RDP ACL

2025-05-23 05:20:10 - last edited 2025-07-25 07:26:43
Model: ER7412-M2  
Hardware Version: V1
Firmware Version:

Hi, I have a case related to ACLs.

In my organization, I have configured multiple VLANs with different network addresses. For now, I’m focusing on two of them:

  • Default VLAN: 192.168.10.0/24

  • LocalLabComputer VLAN: 192.168.23.0/24

In the Default VLAN, there is a server managing antivirus software, with the IP address 192.168.10.22 (for example).

Objective:

I want to block all traffic from the LocalLabComputer network to the Default network, but still allow two-way communication between the antivirus server and the hosts in the LocalLabComputer network.

I have configured 3 ACL rules (in order):

  1. Rule 1:

    • Source: IP-Port Group ST00 (the server)

    • Destination: Network: LocalLabComputer

    • Permit: TCP, UDP, ICMP, RDP

  2. Rule 2:

    • Source: Network: LocalLabComputer

    • Destination: IP-Port Group: ST00

    • Permit: TCP, UDP, ICMP, RDP

  3. Rule 3 (last one):

    • Source: Network: LocalLabComputer

    • Destination: Network: Default

    • Deny: All protocols

Problem:

  • From the LocalLabComputer network, RDP and port 4000 connections to the Default VLAN are still working — even though they should be blocked.

  • But from the Default VLAN, RDP to LocalLabComputer doesn't work — even though it should be allowed.

I'm wondering what I might have done wrong. Can someone point out where the mistake could be?

I forgot to add that these rules are made on the Switch ACL.

#1

Re:RDP ACL
2025-05-27 07:02:57

  @Pablo_PL 

Do you have an Omada switch on the network? Switch rules only work on switches, not gateways.

Main: ER8411 x1, SG3428X x1, SG3452 x1, SG2428LP x1, SG3210 x1, SG2218P x1, SG2008P x3, ES208G x1, EAP650 x6 Remote: ER7206 v2 x1, ER605 v2 x3, SG2008P x2, EAP650 x2, ES205G x1 Controller: OC300
#2
Re:RDP ACL
2025-05-28 20:23:57

  @GRL 

Yes, I have an Omada switch in the network.

#3
Re:RDP ACL
2025-07-18 04:51:09

  @Pablo_PL 

Hi, my site and devices:

#4
Re:RDP ACL-Solution
2025-07-25 07:26:38 - last edited 2025-07-25 07:26:43

  @Pablo_PL 

There are two aspects for you to be careful about. But let's set the expectation first: the ACL is entirely based on what you configure; it works exactly as you configured it. There are no reports about the GW or SW ACL.

1. When you set up this kind of network, you need to make sure you are using 0-65535 as the source port, since the source initiates the connection to 3389, in your example, from a random port.

2. And if you bear this in mind, you should configure it as I have. Yet, there is a problem with the controller when you use the IP-Port Group.

The switch or the router does not pose a problem at all. It's a controller issue. See the config below, and you'll see.

You should set it as follows.

You can ignore rules 3 and 4, which are not effective, because 0-65535 is not effective as of now (V5.15.24.18). I will explain this at the end.

* If this bug is fixed in the future, anyone else who reads this can simply use rules 1, 2, and 3 or 4, or simply go for 1, 2, and 5. Rules 3 and 4 are the same: if you have rule 3, rule 4 is not necessary, and vice versa.

See, the port is using a mask instead of 0-65535. The rest of the config you can keep like mine or yours. Using a single port for that IP-Port range is okay.

Instead of using the IP-Port range, use the IP-Port mask. There is a bug in the controller where it cannot properly set the range. As I read the CLI output from the controller, this is clearly wrong when I set 0-65535: the port mask should not be fffc.

The key in this is a misconfig. The source port should be 0-65535, and the scheme is basically correct.

Recommended Solution
#5
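A worked model of the two points in the accepted solution, applied to the three rules from the question. This is an added example written by the editor; it is not code from the thread, from TP-Link, or from the Omada controller, and none of it was posted by the participants. The addresses, rule order and the server group ST00 are the thread's; the lab host 192.168.23.50, the ephemeral port 49152, the "mask bit set = compare that bit" convention (ffff is an exact port, 0000 is any port) and the implicit permit for traffic matching no rule are assumptions. It shows why 0-65535 must encode as mask 0000 rather than fffc (fffc matches only four ports), and why a stateless switch ACL needs the reply direction, server port 3389 to any client port, permitted explicitly.

```python
"""Stateless switch-ACL model for the rule set discussed in this thread.

Added example (editor's code, not from the thread, TP-Link or the Omada
controller). Assumptions, marked where used: port masks follow the
"mask bit set = compare that bit" convention, so ffff is an exact port and
0000 is any port; traffic matching no rule is permitted; 192.168.23.50 and
source port 49152 are a constructed lab host and ephemeral port.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


def range_to_masks(lo: int, hi: int) -> list[tuple[int, int]]:
    """Split an inclusive port range into aligned (value, mask) blocks.
    0-65535 becomes the single block (0, 0x0000); 0-3 becomes (0, 0xFFFC)."""
    blocks, p = [], lo
    while p <= hi:
        size = 1
        # grow the block while it stays aligned and inside [p, hi]
        while size * 2 <= 0x10000 and p % (size * 2) == 0 and p + size * 2 - 1 <= hi:
            size *= 2
        blocks.append((p, 0xFFFF ^ (size - 1)))
        p += size
    return blocks


def port_matches(port: int, value: int, mask: int) -> bool:
    """Assumed mask semantics: only the bits set in the mask are compared."""
    return (port & mask) == (value & mask)


def matched_port_count(mask: int) -> int:
    """Number of distinct ports a (value, mask) pair can match."""
    return 1 << (16 - bin(mask & 0xFFFF).count("1"))


ANY = (0, 0x0000)       # correct encoding of 0-65535
RDP = (3389, 0xFFFF)    # exact port 3389
BROKEN = (0, 0xFFFC)    # what the answer reports the controller emitted for 0-65535


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "icmp" or "any"
    src_net: str
    src_port: tuple[int, int]   # (value, mask)
    dst_net: str
    dst_port: tuple[int, int]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def evaluate(rules: list[Rule], pkt: Packet, default: str = "permit") -> tuple[str, str]:
    """Return (action, rule name) of the first matching rule. The switch keeps
    no connection state, so each direction of a flow is judged on its own."""
    for r in rules:
        if r.proto not in ("any", pkt.proto):
            continue
        if ip_address(pkt.src) not in ip_network(r.src_net):
            continue
        if ip_address(pkt.dst) not in ip_network(r.dst_net):
            continue
        if pkt.proto != "icmp" and not (port_matches(pkt.sport, *r.src_port)
                                        and port_matches(pkt.dport, *r.dst_port)):
            continue
        return r.action, r.name
    return default, "implicit"   # assumed: no match falls through to permit


SERVER = "192.168.10.22/32"     # IP-Port group ST00 from the question
LAB = "192.168.23.0/24"         # LocalLabComputer VLAN
DEFAULT = "192.168.10.0/24"     # Default VLAN


def build_rules(wildcard: tuple[int, int]) -> list[Rule]:
    """The question's three rules, written for an RDP session that a lab host
    opens towards the server; `wildcard` is the encoding used for the client's
    ephemeral port (ANY when 0-65535 is set correctly)."""
    return [
        Rule("1 server->lab", "permit", "tcp", SERVER, RDP, LAB, wildcard),
        Rule("2 lab->server", "permit", "tcp", LAB, wildcard, SERVER, RDP),
        Rule("3 lab->default", "deny", "any", LAB, ANY, DEFAULT, ANY),
    ]


def rdp_session_verdicts(rules: list[Rule]) -> tuple[str, str]:
    """Verdicts for the client's SYN and the server's SYN-ACK (constructed packets)."""
    syn = Packet("tcp", "192.168.23.50", 49152, "192.168.10.22", 3389)
    syn_ack = Packet("tcp", "192.168.10.22", 3389, "192.168.23.50", 49152)
    return evaluate(rules, syn)[0], evaluate(rules, syn_ack)[0]


def other_default_host_verdict(rules: list[Rule]) -> str:
    """A lab host reaching port 4000 on another Default-VLAN host hits rule 3."""
    pkt = Packet("tcp", "192.168.23.50", 49153, "192.168.10.40", 4000)
    return evaluate(rules, pkt)[0]


if __name__ == "__main__":
    print("0-65535 ->", [(v, f"{m:04x}") for v, m in range_to_masks(0, 65535)])
    print("mask fffc matches", matched_port_count(0xFFFC), "ports")
    print("correct  :", rdp_session_verdicts(build_rules(ANY)))
    print("fffc bug :", rdp_session_verdicts(build_rules(BROKEN)))
    print("port 4000:", other_default_host_verdict(build_rules(ANY)))
```

With the wildcard encoded correctly both halves of the session are permitted by rules 2 and 1. With the fffc encoding the client's SYN slips past rule 2 (49152 & fffc is not 0), falls to rule 3 and is denied, while the server's SYN-ACK misses rule 1 and lands on the implicit default: the rule set then behaves asymmetrically, which is the kind of one-way failure worth checking for whenever an "any port" entry is involved. Before trusting an Omada ACL, read the rule back from the switch CLI and confirm the mask the controller actually pushed.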