ER605/How to block a device from internet access?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2022-10-24 08:27:11 - last edited 2022-10-24 22:01:26
Model: ER605 (TL-R605)  
Hardware Version: V1
Firmware Version: 1.2.1 Build 20220512 Rel.76748

Hi, I have a very simple setup, using the TP-Link ER605 Omada as my home LAN router (single LAN). Within my LAN I have a device with a fixed IP. I want that device's IP address to be blocked from inbound/outbound connections to the internet (WAN). What steps within the router's admin panel do I need to follow to achieve this? I spent a lot of time with the Firewall's Access Control menu trying to figure it out but I can't. Previously I owned the TL-R600VPN and doing this was very easy, but the admin panel of the ER605 is completely different, seems to be more intricate and less user friendly. Thanks for any suggestions.

Re:ER605/How to block a device from internet access?
2022-10-25 04:23:40 - last edited 2022-10-25 04:23:54

@stealth23

Are you using Omada Controller?

I also have an ER605 and I took a screenshot of the example settings you need:

Re:ER605/How to block a device from internet access?
2022-10-25 05:33:50 - last edited 2022-10-25 05:36:06

Hi Somnus, and thanks for your reply. No, as I posted I'm using the ER605's admin panel, I did not install Omada's Software Controller, but maybe the controller's GUI is more intuitive.

In the screenshot that you show I don't see any IP that is specified (are they included in the "group"??). You only seem to block the LAN to WAN connections, I'd also add the WAN to LAN (outbound AND inbound).

Also, I do not understand what "Source" and "Destination" refer to, and where it says "Type" you specify "group1"? If you can outline the steps to follow I'd appreciate it.

Re:ER605/How to block a device from internet access?
2022-10-25 07:46:18 - last edited 2022-10-25 07:53:13

@stealth23

Below is how I've configured my VPN router to basically only allow VPN users access to AFP and SMB service to my NAS and block everything else, in standalone mode (no Omada software).

This shows my custom port settings for my NAS, which will be applied in ACLs.

Although what I'm doing is different to what you want, it shows how each stage is configured and how it all ties together. You should be able to adapt for your own needs. In your case, on the ACLs, you would be setting the "direction" as "WAN In" and "LAN>WAN".

Re:ER605/How to block a device from internet access?
2022-10-25 09:33:28
Hi GRL, many thanks for your detailed answer. So taking NAS as an example, you added NAS as an IP Address Range where start and finish is 10.0.0.82, which I assume is your NAS fixed IP? This is confusing, calling a fixed IP a "range". Can you include a screenshot of how you created (added) the group "Grp_NAS"? So I assume that the group "Grp_NAS" contains only one device, the NAS, right?
Re:ER605/How to block a device from internet access?
2022-10-25 10:04:11

@stealth23

Yep, if you have only one IP you want to include in a group, it's still considered a "range", so in my case I enter 10.0.0.82 in the From and To boxes.

When you set up a group, you give it a name, and then can select which IP "objects" you set up; you can have more than one if you want too.

Re:ER605/How to block a device from internet access?
2022-10-26 08:04:30
Thanks GRL, I think that now I understand the logical flow of steps. I'm trying to resolve another network issue, but once I'm ready to upgrade to the ER605 I'll post back the results.
Re:ER605/How to block a device from internet access?
2022-10-28 17:47:29

@GRL

Hi GRL again, I'm back after resolving my network issue.

So I have a NAS at my LAN IP 192.168.1.3. I want to create a rule to have the ER605 block the NAS from Internet access (inbound and outbound).

So I followed your steps:

First I create the IP Address for the NAS in Preferences/IP Group/IP Address:

Then I create an IP Group to include this NAS IP Address:

And then I create the Access Rule in the Firewall:

The issue is the following: in the last screenshot, if I set "Direction" to include "[WAN] IN" and "LAN-WAN" the NAS will still have internet access. The only way to block the NAS from internet access is by choosing "ALL" as seen above. How come? And also, if I choose ALL, which also blocks LAN to LAN, then my PC in my LAN wouldn't be able to access the NAS, but it does have access. Can't get it.

Re:ER605/How to block a device from internet access?
2022-10-28 18:31:03 - last edited 2022-10-28 18:37:40

Problem with using IPGroup any is it will literally block any IP. WAN, LAN, all of them.

Is your WAN a static IP?

Also, try setting the "Source" as the NAS group.

EDIT: might need two rules, one for Allow LAN<>LAN and one for blocking WAN, I'll do some testing with a random device I have here.

Re:ER605/How to block a device from internet access?
2022-10-28 19:17:43 - last edited 2022-10-28 19:18:47

GRL wrote:

Problem with using IPGroup any is it will literally block any IP. WAN, LAN, all of them.

Is your WAN a static IP?

Also, try setting the "Source" as the NAS group.

EDIT: might need two rules, one for Allow LAN<>LAN and one for blocking WAN, I'll do some testing with a random device I have here.

@GRL

My WAN is supposed to be Dynamic, however unless I renew the connection it seems to always stay with the same WAN IP.

Yes, but even when setting IPGroup Any as source or destination and ALL as Direction, the PC in my LAN is able to connect to the NAS.

I just tested setting NAS group as Source and IPGroup Any as Destination and now NAS is blocked from Internet when setting Direction WAN/IN and LAN/WAN (no need to set it to ALL), however PC in the LAN is still able to access the NAS.

Re:ER605/How to block a device from internet access?
2022-10-28 19:22:33

@stealth23

I'm not sure I follow you.

I just tested the following ACL to my spare NAS.

This successfully blocks the device from the WAN connection, but allows devices on my LAN to access it.

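A simplified model of the rule the last posts arrive at (NAS group as Source, IPGroup Any as Destination, Direction WAN IN and LAN to WAN), added here as an example; it is not part of the thread and not the ER605's own matching logic. It assumes a rule matches on source group, destination group and direction together; the `GRP_NAS` name, the rule name, the direction labels, the PC address 192.168.1.20 and the internet host 203.0.113.10 are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class IPRange:
    """An IP "object" as the thread describes it: a From/To pair."""
    start: str
    end: str

    def contains(self, ip: str) -> bool:
        return ip_address(self.start) <= ip_address(ip) <= ip_address(self.end)


@dataclass(frozen=True)
class Rule:
    name: str
    source: tuple          # IP group = one or more IPRange objects
    destination: tuple
    directions: frozenset  # direction labels are this model's own


# A single host is still a "range": From and To are the same address.
GRP_NAS = (IPRange("192.168.1.3", "192.168.1.3"),)       # NAS IP from the thread
IPGROUP_ANY = (IPRange("0.0.0.0", "255.255.255.255"),)

# Hypothetical rule name; fields follow the rule described in the thread.
BLOCK_RULES = [
    Rule("block-nas-wan", GRP_NAS, IPGROUP_ANY, frozenset({"LAN->WAN", "WAN IN"})),
]


def in_group(group, ip):
    return any(r.contains(ip) for r in group)


def matching_block_rule(rules, src, dst, direction):
    """Return the name of the first block rule matching the flow, else None."""
    for rule in rules:
        if (direction in rule.directions
                and in_group(rule.source, src)
                and in_group(rule.destination, dst)):
            return rule.name
    return None


def demo():
    flows = {  # constructed sample flows: (source, destination, direction)
        "nas_to_internet": ("192.168.1.3", "203.0.113.10", "LAN->WAN"),
        "pc_to_internet": ("192.168.1.20", "203.0.113.10", "LAN->WAN"),
        "pc_to_nas": ("192.168.1.20", "192.168.1.3", "LAN->LAN"),
        "internet_to_nas": ("203.0.113.10", "192.168.1.3", "WAN IN"),
    }
    return {k: matching_block_rule(BLOCK_RULES, *f) for k, f in flows.items()}
```

In this model the WAN IN direction never matches, because an inbound packet carries the NAS address as its destination rather than its source; covering inbound traffic would take a second rule with the NAS group as Destination.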