Switch ACL's don't act as expected

Switch ACL's don't act as expected
Switch ACL's don't act as expected
2022-05-20 14:48:52 - last edited 2022-05-24 10:06:00

My system is shown here for reference.  Also, here's a bulleted list of equipment.  I just checked/confirmed that they all have the latest firmware:

 

  • TP-Link TLR-605 v1.0 (1.2.0)
  • TP-Link OC200 v 1.0 (5.1.7)
  • TP-Link TL-SG2210P v3.20 (3.20.2)
  • (2) TP-Link TL-SG2218 v1.0 (1.1.2)
  • (3) TP-Link EAP-245 V3.0 (5.0.5)
  • TP-Link EAP-225 v1.0 (5.0.8)

 

I have (3) VLANs

  • LAN 192.168.0.x (Management)
  • IoT 192.168.30.x
  • Guest 192.168.20.x

 

The Guest VLAN is isolated via the Guest rules.  I'd like the devices on LAN to be able to reach out and connect to devices on my IoT.  At the same time, devices on IoT should NOT be able to connect to anything on LAN.  With that in mind, I have created (2) Switch ACL rules via my OC200 hardware controller and ordered them as shown:

 

  • Rule 1: Allow LAN > IoT

  • Rule 2: Deny IoT > LAN

 

Pretty simple rules and a pretty simple concept.  However, this does not work as I expected it would.  The above Switch ACL rules cause connections between LAN and IoT to fail - and not allow any communication in either direction. (i.e., all communication between IoT and LAN is blocked.)  In the above rules, it seems that Rule #1 does nothing and I think that rule #2 actually overrides rule #1 (by default, all VLANs CAN all 'see' each other anyway).  If I disable rule #2, communication between LAN and IoT is open in BOTH directions.  The same result occurs if both rules are disabled or completely deleted.

 

Any insights on achieving what I'm trying to do?

 

(Edit: Updated device details)

0
0
#1
Options
1 Accepted Solution
Re:Switch ACL's don't act as expected-Solution
2022-05-20 20:17:39 - last edited 2022-05-24 10:06:00

Your point about allowing the ICMP protocol to get through made me think about this a bit more.  Here's what I think is happening. 

Since the 'Allow' LAN to IoT ACL Rule is in place, the ping from LAN to IoT is allowed to be sent - and IoT receives it.  However, once it is received by IoT, the 'Deny' IoT to LAN ACL Rule prevents an acknowledgment response via ICMP back to LAN, and the ping eventually times out.  Removing ICMP from the 'Deny' Rule, allows the ping acknowledgment to be sent back to LAN.  Doing that, however (as you stated) weakens your LAN-to-LAN security.  If due to different types of traffic and different ports that are needed to be used, and other adjustments are then needed too, the cross-LAN security will be further weakened. 

Digging a little more, I found a Reddit thread with the title, "TP-Link Omada - Switch ACLs aren't stateful".  The short version is that Omada Switch ACLs are not stateful and therefore can't - at least currently, do what we want in this case.  Additionally, it's important to note that most Switch ACLs are also not stateful.  That duty is usually handled by firewalls.  From Wikipedia: A stateful firewall is a kind of firewall that keeps track and monitors the state of active network connections while analyzing incoming traffic and looking for potential traffic and data risks. This firewall is situated at Layers 3 and 4 of the Open Systems Interconnection (OSI) model.

So, it appears that (I'd be more than happy to be wrong) the current capabilities of Omada's Switch ACL Rules cannot handle this task.

Am I interpreting all of this incorrectly? and if I'm right, will TP-Link upgrade their Switches and ACL Rule capabilities?

Recommended Solution
5
5
#3
Options
7 Reply
Re:Switch ACL's don't act as expected
2022-05-20 16:50:19 - last edited 2022-05-24 10:06:00

lflorack wrote

My system is shown here for reference.  Also, here's a bulleted list of equipment.  I just checked/confirmed that they all have the latest firmware:

 

  • TP-Link TLR-605 v1.0 (1.2.0)
  • TP-Link OC200 v 1.0 (5.1.7)
  • TP-Link TL-SG2210P v3.20 (3.20.2)
  • (2) TP-Link TL-SG2218 v1.0 (1.1.2)
  • (3) TP-Link EAP-245 V3.0 (5.0.5)
  • TP-Link EAP-225 v1.0 (5.0.8)

 

I have (3) VLANs

  • LAN 192.168.0.x (Management)
  • IoT 192.168.30.x
  • Guest 192.168.20.x

 

The Guest VLAN is isolated via the Guest rules.  I'd like the devices on LAN to be able to reach out and connect to devices on my IoT.  At the same time, devices on IoT should NOT be able to connect to anything on LAN.  With that in mind, I have created (2) Switch ACL rules via my OC200 hardware controller and ordered them as shown:

 

  • Rule 1: Allow LAN > IoT

  • Rule 2: Deny IoT > LAN

 

Pretty simple rules and a pretty simple concept.  However, this does not work as I expected it would.  The above Switch ACL rules cause connections between LAN and IoT to fail - and not allow any communication in either direction. (i.e., all communication between IoT and LAN is blocked.)  In the above rules, it seems that Rule #1 does nothing and I think that rule #2 actually overrides rule #1 (by default, all VLANs CAN all 'see' each other anyway).  If I disable rule #2, communication between LAN and IoT is open in BOTH directions.  The same result occurs if both rules are disabled or completely deleted.

 

Any insights on achieving what I'm trying to do?

 

(Edit: Updated device details)

@lflorack you and me both.   The ACL seems to be bi-directional even though I didnt set it up that way.  For me to ping from LAN to IoT, I have to change the ACL so that ICMP is not denied and then it works. But that leaves the IoT open to initiate pings back to me and see whats in my LAN

0
0
#2
Options
Re:Switch ACL's don't act as expected-Solution
2022-05-20 20:17:39 - last edited 2022-05-24 10:06:00

Your point about allowing the ICMP protocol to get through made me think about this a bit more.  Here's what I think is happening. 

Since the 'Allow' LAN to IoT ACL Rule is in place, the ping from LAN to IoT is allowed to be sent - and IoT receives it.  However, once it is received by IoT, the 'Deny' IoT to LAN ACL Rule prevents an acknowledgment response via ICMP back to LAN, and the ping eventually times out.  Removing ICMP from the 'Deny' Rule, allows the ping acknowledgment to be sent back to LAN.  Doing that, however (as you stated) weakens your LAN-to-LAN security.  If due to different types of traffic and different ports that are needed to be used, and other adjustments are then needed too, the cross-LAN security will be further weakened. 

Digging a little more, I found a Reddit thread with the title, "TP-Link Omada - Switch ACLs aren't stateful".  The short version is that Omada Switch ACLs are not stateful and therefore can't - at least currently, do what we want in this case.  Additionally, it's important to note that most Switch ACLs are also not stateful.  That duty is usually handled by firewalls.  From Wikipedia: A stateful firewall is a kind of firewall that keeps track and monitors the state of active network connections while analyzing incoming traffic and looking for potential traffic and data risks. This firewall is situated at Layers 3 and 4 of the Open Systems Interconnection (OSI) model.

So, it appears that (I'd be more than happy to be wrong) the current capabilities of Omada's Switch ACL Rules cannot handle this task.

Am I interpreting all of this incorrectly? and if I'm right, will TP-Link upgrade their Switches and ACL Rule capabilities?

Recommended Solution
5
5
#3
Options
Re:Switch ACL's don't act as expected
2022-05-20 20:55:30 - last edited 2022-05-24 10:06:00

lflorack wrote

Your point about allowing the ICMP protocol to get through made me think about this a bit more.  Here's what I think is happening. 

Since the 'Allow' LAN to IoT ACL Rule is in place, the ping from LAN to IoT is allowed to be sent - and IoT receives it.  However, once it is received by IoT, the 'Deny' IoT to LAN ACL Rule prevents an acknowledgment response via ICMP back to LAN, and the ping eventually times out.  Removing ICMP from the 'Deny' Rule, allows the ping acknowledgment to be sent back to LAN.  Doing that, however (as you stated) weakens your LAN-to-LAN security.  If due to different types of traffic and different ports that are used, other adjustments are needed, the cross-LAN security will be further weakened. 

Digging a little more, I found a Reddit thread with the title, "TP-Link Omada - Switch ACLs aren't stateful".  The short version is that Omada Switch ACLs are not stateful and therefore can't - at least currently, do what we want in this case.  Additionally, it's important to note that most Switch ACLs are also not stateful.  That duty is usually handled by firewalls.  From Wikipedia: A stateful firewall is a kind of firewall that keeps track and monitors the state of active network connections while analyzing incoming traffic and looking for potential traffic and data risks. This firewall is situated at Layers 3 and 4 of the Open Systems Interconnection (OSI) model.

So, it appears that (I'd be more than happy to be wrong) the current capabilities of Omada's Switch ACL Rules cannot handle this task.

Am I interpreting all of this incorrectly? and if I'm right, will TP-Link upgrade their Switches and ACL Rule capabilities?

  @lflorack pretty much spot on.  I tried to even put in an ACL just for the heck of it to allow all from LAN to IoT just to see if that might help. Didnt make a difference.  So we are kinda in limbo when it comes to security.  I guess if we want to check the IoT VLAN, we need to connect into it and check it from there.   But on a somewhat good note...we know that everybody can talk to each other in their respective LANS but not inter VLAN unless we pinhole things by unchecking protocols and such...

0
0
#4
Options
Re:Switch ACL's don't act as expected
2022-05-20 21:09:12 - last edited 2022-05-24 10:06:00

lflorack wrote

Your point about allowing the ICMP protocol to get through made me think about this a bit more.  Here's what I think is happening. 

Since the 'Allow' LAN to IoT ACL Rule is in place, the ping from LAN to IoT is allowed to be sent - and IoT receives it.  However, once it is received by IoT, the 'Deny' IoT to LAN ACL Rule prevents an acknowledgment response via ICMP back to LAN, and the ping eventually times out.  Removing ICMP from the 'Deny' Rule, allows the ping acknowledgment to be sent back to LAN.  Doing that, however (as you stated) weakens your LAN-to-LAN security.  If due to different types of traffic and different ports that are used, other adjustments are needed, the cross-LAN security will be further weakened. 

Digging a little more, I found a Reddit thread with the title, "TP-Link Omada - Switch ACLs aren't stateful".  The short version is that Omada Switch ACLs are not stateful and therefore can't - at least currently, do what we want in this case.  Additionally, it's important to note that most Switch ACLs are also not stateful.  That duty is usually handled by firewalls.  From Wikipedia: A stateful firewall is a kind of firewall that keeps track and monitors the state of active network connections while analyzing incoming traffic and looking for potential traffic and data risks. This firewall is situated at Layers 3 and 4 of the Open Systems Interconnection (OSI) model.

So, it appears that (I'd be more than happy to be wrong) the current capabilities of Omada's Switch ACL Rules cannot handle this task.

Am I interpreting all of this incorrectly? and if I'm right, will TP-Link upgrade their Switches and ACL Rule capabilities?

  @lflorack actually...I take back what I said.....I read the reddit article and if you put them in the correct order in the ACL list, it works.  Put the ALLOW LAN TO IOT before the DENY IOT TO LAN and that should do the trick.  I wasnt aware that the order of the ACL was that important.  I am testing now and it appears to be working

0
0
#5
Options
Re:Switch ACL's don't act as expected
2022-05-20 23:44:53 - last edited 2022-05-24 10:06:00

Fleegle61 wrote

@lflorack actually...I take back what I said.....I read the reddit article and if you put them in the correct order in the ACL list, it works.  Put the ALLOW LAN TO IOT before the DENY IOT TO LAN and that should do the trick.  I wasnt aware that the order of the ACL was that important.  I am testing now and it appears to be working

 

  @Fleegle61 

The order of your ACL rules is definitely important, but I already had mine in the proper order:

 

  1. Permit LAN > IoT
  2. Deny IoT > LAN

 

....and it still doesn't work.  I just confirmed the order of my ACL rules and the settings in the rules themselves and then test pinged them again.  For the reasons I explained earlier, they still don't work for me.  Unless I remove ICMP from the DENY rule (#2 above) before test pinging, I guess I don't see how it can.  Without a stateful capability in our Omda hardware, It isn't likely to work.  Are you sure its working for you?

0
0
#6
Options
Re:Switch ACL's don't act as expected
2022-05-21 00:47:34 - last edited 2022-05-24 10:06:00

lflorack wrote

Fleegle61 wrote

@lflorack actually...I take back what I said.....I read the reddit article and if you put them in the correct order in the ACL list, it works.  Put the ALLOW LAN TO IOT before the DENY IOT TO LAN and that should do the trick.  I wasnt aware that the order of the ACL was that important.  I am testing now and it appears to be working

 

  @Fleegle61 

The order of your ACL rules is definitely important, but I already had mine in the proper order:

 

  1. Permit LAN > IoT
  2. Deny IoT > LAN

 

....and it still doesn't work.  I just confirmed the order of my ACL rules and the settings in the rules themselves and then test pinged them again.  For the reasons I explained earlier, they still don't work for me.  Unless I remove ICMP from the DENY rule (#2 above) before test pinging, I guess I don't see how it can.  Without a stateful capability in our Omda hardware, It isn't likely to work.  Are you sure its working for you?

  @lflorack I also tried to no avail.  I thought i had it but nope!  But I did find it interesting that I could ping by guest wifi. Of course thats because there is no ACL for that, but the SSID is set for guest and that VLAN cant do anything other than internet.  Well it was worth trying and a good conversation.  I know a little more than I did this morning

0
0
#7
Options
Re:Switch ACL's don't act as expected
2022-05-21 15:34:51 - last edited 2022-05-24 10:06:00

Fleegle61 wrote

@lflorack I also tried to no avail.  I thought i had it but nope!  But I did find it interesting that I could ping by guest wifi. Of course thats because there is no ACL for that, but the SSID is set for guest and that VLAN cant do anything other than internet.  Well it was worth trying and a good conversation.  I know a little more than I did this morning

 

  @Fleegle61 

Thanks for the confirmation.

I have marked my explanation of why our Switch ACL Rules do not work as we expected.  We can hope that TP-Link will enhance the Switches to have the ACL Rules to be stateful.

3
3
#8
Options