Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7

2023-10-31 07:38:11 - last edited 2024-01-04 09:25:44
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.2.0 Build 20230629 Rel.64012
I have a system consisting of an ER605 router, a TL-SG2008 switch and an EAP610 AP, all with Omada controller software version 5.12.7, and every 10 minutes I receive a notification: "Router Omada Detected TCP SYN packets attack and dropped xxx packages." How can I solve this problem?
Omada Software Controller : V 5.13.22 Router : ER605 V2.2.3 Switch : TL-SG2008 V4_4.20.0 and TL-SG108E V5_20191021 AP: EAP610 V3_1.4.3 and TL-WA801N V6_200116
#1
1 Accepted Solution
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7-Solution
2024-01-04 08:30:33 - last edited 2024-01-04 09:25:44

To anyone who's looking at this,

To fix this issue, set the Block TCP scan with RST disabled.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Beta firmware got some NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting Manual ★ ☚ (Disclaimer: Short links are used above solely for guidance to TP-Link subdomains and are safe and tracker-free. Exercise caution with short links from non-official members on forums. We are not liable for external content or damage from non-official members' link use.)
#15
17 Reply
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
2023-10-31 08:46:07 - last edited 2024-01-04 09:24:54

Hi @Sadiqus 

Thanks for posting in our business forum.

We got something to prepare before we dig into this.

So you can take a look at this thread to learn about the ACL. https://community.tp-link.com/en/business/forum/topic/617732

If possible, I'd recommend you upgrade your firmware to the V2.1.5 beta, you can find it in the pinned thread.

 

This looks like an attack from the WAN. So, I've got a question: is your Internet affected?

If your Internet is affected, we will need to find the IP address of the attacker and block it. So, that'll use the first link.

Then try the latest firmware and see if the log can show the IP address. If it cannot display the attacker's IP, we gotta use Wireshark to find it out and add it to the ACL block.

How to capture packets using Wireshark on SMB router or switch

How to Use Port Mirror to Capture Packets in the Controller

 

#2
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
2023-10-31 11:43:37 - last edited 2023-10-31 11:50:26

Hello @Clive_A, fortunately it does not affect my internet connectivity. Unfortunately, I cannot upgrade to the beta version because the controller firmware is 5.12.7 and the beta version is for the controller with firmware 5.11 ... I noticed that there is this version: ER605 V2_2.2.2 Official Firmware (Released on Oct 18th, 2023), and I have 2.2.0.

 

Is it safe to try to put the beta firmware on the 5.12.7 controller?

 

My controller is software, in a docker container, I hope this is not a problem.

 

 

Below are some print screens of my internet speed, apparently it is not affected in any way.

 

#3
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
2023-11-01 01:28:13 - last edited 2024-01-04 09:24:58

Hi @Sadiqus 

Thanks for posting in our business forum.

Sadiqus wrote

Hello @Clive_A, fortunately it does not affect my internet connectivity. Unfortunately, I cannot upgrade to the beta version because the controller firmware is 5.12.7 and the beta version is for the controller with firmware 5.11 ... I noticed that there is this version: ER605 V2_2.2.2 Official Firmware (Released on Oct 18th, 2023), and I have 2.2.0.

 

Is it safe to try to put the beta firmware on the 5.12.7 controller?

 

My controller is software, in a docker container, I hope this is not a problem.

 

 

Below are some print screens of my internet speed, apparently it is not affected in any way.

 

If possible, I still recommend you take a look at your network to find out what the device is. But it's your network and it's your choice.

 

The firmware does not have any negative impact if you use it for lower adaptation.

The attack should be sent to the router. The router blocks and reports it. Usually, it is from the WAN. This log will continue to show with the current setting or you can disable the notification in the log settings.

 

Uncheck all of them. You should be free from the attack log.

#4
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
2023-11-01 07:58:30

  @Clive_A 

 

I looked in my network, and there are no problems, I tend to think that the attack is still from outside, but it doesn't show me that IP so I can block it. 
I have 2 internet providers, I have to see which of them the attack is coming from. 
The option with Gateway Detected Attack unchecked works perfectly.
#5
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
2023-11-01 08:26:02

  @Sadiqus 

 

Routers are attacked all the time. To limit it, you can create a location group and include all countries, then create a router ACL with the location group and WAN IN.
If you need access from certain countries, you can exclude these from the group.

 

 

#6
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
2023-11-01 08:46:44

  @MR.S

I can't do that, behind the router I have a few servers that need to be accessed from anywhere. Some websites, web pages, etc.  

#7
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
2023-11-02 01:08:25

Hi @Sadiqus 

Thanks for posting in our business forum.

Sadiqus wrote

  @MR.S

I can't do that, behind the router I have a few servers that need to be accessed from anywhere. Some websites, web pages, etc.  

This is the downside if you host websites or other stuff. You also face the risk of being attacked. Usually, the home users would not experience such an issue. If they expose the port, that might happen because open ports can be exploited if you do not set proper security for that.

 

I would do the following to find it out:

1. Unplug one of the WANs to identify which ISP is under attack.

2. Port Mirroring and Wireshark to find out the constant access of the device.

3. Set up the ACL or the Geo block by identifying the IP belonging.

#8
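The capture-analysis step suggested in the reply above (finding which source is behind the SYN alerts in a port-mirror capture), as an added example that is not part of the thread or of TP-Link's tooling: a Python script that tallies SYN-without-ACK packets per source address from a classic pcap file, the same selection as the Wireshark display filter `tcp.flags.syn == 1 && tcp.flags.ack == 0`. The capture bytes and addresses (documentation ranges) are constructed, and all function names are hypothetical.

```python
import struct
from collections import Counter

def syn_sources(pcap: bytes) -> Counter:
    """Count bare SYNs (SYN set, ACK clear) per source IPv4 address in a
    classic little-endian pcap whose link type is Ethernet."""
    magic, linktype = struct.unpack_from("<I16xI", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet frames")
    counts, off = Counter(), 24              # skip the 24-byte global header
    while off + 16 <= len(pcap):             # 16-byte per-packet header
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16 : off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                         # not IPv4
        ihl = (frame[14] & 0x0F) * 4         # IPv4 header length in bytes
        if frame[23] != 6 or len(frame) < 14 + ihl + 14:
            continue                         # not TCP, or truncated
        if (frame[14 + ihl + 13] & 0x12) == 0x02:   # TCP flags: SYN, no ACK
            counts[".".join(map(str, frame[26:30]))] += 1
    return counts

def top_talkers(pcap: bytes, threshold: int = 3):
    """Sources whose bare-SYN count meets the threshold, highest first."""
    return [(ip, n) for ip, n in syn_sources(pcap).most_common() if n >= threshold]

def make_frame(src: str, flags: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame to 192.0.2.1:443 (checksums zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes([192, 0, 2, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, flags, 1024, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames) -> bytes:
    """Wrap frames in a classic pcap container (timestamps zero)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed sample: one source sending repeated SYNs, plus normal traffic.
SAMPLE = build_pcap(
    [make_frame("198.51.100.7", 0x02)] * 5
    + [make_frame("203.0.113.9", 0x02), make_frame("203.0.113.9", 0x10),
       make_frame("192.0.2.50", 0x12)]
)

if __name__ == "__main__":
    for ip, n in top_talkers(SAMPLE):
        print(f"{ip}\t{n} SYNs")
```

If the SYNs carry spoofed source addresses, the tally shows many addresses with one or two packets each rather than one dominant source, and a per-IP ACL entry will not help.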
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
2023-11-02 07:22:59

  @Clive_A 

 

To make it easier to understand, my configuration is as follows: I have 2 internet providers, and behind the router I have 5 vlans :

1. Administration vlan,

2. IoT Vlan,

3. Home vlan,

4. Guest Home vlan

5. free wifi vlan as guest.

 

So in the admin network I have 2 physical servers that have Docker containers. To be more precise, there are 18 sites on one physical server and 6 sites on the other physical server, all in Docker containers, of which only one site goes to the Internet on my real IP through an nginx reverse proxy; the rest of the 23 sites are made through proxies through Cloudflare. I specify the fact that I own an FQDN domain.

The only ports I forward on the router are 80 and 443 + 2 other ports for VPN connection through Wireguard (each port for a different ISP).

The main ISP is a 1 GBps up/down fiber connection, the other ISP is a VDSL of 70 Mbps down and 23 Mbps UP, which is only for backup and through which the IoT vlan and the FreeWifi vlan come out to the Internet.

 

If you say that it wouldn't be a problem to downgrade to the V2.1.5 beta version, on my V5.12.7 controller, I would also try this in the hope that maybe it will show me the IP/IPs that are attacking me so as to be able to block them.

 

Thank you very much for your help

#9
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
2023-12-16 17:29:43

  @Sadiqus 

 

I am having the same issue. I don't believe it's a hack. It's every 10 minutes getting these alerts. I'm not being notified as I turned off the Gateway Detected Attack alert. I also have dual WAN, but one of my WANs is failover only. Started getting these alerts after upgrading to firmware 2.2.2 on ER605 v2.

#10
Re:Router Omada Detected TCP SYN packets attack and dropped xxx packets every 10 minutes, 24/7
2023-12-16 19:59:36

In the meantime I upgraded to V2.2.2, but the problem is still there. I also shut down one of the physical servers.

#11