Home

Forums

Stories

Knowledge Base

Business Community > General Discussion > Gateway ACL rule doesn't work, but same rule on Switch ACL works

< General Discussion

Gateway ACL rule doesn't work, but same rule on Switch ACL works

wiub

3 weeks ago - last edited 2 weeks ago

Posts: 9

Helpful: 0

Solutions: 0

Stories: 0

Registered: 2025-09-16

Gateway ACL rule doesn't work, but same rule on Switch ACL works

3 weeks ago - last edited 2 weeks ago

Model: ER605 (TL-R605) OC200 SG2008P

Hardware Version:

Firmware Version:

I am a beginner and I would like to understand why if I create a Gateway ACL that denies all protocols from VLAN 10 to VLAN 01 (as in first image), it doesn't work. In fact I would expect that the PC on VLAN 10 would stop ping the device on VLAN 01 but it doesn't!

r/TPLink_Omada - Gateway ACL doesn't work, but same Switch ACL works

Instead if I create the same exact rule but on Switch ACL (as in second image), it works as expected and the PC on VLAN 10 can't ping the device on VLAN 01 anymore.

r/TPLink_Omada - Gateway ACL doesn't work, but same Switch ACL works

Is Gateway ACL completely useless?

1 Accepted Solution

GRL

LV4

3 weeks ago - last edited 2 weeks ago

Posts: 847

Helpful: 355

Solutions: 101

Stories: 0

Registered: 2022-01-02

Re:Gateway ACL rule doesn't work, but same rule on Switch ACL works-Solution

3 weeks ago - last edited 2 weeks ago

@wiub

It takes a few seconds for gateway ACLs to kick-in once you active the rule. And, if you are actively pinging something that will be considered a current session going through the firewall and will continue until you break the cycle - as you noted. this is normal. it doesn't indicate that the rules don't work.

As said above - switch rules ate stateless and therefor there is no connection tracking. This means that in effect a rule that block say vlan 1 > vlan 10 will also inherently block vlan 10 > vlan 1 since either the reach-out or the response will be blocked by the same rule

Recommended Solution

4 Reply

jra11500

LV4

3 weeks ago - last edited 3 weeks ago

Posts: 436

Helpful: 172

Solutions: 29

Stories: 2

Registered: 2022-12-20

Re:Gateway ACL rule doesn't work, but same rule on Switch ACL works

3 weeks ago - last edited 3 weeks ago

@wiub

With the gateway ACL, if your PC on VLAN 10 is pinging the gateway on VLAN 1, you will get a response. If your PC pings any other device on VLAN 1, it should not get a response. The gateway is always accessible unless you create an ACL to deny access to the Gateway Management Page..

Switch ACLs are stateless, which means the switch does not remember anything about an established connection. If you do not have a switch ACL to allow the ping response, then the response will never be seen and that is why everything appears to be working with the switch ACL.

1x ER706W 1x OC300 4x SG2008 1x EAP610 2x EAP650

wiub

LV1

3 weeks ago

Posts: 9

Helpful: 0

Solutions: 0

Stories: 0

Registered: 2025-09-16

Re:Gateway ACL rule doesn't work, but same rule on Switch ACL works

3 weeks ago

Thank you very much for the answer. Actually, I noticed that the Gateway ACL works but not while I am pinging. I mean, If I create a rule to block from vlan 10 to vlan 1 but I am already pinging the device on vlan 1 with my device on vlan 10, the Gateway ACL rule doesn't work until I stop pinging for some seconds. This problem doesn't happen with Switch ACL that works even if I am pinging. Is it normal?

GRL

LV4

3 weeks ago - last edited 2 weeks ago

Posts: 847

Helpful: 355

Solutions: 101

Stories: 0

Registered: 2022-01-02

Re:Gateway ACL rule doesn't work, but same rule on Switch ACL works-Solution

3 weeks ago - last edited 2 weeks ago

@wiub

Gateway ACL rule doesn't work, but same rule on Switch ACL works

Gateway ACL rule doesn't work, but same rule on Switch ACL works

Information

Voters 0

Tags