Unable to block IPsec VPN client from accessing Gateway Management Page on 5.15 adapted firmwares
Tested on:
ER8411 1.3.2
ER7206 v2 2.2.3
ER605 v2 2.3.0
I haven't tested other types of remotely connected VPN clients, only IPsec clients (both site-to-site and client-to-site exhibit this problem).
Before the controller 5.15 adapted firmwares, you could prevent VPN clients from accessing the Gateway management page of any LAN the gateway has an interface for that the VPN is connected to (VPN Config > Local Networks) by a simple gateway ACL:
BLOCK > WAN-IN > TCP > [IP_GROUP OF CLIENTS] > Gateway Management Page
Now, this doesn't work on the latest batch of firmwares. And neither does a more targeted ACL of
BLOCK > WAN-IN > TCP > [IP_GROUP OF CLIENTS] > [IP_PORT_GROUP of Gateway IP 80,443]
Thinking outside the box, I also just tried to block the gateway response back to the remote client:
BLOCK > LAN>WAN > TCP > [IP_PORT_GROUP of Gateway IP 80,443] > [IP_GROUP OF CLIENTS]
This also did not work.
It no longer seems possible to actually block access to the gateway IP for remote clients.
Is there any solution to this?
This can be easily tested:
- Set up a network as an interface on the router
- Set up an IPsec VPN with the network defined in "Local Networks"
- Connect to the VPN with a remote client.
- Try any method of blocking the gateway management page
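A small probe to run from the connected VPN client at the last step above, to confirm whether the gateway's management ports actually complete a TCP handshake (an ACL that works should leave them filtered or refused). This is an added example, not code from the original post or from TP-Link; the gateway address 192.168.0.1 and the ports 80/443 are assumed values to replace with your own.

```python
"""Check whether the gateway management page is reachable from a VPN client."""
import socket
from typing import Dict, Iterable

# Assumed values: the gateway's LAN IP as seen from the VPN, and the
# management page ports. Adjust to your environment.
GATEWAY_IP = "192.168.0.1"
MGMT_PORTS = (80, 443)


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP port as 'open', 'refused', 'filtered' or 'error'.

    open     -> handshake completed: the page is reachable, the ACL is not
                taking effect for this client.
    refused  -> RST came back: the gateway answered but nothing listens.
    filtered -> no reply before the timeout: packets are being dropped,
                which is what a working WAN-IN / LAN>WAN block looks like.
    error    -> no route or other socket error (e.g. VPN tunnel down).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "error"


def probe_management(host: str = GATEWAY_IP,
                     ports: Iterable[int] = MGMT_PORTS) -> Dict[int, str]:
    """Probe every management port and return {port: state}."""
    return {port: probe_port(host, port) for port in ports}


def acl_is_effective(results: Dict[int, str]) -> bool:
    """True only if no management port completed a handshake."""
    return all(state != "open" for state in results.values())


if __name__ == "__main__":
    results = probe_management()
    for port, state in sorted(results.items()):
        print(f"{GATEWAY_IP}:{port} -> {state}")
    if acl_is_effective(results):
        print("ACL effective: management page not reachable")
    else:
        print("ACL NOT effective: management page reachable over the VPN")
```

Run it once before adding the ACL and once after; if both runs report "open", the rule is not being applied to the tunnel traffic.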