Blocking Outgoing Ports From Guest Network --> WAN

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2021-12-20 10:58:07 - last edited 2021-12-20 11:26:32
Model: ER605 (TL-R605)  
Hardware Version: V1
Firmware Version:

Hi

I run a guest network for folks staying at our remote hostel. Due to bandwidth issues, I need to prevent guests accessing the internet via anything other than ports 80, 443, 110, 143, 21, 465, 992 & 995.

I also want to prevent access to DNS servers other than the one I specify (OpenDNS) via port 53. OpenDNS is used to provide a crude 'block' on what sites might get resolved - obviously I need to prevent my users just choosing, say, 8.8.8.8 instead of the DHCP-supplied DNS servers.

Incoming internet is < 10 Mbit/s down, 800 Kbit/s up, and it's shared with B&B guests - as you can imagine, this does not cope well with folks streaming, P2Ping or torrenting! There are no options for speeding things up apart from a separate line or bonded DSL (I have 2 activated lines already), and there are also backhaul issues at the exchange.

For the hostel, I've also got a bandwidth limit of 5 Mbit/s total, with 1 Mbit/s per client to prevent hostel guests flooding the network - there are more folks in the hostel, but the B&B guests pay much more, so I wish to keep back some bandwidth for B&B guests.

So, my understanding via TP-Link Omada (TL-R605 router, OC200 cloud box) is that I can do this via ACLs on the router.

The guest network runs on its own subnet, tagged as a VLAN. Under Network Security --> ACL --> Gateway ACL, I have the following:

1 ALLOW  SRC: GUEST_VLAN  DEST: IPGROUP-Port (no IP, but ports 80, 443, 110, 143, 21, 465, 992 & 995 listed). I can't specify IP 0.0.0.0/0, so I assume that's the default when no IP is listed?

2 ALLOW  SRC: GUEST_VLAN  DEST: IPGROUP-Port, port 53, IPs: 208.67.220.220/32 and 208.67.222.222/32

3 DENY   SRC: GUEST_VLAN  DEST: IPGroup_Any (IPGroup_Any is 0.0.0.0/0, i.e. the entire internet)

So, is this right - because it does not appear to be working. Currently I have this set up on the gateway; might I have more joy with setting up the same via the EAP tab?

Also, I wondered if there was a way to redirect DNS (port 53) such that all traffic ended up with 208.67.220.220, no matter what alternative DNS server the person set up on their client?

NB, for your amusement, here is Digital Scotland's latest projection for FTTC for my village:

"A new superfast connection is being built in your area. It's part of the Scottish Government's Reaching 100% (R100) superfast broadband programme.

Based on the current engineering schedule your address is in scope to receive its superfast connection in 2027.

The new connection will mean your address can get faster internet speeds. That'll make it easier to videocall loved ones, watch shows online, work from home and more."

Come 2027, when they finally pull their finger out, FTTC will be very much old-hat! The village is Crianlarich, about 150 properties, right beside the A82 (!)

Kind Regards

Karen

Re:Blocking Outgoing Ports From Guest Network --> WAN
2021-12-22 11:31:27

@KarenW

KarenW wrote:

So, is this right - because it does not appear to be working. Currently I have this set up on the gateway; might I have more joy with setting up the same via the EAP tab?

Actually, I think your ACL settings are OK. Hmm... maybe you can elaborate on what "it does not appear to be working" actually looks like?

How did you actually verify it?

Just striving to develop myself while helping others.
Re:Blocking Outgoing Ports From Guest Network --> WAN
2021-12-22 13:55:13

@Virgo I need to visit the site again when it's guest-free to test it out properly. My reason for thinking this is not working is that my efforts to force folks onto my chosen DNS servers seem to have failed - e.g. there is traffic, but nothing in the logs of OpenDNS. It could however be that my settings are working and they have bypassed them with a VPN or DNS over HTTPS/TLS. Once tested fully, I'll report back, but it's good to know that my settings look right.

In addition to the above, I also added a new entry under Policy Routing. If I am reading it right, then this is able to redirect all port 53 traffic to a specific IP. Again, I will need to visit the site to see if this works. To test, I believe I can just use nslookup against, say, 8.8.8.8 and see if it's OpenDNS or 8.8.8.8 that responds.

Thanks for your input

Karen

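As an added example (not from the original posts and not TP-Link's own code), the following Python models the three gateway ACL rules from the first post, evaluated in order with first match winning, together with the "redirect every port-53 flow to 208.67.220.220" step from the last post. It assumes a guest subnet of 192.168.50.0/24 (the thread never gives the prefix), treats an empty destination-IP field as "any IP" (the assumption the first post makes), treats a flow matching no rule as allowed (an assumption about the gateway, not something the thread states), and uses constructed, illustrative client and server addresses.

```python
"""
Added example (not from the thread or from TP-Link): a model of the three
gateway ACL rules in the first post plus the DNS-redirect idea in the last one.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network

# Assumed guest subnet; the thread only calls it GUEST_VLAN and gives no prefix.
GUEST_VLAN = ip_network("192.168.50.0/24")
OPENDNS = (ip_network("208.67.222.222/32"), ip_network("208.67.220.220/32"))
ANY = ip_network("0.0.0.0/0")
ALLOWED_PORTS = frozenset({80, 443, 110, 143, 21, 465, 992, 995})
DNS_REDIRECT_TARGET = "208.67.220.220"   # resolver named in the thread


@dataclass(frozen=True)
class Flow:
    src: str     # guest client IP
    dst: str     # destination IP on the internet
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "ALLOW" or "DENY"
    src: IPv4Network
    dst: tuple           # IPv4Network objects; empty tuple = any IP
    ports: frozenset     # empty = any port

    def matches(self, f: Flow) -> bool:
        # The rules in the post list ports only, so TCP vs UDP is not distinguished.
        if ip_address(f.src) not in self.src:
            return False
        if self.dst and not any(ip_address(f.dst) in n for n in self.dst):
            return False
        if self.ports and f.dport not in self.ports:
            return False
        return True


GATEWAY_ACL = [
    # Rule 1: "no IP listed" is modelled as any destination (assumption).
    Rule("1 allow web/mail ports", "ALLOW", GUEST_VLAN, (), ALLOWED_PORTS),
    Rule("2 allow DNS to OpenDNS", "ALLOW", GUEST_VLAN, OPENDNS, frozenset({53})),
    Rule("3 deny everything else", "DENY", GUEST_VLAN, (ANY,), frozenset()),
]


def redirect_dns(f: Flow) -> Flow:
    """Model of the policy-routing/DNAT idea: any port-53 flow is rewritten so
    its destination is the chosen OpenDNS resolver, whatever the client set."""
    if f.dport == 53 and f.dst != DNS_REDIRECT_TARGET:
        return Flow(f.src, DNS_REDIRECT_TARGET, 53)
    return f


def evaluate(f: Flow, redirect: bool = False):
    """Return (action, matched_rule_name, final_destination) for a flow.
    A flow matching no rule is treated as allowed (assumed gateway default)."""
    if redirect:
        f = redirect_dns(f)
    for rule in GATEWAY_ACL:
        if rule.matches(f):
            return rule.action, rule.name, f.dst
    return "ALLOW", "no rule matched (assumed default)", f.dst


# Constructed sample flows from one guest client; all addresses are illustrative.
SAMPLE_FLOWS = {
    "https to a web site":      Flow("192.168.50.23", "93.184.216.34", 443),
    "dns to OpenDNS":           Flow("192.168.50.23", "208.67.222.222", 53),
    "dns to 8.8.8.8":           Flow("192.168.50.23", "8.8.8.8", 53),
    "bittorrent peer":          Flow("192.168.50.23", "203.0.113.77", 6881),
    "ssh":                      Flow("192.168.50.23", "203.0.113.77", 22),
    # DNS over HTTPS rides on tcp/443, so a port-based ACL cannot tell it from
    # ordinary web traffic; this is the bypass the second post suspects.
    "DoH to a public resolver": Flow("192.168.50.23", "1.1.1.1", 443),
}


def report(redirect: bool = False) -> dict:
    """Evaluate every sample flow, with or without the DNS redirect step."""
    return {name: evaluate(f, redirect) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"\n-- DNS redirect {'on' if mode else 'off'} --")
        for name, (action, rule, dst) in report(mode).items():
            print(f"{name:26} -> {action:5} by rule '{rule}' (dst {dst})")
```

Running it shows the ordering working as the first post expects: web and mail ports pass on rule 1, a query to 208.67.222.222 passes on rule 2, and a query to 8.8.8.8, a torrent peer on 6881, or SSH all fall through to rule 3 and are denied. With the redirect step switched on, the 8.8.8.8 query is rewritten to 208.67.220.220 before the ACL sees it and is then allowed by rule 2, which is the behaviour the nslookup test in the last post would confirm. The DoH row is the caveat: tcp/443 to any resolver is allowed by rule 1, so neither the port allow-list nor a port-53 redirect can force a client that uses DNS over HTTPS onto OpenDNS.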