Gateway ACL rule doesn't work, but same rule on Switch ACL works

Thursday - last edited Thursday
Model: ER605 (TL-R605)   OC200   SG2008P  
Hardware Version:
Firmware Version:

I am a beginner and I would like to understand why, if I create a Gateway ACL that denies all protocols from VLAN 10 to VLAN 01 (as in the first image), it doesn't work. In fact, I would expect that the PC on VLAN 10 would stop pinging the device on VLAN 01, but it doesn't!

[Image 1: the Gateway ACL rule]

Instead, if I create the exact same rule on the Switch ACL (as in the second image), it works as expected and the PC on VLAN 10 can't ping the device on VLAN 01 anymore.

[Image 2: the Switch ACL rule]

Is Gateway ACL completely useless?

#1
Re:Gateway ACL rule doesn't work, but same rule on Switch ACL works
Thursday - last edited Thursday

  @wiub 

With the gateway ACL, if your PC on VLAN 10 is pinging the gateway on VLAN 1, you will get a response. If your PC pings any other device on VLAN 1, it should not get a response. The gateway is always accessible unless you create an ACL to deny access to the Gateway Management Page.

Switch ACLs are stateless, which means the switch does not remember anything about an established connection.  If you do not have a switch ACL to allow the ping response, then the response will never be seen and that is why everything appears to be working with the switch ACL.

1x ER706W 1x OC300 4x SG2008 1x EAP610 2x EAP650
#2
Re:Gateway ACL rule doesn't work, but same rule on Switch ACL works
Friday
Thank you very much for the answer. Actually, I noticed that the Gateway ACL works, but not while I am pinging. I mean, if I create a rule to block from VLAN 10 to VLAN 1 while I am already pinging the device on VLAN 1 from my device on VLAN 10, the Gateway ACL rule doesn't work until I stop pinging for some seconds. This problem doesn't happen with the Switch ACL, which works even while I am pinging. Is it normal?
#3
Re:Gateway ACL rule doesn't work, but same rule on Switch ACL works
Friday - last edited Friday

  @wiub 

It takes a few seconds for gateway ACLs to kick in once you activate the rule. And if you are actively pinging something, that will be considered a current session going through the firewall and will continue until you break the cycle, as you noted. This is normal; it doesn't indicate that the rules don't work.

As said above, switch rules are stateless and therefore there is no connection tracking. This means that, in effect, a rule that blocks, say, VLAN 1 > VLAN 10 will also inherently block VLAN 10 > VLAN 1, since either the reach-out or the response will be blocked by the same rule.

Main: ER8411 x1, SG3428X x1, SG3452 x1, SG2428LP x1, SG3210 x1, SG2218P x1, SG2008P x3, ES208G x1, EAP650 x6 Remote: ER7206 v2 x1, ER605 v2 x3, SG2008P x2, EAP650 x2, ES205G x1 Controller: OC300
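A toy simulation of the difference the two replies above describe, added here as an example rather than taken from the thread or from TP-Link: the stateless switch ACL judges each packet alone, while the stateful gateway ACL consults a session table first, so a ping already running when the deny rule is activated keeps flowing until the flow idles out. The session semantics and the 30 s idle timeout are assumptions for the model, not documented Omada values.

```python
# Added example, not the thread's or TP-Link's own code: a toy model of the
# two ACL styles discussed above. The stateless (switch) ACL judges every
# packet on its own; the stateful (gateway) ACL consults a session table
# first, so a ping already running when the deny rule is activated keeps
# flowing until it goes idle. The 30 s idle timeout is a constructed value.

def stateless_verdict(src_vlan, dst_vlan, deny):
    """Switch-style ACL: each packet is matched alone against deny pairs."""
    return (src_vlan, dst_vlan) not in deny


class StatefulAcl:
    """Gateway-style ACL with connection tracking (assumed behaviour)."""

    def __init__(self, idle_timeout=30.0):
        self.idle_timeout = idle_timeout
        self.deny = set()     # (src_vlan, dst_vlan) pairs; empty = permit all
        self.sessions = {}    # canonical flow key -> time of last packet

    def verdict(self, src_vlan, dst_vlan, t):
        key = tuple(sorted((src_vlan, dst_vlan)))   # both directions, one session
        last = self.sessions.get(key)
        if last is not None and t - last <= self.idle_timeout:
            self.sessions[key] = t                  # established: refresh and pass
            return True
        self.sessions.pop(key, None)                # new or expired: apply rules
        if (src_vlan, dst_vlan) in self.deny:
            return False
        self.sessions[key] = t
        return True


def ping_scenario(deny_pair=(10, 1), idle_timeout=30.0):
    """Replay the thread: ping VLAN 10 -> VLAN 1 once a second, activate the
    deny rule at t=5, keep pinging until t=10, pause, resume at t=50.
    Returns ({t: ping_ok} for the gateway ACL, {t: ping_ok} for the switch ACL);
    a ping counts as ok only if both request and reply pass."""
    gw, switch_deny = StatefulAcl(idle_timeout), set()
    gw_ok, sw_ok = {}, {}
    for t in list(range(0, 11)) + [50, 51]:
        if t == 5:
            gw.deny.add(deny_pair)
            switch_deny.add(deny_pair)
        req = gw.verdict(10, 1, t)
        gw_ok[t] = req and gw.verdict(1, 10, t + 0.1)    # reply 100 ms later
        req = stateless_verdict(10, 1, switch_deny)
        sw_ok[t] = req and stateless_verdict(1, 10, switch_deny)
    return gw_ok, sw_ok
```

With the default deny 10 -> 1, the gateway model keeps passing the running ping and only blocks once the flow has idled out, while the switch model blocks from the first packet after the rule. With deny 1 -> 10 instead, the gateway model never interrupts the ping because the tracked reply is part of an allowed session, whereas the switch model still kills it by dropping the replies.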