ACL "Me" Interface
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
The "Me" interface in the ACL looks to be like the INPUT rules of iptables... I'm attempting to block ping from all interfaces except for the interface the traffic originates. If a host is on Interface 1 they can ping interface 1 but not interface 2, interface 3, etc. I can configure the ACL to block all pings to the "Me" interface, but it seems that the web interface is not granular enough to write a rule for traffic on interface 1 to not ping the interface on interface 2. Blocking all other traffic except ping is pretty straight forward. I even attempted to block via IP Groups, but I am still able to ping across VLANs/ interfaces on the router... What am I missing?
@Clive_A Here's a hopefully more clear example:
Example Network:
LAN1 - LAN Router Interface 1 - VLAN 1 - 10.0.0.1/24
LAN2 - LAN Router Sub-Interface 2 - VLAN 99 - 10.0.1.1/24
LAN3 - LAN Router Sub-Interface 3 - VLAN 100 - 10.0.2.1/24
Requirement:
1. If a user is on LAN1 the user should be able to ping the interface IP of LAN1. User should not be able to ping the IP of LAN2 and LAN3.
2. If a user is on LAN2 the user should be able to ping the interface IP of LAN2. User should not be able to ping the IP of LAN1 and LAN3.
3. If a user is on LAN3 the user should be able to ping the interface IP of LAN3. User should not be able to ping the IP of LAN1 and LAN2.
Without an ACL in place the default experience is that any user on any LAN can ping any LAN Router interface.
An ACL can be built to deny traffic to the "Me" interface, which looks to me similiar to the iptables INPUT chain. The "Me" interface decribes any traffic destined for an interface configured on the router directly. If you configure the ACL to deny ICMP to the "Me" interface, it block pings from ALL LANs to ALL configured interfaces.
I have been able to isolate ping responses from all interface but one (see pic below). This allows pings from users on the LAN1 interface to the LAN1 router interface IP. But it denies ping from all other router interfaces. This indicates to me that there that the "Me" interface is considered by the ACL as a global parameter and there is no ability to set the ACL more granularly on a per router interface level. Is this assumption true?
I've tried this on both the interface level and the IP level by blocking 10.0.0.0/24 to 10.0.1.0/24 but ping replys still occur from all subnets configured on the router. I've also tried to block traffic from 10.0.0.0/24 to 10.0.1.1/32 and ping replys still occured...
I'll try some more combinations of ACL rules and see if I stumble across something that may work...
Hi @Roaming9231
Thanks for posting in our business forum.
Roaming9231 wrote
@Clive_A Here's a hopefully more clear example:
Example Network:
LAN1 - LAN Router Interface 1 - VLAN 1 - 10.0.0.1/24
LAN2 - LAN Router Sub-Interface 2 - VLAN 99 - 10.0.1.1/24
LAN3 - LAN Router Sub-Interface 3 - VLAN 100 - 10.0.2.1/24
Requirement:
1. If a user is on LAN1 the user should be able to ping the interface IP of LAN1. User should not be able to ping the IP of LAN2 and LAN3.
2. If a user is on LAN2 the user should be able to ping the interface IP of LAN2. User should not be able to ping the IP of LAN1 and LAN3.
3. If a user is on LAN3 the user should be able to ping the interface IP of LAN3. User should not be able to ping the IP of LAN1 and LAN2.
Without an ACL in place the default experience is that any user on any LAN can ping any LAN Router interface.
An ACL can be built to deny traffic to the "Me" interface, which looks to me similiar to the iptables INPUT chain. The "Me" interface decribes any traffic destined for an interface configured on the router directly. If you configure the ACL to deny ICMP to the "Me" interface, it block pings from ALL LANs to ALL configured interfaces.
I have been able to isolate ping responses from all interface but one (see pic below). This allows pings from users on the LAN1 interface to the LAN1 router interface IP. But it denies ping from all other router interfaces. This indicates to me that there that the "Me" interface is considered by the ACL as a global parameter and there is no ability to set the ACL more granularly on a per router interface level. Is this assumption true?
I've tried this on both the interface level and the IP level by blocking 10.0.0.0/24 to 10.0.1.0/24 but ping replys still occur from all subnets configured on the router. I've also tried to block traffic from 10.0.0.0/24 to 10.0.1.1/32 and ping replys still occured...
I'll try some more combinations of ACL rules and see if I stumble across something that may work...
To meet your requirements, try this.
