ER605 LAN Security Configurations
Basic configuration is three WAN ports (WAN, WAN/LAN1, WAN/LAN2) and two LAN Ports.
I wish to achieve a LAN for secure traffic (e.g. PCs, etc.) on Port 4 while traffic on Port 5 is an isolated LAN for public traffic.
Network/LAN
ID 1, LAN, 10.0.0.1, 255.255.255.0, DHCP Enabled
ID 2, Futile, 10.0.100.1, 255.255.255.0, DHCP Enabled
Network/VLAN
ID 1, VLAN ID 4, Name vlan4, Ports (4 UNTAG), Description LAN
ID 2, VLAN ID 5, Name vlan5, Ports (5 UNTAG), Description Futile
Firewall/Access Control
ID 1, Name FutileBlock, Policy Block, Service Type ALL, Direction LAN->LAN, Source Network Futile, Destination Network LAN, Effective Time ANY
ID 2, Name LANBlock, Policy Block, Service Type ALL, Direction LAN->LAN, Source Network LAN, Destination Network Futile, Effective Time ANY
If I connect a PC to Port 5, DHCP configures the PC with 10.0.100.100, which is correct, but using a web browser I can connect to the ER605 using the URL http://10.0.0.1
The expectation was LAN traffic is isolated to specific Ports. Access Control limits access in both directions. Unfortunately a connection across LANs still exists.
Reboot does not change behaviour, can still login to LAN management port from the Futile LAN.
VLAN 1 is obviously missing so this was created.
Network/LAN
ID 1, LAN, 10.0.0.1, 255.255.255.0, DHCP Enabled
ID 2, Futile, 10.0.100.1, 255.255.255.0, DHCP Enabled
ID 3, VLAN1, 192.168.0.1, 255.255.255.0, DHCP Enabled
Network/VLAN
ID 1, VLAN ID 1, Name vlan1, Ports 4(TAG) 5(TAG), Description VLAN1
ID 2, VLAN ID 4, Name vlan4, Ports (4 UNTAG), Description LAN
ID 3, VLAN ID 5, Name vlan5, Ports (5 UNTAG), Description Futile
Reboot does not change behaviour, can still login to LAN management port from the Futile LAN.
Changed VLAN1 Port configuration.
Network/VLAN
ID 1, VLAN ID 1, Name vlan1, Ports 4(TAG), Description VLAN1
ID 2, VLAN ID 4, Name vlan4, Ports (4 UNTAG), Description LAN
ID 3, VLAN ID 5, Name vlan5, Ports (5 UNTAG), Description Futile
Can still login to LAN management port 10.0.0.1 from the Futile LAN.
Try URL filtering to block traffic.
Preferences/IP Group/IP Address
ID 1, Name IP_LAN, IP Address Type IP Address/Mask, IP Address Range 10.0.0.0/24, 10.0.100.0/24, 192.168.0.0/24, IP Address/Mask 10.0.0.0/24, 10.0.100.0/24, 192.168.0.0/24, Description IP_LAN
ID 2, Name IP_Futile, IP Address Type IP Address/Mask, IP Address Range 10.0.100.0/24, IP Address/Mask 10.0.100.0/24, Description IP_Futile
Preferences/IP Group
ID 1, Group Name IPGROUP_ANY, Address Name ---, Description IPGROUP_ANY
ID 2, Group Name IPGROUP_LAN, Address Name IP_LAN, Description IPGROUP_LAN
ID 3, Group Name IPGroup_Futile, Address Name IP_Futile, Description IPGroup_Futile
Behavior Control/Web Filtering/URL Filtering
Enable URL Filtering
ID 1, IP Group IPGroup_Futile, Policy Deny, Mode URL Path, Filtering Content 10.0.0.1 10.0.100.1, Effective Time Any, Status Enabled, Description Management Restrictions
PC on Futile LAN at IP Address 10.0.100.100 can still login to ER605 management web page at 10.0.0.1 on LAN, unable to isolate access.
Currently testing with one PC, so no testing from PC to PC across the two LANs.
What have I misconfigured?
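As an added illustration (not part of the post above, and not TP-Link's code), the following script models the two Network/LAN segments and the two Firewall/Access Control rules exactly as listed in the post, and reports what those LAN->LAN rules would decide for a given source and destination address. It separates three kinds of flow that a practitioner checks apart when testing isolation: traffic forwarded between the two networks (which the rules cover), traffic switched inside one VLAN (which the router never sees), and traffic addressed to one of the router's own interface IPs such as 10.0.0.1. Treating that last class as locally delivered rather than forwarded, and therefore outside the LAN->LAN rule set, is an assumption made here for the sake of the model, not a documented ER605 behaviour; the script only makes the distinction visible so that each class can be tested on its own.

```python
"""Model of the Access Control rules from the post, for reasoning about which
flows the LAN->LAN rules cover. Constructed example: nothing here talks to the
router. Networks and rules are copied from the post; the 'router-local'
classification is an assumption for illustration, not ER605 documentation."""
import ipaddress

# Network/LAN entries as listed in the post
NETWORKS = {
    "LAN": ipaddress.ip_network("10.0.0.0/24"),
    "Futile": ipaddress.ip_network("10.0.100.0/24"),
}

# Gateway address of each network, i.e. the router's own interface IPs
ROUTER_IPS = {
    ipaddress.ip_address("10.0.0.1"),
    ipaddress.ip_address("10.0.100.1"),
}

# Firewall/Access Control rules from the post, evaluated in ID order
ACL = [
    {"name": "FutileBlock", "policy": "Block", "src": "Futile", "dst": "LAN"},
    {"name": "LANBlock", "policy": "Block", "src": "LAN", "dst": "Futile"},
]


def network_of(ip):
    """Return the name of the configured network containing ip, or None."""
    for name, net in NETWORKS.items():
        if ip in net:
            return name
    return None


def evaluate(src, dst):
    """Classify a flow and, where a LAN->LAN rule applies, name the rule.

    Returns a (verdict, rule_name) tuple. Verdicts:
      'router-local'  destination is a router interface IP (ASSUMPTION: treated
                      as locally delivered, so the LAN->LAN rules are not consulted)
      'same-network'  both ends in one VLAN; switched, router not in the path
      'unknown'       an address outside every configured network
      'block'/'allow' result of the forwarded-traffic rules
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip in ROUTER_IPS:
        return ("router-local", None)
    src_net = network_of(src_ip)
    dst_net = network_of(dst_ip)
    if src_net is None or dst_net is None:
        return ("unknown", None)
    if src_net == dst_net:
        return ("same-network", None)
    for rule in ACL:
        if rule["src"] == src_net and rule["dst"] == dst_net:
            return (rule["policy"].lower(), rule["name"])
    return ("allow", None)  # no rule matched: default permit


def isolation_report(flows):
    """Evaluate a list of (src, dst) pairs and return {(src, dst): verdict}."""
    return {(s, d): evaluate(s, d) for s, d in flows}


if __name__ == "__main__":
    # Constructed test flows: the post's PC on Port 5 (10.0.100.100) and a
    # hypothetical host on the secure LAN (10.0.0.50)
    sample = [
        ("10.0.100.100", "10.0.0.50"),   # Futile -> LAN host, forwarded
        ("10.0.0.50", "10.0.100.100"),   # LAN -> Futile host, forwarded
        ("10.0.100.100", "10.0.0.1"),    # Futile -> management IP on LAN
        ("10.0.0.5", "10.0.0.6"),        # two hosts inside the LAN VLAN
    ]
    for (s, d), verdict in isolation_report(sample).items():
        print(f"{s:>14} -> {d:<14} {verdict}")
```

The practical use is as a checklist: each verdict class needs its own test. The two forwarded flows are what the Access Control rules are written for and are only exercised with a second PC, which the post notes has not been done yet; the management-IP flow is the one the post actually tested, and the model keeps it separate precisely because the rules that do cover forwarded traffic say nothing about it under the stated assumption.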