Restrict incoming SSH to group of ip numbers

2023-09-04 07:37:40 - last edited 2023-09-06 12:59:56
Model: ER707-M2  
Hardware Version: V1
Firmware Version: 1.1.0

Hi,

I installed an ER707-M2 as our internet router (in Omada env with TL-SG3452X Switch and a couple of EAP620 HD access points).

With the previous router I could limit incoming traffic to certain ip groups and ports.

I haven't found a way to do this in Omada yet. Can someone give me some suggestions?

Specifically I want to allow SSH (port 22) access to a Port forwarded server (internal) but only from a limited group of internet sources/IP addresses.

6 Reply
Re:Restrict incoming SSH to group of ip numbers
2023-09-04 09:21:48

Hi @cdnhk 

Thanks for posting in our business forum.

ACL can do it. Deny all and allow certain IPs should do it.

Re:Restrict incoming SSH to group of ip numbers
2023-09-04 09:46:02

  @Clive_A 

Thanks for your reply but I think it is a bit too limited for me to 'get it'.

  1. Would it be a Gateway ACL or a Switch ACL
    1. I guess a Switch ACL since Gateway ACL doesn't allow IP-Port Group
  2. If it's a switch ACL, I want to limit WAN -> LAN access only for port 22. WAN->LAN access for any on port 80/443 would still be needed to be allowed.

Maybe there is a document or video explaining this scenario?

Re:Restrict incoming SSH to group of ip numbers-Solution
2023-09-04 14:18:10 - last edited 2023-09-06 12:59:56

  @cdnhk 

If you port forward you can add the allowed IP in the port forward rule.

Recommended Solution
Re:Restrict incoming SSH to group of ip numbers
2023-09-05 02:23:10

Hi @cdnhk 

Thanks for posting in our business forum.

GW ACL, WAN IN.

Specify the IP group and deny their access.

If you still worry that the IP group cannot limit the access from others, then consider the VPN instead. If you expose the port, unless you are on a static IP, and you only allow your static IP to access the network, you cannot block that many IP addresses.

 

WAN ACL with IP-Port Group is a feature in the future. Gotta plan to add it.

For the docs about the ACL, refer to the User Guide of Omada Controller.

Re:Restrict incoming SSH to group of ip numbers
2023-09-06 12:55:27 - last edited 2023-09-06 12:59:53
Thanks Mr.S, I used this method although it would have been nice if you could use groups for this.
Re:Restrict incoming SSH to group of ip numbers
2023-09-06 12:57:25
Thanks Clive_A, WAN ACL with IP-Port Group would indeed be a nice addition.
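
A check to run on the forwarded SSH server once the source restriction from this thread is in place, added here as an example (it is not from any poster or from TP-Link): it reads sshd log lines and counts client addresses that fall outside the allowlist. The networks and log lines are constructed samples, and it assumes the port forward preserves the original source address.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the same sources that were entered in the router rule
# (documentation ranges stand in for real addresses).
ALLOWED_SOURCES = [ipaddress.ip_network(n)
                   for n in ("203.0.113.0/28", "198.51.100.7/32")]

# In sshd messages the client address is the token right before " port N".
# The greedy ".*" picks the last such token on the line, so a username that
# itself contains "from <ip> port <n>" cannot stand in for the real address.
SRC_RE = re.compile(r"sshd\[\d+\]: (?!Server listening).* (\S+) port \d+")

# Constructed sample lines in OpenSSH syslog format.
SAMPLE_LOG = [
    "Sep  6 12:01:02 srv sshd[1201]: Accepted publickey for admin from 203.0.113.5 port 51234 ssh2",
    "Sep  6 12:03:10 srv sshd[1207]: Failed password for invalid user test from 192.0.2.44 port 40022 ssh2",
    "Sep  6 12:03:12 srv sshd[1207]: Connection closed by invalid user test 192.0.2.44 port 40022 [preauth]",
    "Sep  6 12:05:40 srv sshd[1215]: Accepted password for backup from 198.51.100.7 port 50111 ssh2",
    "Sep  6 12:09:00 srv sshd[1220]: Invalid user x from 203.0.113.5 port 22 from 192.0.2.99 port 41000",
    "Sep  6 12:10:00 srv sshd[1221]: Server listening on 0.0.0.0 port 22.",
]


def sources_outside_allowlist(log_lines, allowed=ALLOWED_SOURCES):
    """Count sshd log entries per client address not covered by `allowed`."""
    hits = Counter()
    for line in log_lines:
        match = SRC_RE.search(line)
        if not match:
            continue
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:  # token before "port" was not an address
            continue
        if not any(addr in net for net in allowed):
            hits[str(addr)] += 1
    return dict(hits)


if __name__ == "__main__":
    for addr, count in sources_outside_allowlist(SAMPLE_LOG).items():
        print(f"{addr}: {count} log entries from outside the allowlist")
```

Any address this reports reached port 22 despite the restriction, which means the router rule is not matching the way it was intended.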