LAN access without WAN access

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-11-08 04:26:14 - last edited 2023-11-13 01:30:54
Model: ER605 (TL-R605)   SG2008P   EAP653  
Hardware Version:
Firmware Version:

Hello guys,

I'm sorry, English is not my native language, but I'll try to do my best.

For the last 3 days I have been searching all over the Internet and trying too many ACL rules, but nothing works.

What do I have? I have 4 VLANs: 1 - Admin, 2 - Main, 3 - IoT, 4 - Guest.

What do I need?

I need this config on some IoT VLAN devices: block WAN access to a specific IP/device but keep it connected to the LAN/VLAN network.

Why? Some devices work with the cloud and others do not need the cloud. I want to block their untrusted communications with the outside of my LAN network, but I need a rule to permit them to communicate with the "Admin" VLAN, where my home server is.

I have some ACL rules that work, but I can't make them work together.

Gateway ACL

At this moment I am able to deny all WAN access to a specific VLAN (rule number 2). Rule number 1 (a permit so that a specific IP can connect to the Internet) I can't make work.

Switch ACL

The 2 top ACL rules work, but I can't block WAN access.

Any recommendation?

Thanks

#1
Re: LAN access without WAN access
2023-11-09 01:10:29

Hi @LinkX92

Thanks for posting in our business forum.

LinkX92 wrote

  What do I need?

  I need this config on some IoT VLAN devices: block WAN access to a specific IP/device but keep it connected to the LAN/VLAN network.

  Why? Some devices work with the cloud and others do not need the cloud. I want to block their untrusted communications with the outside of my LAN network, but I need a rule to permit them to communicate with the "Admin" VLAN, where my home server is.

1. GW ACL to block WAN access to specific devices.

However, you should be clear about what you need. Is this gonna be an ingress or egress?

Literal meaning here in the Direction.

If you are talking about the incoming traffic, set up the WAN IN ACL.

If outgoing, you should set up the LAN > WAN ACL.

Source (SRC) and Destination (DST) should be based on your plan. I cannot point out how to configure ACL in every thread on the forum, but I can show you how to do it.

I do hope people can study the ACL guide, which is rather hard if you are new to this. There are examples in the User Guide of the router and switch in standalone mode.

2. I understand you want to stop the IoT devices from talking to the servers. "Why? Some devices work with the cloud and others do not need the cloud. I want to block their untrusted communications with the outside of my LAN."

Basically, you should set up the LAN > WAN ACL for them. Since WAN cannot access the LAN, you should simply stop the IoT VLAN from getting Internet. Then this stops them from connecting to the IoT server.

You don't have to worry about the WAN IN because of the NAT.

(Note: if you are gonna specify every traffic flow at your own discretion, then it's gonna be a large amount of work. If there are any issues, you should at least run a self-check multiple times.)

3. "But I need a rule to permit them to communicate with the 'Admin' VLAN, where my home server is." By default, the VLAN interfaces you created can talk to each other. You can try to ping it yourself.

If you are talking about cross-VLAN discovery, set up mDNS then.

If you want to only allow one IP from the Admin VLAN to talk to the IoT VLAN, you can achieve this by 1 deny Admin - IoT and 1 allow IoT (All) - Admin (one IP). Deny should have higher priority. This works.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#2
Re: LAN access without WAN access
2023-11-09 10:30:09

@Clive_A

Hello, thanks for your reply.

In general I know how to apply ACL rules; I have made various tests and done it with success, but at this moment I only have a problem applying one of them.

1 - Omada's translation into my language is not very correct for the WAN IN option. Now I have changed to English and I see that WAN IN and "WAN OUT" exist; that's good.

As a first step I want to block communication from the Internet or to the Internet; I think for my case it doesn't matter, the objective is to block communications to their servers or possible hidden communications to their servers.

2 - This point I made successfully. I can block my IoT VLAN with a GW ACL rule (see the pic below).

3 - These rules are ok too, no problem with that. I described what I need to help whoever tries to help me.

Picture number one:

Deny the IoT VLAN from communicating with the others, but I need 1 device to communicate with another VLAN, rule 1. These ACLs are tested and work.

Picture number two:

The second rule is ok, no Internet on the IoT VLAN. But I need device A53 (only this device) to have access to the Internet on the IoT VLAN, and that is rule number 1. My problem is that rule number one doesn't work, I can't have Internet access on the A53 device.

Note: the IP group has the name A43, but that is my mistake; it is the A53 device's IP.

[picture 1]

[picture 2]

Thanks for help

#3
Re: LAN access without WAN access
2023-11-10 01:15:04

Hi @LinkX92 

Thanks for posting in our business forum.

So this is a sharing config post to help anyone if they are interested in a config like yours?

I thought there was an issue.

I can tag your thread if this is a misunderstanding. Love to see people share their config and plan with others.

#4
Re: LAN access without WAN access
2023-11-10 01:50:34

@Clive_A

Hello,

Yes, I have no problem with sharing my configs with others. Sometimes we need help and sometimes we can help others :)

But my problem still persists.

Picture number two:

The second rule is ok, no Internet on the IoT VLAN.

But I need device A53 (only this device) to have access to the Internet/WAN on the IoT VLAN (this VLAN has no Internet), and that is rule number 1 - Permit WAN in and out on the IoT VLAN for the A53 device (picture number 2 on GW ACL).

My problem is that rule number 1 doesn't work; I can't have Internet access on the A53 device with this ACL rule.

What am I doing wrong?

Thanks all again

#5
Re: LAN access without WAN access - Solution
2023-11-10 03:58:42 - last edited 2023-11-10 09:54:43

Hi @LinkX92

Thanks for posting in our business forum.

LinkX92 wrote

  @Clive_A

  Hello,

  Yes, I have no problem with sharing my configs with others. Sometimes we need help and sometimes we can help others :)

  But my problem still persists.

  Picture number two:

  The second rule is ok, no Internet on the IoT VLAN.

  But I need device A53 (only this device) to have access to the Internet/WAN on the IoT VLAN (this VLAN has no Internet), and that is rule number 1 - Permit WAN in and out on the IoT VLAN for the A53 device (picture number 2 on GW ACL).

  My problem is that rule number 1 doesn't work; I can't have Internet access on the A53 device with this ACL rule.

  What am I doing wrong?

  Thanks all again

Use GW ACL. GW ACL is your primary choice.

Do something like this. Only allow one IP (create it yourself) in the SRC > IP Group. Then it can access the Internet.

Recommended Solution
#6
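The two points the replies above turn on are the rule's direction (a LAN > WAN rule, not a WAN IN rule, governs connections the IoT devices open to the Internet) and first-match ordering (the narrow permit for the single IP group must sit above the VLAN-wide deny, otherwise the deny is hit first). The following Python model, written for this thread and not code from Omada or from either poster, shows both on a toy first-match evaluator. The VLAN subnets, host addresses, rule names and the assumption that reply traffic of an allowed connection passes via state tracking are all constructed for the example; the real gateway's matching details may differ.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample addressing for the four VLANs named in the thread.
# The thread gives no addresses; these are assumptions for the model.
VLANS = {
    "Admin": ip_network("10.0.1.0/24"),
    "Main": ip_network("10.0.2.0/24"),
    "IoT": ip_network("10.0.3.0/24"),
    "Guest": ip_network("10.0.4.0/24"),
}
A53 = ip_address("10.0.3.53")           # the one IoT device allowed to reach the WAN
SENSOR = ip_address("10.0.3.20")        # an IoT device allowed to reach only the Admin server
OTHER_IOT = ip_address("10.0.3.77")     # any other IoT device
ADMIN_SERVER = ip_address("10.0.1.10")  # the home server on the Admin VLAN
WAN_HOST = ip_address("203.0.113.10")   # some Internet host (TEST-NET-3, constructed)


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                 # "LAN>WAN", "WAN IN" or "LAN>LAN"
    src: Optional[IPv4Network]     # None means "any"
    dst: Optional[IPv4Network]     # None means "any"
    action: str                    # "permit" or "deny"


def zone_of(ip: IPv4Address) -> str:
    """Name of the VLAN an address belongs to, or 'WAN' if it is in none."""
    for name, net in VLANS.items():
        if ip in net:
            return name
    return "WAN"


def direction_of(src: IPv4Address, dst: IPv4Address) -> str:
    """Which ACL direction a new connection from src to dst would be checked against."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return "switched"        # same VLAN: switched, never routed through the gateway ACL
    if d == "WAN":
        return "LAN>WAN"
    if s == "WAN":
        return "WAN IN"
    return "LAN>LAN"


def evaluate(rules: List[Rule], src: IPv4Address, dst: IPv4Address) -> Tuple[str, str]:
    """First-match evaluation of a NEW connection from src to dst.

    Rules are checked top to bottom; the first rule whose direction, source and
    destination all match decides. Reply packets of an allowed connection are
    assumed to pass via state tracking, so only the initiating direction is modelled.
    Returns (action, name of the deciding rule).
    """
    direction = direction_of(src, dst)
    if direction == "switched":
        return "permit", "same VLAN, not routed"
    for rule in rules:
        if rule.direction != direction:
            continue
        if rule.src is not None and src not in rule.src:
            continue
        if rule.dst is not None and dst not in rule.dst:
            continue
        return rule.action, rule.name
    return "permit", "implicit (no rule matched)"


def host(ip: IPv4Address) -> IPv4Network:
    """A /32 'IP group' containing a single device."""
    return ip_network(f"{ip}/32")


# Working order: the narrow permit sits above the broad deny, in both directions.
RULES_OK = [
    Rule("1 permit A53 -> WAN", "LAN>WAN", host(A53), None, "permit"),
    Rule("2 deny IoT -> WAN", "LAN>WAN", VLANS["IoT"], None, "deny"),
    Rule("3 permit sensor -> Admin server", "LAN>LAN", host(SENSOR), host(ADMIN_SERVER), "permit"),
    Rule("4 deny IoT -> other VLANs", "LAN>LAN", VLANS["IoT"], None, "deny"),
]

# Same rules with the permit below the deny: the deny matches A53 first and wins.
RULES_SWAPPED = [RULES_OK[1], RULES_OK[0]] + RULES_OK[2:]

# Permit written as WAN IN: it only ever sees inbound connections, so an
# outbound connection opened by A53 still falls through to the LAN>WAN deny.
RULES_WRONG_DIRECTION = [
    Rule("1 permit WAN -> A53 (WAN IN)", "WAN IN", None, host(A53), "permit"),
    RULES_OK[1],
]


if __name__ == "__main__":
    for label, rules in (("ok", RULES_OK), ("swapped", RULES_SWAPPED), ("wrong dir", RULES_WRONG_DIRECTION)):
        print(label, "A53 -> WAN:", evaluate(rules, A53, WAN_HOST))
        print(label, "other IoT -> WAN:", evaluate(rules, OTHER_IOT, WAN_HOST))
    print("ok sensor -> Admin server:", evaluate(RULES_OK, SENSOR, ADMIN_SERVER))
    print("ok other IoT -> Admin server:", evaluate(RULES_OK, OTHER_IOT, ADMIN_SERVER))
```

Running it prints a permit for A53 and a deny for every other IoT device under `RULES_OK`, and a deny for A53 under both the swapped ordering and the WAN IN variant. When a rule "does not work", the two things to check are therefore whether it is in the direction the connection is actually opened in, and whether a broader deny sits above it; a single-IP group as source (as the accepted answer describes) plus the permit listed first is the combination the model passes.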
Re: LAN access without WAN access
2023-11-10 09:26:32

@Clive_A, I tested it and it works!

Thank you very much, you solved my problem.

#7