Isolate Hosts from each other, but make dedicated traffic possible

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-11-12 17:09:39 - last edited 2023-11-12 18:53:32
Model: OC200  
Hardware Version: V1
Firmware Version:

Hello everybody. 
It's me again with some problems regarding ACLs.

 

I would like to create an isolated VLAN where no host can reach any other host or VLAN.
But I would like to be able to allow dedicated services to the VLAN. In my special case SSH (port 22) and VNC (port 5800/5900).

 

I followed the guide from @Death_Metal (https://community.tp-link.com/en/business/forum/topic/603136), but it doesn't seem to work.

What I did:

1. I created a Switch ACL block rule to forbid the whole VLAN to any other VLAN (at this step not from itself).

2. I added an IP/PORT Group for SSH and VNC.

3. I created a PERMIT rule for the SSH and VNC Group.

With this configuration everything works like expected. But the hosts are reachable among themselves (like expected).

Now I add the VLAN DMZ to the block rule to block it from itself.

I would furthermore expect the PERMIT rule to work. But it doesn't.
The connection to SSH and VNC stays alive, but I'm not able to open a new connection. Even if I reverse the PERMIT rule.

And it's also not working if I PERMIT the whole MGMT subnet instead of the dedicated SSH and VNC group.

Any suggestion here?


Thank you and best wishes
Sebastian

Re:Isolate Hosts from each other, but make dedicated traffic possible
2023-11-13 07:11:21

  @SebastianH 

 

Uhmmm, why did you set a rule like this? Block itself?

 

Just striving to develop myself while helping others.
Re:Isolate Hosts from each other, but make dedicated traffic possible
2023-11-13 07:56:38 - last edited 2023-11-13 07:56:54

  @Virgo I followed the guide to isolate all hosts inside this VLAN from each other. But it seems that then no exception works.

Now I found a way by using "port isolation" which works perfectly :-) 

Re:Isolate Hosts from each other, but make dedicated traffic possible
2023-11-13 09:36:41

  @SebastianH 

You seem to mess up with the subnet. That could be the reason why you have a different result than the OP.

ScReW yOu gUyS. I aM GOinG hoMe. —————————————————————— For heaven's sake, can you write and describe your issue based on plain fact, common logic and a methodologic approach? Appreciate it.
Re:Isolate Hosts from each other, but make dedicated traffic possible
2023-11-13 09:50:14

  @Tedd404 

What do you mean I messed up with the subnets?
My MGMT subnet is a /28 and my DMZ subnet is a /29 network. That's correct.

Re:Isolate Hosts from each other, but make dedicated traffic possible
2023-11-13 09:55:44

  @SebastianH 

10.0.0.0/29 means the whole available IP addresses, so is this gonna be a single server or everything in it?

And 10.0.0.0/29 means 0.1-0.6; is your server inside this range?

Re:Isolate Hosts from each other, but make dedicated traffic possible
2023-11-13 15:14:37

  @Tedd404 

10.0.0.0/29 is the whole network. Correct.
And yes, of course my hosts/servers are inside this range.

Re:Isolate Hosts from each other, but make dedicated traffic possible
2023-11-14 06:44:43

  @SebastianH 

So I am lost, I read your OP again. Can you list your question again? I don't understand when you posted the picture blocking itself after the "3."

Why would you do that? If you do that, it blocks, permit should not work. That's expected, then what's your question?

1-3, that's done correctly. I am not seeing an explicit question.

Re:Isolate Hosts from each other, but make dedicated traffic possible
2023-11-14 07:37:11 - last edited 2023-11-14 07:37:27

  @Tedd404 

Like described in my initial post:
I would like to create a network where I have to control the communication behaviour:
1. hosts shall not reach any other VLAN
2. hosts shall not reach the management page of the gateway
3. hosts should not see each other

  --> for number 3 I tried to create this block DMZ - DMZ rule.
      I followed the guide from @Death_Metal (https://community.tp-link.com/en/business/forum/topic/603136)

I would expect the rule to block everything within this VLAN. But a PERMIT rule before this blocking rule should enable things again (first see, first serve).

But this is not working.

Hope you now understand what I try to achieve.

Re:Isolate Hosts from each other, but make dedicated traffic possible
2023-11-15 00:56:23

  @SebastianH 

Inside the VLAN, not seeing each other?

I think there is a mistake. So, if you block DMZ to DMZ, that'll block access to the gateway as well, which eventually causes you to lose internet.

You have to make sure the access to the ACL.

And based on my experience, ARP is for discovery, and if you do a blocking from DMZ to DMZ, it blocks ARP (broadcast) and any other types of protocols. And if ARP is blocked, the network shuts down too.

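To make the ordering argument of this thread concrete, here is an added, constructed first-match ACL evaluator (not Omada's ACL engine and not code from any poster) loaded with the OP's permit and block rules and with the gateway-inside-the-DMZ case raised in the reply above. Only 10.0.0.0/29 comes from the thread; the MGMT prefix 10.0.1.0/28 and all host addresses are placeholders.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    sport: Optional[int] = None  # None matches any source port
    dport: Optional[int] = None  # None matches any destination port


# DMZ 10.0.0.0/29 is the subnet named in the thread (usable hosts .1-.6);
# the MGMT /28 prefix and every host address below are constructed placeholders.
DMZ = ip_network("10.0.0.0/29")
MGMT = ip_network("10.0.1.0/28")


def evaluate(rules, src, dst, sport, dport, default="permit"):
    """Stateless first-match lookup: the first rule whose src, dst and
    ports all match decides the packet; later rules are never consulted."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in r.src and d in r.dst
                and r.sport in (None, sport) and r.dport in (None, dport)):
            return r.action
    return default


# The OP's rules; MGMT stands in for "any other VLAN" in the block rule.
PERMITS = [
    Rule("permit", MGMT, DMZ, dport=22),  # step 3: SSH from MGMT into the DMZ
    Rule("permit", DMZ, MGMT, sport=22),  # the "reversed" permit for the replies
]
DENIES = [
    Rule("deny", DMZ, MGMT),  # step 1: DMZ may not reach the other VLAN ...
    Rule("deny", DMZ, DMZ),   # ... and, added later, not itself either
]


def check_flows(rules):
    """Verdicts for the flows the thread argues about."""
    return {
        "mgmt_ssh_syn":     evaluate(rules, "10.0.1.2", "10.0.0.2", 50000, 22),
        "dmz_ssh_reply":    evaluate(rules, "10.0.0.2", "10.0.1.2", 22, 50000),
        "dmz_to_neighbour": evaluate(rules, "10.0.0.3", "10.0.0.2", 40000, 445),
        # a gateway addressed inside 10.0.0.0/29 (here .1) is "DMZ -> DMZ" too
        "dmz_to_gateway":   evaluate(rules, "10.0.0.2", "10.0.0.1", 40001, 53),
    }
```

Evaluating `check_flows(DENIES + PERMITS)` instead of `check_flows(PERMITS + DENIES)` shows the "first see, first serve" point: the SSH SYN from MGMT still gets in, but the reply with source port 22 now hits the DMZ-to-MGMT deny before its permit.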