@flips01 

this rule is not really necessary, it is set by default.
but, it will also block the remote site if you have site to site vpn, it also blocks if you have port forward (NAT IN)

I use it to block some remote site LAN that goes on VPN, but then only RFC1918 net

  @MR.S Oh, thanks. I read somewhere* that the ACL by default were just allow all, I guess that's not so, then.

*) or maybe someone said so in a YouTube video about Omada setup ... 

  @flips01 

By default LAN to WAN allow all, WAN to LAN Block all. except Remote site in VPN, then you can do portforward and this port is automatic opened to device you forward to.

  @MR.S 

Thanks, that's sensible defaults!

And [WAN] IN by default accepts/responds to ICMP (at least some)?

But blocks access to the router itself (Management interface HTTP/SSH/Telnet/SNMP etc.)?

BTW: Are useful info like this listed in any docs/guides?

flips01 wrote

  @MR.S 

Thanks, that's sensible defaults!

And [WAN] IN by default accepts/responds to ICMP (at least some)?

But blocks access to the router itself (Management interface HTTP/SSH/Telnet/SNMP etc.)?

 

BTW: Are useful info like this listed in any docs/guides?

  @flips01 

Wan respont to ICMP only if you have enabled ping from wan in firewall settings under Attach defence, and router management interface  itself is not possible to reach from wan, I don't think it is possible either when the router is controller managed. 

but if you try to reach wan interface from lan you will se a login page, but this is not posible from any device from wan.

If you are going to test do not test from LAN, there are many things that respond from the LAN, you must test from the WAN, if you ping the WAN IP from the LAN, it will respond to the ping, but if you do the same from the WAN, it will it does not respond. same thing with management on router itself. or SSH

you can test from your phone on the mobile network, turn off WiFI :-)

docs :-) yaea there is a omada documentation but how good this is? i dont know.

You can try this

https://static.tp-link.com/upload/manual/2023/202306/20230609/1910013343_Omada%20SDN%20Controller_User%20Guide_REV5.9.0.pdf

@MR.S 

Thanks.  Yes, I've been reading that guide. It doesn't really go into details.

It would be nice if there was a reference (wiki or whatever) where some default were visible.

(Details as in what you just described that default policy for WAN is Drop and what's opened by default when you add VPN etc.)

  @Tedd404 

Deny public WAN IN didn't block established, related, so most stuff works, as described by MR.S above.

I know an am able to design a pretty good firewall, when I understand the defaults (and user friendly behind the scenes logic).

The reason I was asking for examples, was because I like studying some examples (especially when I know it's made by people who know the hardware and software well). I usually pick up useful hints and understanding that's not obvious when you start from scratch.

(If the TP-link firmware is built on Linux (nf_tables/iptables) or BSD (pf or similar), it would be very helpful if one could get a command line dump of the active rules or similar. Not sure it's possible though.)