ER605 ACLs not working as expected in standalone

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2022-07-06 16:20:33 - last edited 2022-10-10 01:50:01
Tags: #ACL
Model: ER605 (TL-R605)  
Hardware Version: V1
Firmware Version: 1.2.1 Build 20220512 Rel.76748

I have two networks/subnets, network1 and network2.

 

If I create two ACLs:

  • A LAN-LAN rule which blocks traffic from network2 to !network2
  • An ALL rule that allows traffic from IP2 on network2 to an IP1 on network1 using IP Groups

 

The allow rule is above the block rule on the list.

 

In this case, traffic does not flow from IP2 to IP1 and back. 

 

However, if I add the reflexive rule to allow traffic from IP1 to IP2, it works.  However, why would that be needed?  I don't have an ACL which blocks *any* traffic from network1 to network2.  If ALL traffic is already allowed, why would I need an allow rule for one IP explicitly?

 

In this case, the switches are all layer 2 managed switches.  The routing and ACLs are being applied by the ER605 only.

 

 

#1
Re:ER605 ACLs not working as expected in standalone
2022-07-06 17:17:03 - last edited 2022-10-10 01:49:31

I did some further testing on this.  If I change the LAN-LAN rule which blocks traffic from network2 to !network2 and instead use an ALL rule which blocks traffic from network2 to !network2, it works as expected.

 

So this more or less looks like a bug when rules are set as LAN->LAN.

#2
Re:ER605 ACLs not working as expected in standalone
2022-07-07 09:47:59 - last edited 2022-10-10 01:49:31

Dear @Alex789,

 

Alex789 wrote

I have two networks/subnets, network1 and network2.

 

If I create two ACLs:

  • A LAN-LAN rule which blocks traffic from network2 to !network2
  • An ALL rule that allows traffic from IP2 on network2 to an IP1 on network1 using IP Groups

 

The allow rule is above the block rule on the list.

 

In this case, traffic does not flow from IP2 to IP1 and back. 

 

However, if I add the reflexive rule to allow traffic from IP1 to IP2, it works.  However, why would that be needed?  I don't have an ACL which blocks *any* traffic from network1 to network2.  If ALL traffic is already allowed, why would I need an allow rule for one IP explicitly?

 

When we select Direction as ALL, the rule will only apply to one-way traffic which is from the source to the destination.

When we select Direction as LAN-LAN, the rule will apply to two-way traffic.

 

So we'll need to add the reflexive rule to make it to allow communication between IP2 and IP1.

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*
#3
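The direction semantics Fae describes (ALL matches only source to destination, LAN-LAN matches both directions) explain both the original result in post #1 and the workaround in post #2. The following is an added Python model of those semantics, not TP-Link's ACL code and not taken from the thread; it assumes top-to-bottom first-match evaluation, an implicit permit for traffic matching no rule (the OP's "ALL traffic is already allowed"), and stateless per-direction evaluation (which is why a reflexive rule is needed at all). The addressing, host names and rule names are constructed for the example.

```python
"""Model of the ACL direction semantics described in this thread.

Assumptions (labelled as such; not documented ER605 behaviour):
  * rules are evaluated top to bottom and the first match wins
  * traffic that matches no rule is permitted
  * each packet direction is evaluated on its own (stateless), so a
    session only works if both directions are individually permitted
  * Direction ALL matches only source -> destination
  * Direction LAN-LAN matches source -> destination and destination -> source
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample addressing (not from the thread).
NETWORK1 = ipaddress.ip_network("192.168.1.0/24")
NETWORK2 = ipaddress.ip_network("192.168.2.0/24")
IP1 = ipaddress.ip_address("192.168.1.10")   # host on network1
IP2 = ipaddress.ip_address("192.168.2.20")   # host on network2


@dataclass(frozen=True)
class Selector:
    """Address selector; negate=True means 'anything except net' (the OP's !network2)."""
    net: ipaddress.IPv4Network
    negate: bool = False

    def matches(self, addr) -> bool:
        return (addr in self.net) != self.negate


def host(ip) -> Selector:
    """Single-host selector, standing in for the OP's IP Group entries."""
    return Selector(ipaddress.ip_network(f"{ip}/32"))


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str   # "ALL" or "LAN-LAN"
    action: str      # "permit" or "deny"
    src: Selector
    dst: Selector

    def matches(self, src_ip, dst_ip) -> bool:
        forward = self.src.matches(src_ip) and self.dst.matches(dst_ip)
        if self.direction == "ALL":
            return forward
        if self.direction == "LAN-LAN":
            reverse = self.src.matches(dst_ip) and self.dst.matches(src_ip)
            return forward or reverse
        raise ValueError(f"unknown direction {self.direction!r}")


def evaluate(rules: List[Rule], src_ip, dst_ip) -> Tuple[str, str]:
    """First-match evaluation of one packet direction; returns (action, rule name)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action, rule.name
    return "permit", "implicit default"


def session_allowed(rules: List[Rule], a, b):
    """Stateless model: a session between a and b works only if both directions pass."""
    fwd = evaluate(rules, a, b)
    rev = evaluate(rules, b, a)
    return fwd[0] == "permit" and rev[0] == "permit", fwd, rev


ALLOW_IP2_TO_IP1 = Rule("allow IP2->IP1", "ALL", "permit", host(IP2), host(IP1))
ALLOW_IP1_TO_IP2 = Rule("allow IP1->IP2", "ALL", "permit", host(IP1), host(IP2))
BLOCK_NET2_LANLAN = Rule("block net2->!net2 [LAN-LAN]", "LAN-LAN", "deny",
                         Selector(NETWORK2), Selector(NETWORK2, negate=True))
BLOCK_NET2_ALL = Rule("block net2->!net2 [ALL]", "ALL", "deny",
                      Selector(NETWORK2), Selector(NETWORK2, negate=True))


def scenario_original():
    """Post #1: ALL allow above a LAN-LAN block; the return traffic IP1->IP2
    matches the block rule's reverse direction and is dropped."""
    return session_allowed([ALLOW_IP2_TO_IP1, BLOCK_NET2_LANLAN], IP2, IP1)


def scenario_reflexive():
    """Post #1/#3: adding the reflexive allow rule above the block makes the session work."""
    return session_allowed([ALLOW_IP2_TO_IP1, ALLOW_IP1_TO_IP2, BLOCK_NET2_LANLAN], IP2, IP1)


def scenario_block_as_all():
    """Post #2: with the block rule set to ALL it is one-way, so the return
    traffic matches nothing and falls through to the implicit permit."""
    return session_allowed([ALLOW_IP2_TO_IP1, BLOCK_NET2_ALL], IP2, IP1)


def other_net2_host_blocked():
    """Sanity check: another network2 host is still blocked in the reflexive configuration."""
    other = ipaddress.ip_address("192.168.2.21")
    return evaluate([ALLOW_IP2_TO_IP1, ALLOW_IP1_TO_IP2, BLOCK_NET2_LANLAN], other, IP1)


if __name__ == "__main__":
    for fn in (scenario_original, scenario_reflexive, scenario_block_as_all):
        ok, fwd, rev = fn()
        print(f"{fn.__name__}: session {'works' if ok else 'fails'}; IP2->IP1 {fwd}, IP1->IP2 {rev}")
    print("192.168.2.21->IP1:", other_net2_host_blocked())
```

Note the difference between the two workarounds: the reflexive rule keeps the two-way block in place for every other network2 host, whereas switching the block rule to ALL relies on the implicit permit for all network1-to-network2 traffic, which is a wider opening than the explicit pair of host rules.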
Re:ER605 ACLs not working as expected in standalone
2022-07-07 14:13:08 - last edited 2022-10-10 01:49:31

Fae wrote

 

When we select Direction as ALL, the rule will only apply to one-way traffic which is from the source to the destination.

When we select Direction as LAN-LAN, the rule will apply to two-way traffic.

  @Fae 

 

Since this behavior is both atypical and unintuitive, would it be possible to add some hint in the UI that indicates this?

#4
Re:ER605 ACLs not working as expected in standalone
2022-07-08 01:24:32 - last edited 2022-10-10 01:49:31

Dear @Alex789,

 

Alex789 wrote

Since this behavior is both atypical and unintuitive, would it be possible to add some hint in the UI that indicates this?

 

Thank you for your valuable feedback. I'll forward this to the engineer for further evaluation.

#5