  Interface  Effective Time
1   test  ANY     ANY          Block   DNS           LAN        Any

and changing only the Interface to ANY or WAN1/WAN2 disables the service for the WANs (or WAN1/WAN2). The LAN is always allowed, regardless of the setting. The router has been rebooted multiple times after applying [new] rules.

Why are the LAN connections not blocked by my rule(s), and/or how can I block LAN-to-LAN connections to selected service(s)?

#1
Re:Firewall rules for LAN not honored
2021-08-03 04:03:30

@LanceSackless 

Don't know if you configured it right. Have you configured the IP group? Preference > IP Group. Specify your IP group and test again. 

The interface is the effective interface. Try to set a matching IP range and fix the port? Test again with Interface + effective IP group.

#2
Re:Firewall rules for LAN not honored
2021-08-03 11:02:23

@Yannie I configured IP group 'servers' containing the following: server_range, infra_range, media_range, Security. These are configured respectively:

server_range: 192.168.42.30-192.168.42.39
media_range:  192.168.42.40-192.168.42.69
Security:     192.168.42.70-192.168.42.79
infra_range:  192.168.42.90-192.168.42.99

Adding a rule

ID  Name  Source    Destination  Policy  Service Type  Interface  Effective Time
1   test  !servers  servers      Block   myDNS         LAN        Any

with the Service Type 'myDNS' as:

ID  Service Type Name  Protocol  Detail
    myDNS              TCP/UDP   Source Port = 0-65535; Destination Port = 53-53

[This service type was copied from the default DNS rule, only TCP was added to 'myDNS']

still does not block DNS for LAN clients outside of the 'servers' ranges. I have a PC at IP 192.168.42.15 on a WLAN connection, and I can still reach the servers at 192.168.42.34 and 192.168.42.38 over DNS.

#3
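The check a practitioner would run before touching the ACL again, as an added example that is not part of this thread and not TP-Link firmware code: the script below models the IP group, the two service types and the two rules exactly as posted, and evaluates them against sample flows. Before evaluating a rule it asks whether the router would forward the packet at all. A router's firewall only sees traffic it routes; two hosts in one IP subnet on the LAN side talk to each other through the switch fabric, so on paper the rule matches the 192.168.42.15 to 192.168.42.34 flow, but the ACL is never consulted. Assumptions not stated in the thread: a /24 prefix on 192.168.42.0, the sample flows and ephemeral source ports, and a hypothetical second subnet 192.168.43.0/24 used to show the same rule taking effect once the client and the servers are on different subnets.

```python
"""Added example (not TP-Link firmware code): model of the ACL rules in
this thread plus the same-subnet check that explains the observed result.

Copied from the thread: IP group ranges, 'DNS'/'myDNS' service types, rules.
Assumed: /24 prefix length, sample flows, hypothetical 192.168.43.0/24.
"""
import ipaddress
from dataclasses import dataclass

# IP group 'servers' exactly as listed in post #2.
IP_GROUPS = {
    "servers": [
        ("192.168.42.30", "192.168.42.39"),  # server_range
        ("192.168.42.40", "192.168.42.69"),  # media_range
        ("192.168.42.70", "192.168.42.79"),  # Security
        ("192.168.42.90", "192.168.42.99"),  # infra_range
    ],
}

# Service types: the default 'DNS' (UDP only) and the copy with TCP added.
SERVICES = {
    "DNS":   {"protocols": ("udp",),       "src_ports": (0, 65535), "dst_ports": (53, 53)},
    "myDNS": {"protocols": ("tcp", "udp"), "src_ports": (0, 65535), "dst_ports": (53, 53)},
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str        # 'tcp' or 'udp'
    src_port: int
    dst_port: int
    ingress_if: str   # 'LAN', 'WAN1' or 'WAN2'


@dataclass(frozen=True)
class Rule:
    name: str
    source: str       # 'ANY', group name, or '!group' for negation
    destination: str
    policy: str       # 'Block' or 'Allow'
    service: str
    interface: str    # 'ANY', 'LAN', 'WAN1' or 'WAN2'


# The two rules from post #1 and post #2.
RULE_POST1 = Rule("test", "ANY", "ANY", "Block", "DNS", "LAN")
RULE_POST2 = Rule("test", "!servers", "servers", "Block", "myDNS", "LAN")


def in_group(ip, spec):
    """Match an address against 'ANY', a group name, or a negated group."""
    if spec == "ANY":
        return True
    negate = spec.startswith("!")
    addr = ipaddress.ip_address(ip)
    hit = any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
              for lo, hi in IP_GROUPS[spec.lstrip("!")])
    return not hit if negate else hit


def service_matches(flow, svc_name):
    svc = SERVICES[svc_name]
    return (flow.proto in svc["protocols"]
            and svc["src_ports"][0] <= flow.src_port <= svc["src_ports"][1]
            and svc["dst_ports"][0] <= flow.dst_port <= svc["dst_ports"][1])


def rule_matches(rule, flow):
    """Would the rule match this flow if the ACL were consulted?"""
    return (in_group(flow.src_ip, rule.source)
            and in_group(flow.dst_ip, rule.destination)
            and service_matches(flow, rule.service)
            and rule.interface in ("ANY", flow.ingress_if))


def same_subnet(ip_a, ip_b, prefixlen=24):
    """True when both hosts share one IP subnet (prefix length is assumed)."""
    return (ipaddress.ip_network(f"{ip_a}/{prefixlen}", strict=False)
            == ipaddress.ip_network(f"{ip_b}/{prefixlen}", strict=False))


def evaluate(rule, flow, prefixlen=24):
    """Return (rule_matches, traverses_router, effective_action).

    A LAN-ingress flow whose destination is in the same subnet is switched
    at layer 2 and never forwarded by the router, so the ACL is not applied
    regardless of what the rule says.
    """
    matched = rule_matches(rule, flow)
    routed = not (flow.ingress_if == "LAN"
                  and same_subnet(flow.src_ip, flow.dst_ip, prefixlen))
    if not routed:
        return matched, False, "not seen by router ACL"
    return matched, True, rule.policy if matched else "no match"


if __name__ == "__main__":
    samples = [
        ("post #2 rule, WLAN PC -> LAN server", RULE_POST2,
         Flow("192.168.42.15", "192.168.42.34", "udp", 51000, 53, "LAN")),
        ("post #1 rule, outbound UDP DNS", RULE_POST1,
         Flow("192.168.42.15", "8.8.8.8", "udp", 51000, 53, "LAN")),
        ("post #1 rule, outbound TCP DNS (default 'DNS' is UDP only)", RULE_POST1,
         Flow("192.168.42.15", "8.8.8.8", "tcp", 51000, 53, "LAN")),
        ("post #2 rule, client in a hypothetical second subnet", RULE_POST2,
         Flow("192.168.43.15", "192.168.42.34", "udp", 51000, 53, "LAN")),
    ]
    for label, rule, flow in samples:
        print(f"{label}: {evaluate(rule, flow)}")
```

The point the model makes is that the rule in post #2 is correctly written: `rule_matches` returns True for the WLAN PC to 192.168.42.34 flow, and the only reason the block does not take effect is that the packet is never routed. Blocking it therefore needs the client and the servers to sit in different subnets (so the router forwards between them), or a filter on the switch itself; which of those the TL-R470T+ or the TL-SG108 offers is not something this thread establishes.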