limit specific IP to access to internal server
limit specific IP to access to internal server
Hi
Need some help with the following issue.
I want to open up port 22 but then restrict which external IP can access it.
I've tried to follow these instructions but it's so confusing.
https://www.tp-link.com/us/support/faq/2026/
Any help would be appreciated.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
the source IP can i put in the range as 203.xx.xx.144 - 230.xx.xx.144 rather than 203.xx.xx.144/30?
- Copy Link
- Report Inappropriate Content
Clive_A wrote
Hi @locn
Thanks for posting in our business forum.
locn wrote
Clive_A wrote
Hi @locn
Thanks for posting in our business forum.
locn wrote
Clive_A wrote
Hi @locn
Thanks for posting in our business forum.
locn wrote
thanks. the description is confusing. none the less I think i've set it up as per the instructions but i can still access the server behind the firewall from a different IP. i'm using SFTP to backup some websites onto a nas so port 22 is open and i've restricted it to the website IP but i can still SFTP into the nas from the different external IP.Be sure you reply to my post instead of replying to yourself. I may miss your post if you did not mention me.
So you are certain that every single step be followed as the guide writes? The block SRC is any IP address? And the direction is correct as the guide?
Behind the firewall from a different IP? Do you mean a different router with a different public IP address?
no i'm not behind the firewall. i'm logging in from a different public IP to test and it's allowing me to connect using SFTP
What about the service you created and the DST IP group?
service is SFTP TCP Source Port = 22-22; Destination Port = 22-22
DST IP group is local ip address of NAS 192.168.13.0/24
Should be /32
And the IP should be 192.168.13.X/32.
i changed the ip to 192.168.13.0/32 but didn't make any difference. I can still SFTP into it from a different external IP.
- Copy Link
- Report Inappropriate Content
Hi @locn
Thanks for posting in our business forum.
locn wrote
Clive_A wrote
Hi @locn
Thanks for posting in our business forum.
locn wrote
Clive_A wrote
Hi @locn
Thanks for posting in our business forum.
locn wrote
Clive_A wrote
Hi @locn
Thanks for posting in our business forum.
locn wrote
thanks. the description is confusing. none the less I think i've set it up as per the instructions but i can still access the server behind the firewall from a different IP. i'm using SFTP to backup some websites onto a nas so port 22 is open and i've restricted it to the website IP but i can still SFTP into the nas from the different external IP.Be sure you reply to my post instead of replying to yourself. I may miss your post if you did not mention me.
So you are certain that every single step be followed as the guide writes? The block SRC is any IP address? And the direction is correct as the guide?
Behind the firewall from a different IP? Do you mean a different router with a different public IP address?
no i'm not behind the firewall. i'm logging in from a different public IP to test and it's allowing me to connect using SFTP
What about the service you created and the DST IP group?
service is SFTP TCP Source Port = 22-22; Destination Port = 22-22
DST IP group is local ip address of NAS 192.168.13.0/24
Should be /32
And the IP should be 192.168.13.X/32.
i changed the ip to 192.168.13.0/32 but didn't make any difference. I can still SFTP into it from a different external IP.
No.
X stands for the number of your device, its IP. If you are not familiar with the CIDR configuration, please kindly Google this part.
If it is a range of IP addresses, you should use the IP range instead of CIDR.
BTW, your firmware is not up-to-date. You should update its firmware at least.
- Copy Link
- Report Inappropriate Content
Clive_A wrote
Hi @locn
Thanks for posting in our business forum.
locn wrote
Clive_A wrote
Hi @locn
Thanks for posting in our business forum.
locn wrote
Clive_A wrote
Hi @locn
Thanks for posting in our business forum.
locn wrote
Clive_A wrote
Hi @locn
Thanks for posting in our business forum.
locn wrote
thanks. the description is confusing. none the less I think i've set it up as per the instructions but i can still access the server behind the firewall from a different IP. i'm using SFTP to backup some websites onto a nas so port 22 is open and i've restricted it to the website IP but i can still SFTP into the nas from the different external IP.Be sure you reply to my post instead of replying to yourself. I may miss your post if you did not mention me.
So you are certain that every single step be followed as the guide writes? The block SRC is any IP address? And the direction is correct as the guide?
Behind the firewall from a different IP? Do you mean a different router with a different public IP address?
no i'm not behind the firewall. i'm logging in from a different public IP to test and it's allowing me to connect using SFTP
What about the service you created and the DST IP group?
service is SFTP TCP Source Port = 22-22; Destination Port = 22-22
DST IP group is local ip address of NAS 192.168.13.0/24
Should be /32
And the IP should be 192.168.13.X/32.
i changed the ip to 192.168.13.0/32 but didn't make any difference. I can still SFTP into it from a different external IP.
No.
X stands for the number of your device, its IP. If you are not familiar with the CIDR configuration, please kindly Google this part.
If it is a range of IP addresses, you should use the IP range instead of CIDR.
BTW, your firmware is not up-to-date. You should update its firmware at least.
that is the latest firmware from my country.
https://www.tp-link.com/au/support/download/er706w-4g/#Firmware
- Copy Link
- Report Inappropriate Content
I appreciate your time trying to help :-)
i figured i would start again from scratch to rule out any issues.
Service - SFTP port 22 - 22
IP Address - SFTP_Server IP Address/Mask 192.168.13.251/32 192.168.13.251/32
IP Group - Website_Allow SFTP_Server
then in Firewall
1 Allow Block SFTP [WAN2] IN IPGROUP_ANY Website_Allow Any
this techinically should block all incoming sftp / ssh?
but i can still log into SFTP into the server.
Oh i haven't been able to reboot the router yet. Will this make any difference?
- Copy Link
- Report Inappropriate Content
Hi @locn
Thanks for posting in our business forum.
locn wrote
I appreciate your time trying to help :-)
i figured i would start again from scratch to rule out any issues.
Service - SFTP port 22 - 22
IP Address - SFTP_Server IP Address/Mask 192.168.13.251/32 192.168.13.251/32
IP Group - Website_Allow SFTP_Server
then in Firewall
1 Allow Block SFTP [WAN2] IN IPGROUP_ANY Website_Allow Any
this techinically should block all incoming sftp / ssh?
but i can still log into SFTP into the server.
Oh i haven't been able to reboot the router yet. Will this make any difference?
The latest firmware can be found on my signature. For your wireless products, make sure you check the country code before the upgrade.
Shouldn't it be the Block - WAN IN - ANY IP? Then allow a certain IP address to access?
- Copy Link
- Report Inappropriate Content
The latest firmware can be found on my signature. For your wireless products, make sure you check the country code before the upgrade.
Shouldn't it be the Block - WAN IN - ANY IP? Then allow a certain IP address to access?
Ok thanks i will try to upgrade to the newer Stable release tonight once everyone is gone. I can see there are a lot of upgrades in the newer beta but since it's in production i'll wait until it's stable.
as for the block i'm trying to open the port then via objects block everything.
Sorry for the confusion but the Allow at the front is just the Name. the settings are from Block onwards.
So essentiall the firewall settings are:
Block SFTP [WAN2] IN IPGROUP_ANY Website_Allow Any
This in theory should block everything to this service on port 22?
But i can still manually SFTP in.
- Copy Link
- Report Inappropriate Content
Hi @locn
Thanks for posting in our business forum.
locn wrote
The latest firmware can be found on my signature. For your wireless products, make sure you check the country code before the upgrade.
Shouldn't it be the Block - WAN IN - ANY IP? Then allow a certain IP address to access?
Ok thanks i will try to upgrade to the newer Stable release tonight once everyone is gone. I can see there are a lot of upgrades in the newer beta but since it's in production i'll wait until it's stable.
as for the block i'm trying to open the port then via objects block everything.
Sorry for the confusion but the Allow at the front is just the Name. the settings are from Block onwards.
So essentiall the firewall settings are:
Block SFTP [WAN2] IN IPGROUP_ANY Website_Allow Any
This in theory should block everything to this service on port 22?
But i can still manually SFTP in.
You might compile everything in the same reply instead of separating them in the replies. I so far got information one piece at a time.
If you have followed the guide strictly, it should work.
Please get a reply with two rules listed for me, IP Group, and the Service you created. And what's the allowed IP address?
Your test IP address and screenshots that you are logged in.
Please mosaic your sensitive information. Here is a list of information considered sensitive:
1. Public IP address on your WAN if your WAN is.
2. Real MAC address of your device.
3. Your personal information including address, domain name, and credentials.
For troubleshooting purposes, when a WAN IP is needed, please leave some values visible for identification.
You did not pay attention to the firmware release post which has official firmware releases as well. Might take a look at the global website where you have newer firmware. This is the latest one.
https://www.tp-link.com/en/support/download/er706w-4g/#Firmware
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 394
Replies: 18
Voters 0
No one has voted for it yet.