ER605 access control not working

Hello to everyone! I am trying to create some ACL rules on my ER605 but I don't understand why it looks impossible.
I have blocked two networks from reaching each other and it works ("Domotica" and "LAN_1").
The problem is that if I try to create a rule to block a single IP from reaching another IP it does not work.
As you see in the following screenshot I set a rule to block ALL between two IP groups, "Test_pcluca" and "NAS", but it is like this rule is not there: from that PC I can see and use the NAS.
I need to make rules to allow only some machines to get to the NAS and block everything else.
I'm getting mad.
Thank you in advance

EDIT: upgraded to firmware 2.2.6 Build 20240718 Rel.82712.
Hi @Bmark
Thanks for posting in our business forum.
You may use the label and tag to filter the existing guides and solutions for your ACL situation.
A glance at the screenshot doesn't provide any insights into the problem.
You should at least specify what group you have created and verify if you created them correctly.
Group creation involves the knowledge of CIDR and subnet. Make sure you know what you are doing before making a judgment that the ACL does not work.
It looks pretty easy to set up the ACL but it requires a way clearer mind of logic to configure them and understand how it works with some examples.
Hi @Clive_A,
thanks for your help. I literally spent the last two days searching every topic, guide and tutorial, and I was not able to solve this.
I show you how I created the IP groups:
For example "Computer_Luca" is a range that covers from 192.168.1.1 to 192.168.1.19.
"NAS" is just 192.168.1.20.

Every machine in the "Computer_Luca" range can reach the NAS.

As you can see I created other groups with other devices, to test them.
I tried with other ranges, PCs, printers.
I am doing something wrong for sure but it is not easy to understand what.
If I try to block access between two networks it works fine; between two IP ranges I see no result.

Thank you again, hope to hear back from you soon.
Hi @Bmark
Thanks for posting in our business forum.
Bmark wrote:
Hi @Clive_A,
thanks for your help. I literally spent the last two days searching every topic, guide and tutorial, and I was not able to solve this.
I show you how I created the IP groups:
For example "Computer_Luca" is a range that covers from 192.168.1.1 to 192.168.1.19.
"NAS" is just 192.168.1.20.
Every machine in the "Computer_Luca" range can reach the NAS.
As you can see I created other groups with other devices, to test them.
I tried with other ranges, PCs, printers.
I am doing something wrong for sure but it is not easy to understand what.
If I try to block access between two networks it works fine; between two IP ranges I see no result.
Thank you again, hope to hear back from you soon.
OK. Diagram of your network with IP specified.
Would be strange. Judging from the setup, it looks okay. It should be effective.
@Clive_A thanks for your support.
If there is something more I can share in order to understand what the problem is, please tell me.
With this setup every machine in the IP range of the "Computer_Luca" group reaches the "NAS" group.
I can make a screen recording if needed; I just don't understand why it does not work. The other rule between two networks works fine.
What do you suggest I try?
I updated to the latest firmware, rebooted, deleted the rule and made it again. I'm trying everything.
@Bmark,
It's been a while since I used an ER605 in standalone mode and I'm not going to drop it from my Omada setup to test, but:
It looks like all the IPs involved are in the same subnet.
Traffic between such clients is entirely handled by the switches and never reaches the router, thus it can't be controlled there.
The first couple of rules have source and destination on separate networks (requiring some routing), so the router is clearly involved there.
If you want control within the subnet, you need to apply it at the switch level...
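The reasoning in the reply above (a router ACL only sees packets that must be routed between subnets; same-subnet traffic is switched and never reaches it) as an added illustration, not code from the thread or from TP-Link. The subnet masks are assumptions: the posts only show hosts 192.168.1.1 to 192.168.1.20, so LAN_1 is taken as 192.168.1.0/24 and Domotica as a constructed 192.168.2.0/24.

```python
import ipaddress
from typing import Dict, List, Tuple

# Router networks. LAN_1 prefix is inferred from the thread; Domotica is a
# constructed placeholder, since the posts never state its prefix.
NETWORKS: Dict[str, ipaddress.IPv4Network] = {
    "LAN_1": ipaddress.ip_network("192.168.1.0/24"),
    "Domotica": ipaddress.ip_network("192.168.2.0/24"),  # assumed
}

# IP groups exactly as described in the posts: (first, last) address of each range.
IP_GROUPS: Dict[str, Tuple[str, str]] = {
    "Computer_Luca": ("192.168.1.1", "192.168.1.19"),
    "NAS": ("192.168.1.20", "192.168.1.20"),
}


def segment_of(ip: str) -> str:
    """Name of the router network (L3 segment) an address belongs to."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    raise ValueError(f"{ip} is not in any known network")


def needs_routing(src: str, dst: str) -> bool:
    """True when src and dst are in different subnets: the packet must cross
    the router, so a router ACL can match it. False means the frame is
    switched locally and the router never sees it."""
    return segment_of(src) != segment_of(dst)


def group_hosts(group: str) -> List[str]:
    """Expand an IP group range into its individual addresses."""
    first, last = IP_GROUPS[group]
    start, end = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(start, end + 1)]


def router_acl_coverage(src_group: str, dst_group: str) -> Tuple[int, int]:
    """Count (routed, switched) host pairs between two IP groups. Only the
    routed pairs are enforceable by the ER605 ACL; the switched pairs need a
    switch ACL or VLAN separation, as the reply suggests."""
    routed = switched = 0
    for s in group_hosts(src_group):
        for d in group_hosts(dst_group):
            if needs_routing(s, d):
                routed += 1
            else:
                switched += 1
    return routed, switched
```

Running `router_acl_coverage("Computer_Luca", "NAS")` shows every pair is switched, which is why the rule appears to do nothing, while a LAN_1 to Domotica pair is routed and the network-to-network rule works.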
@EricPerl thank you for your support, it is very helpful right now.
The devices that should reach the NAS and the NAS itself are actually directly connected to the ER605 router; there is no switch between the router and those devices (I don't know if this makes a difference).
If a switch would solve my problem I'll get one as soon as possible, but I don't understand why the ER605 has the IP group option at this point. If a switch would be the best way, would you recommend me some model?
Hi @Bmark
Thanks for posting in our business forum.
I don't have a suggestion for you to try now. I require a diagram with IP specified to check if there is anything wrong.
I also need you to paste the screenshots of the verification that the PC to the NAS is accessible via ping and web access. Additionally, ipconfig /all to display all the adapters and IP addresses.
Hi @Clive_A, thank you again for the support!
Here is a diagram of the VLAN1 network:

The devices marked in green are the ones that need to access the NAS (all of them, as usual, now reach the NAS); the ones I marked red are the ones I need to cut out from reaching the NAS.
There are then other devices in other VLANs, but I have no problem blocking a full network, so that is OK.

The PC I am using is 192.168.1.16

Here is a ping from my PC to the NAS

This is the login page of the NAS

The rules on the router are applied to block the whole IP range from 192.168.1.1 to 192.168.1.19 (as a test, so my PC should be out).

Thank you for your support, tell me if I can provide anything else.
Hi @Bmark
Thanks for posting in our business forum.
Bmark wrote:
Hi @Clive_A, thank you again for the support!
Here is a diagram of the VLAN1 network:
The devices marked in green are the ones that need to access the NAS (all of them, as usual, now reach the NAS); the ones I marked red are the ones I need to cut out from reaching the NAS.
There are then other devices in other VLANs, but I have no problem blocking a full network, so that is OK.
The PC I am using is 192.168.1.16
Here is a ping from my PC to the NAS
This is the login page of the NAS
The rules on the router are applied to block the whole IP range from 192.168.1.1 to 192.168.1.19 (as a test, so my PC should be out).
Thank you for your support, tell me if I can provide anything else.
Use the LAN-LAN for rule #3 in your ACL. Will it be effective?
This is getting strange. Regardless of what you are connected to, the unmanaged switch or the router, it does not work either way?
@Clive_A if I try to set it to LAN-LAN it will not let me select the IP groups but just the full networks (and those devices are in the same network).
A solution could be to make separate networks: I should make a VLAN for the devices that should reach the NAS (VLAN5), a VLAN for the NAS itself (VLAN6) and a VLAN for the devices that should not reach the NAS (VLAN7), since I need to keep the devices from the hypothetical VLAN5 able to reach those in VLAN7 (I hope I explained myself).

But it would be way easier if the IP group would work.

At the moment the block rule on the IP does not work both on the devices connected directly to the router (192.168.1.16 for example) and on those connected to the switch (192.168.1.14) (I am editing the diagram image since those two machines were inverted).

At the same time the block between the two networks (Domotica and LAN_1) is working for both devices connected to the router or to the switch, both ways.

Thank you again!