TP-LINK ER605 Access Control does not work (NOOP)

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2022-12-14 15:22:21 - last edited 2022-12-23 21:53:55
Tags: #ACL #Access Control
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.0.1 Build 20220223 Rel.68551

TLDR: No matter what "Access Control" policies I set, they do nothing. I can't find any option to "enable" the Access Control as a feature so I'm left to assume that Access Control is busted.

Quick steps:

1) I assigned a device of mine I wish to never have access to the internet a DHCP reserved IP [and confirmed with the device's admin that the IP assigned matches the DHCP reservation and the device only has a single IP of 192.168.0.101]

2) Under "Preferences -> Service Type" I added a service type named "ALL_UDP_TCP" and specified "UDP+TCP" and ports 0-65535 on the source and destination

3) Under "Preferences -> IP Group, IP Address" I added an IP address range of 192.168.0.101 -> 192.168.0.101 as "My_Device"

4) Under "Preferences -> IP Group" I added the "My_Device" into a group called "My_Device_Group"

5) Under "Firewall -> Access Control" I added an entry policy "Block", Service type "ALL_UDP_TCP", Direction "[WAN] IN", Source: "IPGROUP_ANY", Destination: "My_Device_Group", Effective time "Any"

6) Under "Firewall -> Access Control" I added an entry policy "Block", Service type "ALL_UDP_TCP", Direction "LAN->WAN", Source: "My_Device_Group", Destination: "IPGROUP_ANY", Effective time "Any"

Variations:

a) I set Service Type "Any"

b) I changed IP address range to subnet mask "192.168.0.101/32"

c) Rebooting the ER605 does not help

Other notes:

c) There are no NAT rules "Virtual Service" defined (although my understanding is that Access Control will still filter/monitor this traffic anyway)

d) I am using SIP/RTP over UDP for this device (source port 5032, destination 5060 and RTP range is UDP 13100-13499), and I disabled the SIP ALG under "Transmission -> NAT, ALG" "SIP ALG"

e) My actual goal is to enable this rule during specific hours (i.e. I'd like to set an Effective time); right now I'm just trying to prove the access control works at all. If it won't block "Any" for effective time then it won't block during a specific time frame either.

My conclusions:

i) I may need to "enable" "Access Control", but I found no such option to enable it. If that's the case this issue will be easy to fix if someone can point out where this option exists.

ii) I do not understand Access Control in some subtle way, e.g. IPGROUP_ANY doesn't do what I expect it to do or something...

iii) Access Control is busted and effectively does a NO-OP

Please help, as it is concerning that I cannot block traffic to/from this device, and I can confirm the server on the open internet is in fact receiving traffic to/from this device despite the Access Control rules being set.

#1
1 Accepted Solution
Re:TP-LINK ER605 Access Control does not work (NOOP)-Solution
2022-12-23 18:25:37 - last edited 2022-12-23 21:53:55

I wanted to post a follow up with the issue and solution (after a few rounds of back and forth with TP Link's R&D)!

If you have too large an IP range in the "IP Address" list then "Access Control" policies will fail.

To be clear, do not have any extremely large set of ranges under "Preferences->IP Group->IP Address". I don't know the exact max range allowed, but I wouldn't do a range like 1.0.0.0 to 9.255.255.255, as something of that large a range will cause all Access Control policies to break in a silent failure.

The mere presence of such a large range is enough to cause Access Control to fail, regardless of whether the range is used in any rules or not.

Recommended Solution
#7
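The following script is an added example and is not code from TP-Link or from any poster in this thread. It models the objects the original post describes (one "IP Address" entry, one IP group, and the two "Access Control" rules) as Python data, evaluates a few constructed flows against them to confirm the rule set actually expresses the intended block, and, following the accepted solution above, flags any "IP Address" range wider than an assumed ceiling so that one oversized entry cannot silently disable every policy. Assumptions: the ceiling of one /16 (the thread gives no documented limit), first-match evaluation with a default of Allow, and the documentation address 203.0.113.10 standing in for the SIP server.

```python
"""Offline model of the ER605 "IP Address" ranges, IP groups and Access
Control rules from the thread, plus a lint for oversized ranges.
Constructed example: not TP-Link firmware and not any poster's config."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

IPv4 = ipaddress.IPv4Address

# Assumption: the thread documents no ceiling, so any range wider than a
# /16 (65,536 addresses) is reported as suspect. Tune to your own findings.
MAX_RANGE_SIZE = 2 ** 16


@dataclass(frozen=True)
class IPRange:
    """One "Preferences -> IP Group -> IP Address" entry, start..end inclusive."""
    name: str
    start: IPv4
    end: IPv4

    def size(self) -> int:
        return int(self.end) - int(self.start) + 1

    def contains(self, ip: IPv4) -> bool:
        return self.start <= ip <= self.end


@dataclass(frozen=True)
class Rule:
    """One "Firewall -> Access Control" entry, evaluated in list order."""
    policy: str       # "Block" or "Allow"
    service: str      # "Any" or "ALL_UDP_TCP"
    direction: str    # "LAN->WAN" or "WAN IN"
    source: str       # IP group name or "IPGROUP_ANY"
    destination: str  # IP group name or "IPGROUP_ANY"


@dataclass(frozen=True)
class Flow:
    src: IPv4
    dst: IPv4
    proto: str        # "tcp", "udp", "icmp", ...
    direction: str    # "LAN->WAN" or "WAN IN"


def parse_range(name: str, start: str, end: str) -> IPRange:
    a, b = IPv4(start), IPv4(end)
    if a > b:
        raise ValueError(f"{name}: start {a} is after end {b}")
    return IPRange(name, a, b)


def oversized_ranges(ranges: List[IPRange]) -> List[Tuple[str, int]]:
    """(name, size) of every range wider than MAX_RANGE_SIZE; the accepted
    solution reports that one such entry breaks all policies silently."""
    return [(r.name, r.size()) for r in ranges if r.size() > MAX_RANGE_SIZE]


def _service_matches(service: str, proto: str) -> bool:
    if service == "Any":
        return True
    if service == "ALL_UDP_TCP":      # covers TCP and UDP only, not ICMP
        return proto in ("tcp", "udp")
    raise ValueError(f"unknown service type {service!r}")


def _group_matches(groups: Dict[str, List[IPRange]], group: str, ip: IPv4) -> bool:
    if group == "IPGROUP_ANY":
        return True
    return any(r.contains(ip) for r in groups[group])


def evaluate(rules: List[Rule], groups: Dict[str, List[IPRange]], flow: Flow) -> str:
    """First matching rule wins. With no match the flow is allowed
    (assumption, consistent with the traffic the original post saw pass)."""
    for rule in rules:
        if rule.direction != flow.direction:
            continue
        if not _service_matches(rule.service, flow.proto):
            continue
        if not _group_matches(groups, rule.source, flow.src):
            continue
        if not _group_matches(groups, rule.destination, flow.dst):
            continue
        return rule.policy
    return "Allow"


def verify_policy(rules, groups, expectations: List[Tuple[Flow, str]]) -> List[str]:
    """Describe every flow whose modelled verdict differs from the intended
    one; an empty list means the rule set expresses the intent."""
    problems = []
    for flow, wanted in expectations:
        got = evaluate(rules, groups, flow)
        if got != wanted:
            problems.append(f"{flow.direction} {flow.proto} {flow.src}->{flow.dst}: "
                            f"wanted {wanted}, got {got}")
    return problems


# Constructed reproduction of the configuration from the original post.
MY_DEVICE = parse_range("My_Device", "192.168.0.101", "192.168.0.101")
GROUPS = {"My_Device_Group": [MY_DEVICE]}
RULES = [
    Rule("Block", "ALL_UDP_TCP", "WAN IN", "IPGROUP_ANY", "My_Device_Group"),
    Rule("Block", "ALL_UDP_TCP", "LAN->WAN", "My_Device_Group", "IPGROUP_ANY"),
]
SIP_SERVER = IPv4("203.0.113.10")   # constructed stand-in for the real server
EXPECTATIONS = [
    (Flow(MY_DEVICE.start, SIP_SERVER, "udp", "LAN->WAN"), "Block"),
    (Flow(SIP_SERVER, MY_DEVICE.start, "udp", "WAN IN"), "Block"),
    (Flow(IPv4("192.168.0.50"), SIP_SERVER, "tcp", "LAN->WAN"), "Allow"),
]

if __name__ == "__main__":
    huge = parse_range("Huge", "1.0.0.0", "9.255.255.255")   # the range the solution warns about
    print("oversized ranges:", oversized_ranges([MY_DEVICE, huge]))
    print("policy mismatches:", verify_policy(RULES, GROUPS, EXPECTATIONS))
```

Two points the model makes visible: the range from the accepted solution spans over 150 million addresses and is flagged immediately, whereas the single-address entry from the original post is not; and because "ALL_UDP_TCP" does not cover ICMP, a ping test would not prove these two rules are working even on a healthy router, so verify with the UDP/TCP traffic the rules actually name.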
6 Replies
Re:TP-LINK ER605 Access Control does not work (NOOP)
2022-12-16 05:02:45
@optical

This configuration seems to be good.

You may try Omada Controller to manage this router. I'm using Omada Controller and the Gateway ACL works for me. It's a little different from the standalone page.

#3
Re:TP-LINK ER605 Access Control does not work (NOOP)
2022-12-16 15:15:39
@somnus Thanks for the reply - I forgot to put that I already tried "ALL" for the service type for both directions. That doesn't work either (and I did reboot the router to see if that helps, it doesn't). I didn't know about the Omada Controller so I'll look that up.
#4
Re:TP-LINK ER605 Access Control does not work (NOOP)
2022-12-17 03:10:44
@optical Did you also check to add the IPv6 address to the named IP Group?
#5
Re:TP-LINK ER605 Access Control does not work (NOOP)
2022-12-18 15:42:21
@JoeSea ER605 WAN does not have IPv6 enabled and the LAN device I'm trying to filter is IPv4 assigned IP only connected to an IPv4 server. There's no IPv6 assigned or in use on the device I'm trying to filter. I agree that could have been an avenue the device could bypass the IPv4 firewall but I'm not sure how that would be applicable in this particular case (unless I'm mistaken somehow in my understanding).
#6
Re:TP-LINK ER605 Access Control does not work (NOOP)
2023-04-02 21:22:46
@optical I'm using Omada Software Controller v 5.8.4 and I don't have any ranges that are too large, and I have tried all variations of Gateway ACL rules to no avail. The devices on the separate VLANs can always still ping each other. I'm going to upgrade my firmware from V2.0 at some point, but man am I terrified that I'll introduce another set of obstacles when I do that. Here goes nothing...
#8