Looking for solutions in firmwares v1.2.0/v1.2.1 on TL-R605 v1 when using ACL rules with ! mark

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Re:The latest firmware v1.2.0 for TL-R605 has a serious bug. Don't upgrade!
2022-05-01 19:37:35

@Fae I sincerely hope that in this fix the devs will allow only DHCP requests from any VLAN to the router but disallow access to the router management portal from blocked VLANs. This is really a security feature that I have been waiting for since I first installed the ER605.

#12
Re:The latest firmware v1.2.0 for TL-R605 has a serious bug. Don't upgrade!
2022-05-12 11:22:39

@Fae

The router made me mad, again, even with the firmware v1.1.1.

I experienced that rebooting this router takes so long, at least 10 minutes. And as I've mentioned before, there is no "promising" communication by the LEDs on the device.

Only the power LED is on; it doesn't even flash to show that it's in process. It's frustrating because we can't know if it's frozen or not.

And after looking at the system log, it shows that each VLAN takes 3 seconds to get its IP address/mask. Then several other steps take minutes. DHCPS initialization 30-240 seconds, and it appears several times in the log.

There are other strange things:

E.g. one of the WAN connections is PPPoE. And it has been set with MTU=1492. In the log it shows 1480.

Fortunately I installed a UPS power backup for this config, otherwise any tiny power shortage could lead to 10-15 minutes of internet outage.

Another thing still happening since the first firmware release:

Now I have two microwave connections with the same bandwidth plan. One connects with dynamic IP, the other with PPPoE.

Both are configured with the same bandwidth numbers. However, the traffic statistics show that WAN2 had 10 times more download usage than WAN1, and the uploads are the opposite: it has sent more via WAN1.

There is something else that causes a problem:

If a WAN port is disconnected (either by me clicking on disconnect in the WAN setup page...), it still wants to send traffic through that, probably because of Load Balance. If in Load Balance both WAN ports are marked, it doesn't look at the result of the online detection feature.

This is a serious issue, IMO.

#13
Re:The latest firmware v1.2.0 for TL-R605 has a serious bug. Don't upgrade!
2022-06-15 13:36:21
Evidently v1.2.1 was available, but my system was unable to detect that until I rebooted my OC300 controller last night; then all of a sudden it was available. Not sure if that is a timing coincidence with the release of 1.2.1, but that seems specious.
#14
Re:The latest firmware v1.2.0 for TL-R605 has a serious bug. Don't upgrade!
2022-06-15 14:25:48

@Fae

Please, can you tell me what this new feature exactly does that is written in the new (v1.2.1) release thread? (I wanted to avoid starting a new thread.)

"Add cloud optimization support in standalone/controller mode, you can choose to enable/disable cloud connection, and update the basic cloud domain name."

I'm interested in this feature in standalone mode. Does it mean some kind of limited access via the Tether app?

Or is it just how the Omada cloud service can somehow detect the device even if it's configured in standalone mode while it's connected in an Omada controlled environment?

#15
Re:The latest firmware v1.2.0 for TL-R605 has a serious bug. Don't upgrade!
2022-06-17 01:05:12

Dear @Arion,

Arion wrote

Please, can you tell me what this new feature exactly does that is written in the new (v1.2.1) release thread? (I wanted to avoid starting a new thread.)

"Add cloud optimization support in standalone/controller mode, you can choose to enable/disable cloud connection, and update the basic cloud domain name."

I'm interested in this feature in standalone mode. Does it mean some kind of limited access via the Tether app?

Or is it just how the Omada cloud service can somehow detect the device even if it's configured in standalone mode while it's connected in an Omada controlled environment?

This feature is mainly to provide an option to disable the cloud-connection behavior and update the cloud domain name to avoid confusion, as reported here.

If you don't plan to use the Omada Cloud-Based Controller to manage your Omada devices, you can disable the cloud-connection behavior as you want. Anyhow, it won't affect your access to the Tether app (for home products?) or the Omada app (for Omada devices).

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*
#16
Re:The firmwares v1.2.0 and v1.2.1 for TL-R605 have a serious bug. Don't upgrade if you use ACL rules!
2022-08-30 11:26:11 - last edited 2022-08-30 11:52:43

After updating to v1.2.1, the ACL rules with "!" work again as they did on v1.1.1, BUT the major security flaw is still there that the router's management portal is still accessible from any VLAN.

EDIT: I was wrong, the '!' issue is not fixed!!

#17
Re:The firmwares v1.2.0 and v1.2.1 for TL-R605 have a serious bug. Don't upgrade if you use ACL rules!
2022-08-30 11:58:46 - last edited 2022-08-30 12:09:09

@K_verb

Please, could you describe your configuration for the ACL or, better, post a screenshot of that page?

I keep claiming that on v1.2.1 firmware, using my config with ! in the ACL, the router becomes unreachable after turning that ACL rule on.

Edit: now I see your edited comment.

But @Hank21 has stated that with the new firmware they tested the ! rules and they work for them. I'd like to know exactly what configuration works for them.

Actually, I don't mind using v1.1.1 for a longer period. And I couldn't have risked (again) updating during the (European) summer. I'd like to ask the devs that whenever they release new firmware, please test this bug and don't allege that it works, because it causes many hours of interrupted local network until we figure out why it doesn't work.

#18
Re:The firmwares v1.2.0 and v1.2.1 for TL-R605 have a serious bug. Don't upgrade if you use ACL rules!
2022-08-30 12:16:26

K_verb wrote

BUT the major security flaw is still there that the router's management portal is still accessible from any VLAN.

You are requesting an exclusive management VLAN.

I have also thought about it but couldn't figure out how to do it.

There is a similar feature on the EAP management page, and when I tried it, I "successfully" blocked myself from that page because I chose my VLAN but the EAP was connected on a different VLAN port. It's a different story though.

On the ER605 there should be this feature for choosing management VLANs.

#19
Re:The firmwares v1.2.0 and v1.2.1 for TL-R605 have a serious bug. Don't upgrade if you use ACL rules!
2022-08-30 12:21:08

@Arion

This seems to work when using an Omada controller but for me it does not work standalone.

Any device in any VLAN can access the router login page although the router LAN IP is in a VLAN that is fully isolated by an ACL rule.

#20
Re:The latest firmware v1.2.0 for TL-R605 has a serious bug. Don't upgrade!
2022-10-08 19:35:40

Fae wrote

[...]

The main cause of the issue is that the 1.2.0 firmware has adjusted the ACL rules strategy: when the ACL rules are created with a "!" network, it will also restrict access to the gateway itself. That's why the clients are unable to obtain IP addresses from the DHCP after the 1.2.0 firmware update.

[...]

@Fae is there already a plan to change this in a future firmware release so that access is blocked on every service EXCEPT DHCP?

#21
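The following is an added example, not code from this thread or from TP-Link's firmware. It is a toy first-match ACL evaluator that models the two behaviours the thread argues about: the older semantics where traffic addressed to the router itself bypasses the ACL (so DHCP works but, as post #12 and K_verb complain, a "!" rule can never keep the management portal away from an isolated VLAN), and the 1.2.0 semantics Fae describes, where the router's own addresses are subject to the ACL, so a bare "deny to ! <VLAN network>" rule also swallows the DHCP broadcasts. The third rule set shows what post #21 asks for: an explicit DHCP allow placed before the deny rules, so DHCP reaches the router from the isolated VLAN and every other service on the router is blocked. The VLAN numbers, addresses, rule names and the assumption that the real engine is first-match with an implicit allow are all constructed for the example; the ER605's actual ACL engine is not documented in this thread.

```python
"""Toy first-match ACL evaluator (added example, not TP-Link firmware code).

exempt_gateway=True  : router-bound traffic bypasses the ACL (pre-1.2.0 behaviour
                       as described in the thread).
exempt_gateway=False : router-bound traffic is subject to the ACL (the 1.2.0 change
                       described by Fae).
All VLAN numbers, addresses and rule names are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

BROADCAST = IPv4Address("255.255.255.255")   # limited broadcast used by DHCPDISCOVER


@dataclass(frozen=True)
class Packet:
    vlan: int            # ingress VLAN the packet arrived on
    src: IPv4Address
    dst: IPv4Address
    proto: str           # "udp" or "tcp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src_vlan: Optional[int]      # None = any VLAN
    dst: IPv4Network             # destination network named in the rule
    dst_negated: bool = False    # True models a "!" destination: "anything NOT in dst"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src_vlan is not None and p.vlan != self.src_vlan:
            return False
        # Plain rule: dst must be inside the network. Negated rule: dst must be outside it.
        if (p.dst in self.dst) == self.dst_negated:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        return self.dport is None or p.dport == self.dport


def evaluate(rules: List[Rule], p: Packet, gateway_addrs, exempt_gateway: bool) -> str:
    """First matching rule wins; no match falls through to allow (assumed LAN default)."""
    if exempt_gateway and (p.dst in gateway_addrs or p.dst == BROADCAST):
        return "allow"            # router-bound traffic is never run through the ACL
    for r in rules:
        if r.matches(p):
            return r.action
    return "allow"


# Constructed topology: VLAN 10 = management, VLAN 20 = isolated IoT network.
MGMT_NET, IOT_NET = IPv4Network("10.10.0.0/24"), IPv4Network("10.20.0.0/24")
GATEWAY_ADDRS = {IPv4Address("10.10.0.1"), IPv4Address("10.20.0.1")}

# The single rule people in the thread describe: "deny VLAN 20 -> ! 10.20.0.0/24".
ISOLATE_ONLY = [Rule("iot-isolate", "deny", 20, IOT_NET, dst_negated=True)]

# What posts #12 and #21 ask for: DHCP to the router stays open, every other
# service on the router is denied. Order matters because the first match wins.
DHCP_THEN_DENY = [
    Rule("iot-dhcp", "allow", 20, IPv4Network("0.0.0.0/0"), proto="udp", dport=67),
    Rule("iot-no-portal", "deny", 20, IPv4Network("10.20.0.1/32")),   # the VLAN's own gateway
    Rule("iot-isolate", "deny", 20, IOT_NET, dst_negated=True),       # all other VLANs, incl. 10.10.0.1
]

# Constructed sample packets.
SCENARIOS: Dict[str, Packet] = {
    "dhcp_discover":      Packet(20, IPv4Address("0.0.0.0"), BROADCAST, "udp", 67),
    "dhcp_renew":         Packet(20, IPv4Address("10.20.0.50"), IPv4Address("10.20.0.1"), "udp", 67),
    "iot_to_own_portal":  Packet(20, IPv4Address("10.20.0.50"), IPv4Address("10.20.0.1"), "tcp", 443),
    "iot_to_mgmt_portal": Packet(20, IPv4Address("10.20.0.50"), IPv4Address("10.10.0.1"), "tcp", 443),
    "iot_to_mgmt_host":   Packet(20, IPv4Address("10.20.0.50"), IPv4Address("10.10.0.20"), "tcp", 22),
    "mgmt_to_portal":     Packet(10, IPv4Address("10.10.0.20"), IPv4Address("10.10.0.1"), "tcp", 443),
}


def run(rules: List[Rule], exempt_gateway: bool) -> Dict[str, str]:
    return {name: evaluate(rules, p, GATEWAY_ADDRS, exempt_gateway) for name, p in SCENARIOS.items()}


if __name__ == "__main__":
    for label, rules, exempt in [("legacy semantics, '!' rule only", ISOLATE_ONLY, True),
                                 ("1.2.0 semantics, '!' rule only", ISOLATE_ONLY, False),
                                 ("1.2.0 semantics, DHCP allowed first", DHCP_THEN_DENY, False)]:
        print(label)
        for name, verdict in run(rules, exempt).items():
            print(f"  {name:<20} {verdict}")
```

Under the legacy semantics the portal stays reachable from VLAN 20 no matter which rules are present, because the exemption is checked before the rules; under the 1.2.0 semantics the lone "!" rule blocks the DHCPDISCOVER broadcast (255.255.255.255 is outside 10.20.0.0/24) while the explicit UDP/67 allow in front of the deny rules keeps DHCP working and still closes the portal.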