Omada Firewall Gateway ACL setup
Hi!
Configuring my first Omada (and TP-Link) router/firewall.
Wanted to double check that I understand this correctly. If I create this rule (screenshot below),
Denying [WAN] IN, TCP&UDP from IPGroup_Any to IPGroup_Any:
... Then leaving State Type at Auto (Match State New / Established / Related)
Then everything that's Established, Related are allow back in, right?
(Maybe someone has a link to some nice example of best practice rules for a SOHO setup? I kinda got lost in reading the wrong PDFs for standalone config and such.) 😅
Most of my experience with firewalling is on Linux and router operating systems using pretty much the same logic.
I would feel more confident here if I could get a dump somehow (command line or something) of active ruleset ...
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
this rule is not really necessary, it is set by default.
but, it will also block the remote site if you have site to site vpn, it also blocks if you have port forward (NAT IN)
I use it to block some remote site LAN that goes on VPN, but then only RFC1918 net
- Copy Link
- Report Inappropriate Content
@MR.S Oh, thanks. I read somewhere* that the ACL by default were just allow all, I guess that's not so, then.
*) or maybe someone said so in a YouTube video about Omada setup ...
- Copy Link
- Report Inappropriate Content
By default LAN to WAN allow all, WAN to LAN Block all. except Remote site in VPN, then you can do portforward and this port is automatic opened to device you forward to.
- Copy Link
- Report Inappropriate Content
Thanks, that's sensible defaults!
And [WAN] IN by default accepts/responds to ICMP (at least some)?
But blocks access to the router itself (Management interface HTTP/SSH/Telnet/SNMP etc.)?
BTW: Are useful info like this listed in any docs/guides?
- Copy Link
- Report Inappropriate Content
flips01 wrote
Thanks, that's sensible defaults!
And [WAN] IN by default accepts/responds to ICMP (at least some)?
But blocks access to the router itself (Management interface HTTP/SSH/Telnet/SNMP etc.)?
BTW: Are useful info like this listed in any docs/guides?
Wan respont to ICMP only if you have enabled ping from wan in firewall settings under Attach defence, and router management interface itself is not possible to reach from wan, I don't think it is possible either when the router is controller managed.
but if you try to reach wan interface from lan you will se a login page, but this is not posible from any device from wan.
If you are going to test do not test from LAN, there are many things that respond from the LAN, you must test from the WAN, if you ping the WAN IP from the LAN, it will respond to the ping, but if you do the same from the WAN, it will it does not respond. same thing with management on router itself. or SSH
you can test from your phone on the mobile network, turn off WiFI :-)
docs :-) yaea there is a omada documentation but how good this is? i dont know.
You can try this
- Copy Link
- Report Inappropriate Content
there is no tailored config. you have the authority to design your network.
from your config, you want to block ICMP, that's not necessary because security > firewall has already blocked "ping from WAN". your router does not respond to WAN ping.
in protocols, you can further specify what kind of protocols you want to block.
when you deny all public IP in, you are probably limited to no internet access. you can only make/establish a connection.
what do you want to achieve eventually with the ACL?
- Copy Link
- Report Inappropriate Content
Thanks. Yes, I've been reading that guide. It doesn't really go into details.
It would be nice if there was a reference (wiki or whatever) where some default were visible.
(Details as in what you just described that default policy for WAN is Drop and what's opened by default when you add VPN etc.)
Deny public WAN IN didn't block established, related, so most stuff works, as described by MR.S above.
I know an am able to design a pretty good firewall, when I understand the defaults (and user friendly behind the scenes logic).
The reason I was asking for examples, was because I like studying some examples (especially when I know it's made by people who know the hardware and software well). I usually pick up useful hints and understanding that's not obvious when you start from scratch.
(If the TP-link firmware is built on Linux (nf_tables/iptables) or BSD (pf or similar), it would be very helpful if one could get a command line dump of the active rules or similar. Not sure it's possible though.)
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 6856
Replies: 7
Voters 0
No one has voted for it yet.