Management Page Block ACL blocks internet access

2024-02-07 11:45:10 - last edited 2024-02-10 04:21:01
Model: ER7212PC  
Hardware Version: V1
Firmware Version: 1.1.1

Hi support,

In continuation of a previous thread (locked) with a similar topic:

https://community.tp-link.com/en/business/forum/topic/642230

I created an ACL as per the link above; however, internet access gets blocked.

I followed the advice of the thread starter to allow TCP (instead of denying ALL protocols), but I am still able to access the management page from the VLAN.

So, is there any way to block the management page from the VLAN without disrupting internet access?

Thanks

Re:Management Page Block ACL blocks internet access-Solution
2024-02-08 02:25:45 - last edited 2024-02-10 04:21:01

Hi @BengGaBoy,

If you want to prevent devices on other VLANs from accessing the GUI of the router, you need to set two Gateway ACL Rules as follows:

The first rule:
1. Policy as Allow
2. Services Type as DNS
3. Source as IPGROUP_ANY
4. Destination as IPGROUP_ANY

The second rule:
1. Policy as Deny
2. Services Type as All
3. Source as other VLANs
4. Destination as ME (Standalone Mode) / Gateway Management Page (Controller Mode)

These steps above are just for your reference.

Re:Management Page Block ACL blocks internet access
2024-02-08 02:28:35

  @BengGaBoy 

Do you see there's a management page in destination?

 

 

Re:Management Page Block ACL blocks internet access
2024-02-08 11:27:29 - last edited 2024-02-08 11:29:30

  @Hank21

Thanks for your input.

However, your screen options seem to be different from mine.

Policy #1 - Allow

For direction, should I choose "LAN - LAN"?

And I can't seem to find "Service Type as DNS". Is this referring to protocol? Even so, I did not find any DNS over there.

Rule #1 - Permit

Policy #2 - Deny

Likewise, is "Service type as ALL" referring to protocol?

@Tedd404

See the screenshot below; it does have "Management page" as the destination.

Rule #2 - Deny
Re:Management Page Block ACL blocks internet access-Solution
2024-02-09 01:43:42 - last edited 2024-02-10 04:21:06

Continued to experiment, and it seems to yield some positive results.

TLDR

  1. Only 1 deny / LAN-LAN / All protocol / VLAN to Gateway Management Page / ACL rule is needed @ Gateway
  2. For a newly created LAN, do not use the DNS=Auto setting

Background info

Secure LAN @ 192.168.0.1 (default network)
DNS: 1.1.1.3 / 1.0.0.3 (using Cloudflare family DNS)

IPCam LAN @ 192.168.10.1 (VLAN ID @ 10)
DNS: Auto

ACL settings @ Gateway

With the above rule, the notebook will NOT be able to access the router UI page. Likewise, it cannot ping either 192.168.0.1 or 192.168.10.1. However, the IPCam LAN will lose internet access.

Observation

I observed that my notebook was issued a DNS server of 192.168.10.1, which is expected since the VLAN was created with the "DNS = Auto" setting. This may be expected since, with the deny ACL rule, the notebook is unable to ping the gateway @ 192.168.10.1. Performed a sanity check and tried pinging 1.1.1.3, and yes, it works.

Possible solution

So I went back to Settings -> Wired Networks -> LAN -> Edit IPCam DNS settings to be similar to Secure, using Cloudflare Family DNS @ 1.1.1.3. And voilà, internet works and it continues to block the router UI.

However, I'm not too sure whether the above method will cause any security issues, but so far, it's working as intended.

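As an added example (not code from the thread or from TP-Link), the logic behind Hank21's two-rule answer (#2) and the single-deny-rule-plus-external-DNS approach above, modelled as a first-match ACL check in Python. The client address is constructed, and top-down first-match evaluation with a default allow is an assumption about how the gateway orders its rules.

```python
# Added example, not from the thread or from TP-Link: a first-match model of the
# gateway ACL behaviour the posts describe. Addresses come from the thread, the
# client IP is constructed, and top-down first-match with default allow is assumed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

GW_VLAN10 = "192.168.10.1"            # IPCam VLAN gateway (DNS=Auto hands this out)
GW_LAN = "192.168.0.1"                # default "Secure" LAN gateway
GATEWAY_IPS = {GW_VLAN10, GW_LAN}     # what "Gateway Management Page" is taken to cover
VLAN10 = ip_network("192.168.10.0/24")
CLIENT = "192.168.10.50"              # constructed notebook address on the IPCam VLAN

@dataclass
class Rule:
    policy: str   # "allow" or "deny"
    proto: str    # "dns" (port 53) or "all"
    src: str      # "any" or "vlan10"
    dst: str      # "any" or "gateway_mgmt"

def matches(rule: Rule, src_ip: str, dst_ip: str, dport: int) -> bool:
    if rule.proto == "dns" and dport != 53:
        return False
    if rule.src == "vlan10" and ip_address(src_ip) not in VLAN10:
        return False
    if rule.dst == "gateway_mgmt" and dst_ip not in GATEWAY_IPS:
        return False
    return True

def verdict(rules: list, src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; an unmatched flow is allowed (assumed default)."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip, dport):
            return rule.policy
    return "allow"

# Hank21's pair: allow DNS anywhere, then deny the VLAN to the management page.
TWO_RULES = [Rule("allow", "dns", "any", "any"), Rule("deny", "all", "vlan10", "gateway_mgmt")]
# BengGaBoy's single deny rule, relying on external DNS instead.
ONE_RULE = [Rule("deny", "all", "vlan10", "gateway_mgmt")]

def scenario(rules: list, dns_server: str) -> tuple:
    """(client can resolve names, management UI on 443 is blocked) for a VLAN 10 client."""
    dns_ok = verdict(rules, CLIENT, dns_server, 53) == "allow"
    ui_blocked = verdict(rules, CLIENT, GW_VLAN10, 443) == "deny"
    return dns_ok, ui_blocked

if __name__ == "__main__":
    print("one rule,  DNS=Auto    ->", scenario(ONE_RULE, GW_VLAN10))   # (False, True): no internet
    print("one rule,  DNS=1.1.1.3 ->", scenario(ONE_RULE, "1.1.1.3"))   # (True, True)
    print("two rules, DNS=Auto    ->", scenario(TWO_RULES, GW_VLAN10))  # (True, True)
```

Ping to the gateway IPs is not modelled, but it would hit the same deny rule, which matches the observation that the notebook cannot ping 192.168.0.1 or 192.168.10.1.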
Re:Management Page Block ACL blocks internet access
2024-02-10 04:20:43

Hi @BengGaBoy

Protocols, you can have more than 1. Or all. DNS is included as I recall.

If you set up like this, you of course do not have any access to the gateway on 80 and 443 anymore.

On a new VLAN interface, whatever DNS you set will be assigned to the clients. If Auto, that defaults to the gateway IP and port 53.

Re:Management Page Block ACL blocks internet access
2024-02-10 13:58:25

  @Clive_A

Thanks.

Just to check, which protocol(s) should I exclude to avoid the internet issue but still be able to block management web GUI access?

 

Re:Management Page Block ACL blocks internet access
2024-02-11 12:15:03

  @BengGaBoy

BengGaBoy wrote:

  @Clive_A

  Thanks.

  Just to check, which protocol(s) should I exclude to avoid the internet issue but still be able to block management web GUI access?

Doesn't Hank's post answer you? Regardless of the protocols, use the destination "Gateway Management Page".

Re:Management Page Block ACL blocks internet access
2024-04-26 03:45:12 - last edited 2024-04-26 03:51:04

  @BengGaBoy Did you find a resolution to this issue?

OC200 v2, ER605 v2, SG2008P v3 - all up-to-date firmware as of 26-April-2024.

I'm running into the same thing and I'm not sure how to proceed. Fairly basic scenario...

Scenario: the "IoT" network should not be able to communicate with the "Home" network, but "Home" should be able to communicate with "IoT".

- Switch ACL does not allow for this scenario because the switch cannot do stateful inspection
- Gateway ACL does allow this function
- Implement Gateway ACL (1, LAN>LAN: Permit Home to IoT, and 2, LAN>LAN: Deny IoT to Home, both ALL protocols)
- Works as expected

But now the IoT network can still reach the router management page (and ping all VLAN gateway IPs, of which there are 5).

So I created a "Deny IoT to Home" Gateway ACL with the destination being "Gateway Management Page", but that blocks IoT from accessing the internet.

What am I missing?
