ACL not work
2025-07-06 11:44:08
Tags: #ACL
Model: TL-SG3428  
Hardware Version: V1
Firmware Version:

I would like to ask for help with the following issue:

I’m trying to configure ACL access exclusively for the Samba service between two IP addresses located in separate VLAN networks.

I'm keeping the setup as simple as possible – relying on ACLs configured on the switch. My configuration looks as follows:

  1. The first rule is an allow rule – it permits traffic from a group of source IP addresses in one VLAN, targeting the Samba service ports in the second VLAN.

  2. The second rule is a deny rule – it blocks all remaining traffic between these two VLANs.

Unfortunately, this configuration does not work as expected. When I disable the ACL rules, everything works fine.

So my question is:
Am I doing something wrong in the configuration, or could the issue be on the device side (e.g., the switch or the server)?


access-list create 1000
access-list combined 1000 rule 1 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 17 s-port 445 s-port-mask ffff d-port 445 d-port-mask ffff
access-list combined 1000 rule 2 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 17 s-port 445 s-port-mask ffff d-port 445 d-port-mask ffff
access-list combined 1000 rule 3 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 17 s-port 445 s-port-mask ffff d-port 139 d-port-mask ffff
access-list combined 1000 rule 4 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 17 s-port 445 s-port-mask ffff d-port 139 d-port-mask ffff
access-list combined 1000 rule 5 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 17 s-port 445 s-port-mask ffff d-port 138 d-port-mask ffff
access-list combined 1000 rule 6 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 17 s-port 445 s-port-mask ffff d-port 138 d-port-mask ffff
access-list combined 1000 rule 7 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 17 s-port 445 s-port-mask ffff d-port 137 d-port-mask ffff
access-list combined 1000 rule 8 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 17 s-port 445 s-port-mask ffff d-port 137 d-port-mask ffff
access-list combined 1000 rule 9 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 17 s-port 139 s-port-mask ffff d-port 445 d-port-mask ffff
access-list combined 1000 rule 10 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 17 s-port 139 s-port-mask ffff d-port 445 d-port-mask ffff
access-list combined 1000 rule 11 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 17 s-port 139 s-port-mask ffff d-port 139 d-port-mask ffff
access-list combined 1000 rule 12 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 17 s-port 139 s-port-mask ffff d-port 139 d-port-mask ffff
access-list combined 1000 rule 13 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 17 s-port 139 s-port-mask ffff d-port 138 d-port-mask ffff
access-list combined 1000 rule 14 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 17 s-port 139 s-port-mask ffff d-port 138 d-port-mask ffff
access-list combined 1000 rule 15 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 17 s-port 139 s-port-mask ffff d-port 137 d-port-mask ffff
access-list combined 1000 rule 16 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 17 s-port 139 s-port-mask ffff d-port 137 d-port-mask ffff
access-list combined 1000 rule 17 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 17 s-port 138 s-port-mask ffff d-port 445 d-port-mask ffff
access-list combined 1000 rule 18 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 17 s-port 138 s-port-mask ffff d-port 445 d-port-mask ffff
access-list combined 1000 rule 19 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 17 s-port 138 s-port-mask ffff d-port 139 d-port-mask ffff
access-list combined 1000 rule 20 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 17 s-port 138 s-port-mask ffff d-port 139 d-port-mask ffff
access-list combined 1000 rule 21 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 17 s-port 138 s-port-mask ffff d-port 138 d-port-mask ffff
access-list combined 1000 rule 22 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 17 s-port 138 s-port-mask ffff d-port 138 d-port-mask ffff
access-list combined 1000 rule 23 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 17 s-port 138 s-port-mask ffff d-port 137 d-port-mask ffff
access-list combined 1000 rule 24 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 17 s-port 138 s-port-mask ffff d-port 137 d-port-mask ffff
access-list combined 1000 rule 25 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 17 s-port 137 s-port-mask ffff d-port 445 d-port-mask ffff
access-list combined 1000 rule 26 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 17 s-port 137 s-port-mask ffff d-port 445 d-port-mask ffff
access-list combined 1000 rule 27 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 17 s-port 137 s-port-mask ffff d-port 139 d-port-mask ffff
access-list combined 1000 rule 28 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 17 s-port 137 s-port-mask ffff d-port 139 d-port-mask ffff
access-list combined 1000 rule 29 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 17 s-port 137 s-port-mask ffff d-port 138 d-port-mask ffff
access-list combined 1000 rule 30 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 17 s-port 137 s-port-mask ffff d-port 138 d-port-mask ffff
access-list combined 1000 rule 31 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 17 s-port 137 s-port-mask ffff d-port 137 d-port-mask ffff
access-list combined 1000 rule 32 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 17 s-port 137 s-port-mask ffff d-port 137 d-port-mask ffff
access-list combined 1000 rule 33 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 6 s-port 445 s-port-mask ffff d-port 445 d-port-mask ffff
access-list combined 1000 rule 34 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 6 s-port 445 s-port-mask ffff d-port 445 d-port-mask ffff
access-list combined 1000 rule 35 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 6 s-port 445 s-port-mask ffff d-port 139 d-port-mask ffff
access-list combined 1000 rule 36 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 6 s-port 445 s-port-mask ffff d-port 139 d-port-mask ffff
access-list combined 1000 rule 37 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 6 s-port 445 s-port-mask ffff d-port 138 d-port-mask ffff
access-list combined 1000 rule 38 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 6 s-port 445 s-port-mask ffff d-port 138 d-port-mask ffff
access-list combined 1000 rule 39 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 6 s-port 445 s-port-mask ffff d-port 137 d-port-mask ffff
access-list combined 1000 rule 40 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 6 s-port 445 s-port-mask ffff d-port 137 d-port-mask ffff
access-list combined 1000 rule 41 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 6 s-port 139 s-port-mask ffff d-port 445 d-port-mask ffff
access-list combined 1000 rule 42 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 6 s-port 139 s-port-mask ffff d-port 445 d-port-mask ffff
access-list combined 1000 rule 43 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 6 s-port 139 s-port-mask ffff d-port 139 d-port-mask ffff
access-list combined 1000 rule 44 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 6 s-port 139 s-port-mask ffff d-port 139 d-port-mask ffff
access-list combined 1000 rule 45 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 6 s-port 139 s-port-mask ffff d-port 138 d-port-mask ffff
access-list combined 1000 rule 46 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 6 s-port 139 s-port-mask ffff d-port 138 d-port-mask ffff
access-list combined 1000 rule 47 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 6 s-port 139 s-port-mask ffff d-port 137 d-port-mask ffff
access-list combined 1000 rule 48 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 6 s-port 139 s-port-mask ffff d-port 137 d-port-mask ffff
access-list combined 1000 rule 49 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 6 s-port 138 s-port-mask ffff d-port 445 d-port-mask ffff
access-list combined 1000 rule 50 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 6 s-port 138 s-port-mask ffff d-port 445 d-port-mask ffff
access-list combined 1000 rule 51 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 6 s-port 138 s-port-mask ffff d-port 139 d-port-mask ffff
access-list combined 1000 rule 52 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 6 s-port 138 s-port-mask ffff d-port 139 d-port-mask ffff
access-list combined 1000 rule 53 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 6 s-port 138 s-port-mask ffff d-port 138 d-port-mask ffff
access-list combined 1000 rule 54 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 6 s-port 138 s-port-mask ffff d-port 138 d-port-mask ffff
access-list combined 1000 rule 55 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 6 s-port 138 s-port-mask ffff d-port 137 d-port-mask ffff
access-list combined 1000 rule 56 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 6 s-port 138 s-port-mask ffff d-port 137 d-port-mask ffff
access-list combined 1000 rule 57 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 6 s-port 137 s-port-mask ffff d-port 445 d-port-mask ffff
access-list combined 1000 rule 58 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 6 s-port 137 s-port-mask ffff d-port 445 d-port-mask ffff
access-list combined 1000 rule 59 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 6 s-port 137 s-port-mask ffff d-port 139 d-port-mask ffff
access-list combined 1000 rule 60 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 6 s-port 137 s-port-mask ffff d-port 139 d-port-mask ffff
access-list combined 1000 rule 61 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 6 s-port 137 s-port-mask ffff d-port 138 d-port-mask ffff
access-list combined 1000 rule 62 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 6 s-port 137 s-port-mask ffff d-port 138 d-port-mask ffff
access-list combined 1000 rule 63 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.11 dip-mask 255.255.255.255 protocol 6 s-port 137 s-port-mask ffff d-port 137 d-port-mask ffff
access-list combined 1000 rule 64 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 6 s-port 137 s-port-mask ffff d-port 137 d-port-mask ffff

access-list create 1001
access-list combined 1001 rule 1 deny logging disable sip 192.168.198.1 sip-mask 255.255.255.0 dip 192.168.201.1 dip-mask 255.255.255.0

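The following Python script is an added example, not part of the original post and not TP-Link code. It parses the `access-list combined` syntax shown above (the subset used in the post: sip/dip with subnet-style masks, protocol, s-port/d-port with hex masks) and evaluates constructed sample packets against the rules. Three things about the switch's behaviour are assumptions rather than facts from the thread and should be checked against the TL-SG3428 documentation: masks are "care" masks (1 bits are compared), rules are evaluated first-match in ascending ACL and rule order, and traffic that matches no rule is forwarded. With those assumptions the script shows why an SMB client's TCP connection is dropped under the posted rules: every permit rule requires the source port to be 445, 139, 138 or 137 as well, but a client connects from a random ephemeral port, so only the deny in ACL 1001 matches. A constructed alternative permit without the s-port constraint matches the same connection. The return packet illustrates the point made in the first reply that a switch ACL is not stateful: the reply passes only because the deny is written for one direction, not because the switch remembers the connection.

```python
"""Added example: evaluate TP-Link-style 'access-list combined' rules against sample packets.

Assumptions (not taken from the post): masks are 'care' masks (1 bits are compared),
rules are tried first-match in ascending (ACL, rule) order, and a packet that matches
no rule is permitted.
"""
import ipaddress

# Two rules copied from the post: the TCP/445 permit (rule 34) and the VLAN-to-VLAN deny.
ORIGINAL_RULES = """
access-list combined 1000 rule 34 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 6 s-port 445 s-port-mask ffff d-port 445 d-port-mask ffff
access-list combined 1001 rule 1 deny logging disable sip 192.168.198.1 sip-mask 255.255.255.0 dip 192.168.201.1 dip-mask 255.255.255.0
"""

# Constructed alternative: the same permit without the s-port constraint, so any client source port matches.
FIXED_RULES = """
access-list combined 1000 rule 1 permit logging disable sip 192.168.198.10 sip-mask 255.255.255.255 dip 192.168.201.10 dip-mask 255.255.255.255 protocol 6 d-port 445 d-port-mask ffff
access-list combined 1001 rule 1 deny logging disable sip 192.168.198.1 sip-mask 255.255.255.0 dip 192.168.201.1 dip-mask 255.255.255.0
"""

# Constructed packets: an SMB client SYN from a random ephemeral port, the server's reply, and a ping.
SMB_SYN = {"sip": "192.168.198.10", "sport": 51234, "dip": "192.168.201.10", "dport": 445, "proto": 6}
SMB_REPLY = {"sip": "192.168.201.10", "sport": 445, "dip": "192.168.198.10", "dport": 51234, "proto": 6}
PING = {"sip": "192.168.198.10", "sport": 0, "dip": "192.168.201.10", "dport": 0, "proto": 1}


def parse_rules(text):
    """Parse 'access-list combined <acl> rule <n> <action> key value ...' lines into dicts."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", "combined"]:
            continue  # 'access-list create N' and other lines carry no match criteria
        rule = {"acl": int(tok[2]), "id": int(tok[4]), "action": tok[5]}
        kv = tok[6:]
        rule.update(zip(kv[0::2], kv[1::2]))  # logging/sip/sip-mask/.../d-port-mask pairs
        rules.append(rule)
    return rules


def _ip_match(addr, rule, key):
    """Absent key matches anything; otherwise compare the bits selected by the mask (assumption)."""
    if key not in rule:
        return True
    mask = int(ipaddress.IPv4Address(rule.get(key + "-mask", "255.255.255.255")))
    return (int(ipaddress.IPv4Address(addr)) & mask) == (int(ipaddress.IPv4Address(rule[key])) & mask)


def _port_match(port, rule, key):
    """Absent key matches anything; the hex port mask selects the bits compared (assumption)."""
    if key not in rule:
        return True
    mask = int(rule.get(key + "-mask", "ffff"), 16)
    return (port & mask) == (int(rule[key]) & mask)


def rule_matches(rule, pkt):
    return (_ip_match(pkt["sip"], rule, "sip")
            and _ip_match(pkt["dip"], rule, "dip")
            and ("protocol" not in rule or int(rule["protocol"]) == pkt["proto"])
            and _port_match(pkt["sport"], rule, "s-port")
            and _port_match(pkt["dport"], rule, "d-port"))


def evaluate(rules, pkt, default="permit"):
    """Return (action, 'acl/rule') of the first matching rule, or (default, 'no match')."""
    for rule in sorted(rules, key=lambda r: (r["acl"], r["id"])):
        if rule_matches(rule, pkt):
            return rule["action"], f"{rule['acl']}/{rule['id']}"
    return default, "no match"


def compare():
    """Evaluate the three packets under both rule sets; returns {name: (original, fixed)}."""
    orig, fixed = parse_rules(ORIGINAL_RULES), parse_rules(FIXED_RULES)
    return {name: (evaluate(orig, pkt), evaluate(fixed, pkt))
            for name, pkt in [("smb_syn", SMB_SYN), ("smb_reply", SMB_REPLY), ("ping", PING)]}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:10} original: {before[0]:6} ({before[1]:8})  fixed: {after[0]:6} ({after[1]})")
```

Running the script shows the client SYN denied by 1001/1 under the posted rules and permitted by 1000/1 under the alternative, while the server's reply and the ping are evaluated independently of the SYN. The alternative rule set still enforces nothing on the 192.168.201.0/24 to 192.168.198.0/24 direction; symmetric enforcement on a stateless ACL needs explicit rules for that direction too (permit replies from TCP source port 445, deny the rest), which is what a bidirectional rule set means here.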
#1
Re:ACL not work
2025-07-06 12:25:11

  @Pablo_PL 


Switch ACLs are not stateful; try enabling bidirectional ACL rules.

#2
Re:ACL not work
2025-07-06 16:06:04

  @MR.S 

 

It does not work, I checked it.

#3
Re:ACL not work
2025-07-07 02:46:26

  @Pablo_PL 

Pablo_PL wrote

  @MR.S 


It does not work, I checked it.

MR.S is correct. So, the previous setup was incorrect.

This given picture is now correct.


Yet, if it does not work, you might check your device setup to see whether the devices have blocked unknown sources (firewall issues).

Or misconfig in your ACL. 

At least enable the ICMP to ping and learn the current status.

#4
Re:ACL not work
2025-07-07 14:51:30

  @Clive_A 


I’ve already checked that as well – disabling the firewall on my QNAP didn’t help. The idea with ICMP worked and the traffic goes through, but once port rules are added, it stops working. Generally speaking, it seems that ACLs for ports are not functioning properly.

#5
Re:ACL not work
2025-07-08 00:58:08

  @Pablo_PL 

Pablo_PL wrote

  @Clive_A 


I’ve already checked that as well – disabling the firewall on my QNAP didn’t help. The idea with ICMP worked and the traffic goes through, but once port rules are added, it stops working. Generally speaking, it seems that ACLs for ports are not functioning properly.

If you rule out the ICMP in the ACL, and it works in your test, then it means the ACL is effective.

It is a misconfig. 

You can refer to the docs from QNAP about what ports are required to be open for access. 

#6
Re:ACL not work
2025-07-08 03:33:13

  @Clive_A 

ICMP works as a protocol, and the Samba service is based on TCP. Ports are unblocked, and the firewall was disabled for testing. There is no point in checking if it does not work.
