Gateway ACL LAN to LAN feature is not working

I have configured VLANs 10, 20, 30, 100, and 200. The IPs are 192.168.x.0/24 (x being the VLAN ID).
VLAN 100 and 200 are applied on an SSID broadcast by my APs. I want to block access of VLAN 100 and 200 to all other VLANs. The VLANs are created with the purpose set to interface, so routing is done on the gateway.
Gateway ACLs proved to be useless as I can still ping other VLANs when I'm in both VLAN 100 and 200. A change to the Switch ACL fixed the problem. What is the issue here and why does Gateway ACL not work?
Generally gateway ACLs still allow all the gateway IPs of all vlans hosted on the gateway to be pingable. Why? Who knows, just how it is.
In all other ways gateway lan<>lan ACLs work fine.
Thank you for your post. They should indeed work. How did you configure the ACL? Two ACL entries are required here, or you should enable bidirectional ACL blocking when configuring—once enabled, two ACL entries will be created automatically.
I just came across this thread so I may be late in commenting here. In my network, the gateway ACLs work fine in preventing VLANs from reaching each other EXCEPT for the VLAN interfaces on the gateway. I can still ping the VLAN gateway address and navigate to the VLAN gateway's GUI. Just yesterday, I discovered that by creating an additional gateway rule to deny access for certain VLANs to the destination "Gateway Management Page", those VLANs can no longer access the gateway GUI. Setting the protocols to "All" also prevents the VLAN devices from pinging the gateway. In my case, I sometimes use a laptop on a particular VLAN for maintenance and testing. I changed the new gateway ACL to only deny the TCP protocol and this allows me to ping the gateway when needed.
Be careful setting a lan<>lan ACL to the gateway page with "ALL" protocols - this will totally kill internet access for the vlans in the rule. (What actually kills it is having the ICMP protocol selected, either on its own or with others / all.) Selecting TCP is enough to prevent GMP GUI access.
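The three pitfalls raised in this thread (a one-way LAN>LAN deny with no reverse entry, the gateway's own VLAN interface IPs staying reachable, and an ICMP/ALL deny to the management page cutting off internet) can be caught before deployment with a small rule-set linter. This is an added example written for this page, not Omada code: the Rule model, the rule-set names and the VLAN labels are constructed, and "Gateway Management Page" is used as the destination name exactly as the thread quotes it.

```python
"""Lint a gateway ACL rule set for the three traps discussed in this thread."""
from dataclasses import dataclass

MGMT = "Gateway Management Page"  # special destination type named in the thread


@dataclass(frozen=True)
class Rule:
    src: str               # constructed label, e.g. "VLAN100"
    dst: str               # constructed label, e.g. "VLAN20", or MGMT
    protocols: frozenset   # e.g. frozenset({"TCP"}) or frozenset({"ALL"})
    policy: str = "deny"


def lint(rules, isolated_vlans):
    """Return a list of findings; an empty list means no known trap is present."""
    findings = []
    denies = [r for r in rules if r.policy == "deny"]
    pairs = {(r.src, r.dst) for r in denies if r.dst != MGMT}
    # 1. A one-directional LAN>LAN deny needs its mirror entry
    #    (bidirectional mode in the UI creates the mirror automatically).
    for src, dst in sorted(pairs):
        if (dst, src) not in pairs:
            findings.append(f"{src}->{dst} has no reverse entry {dst}->{src}")
    # 2. LAN>LAN denies do not cover the gateway's own VLAN interface IPs/GUI;
    #    a separate deny to the management page destination is required.
    for vlan in isolated_vlans:
        if not any(r.src == vlan and r.dst == MGMT for r in denies):
            findings.append(f"{vlan} can still reach gateway interface IPs (no {MGMT} rule)")
    # 3. ICMP (alone or via ALL) in a management-page deny kills internet for that VLAN.
    for r in denies:
        if r.dst == MGMT and r.protocols & {"ALL", "ICMP"}:
            findings.append(f"{r.src}->{MGMT} includes ICMP/ALL; breaks internet, use TCP only")
    return findings


# Constructed sample: the one-way rules the original post describes.
BROKEN = [
    Rule("VLAN100", "VLAN10", frozenset({"ALL"})),
    Rule("VLAN100", "VLAN20", frozenset({"ALL"})),
]
# Constructed sample: mirrored entries plus a TCP-only management-page deny.
FIXED = [
    Rule("VLAN100", "VLAN10", frozenset({"ALL"})), Rule("VLAN10", "VLAN100", frozenset({"ALL"})),
    Rule("VLAN100", "VLAN20", frozenset({"ALL"})), Rule("VLAN20", "VLAN100", frozenset({"ALL"})),
    Rule("VLAN100", MGMT, frozenset({"TCP"})),
]

if __name__ == "__main__":
    for name, rules in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, lint(rules, ["VLAN100"]) or "OK")
```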