How to Configure ACL to Block Unauthorized VPN Clients Bypassing the Portal

2024-06-20 03:08:36 - last edited 2024-06-20 06:42:46

Background:

 

This guide helps you configure an Access Control List (ACL) to block unauthorized TCP/UDP port 53 connections, which are commonly used by clients that are connected to the portal to bypass it via a VPN connection. Because the portal landing page has to be resolved and reached, TCP/UDP 53 is allowed before authentication. Psiphon VPN and other VPN types use port 53 to establish a VPN tunnel with their server, which bypasses portal authentication. To mitigate this, you can set up an ACL that blocks these unauthorized connections. The goal is to block both TCP and UDP on port 53 to every destination except your allowed DNS server.

 

This Article Applies to:

 

Omada routers.

 

Configuration Steps:

 

1. Log in to your router. Go to Preference > Service Type and create a new service with the following settings:

 

Service Name: TCP_UDP_53

Protocol: TCP and UDP

Source Port: All (any port 1-65535)

Destination Port: 53

 

2. Go to Preference > IP Group and create the two IP Groups the ACL will reference:

  • Go to IP Address and create the IP of your allowed DNS server first. Then create an IP Group named DNS_Server containing it.
  • Create an IP Group named Portal_LAN containing your portal subnet.

 

3. Go to the Firewall > Access Control settings page.

Create a new ACL entry with the following settings:

 

Policy: Block

Direction: LAN -> WAN

Source IP: Portal_LAN, or select the LAN interface.

Destination IP: !DNS_Server

Service: TCP_UDP_53

 

Use !DNS_Server as the Destination IP.

(If you choose IPGROUP-ANY as the Destination IP instead, DNS proxy will not be affected, but DNS forwarding will be.)
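The three steps above produce a single rule: Block, LAN -> WAN, Source Portal_LAN, Destination !DNS_Server, Service TCP_UDP_53. The following Python script is an added example (not code from the guide or from TP-Link) that emulates how that rule matches traffic, so you can check the negation semantics before applying it. The subnets and addresses (192.168.10.0/24 for Portal_LAN, 203.0.113.53 for DNS_Server, 198.51.100.7 as an arbitrary outside host) are constructed placeholders, and `dst_group=None` is this script's way of modelling the IPGROUP-ANY destination mentioned above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed example values (TEST-NET / private ranges), not taken from the guide.
PORTAL_LAN = [ipaddress.ip_network("192.168.10.0/24")]   # IP Group "Portal_LAN"
DNS_SERVER = [ipaddress.ip_network("203.0.113.53/32")]   # IP Group "DNS_Server"
# Service "TCP_UDP_53": TCP and UDP, any source port, destination port 53.
SERVICE_TCP_UDP_53 = {"protocols": {"tcp", "udp"}, "dst_ports": {53}}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    direction: str = "LAN->WAN"


def in_group(ip: str, group: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if the address belongs to any network of the IP Group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in group)


def acl_blocks(pkt: Packet,
               dst_group: Optional[List[ipaddress.IPv4Network]] = DNS_SERVER,
               negate_dst: bool = True) -> bool:
    """Emulate the rule: Block, LAN->WAN, Source Portal_LAN,
    Destination !DNS_Server, Service TCP_UDP_53.

    dst_group=None models IPGROUP-ANY (no destination restriction);
    negate_dst applies the '!' in front of the destination group.
    """
    if pkt.direction != "LAN->WAN":
        return False
    if not in_group(pkt.src, PORTAL_LAN):
        return False
    if dst_group is not None:
        matched = in_group(pkt.dst, dst_group)
        # With '!', the rule applies only when the destination is NOT in the group;
        # without it, only when the destination IS in the group.
        if matched == negate_dst:
            return False
    svc = SERVICE_TCP_UDP_53
    return pkt.proto.lower() in svc["protocols"] and pkt.dport in svc["dst_ports"]


# Constructed sample traffic from a portal client and from another LAN.
SAMPLES = [
    Packet("192.168.10.20", "203.0.113.53", "udp", 53),   # DNS to the allowed server
    Packet("192.168.10.20", "198.51.100.7", "udp", 53),   # "DNS" to an arbitrary host (VPN over 53)
    Packet("192.168.10.20", "198.51.100.7", "tcp", 53),   # same, over TCP
    Packet("192.168.10.20", "198.51.100.7", "tcp", 443),  # normal web traffic, left to the portal
    Packet("192.168.20.5", "198.51.100.7", "udp", 53),    # client outside Portal_LAN: rule does not apply
]


def summarize(packets: Iterable[Packet], **rule_kwargs) -> List[str]:
    """One 'BLOCK'/'PASS' verdict per packet, in order."""
    return ["BLOCK" if acl_blocks(p, **rule_kwargs) else "PASS" for p in packets]


if __name__ == "__main__":
    for label, kwargs in (("!DNS_Server", {}), ("IPGROUP-ANY", {"dst_group": None})):
        print(f"Destination = {label}")
        for pkt, verdict in zip(SAMPLES, summarize(SAMPLES, **kwargs)):
            print(f"  {pkt.src:>14} -> {pkt.dst:<14} {pkt.proto}/{pkt.dport:<4} {verdict}")
```

Running it shows that with !DNS_Server only port 53 traffic to hosts other than the allowed resolver is blocked, while the IPGROUP-ANY variant also blocks queries to the allowed resolver, which is the behaviour the note above warns will affect DNS forwarding.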

Note:

1. The portal also allows traffic on port 67 (DHCP) by default. Although local tests did not show the tested VPN provider (Psiphon) using this port during connection establishment, you can configure an additional rule as a precaution, following the steps outlined above.
2. We have observed that after configuring the ACL this way, Psiphon may still indicate a successful connection attempt. However, packet capture does not show any successful tunnel establishment, nor any actual traffic.

3. After this configuration, VPN clients need to authenticate with the portal before they get Internet access. After authentication, the VPN functions properly.

4. This guide describes Standalone mode. The configuration steps in Controller mode are the same.

 

Update Log:

 

Jun 20th, 2024:

Release of this guide.

 
