Forums

Stories

Knowledge Base

Business Community > Routers > ER605 ACLs not working as expected in standalone

< Routers

ER605 ACLs not working as expected in standalone

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

ER605 ACLs not working as expected in standalone

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Alex789

LV3

2022-07-06 16:20:33 - last edited 2022-10-10 01:50:01

Posts: 112

Helpful: 60

Solutions: 9

Stories: 0

Registered: 2022-06-30

ER605 ACLs not working as expected in standalone

2022-07-06 16:20:33 - last edited 2022-10-10 01:50:01

Tags: #Gateway ACL

Model: ER605 (TL-R605)

Hardware Version: V1

Firmware Version: 1.2.1 Build 20220512 Rel.76748

I have two networks/subnets, network1 and network2.

If I create two ACLs:

A LAN-LAN rule which blocks traffic from network2 to !network2
An ALL rule that allows traffic from IP2 on network2 to an IP1 on network1 using IP Groups

The allow rule is above the block rule on the list.

In this case, traffic does not flow from IP2 to IP1 and back.

However, if I add the reflexive rule to allow traffic from IP1 to IP2, it works. However, why would that be needed? I don't have an ACL which blocks *any* traffic from network1 to network2. If ALL traffic is already allowed, why would a need an allow rule for one IP explicitly?

In this case, the switches are all layer 2 managed switches. The routing and ACLs are being applied by the ER605 only.

4 Reply

Alex789

LV3

2022-07-06 17:17:03 - last edited 2022-10-10 01:49:31

Posts: 112

Helpful: 60

Solutions: 9

Stories: 0

Registered: 2022-06-30

Re:ER605 ACLs not working as expected in standalone

2022-07-06 17:17:03 - last edited 2022-10-10 01:49:31

I did some further testing on this. If I change the LAN-LAN rule which blocks traffic from network2 to !network2 and instead us an ALL rule which blocks traffic from network2 to !network2 it works as expected.

So this more or less looks like a bug when rules are set as LAN->LAN.

Fae

2022-07-07 09:47:59 - last edited 2022-10-10 01:49:31

Posts: 3375

Helpful: 1276

Solutions: 431

Stories: 0

Registered: 2020-06-30

Re:ER605 ACLs not working as expected in standalone

2022-07-07 09:47:59 - last edited 2022-10-10 01:49:31

Dear @Alex789,

Alex789 wrote

I have two networks/subnets, network1 and network2.

If I create two ACLs:

A LAN-LAN rule which blocks traffic from network2 to !network2

An ALL rule that allows traffic from IP2 on network2 to an IP1 on network1 using IP Groups

The allow rule is above the block rule on the list.

In this case, traffic does not flow from IP2 to IP1 and back.

However, if I add the reflexive rule to allow traffic from IP1 to IP2, it works. However, why would that be needed? I don't have an ACL which blocks *any* traffic from network1 to network2. If ALL traffic is already allowed, why would a need an allow rule for one IP explicitly?

When we select Direction as ALL, the rule will only apply to one-way traffic which is from the source to the destination.

When we select Direction as LAN-LAN, the rule will apply to two-way traffic.

So we'll need to add the reflexive rule to make it to allow communication between IP2 and IP1.

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*

Alex789

LV3

2022-07-07 14:13:08 - last edited 2022-10-10 01:49:31

Posts: 112

Helpful: 60

Solutions: 9

Stories: 0

Registered: 2022-06-30

Re:ER605 ACLs not working as expected in standalone

2022-07-07 14:13:08 - last edited 2022-10-10 01:49:31

Fae wrote

When we select Direction as ALL, the rule will only apply to one-way traffic which is from the source to the destination.

When we select Direction as LAN-LAN, the rule will apply to two-way traffic.

@Fae

Since this behavior is both atypical and unintuitive, would it be possible to add some hint in the UI that indicates this?

Fae

2022-07-08 01:24:32 - last edited 2022-10-10 01:49:31

Posts: 3375

Helpful: 1276

Solutions: 431

Stories: 0

Registered: 2020-06-30

Re:ER605 ACLs not working as expected in standalone

2022-07-08 01:24:32 - last edited 2022-10-10 01:49:31

Dear @Alex789,

Alex789 wrote

Since this behavior is both atypical and unintuitive, would it be possible to add some hint in the UI that indicates this?

Thank you for your valuable feedback. I'll forward this to the engineer for further evaluation.

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*

Alex789

LV3

2022-07-06 16:20:33 - last edited 2022-10-10 01:50:01

Posts: 112

Helpful: 60

Solutions: 9

Stories: 0

Registered: 2022-06-30

Information

Helpful: 1

Replies: 4

ER605 ACLs not working as expected in standalone

ER605 ACLs not working as expected in standalone

Information

Voters 1

Tags