Business Community > Gateways > Gateway ACL's not working (can ping denied interfaces)
< Gateways

Gateway ACL's not working (can ping denied interfaces)

Gateway ACL's not working (can ping denied interfaces)

Gateway ACL's not working (can ping denied interfaces)
Gateway ACL's not working (can ping denied interfaces)
2025-03-28 06:54:12 - last edited 2025-04-01 00:48:42
Model: ER707-M2  
Hardware Version: V1
Firmware Version: 1.2.3 Build 20240822 Rel.52946

Hardware in use:

 

Gateway (router) : Er707 M2

Core Switch:         SG3428

PoE switch:           SG2210MP

WAP:                     EA615

Switch:                   ES205G

 

Controller :            OC200

 

Hello:

 

I have configured my network as per this guide. But using only a single management vlan.

ie: gateway is 10.10.10.2 and devices are on 10.10.50.1/24 (also note devices have after readoption been asigned a static ip)

 

Is there any reason why gateway ACL's would not work with this config?

 

Whether or not i connect a device to a gateway Lan port (with a Vlan configured as interface on gateway & PVID set correctly) or a switch port .

 

Note: 2 separate vlan interfaces are being used here 10.10.100.1/24 & 10.10.110.1/24

ACL's with a deny in either direction simply do not function. 

I am able to ping in both directions always.

 

Is there any reason why this would be?

 

Is it because...of

--> Mangement Vlan configured on switch?

-->

--> Easy managed switch has been intergrated into network?

or....

 

note:

*switch ACL's work as intended but all are off for testing gateway ACL)

 

and as per guide...

 

*static route on switch is 0.0.0.0/0 --> 10.10.10.2 (static gateway ip)

*Static transmission route set as 10.10.50.0/24 next hop --> 10.10.10.1

 

 

I do require some stateful ACL's in my network.

 

Please advise.

 

Thanykou in advance.

 

 

 

  0      
 
  0      
 
#1
Options
1 Accepted Solution
Re:Gateway ACL's not working (can ping denied interfaces)-Solution
2025-03-31 05:47:53 - last edited 2025-04-01 00:48:42

Hi @Defty 

Thanks for posting in our business forum.

Defty wrote

 Hi  @Clive_A 

 

As I require the use of statefull ACL's I did indeed set the DHCP host on the Gateway interface.

 

I'm aware that stateful ACL's can only be configured on the gateway.

 

So, with all protocols selected:

Network Interface (A) 10.10.100.1/24 ---> deny--->10.10.200.1/24 (B)  

 

Is it expected behaviour that I can ping the gateway of interface of B when connected to a Lan port assigned with A?

 

 

Thanks for you time.

 

 

 

Yes. Gateway is always pingable regardless of the VLAN or ACL. If you block the A to B, the gateway, you will lose the whole access to either of them.

And you can access the http/https on other VLANs even though you have ACL set to block A to B or B to A. It is normal. Just another rule to block the IP-Port or Gateway Management Page to stop the page access.

Recommended Solution
  0  
  0  
#6
Options
6 Reply
Re:Gateway ACL's not working (can ping denied interfaces)
2025-03-28 07:16:22

  @Defty 
 

It sounds like you've set up your network correctly, but the gateway ACLs aren't working as expected. Here are a few things to check:

  1. ACL Placement – Ensure that the ACLs are applied to the correct interfaces (LAN or VLAN) and are processed in the right order. Some gateways apply ACLs differently depending on inbound/outbound traffic.

  2. Management VLAN – If your switches and gateway are using the same VLAN for management, it’s possible that traffic is bypassing the ACLs. Try moving management to a separate VLAN and see if that helps.

  3. Easy Managed Switch – Some smart switches handle VLANs differently. If the ES205G is not fully VLAN-aware, it might be forwarding traffic in a way that bypasses ACLs.

  4. Firewall/NAT Rules – Check if there are existing firewall or NAT rules on the ER707-M2 that could be overriding your ACLs. Sometimes, default rules allow all traffic unless explicitly blocked.

  5. Testing Approach – Since switch ACLs work but gateway ACLs do not, try enabling logging on the ACLs (if available) to see if they are even being hit. Also, testing with different VLANs might help identify if the issue is VLAN-related.

Since you need stateful ACLs, you may need to look into the router’s firewall settings instead of just ACLs. Let me know if any of this helps!

  0  
  0  
#2
Options
Re:Gateway ACL's not working (can ping denied interfaces)
2025-03-28 07:47:24

  @Saleem_Al_Shera 

 

Thanks for the reply.

 

1. yes checked and triple checked

2.Management vlan is on a separate vlan (10.10.10.50 ) are you suggesting to palce MGMt vlan separate from devices?  I dont see how this would function.

3.No vlans intended for stateful ACL are on easy managed switch.  I have also dissconnect the switch to elimate this but in controller i still have the check box ticked that says im using easy manged switches.

4. Will look into this.  As im new, is there anything in particular i should be looking for?

5. having difficulty with the logging procedure on controller, but will look further.  have extensivly tested with different vlans with no success.

 

Please do have a wee look at the guide i used from Tp link for initial config.

 

thanks for posting :)

  0  
  0  
#3
Options
Re:Gateway ACL's not working (can ping denied interfaces)
2025-03-31 01:50:28

Hi @Defty 

Who is the DHCP server, or who hosts the DHCP, it should be set up with the ACL.

If you are using a VLAN interface, you set up the Gateway ACL. You use Switch as the DHCP, you set up the Switch ACL.

  1  
  1  
#4
Options
Re:Gateway ACL's not working (can ping denied interfaces)
2025-03-31 05:29:23

 Hi  @Clive_A 

 

As I require the use of statefull ACL's I did indeed set the DHCP host on the Gateway interface.

 

I'm aware that stateful ACL's can only be configured on the gateway.

 

So, with all protocols selected:

Network Interface (A) 10.10.100.1/24 ---> deny--->10.10.200.1/24 (B)  

 

Is it expected behaviour that I can ping the gateway of interface of B when connected to a Lan port assigned with A?

 

 

Thanks for you time.

 

 

 

  0  
  0  
#5
Options
Re:Gateway ACL's not working (can ping denied interfaces)-Solution
2025-03-31 05:47:53 - last edited 2025-04-01 00:48:42

Hi @Defty 

Thanks for posting in our business forum.

Defty wrote

 Hi  @Clive_A 

 

As I require the use of statefull ACL's I did indeed set the DHCP host on the Gateway interface.

 

I'm aware that stateful ACL's can only be configured on the gateway.

 

So, with all protocols selected:

Network Interface (A) 10.10.100.1/24 ---> deny--->10.10.200.1/24 (B)  

 

Is it expected behaviour that I can ping the gateway of interface of B when connected to a Lan port assigned with A?

 

 

Thanks for you time.

 

 

 

Yes. Gateway is always pingable regardless of the VLAN or ACL. If you block the A to B, the gateway, you will lose the whole access to either of them.

And you can access the http/https on other VLANs even though you have ACL set to block A to B or B to A. It is normal. Just another rule to block the IP-Port or Gateway Management Page to stop the page access.

Recommended Solution
  0  
  0  
#6
Options
Re:Gateway ACL's not working (can ping denied interfaces)
2025-03-31 10:02:22

  Great, simple and effective explaination thankyou @Clive_A 

  1  
  1  
#7
Options

Information

Helpful: 0

Views: 452

Replies: 6

About Us
Press
Copyright © TP-Link Systems Inc. All rights reserved.