ACL "Me" Interface

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-12-19 02:59:49 - last edited 2023-12-19 03:03:51
Tags: #ACL
Model: ER8411  
Hardware Version: V1
Firmware Version: 1.1.0 Build 20230705 Rel.64091

The "Me" interface in the ACL looks to be like the INPUT rules of iptables... I'm attempting to block ping from all interfaces except for the interface the traffic originates on. If a host is on Interface 1 they can ping interface 1 but not interface 2, interface 3, etc. I can configure the ACL to block all pings to the "Me" interface, but it seems that the web interface is not granular enough to write a rule for traffic on interface 1 to not ping the interface on interface 2. Blocking all other traffic except ping is pretty straightforward. I even attempted to block via IP Groups, but I am still able to ping across VLANs/interfaces on the router... What am I missing?

#1
Re:ACL "Me" Interface
2023-12-20 01:42:04

Hi @Roaming9231 

Thanks for posting in our business forum.

Do you need to describe your issue again in a clearer way? Not sure what you mean and what your expectations are.

And what's your current ACL rule? Would be nice if you have the screenshot.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#3
Re:ACL "Me" Interface
2023-12-22 19:04:07

@Clive_A Here's a hopefully more clear example:

Example Network:

LAN1 - LAN Router Interface 1 - VLAN 1 - 10.0.0.1/24
LAN2 - LAN Router Sub-Interface 2 - VLAN 99 - 10.0.1.1/24
LAN3 - LAN Router Sub-Interface 3 - VLAN 100 - 10.0.2.1/24

Requirement:

1. If a user is on LAN1 the user should be able to ping the interface IP of LAN1. User should not be able to ping the IP of LAN2 and LAN3.
2. If a user is on LAN2 the user should be able to ping the interface IP of LAN2. User should not be able to ping the IP of LAN1 and LAN3.
3. If a user is on LAN3 the user should be able to ping the interface IP of LAN3. User should not be able to ping the IP of LAN1 and LAN2.

Without an ACL in place the default experience is that any user on any LAN can ping any LAN Router interface.

An ACL can be built to deny traffic to the "Me" interface, which looks to me similar to the iptables INPUT chain. The "Me" interface describes any traffic destined for an interface configured on the router directly. If you configure the ACL to deny ICMP to the "Me" interface, it blocks pings from ALL LANs to ALL configured interfaces.

I have been able to isolate ping responses from all interfaces but one (see pic below). This allows pings from users on the LAN1 interface to the LAN1 router interface IP. But it denies ping from all other router interfaces. This indicates to me that the "Me" interface is considered by the ACL as a global parameter and there is no ability to set the ACL more granularly on a per router interface level. Is this assumption true?

I've tried this on both the interface level and the IP level by blocking 10.0.0.0/24 to 10.0.1.0/24 but ping replies still occur from all subnets configured on the router. I've also tried to block traffic from 10.0.0.0/24 to 10.0.1.1/32 and ping replies still occurred...

I'll try some more combinations of ACL rules and see if I stumble across something that may work...

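The ACL semantics the two posts above reason about (a "Me" destination that means any router-owned IP, compared with the iptables INPUT chain) modelled in Python, as an added example that is not part of the thread and is not the ER8411's own rule engine. It assumes first-match evaluation with an implicit permit, uses the three LANs from the post as constructed data, and evaluates the single deny-to-"Me" rule against a per-interface ordering (permit each LAN to its own gateway IP first, then deny ICMP to "Me"). It also prints the equivalent Linux INPUT-chain rules, since that is the analogy the post draws. Whether the router honours the /32 destinations in the GUI is the open question of the thread; the model only shows what the rule order would have to look like for the requirement to hold.

```python
"""First-match ACL model with a "Me" (router-self) destination.

Added illustration, not the ER8411's rule engine: interface names,
first-match evaluation and the implicit-permit default are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example network from the post: gateway IP and subnet per LAN.
LANS = {
    "LAN1": ("10.0.0.1", "10.0.0.0/24"),   # VLAN 1
    "LAN2": ("10.0.1.1", "10.0.1.0/24"),   # VLAN 99
    "LAN3": ("10.0.2.1", "10.0.2.0/24"),   # VLAN 100
}
# "Me" = any IP the router itself owns.
ROUTER_IPS = {ipaddress.ip_address(gw) for gw, _ in LANS.values()}


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "icmp" or "any"
    src: Optional[str] = None   # CIDR; None = any source
    dst: Optional[str] = None   # CIDR, the literal "Me", or None = any destination


def matches(rule: Rule, proto: str, src_ip: str, dst_ip: str) -> bool:
    if rule.proto not in ("any", proto):
        return False
    if rule.src and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dst == "Me":
        return ipaddress.ip_address(dst_ip) in ROUTER_IPS
    if rule.dst and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(rule.dst):
        return False
    return True


def evaluate(rules, proto, src_ip, dst_ip, default="permit"):
    """First matching rule decides; otherwise the assumed default applies."""
    for r in rules:
        if matches(r, proto, src_ip, dst_ip):
            return r.action
    return default


def ping_matrix(rules):
    """Verdict for an ICMP echo from a host on each LAN to each gateway IP."""
    out = {}
    for s_name, (_, s_net) in LANS.items():
        host = str(ipaddress.ip_network(s_net)[10])   # an arbitrary host on that LAN
        for d_name, (gw, _) in LANS.items():
            out[(s_name, d_name)] = evaluate(rules, "icmp", host, gw)
    return out


def meets_requirement(matrix):
    """Own gateway must be permitted, every other gateway denied."""
    return all(v == ("permit" if s == d else "deny") for (s, d), v in matrix.items())


# What the post describes: one deny to "Me" blocks every LAN to every interface IP.
GLOBAL_DENY = [Rule("deny", "icmp", dst="Me")]

# Per-interface ordering: permit each LAN to its own gateway, then deny the rest to "Me".
PER_INTERFACE = [Rule("permit", "icmp", src=net, dst=gw + "/32") for gw, net in LANS.values()]
PER_INTERFACE.append(Rule("deny", "icmp", dst="Me"))


def iptables_input_rules():
    """The same policy as Linux INPUT-chain rules (the analogy the post draws)."""
    lines = []
    for gw, net in LANS.values():
        lines.append(
            f"iptables -A INPUT -p icmp --icmp-type echo-request -s {net} -d {gw} -j ACCEPT"
        )
    lines.append("iptables -A INPUT -p icmp --icmp-type echo-request -j DROP")
    return lines


if __name__ == "__main__":
    for name, rules in (("global deny to Me", GLOBAL_DENY), ("per-interface", PER_INTERFACE)):
        m = ping_matrix(rules)
        print(f"{name}: meets requirement = {meets_requirement(m)}")
        for key, verdict in sorted(m.items()):
            print("  ", key, verdict)
    print("\n".join(iptables_input_rules()))
```

Rule order is the whole point: the per-LAN permits must sit above the deny-to-"Me" line, because the first match wins. Transit traffic to a non-router IP (for example 10.0.5.5) never matches the "Me" rule and falls through to the default, which is why a deny-to-"Me" entry does not, by itself, block routing between the VLANs.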
#4
Re:ACL "Me" Interface
2023-12-25 05:48:38

Hi @Roaming9231 

Thanks for posting in our business forum.

Roaming9231 wrote (quoting post #3 above)


To meet your requirements, try this.

Best Regards!