Gateway ACL doesn't seem to work
And again it's me...
The concept of TP-Link is a bit strange to me, that's why I'm asking a lot. Hope this is okay...
Hope it will help other people.
My problem:
I have several networks defined:
I would like to deny access from DMZ to any other network by creating a stateful ACL rule (no traffic from DMZ to any other, but traffic should be allowed if coming from e.g. MGMT into DMZ).
Should be possible with a Gateway ACL (or shouldn't it?):
Because this is not working. Traffic can still leave DMZ freely.
I'm connected to a client PC inside the DMZ network and pinging to the Guest network, for example --> works, but shouldn't.
What am I doing wrong?
And this by the way is ridiculous :-D:
@d0ugmac1
I just found out what's going on here.
I was always trying to ping the gateway IP of the VLAN, which seems to be pingable at any time.
The ACL is LAN-LAN related, but the ping to the gateway IP stays inside the gateway, so the ACL will not match here.
I just tried my scenario with two clients connected to different VLANs (DMZ and Gastnetz) and now the ACL works.
The gateway IP of all VLANs stays reachable, which makes sense if the concept is understood :-)
Thank you for your help.
What router and firmware version are you trying to make ACLs work on? There are very limited options (7206 may) that can, and a lot that don't work at all (605, 7212 etc.). I'll be honest, the easiest solution to your problem is just to add an Omada managed switch, like the SG2008, into the mix; then it will just work.
Yes, the forum language rules are pretty odd. For instance, an ellipsis (three dots) is interpreted as an illegal IP address, sigh. Somebody needs to go back to Regex school.
Hi.
My setup is:
OC200
ER7206
SG3428
SG2218P
Every device is on the newest available firmware.
Just redo your gateway ACLs as switch ACLs and you should be fine. It's all abstracted by the controller, so as long as your switches' port profiles are done correctly, the controller should manage the rest for you.
Okay... the blocking is working on the switch layer and with a switch ACL. But then egress traffic will be blocked even if the session is initiated from outside.
That's the reason I was looking for a solution to use a stateful ACL. Ingress traffic shall be allowed. And this is only possible on the gateway layer. But here the rule doesn't work.
It's not a solution to just do something else than needed :-D
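The two behaviours this thread turns on, a stateful gateway ACL that blocks new DMZ-initiated sessions while still allowing replies to sessions opened from MGMT (this post), and the finding in the marked solution that a ping aimed at a VLAN's gateway IP terminates on the gateway and is never evaluated by the LAN-LAN ACL, can be modelled in a few lines. The block below is an added example written for this page, not TP-Link or Omada code, and it does not reproduce how the ER7206 firmware is implemented; the VLAN subnets, gateway addresses and client IPs are constructed sample values.

```python
# Added example (not TP-Link/Omada code): a small model of a stateful inter-VLAN
# ("LAN-LAN") gateway ACL versus a stateless switch ACL.
# Assumptions (constructed for this example, not taken from the page):
#   - the VLAN subnets and gateway IPs below are invented sample values
#   - one stateful rule "deny new sessions from DMZ"; sessions keyed on a 5-tuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample VLANs: name -> (subnet, gateway interface IP)
VLANS = {
    "MGMT":     (ip_network("10.0.10.0/24"), ip_address("10.0.10.1")),
    "DMZ":      (ip_network("10.0.20.0/24"), ip_address("10.0.20.1")),
    "Gastnetz": (ip_network("10.0.30.0/24"), ip_address("10.0.30.1")),
    "Kinder":   (ip_network("10.0.40.0/24"), ip_address("10.0.40.1")),
}
GATEWAY_IPS = {gw for _, gw in VLANS.values()}

def vlan_of(ip):
    """Return the VLAN name whose subnet contains ip (None if unknown)."""
    ip = ip_address(ip)
    for name, (net, _) in VLANS.items():
        if ip in net:
            return name
    return None

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "icmp" or "tcp"
    sport: int = 0
    dport: int = 0

@dataclass
class StatefulGateway:
    """Stateful LAN-LAN ACL: deny new sessions from the listed VLANs, but let
    replies through when the session was opened from the other side."""
    deny_new_from: set = field(default_factory=set)
    sessions: set = field(default_factory=set)  # (src, dst, proto, sport, dport)

    def forward(self, pkt):
        # A packet addressed to one of the gateway's own interface IPs terminates
        # on the gateway; it is not forwarded between VLANs, so the LAN-LAN ACL
        # is never consulted. This is why pinging a VLAN gateway "always works".
        if ip_address(pkt.dst) in GATEWAY_IPS:
            return "local"
        if vlan_of(pkt.src) == vlan_of(pkt.dst):
            return "same-vlan"  # switched in the VLAN; the gateway never sees it
        key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if reverse in self.sessions:
            return "allow-reply"  # belongs to an established session
        if vlan_of(pkt.src) in self.deny_new_from:
            return "deny"
        self.sessions.add(key)
        return "allow-new"

def stateless_acl(pkt, deny_from):
    """Switch ACL model: no session table, every packet is judged on its own."""
    if ip_address(pkt.dst) in GATEWAY_IPS:
        return "local"
    return "deny" if vlan_of(pkt.src) in deny_from else "allow"

def run_scenarios():
    """Replay the thread's test cases and return each verdict by name."""
    gw = StatefulGateway(deny_new_from={"DMZ"})
    results = {}
    # 1. Ping from a DMZ client to the Gastnetz *gateway* IP -> handled locally
    results["ping_gateway_ip"] = gw.forward(Packet("10.0.20.50", "10.0.30.1", "icmp"))
    # 2. Ping from a DMZ client to a Gastnetz *client* -> blocked by the ACL
    results["ping_client"] = gw.forward(Packet("10.0.20.50", "10.0.30.77", "icmp"))
    # 3. SSH from MGMT into DMZ -> allowed, and the session is recorded
    syn = Packet("10.0.10.5", "10.0.20.50", "tcp", 50000, 22)
    results["ssh_in"] = gw.forward(syn)
    # 4. SSH reply from DMZ back to MGMT -> allowed because the session exists
    reply = Packet("10.0.20.50", "10.0.10.5", "tcp", 22, 50000)
    results["ssh_reply_stateful"] = gw.forward(reply)
    # 5. The same reply through a stateless switch ACL -> dropped (no session memory)
    results["ssh_reply_stateless"] = stateless_acl(reply, {"DMZ"})
    return results

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22s} -> {verdict}")
```

Scenario 1 reproduces the original test that misled the thread (pinging the gateway address from DMZ), scenario 2 is the client-to-client test that finally showed the rule working, and scenarios 3 to 5 contrast the stateful gateway rule with a stateless switch ACL on the MGMT-initiated SSH session.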
Well, a 7206 running current firmware should be able to do it with your setup. Have a look at this video, start at 02:40 for the stateful ACL setup:
https://youtu.be/qR9QhcgA8BY
Yes, and now tell me why it's not.
See my configuration above. Just one blocking rule and no success. Still able to ping the "Gastnetz" IP from DMZ.
Ok, well, let's break it down.
First, let's temporarily replace your (probably LAG'd) SFP links with a single Ethernet patch cable from Sw1 to Sw2. Remove both SFPs physically from one of the switches.
Retest. What are the results?
Ok, I changed the cabling (removed my optical LAG and now use an Ethernet connection from port 24 to 16).
For the configuration have a look here:
https://www.youtube.com/watch?v=x-TXp9QHPSg
It seems that it blocks access for a short time after the configuration is done. But then the SSH connection returns (which is expected, due to the stateless ACL; my connection is coming from the MGMT network). But the ping from DMZ towards "Kinder" and "Gastnetz" is also still working, which shouldn't be the case in my opinion.