Gateway ACL doen't seem to work

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Gateway ACL doen't seem to work

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Gateway ACL doen't seem to work
Gateway ACL doen't seem to work
2023-11-13 15:25:54 - last edited 2023-11-15 09:42:10
Model: OC200  
Hardware Version: V1
Firmware Version:

And again its me ....

The concept of TP-Link is a bit strange to me, thats why I'm asking a lot. Hope this is okay...
Hope it will hepl other people.

My problem:

 

I have severa networks defined:

 

I would like to deny access from DMZ to any other network by creating a stateful ACL rule. (no traffic from DMZ to any other, but traffic should be allowed if coming from e.g. MGMT into DMZ)-


Should be able with a Gateway ACL (or should not it?):

 

 

Because this is not working. Traffic can still leave DMZ freely. 
I'm connected to a ClientPC inside DMZ network and pinging to Guest-Network for example.--> works, but shouldn't.

 

 

 

What am I doing wrong?

 

 

 

 

 

 

 

And this by the way is ridiculous :-D:

  0      
  0      
#1
Options
1 Accepted Solution
Re:Gateway ACL doen't seem to work-Solution
2023-11-15 09:42:07 - last edited 2023-11-15 09:42:10

@d0ugmac1 
I Just found out whats going on here.
I was always trying to ping the gateway IP of the VLAN which seems to be pingable at any time.

The ACL is LAN-LAN related, but the ping to the gateway IP stays inside the gateway, so the ACL will not match here.

 

I just tried my scenario with two clients connected to different VLAN (DMZ and Gastnetz) and now the ACL works.

Gateway IP of all VLANS stays reachable, which makes sense if the concept is understood :-)

 

 

Thank you for your help.
 

Recommended Solution
  0  
  0  
#10
Options
9 Reply
Re:Gateway ACL doen't seem to work
2023-11-14 02:14:17 - last edited 2023-11-14 02:15:21

  @SebastianH 

 

What router and firmware version are you trying to make ACLs work on...there are very limited options (7206 may) that can and a lot that don't work at all (605, 7212 etc).  I'll be honest, the easiest solution to your problem is just to add an Omada managed switch, like the SG2008 into the mix...then it will just work.

 

Yes the forum language rules are pretty odd, for instance, an ellipsis (three dots) are interpreted as an illegal IP address, sigh.  Somebody needs to go back to Regex school.

<< Paying it forward, one juicy problem at a time... >>
  0  
  0  
#2
Options
Re:Gateway ACL doen't seem to work
2023-11-14 06:22:27 - last edited 2023-11-14 06:28:28

  @d0ugmac1 

Hi.

My setup is:

OC200 

ER7206

SG3428 

SG2218P

 

Every device is on the newest available firmware 

 

  0  
  0  
#3
Options
Re:Gateway ACL doen't seem to work
2023-11-14 13:42:37

  @SebastianH 

 

Just redo your gateway ACLs as switch ACLs and you should be fine.  It's all abstracted by the controller, so as long as your switches' port profiles are done correctly, the controller should manage the rest for you.

<< Paying it forward, one juicy problem at a time... >>
  0  
  0  
#4
Options
Re:Gateway ACL doen't seem to work
2023-11-14 13:51:17

  @d0ugmac1 

Okay... the blocking is working on Switch layer and with switch ACL. But then egress traffic will be blocked even if the session is initiated from outside.
Thats the reason I was looking for a solution to use stateful ACL. Ingress traffic shall be allowed. And this is only possible on gateway layer. But here the rule doesn't work.

Its not a solution to just do something else than needed :-D

  0  
  0  
#5
Options
Re:Gateway ACL doen't seem to work
2023-11-14 15:22:33

  @SebastianH 

 

Well, a 7206 running current firmware should be able to do it with your setup.  Have a look at this video, start at 02:40 for the stateful ACL setup

 

https://youtu.be/qR9QhcgA8BY

<< Paying it forward, one juicy problem at a time... >>
  0  
  0  
#6
Options
Re:Gateway ACL doen't seem to work
2023-11-14 15:31:18 - last edited 2023-11-14 15:31:37

  @d0ugmac1 

Yes, and now tell me why its not. 

See my configuration above. Just one blocking rule and no success. Still able to ping to "Gastnetz" IP from DMZ

  0  
  0  
#7
Options
Re:Gateway ACL doen't seem to work
2023-11-14 15:44:53

  @SebastianH 

 

Ok, well, let's break it down.

 

First, let's temporarily replace your (probably LAG'd) SFP links with a single ethernet patch cable from Sw1 to Sw2.  Remove both SFP physically from one of the switches.

 

Retest.  What are results?

<< Paying it forward, one juicy problem at a time... >>
  0  
  0  
#8
Options
Re:Gateway ACL doen't seem to work
2023-11-15 09:04:10 - last edited 2023-11-15 09:10:04

  @d0ugmac1 

 

Ok, I changed the cabeling (removed my optical LAG and now use a ethernet connection from PORT 24 to 16)

For the configuration have a look here:

https://www.youtube.com/watch?v=x-TXp9QHPSg


It seems that it blocks access a short time after configuration is done. But then the SSH commection returns (which is expected, due to stateless ACL - my connection is coming from MGMT network). But also the Ping from DMZ towards "Kinder" and "Gastnetz" is still working, which shouldn't in my opinion.

  0  
  0  
#9
Options
Re:Gateway ACL doen't seem to work-Solution
2023-11-15 09:42:07 - last edited 2023-11-15 09:42:10

@d0ugmac1 
I Just found out whats going on here.
I was always trying to ping the gateway IP of the VLAN which seems to be pingable at any time.

The ACL is LAN-LAN related, but the ping to the gateway IP stays inside the gateway, so the ACL will not match here.

 

I just tried my scenario with two clients connected to different VLAN (DMZ and Gastnetz) and now the ACL works.

Gateway IP of all VLANS stays reachable, which makes sense if the concept is understood :-)

 

 

Thank you for your help.
 

Recommended Solution
  0  
  0  
#10
Options