Bug Report: ER707-M2 (v1.4.2) - IDS/IPS silently drops traffic and completely ignores Allow List

a week ago
Model: ER707-M2  
Hardware Version: V12
Firmware Version: 1.4.2

Hello everyone,

I want to report a critical bug regarding the IDS/IPS engine and the Allow List processing on the ER707-M2. When IDS/IPS is enabled, the router silently drops traffic to certain dynamic CDN IPs (specifically Akamai / Microsoft Teams) and completely ignores any explicit Allow List entries created to bypass this block.

Environment:

  • Router: ER707-M2 v1.20

  • Firmware: 1.4.2

  • Issue: Silent drops, False Positives blocking MS Teams, Allow List bypass fails.

Steps to Reproduce:

  1. Enable IDS/IPS (Security Level: Custom, with standard categories like Malware, Botcc, DShield enabled). GEO Enforcer is OFF.

  2. Attempt to connect to Microsoft Teams or run a connection test: curl -Iv -4 https://<url to statics dot teams dot cdn dot office dot net> --connect-timeout 10

  3. The connection times out. No entry is generated in the Threat Management logs ("Silent Drop").

  4. To whitelist the Akamai CDN, create an Allow List entry for the affected subnets (e.g., 2.16.168.0/24 or 23.32.238.0/24), setting both Source and Destination to "Subnet".

  5. Reboot the router to clear the state table / cache.

  6. Run the connection test again.

Expected Behavior: The IDS/IPS engine should respect the Allow List and let the traffic to the specified subnets pass, even if the IP is flagged in one of the threat categories (like DShield, Botcc, or Malware).

Actual Behavior: The Allow List is completely ignored. The traffic is still silently dropped.

Troubleshooting performed:

  • Disabling GEO Enforcer did not resolve the issue.

  • Disabling single categories (e.g., only Botcc or only Malware) did not resolve the issue due to overlapping IP flags in multiple databases.

  • Proof of Bug: Only when turning the IDS/IPS main switch completely OFF and rebooting the router to clear the state table, the traffic passes immediately (HTTP/2 400 from the Microsoft Server).

Conclusion: The Suricata engine in firmware 1.4.2 drops packets based on signature matches before checking or respecting the user-defined Allow List. Since MS Teams relies on these CDNs, the IDS/IPS feature currently breaks essential Office 365 communication and cannot be mitigated via the Allow List.

Could the R&D team please look into why the Allow List is ignored by the IDS module?

Thank you and best regards!

German Version (For DACH Support)

Subject: Bug Report: ER707-M2 (v1.4.2) - IDS/IPS ignores Allow List and silently blocks traffic

Message: Dear TP-Link Support Team,

I would like to report a critical bug in the firmware of the ER707-M2. As soon as the IDS/IPS module is enabled, connections to certain dynamic CDN IPs (in particular Akamai / Microsoft Teams) are silently discarded ("Silent Drop"). The main problem: the firewall completely ignores manually created "Allow List" entries that are meant to bypass this behavior.

System Environment:

  • Router: ER707-M2 v1.20

  • Firmware: 1.4.2

Bug Description & Reproduction:

  1. IDS/IPS is enabled (Security Level: Custom, categories such as Malware, Botcc, DShield are on). GEO Enforcer is disabled.

  2. A connection attempt to MS Teams (e.g. curl -Iv -4 https://<url zu statics dotteams dot cdn dot office dot net> --connect-timeout 10) runs into a timeout. There is no corresponding entry in the Threat Management log.

  3. To allow the Akamai CDN, an Allow List entry is created (Direction: Source & Destination, Track By: Subnet, IP: e.g. 2.16.168.0/24).

  4. The router is rebooted to clear the state table / cache.

  5. The connection test is repeated.

Expected Behavior: The engine must respect the Allow List and let the traffic through, even if the IP appears in one of the signature lists (Botcc, Malware etc.).

Actual Behavior: The Allow List is completely ignored by the system. The packets continue to be dropped.

Tests Already Performed: The problem is demonstrably in the IDS module. Only when IDS/IPS is completely disabled via the main switch AND the router is then rebooted (cache flush) does traffic to Microsoft immediately pass without errors.

It appears that the Deep Packet Inspection engine in version 1.4.2 drops packets based on signatures before the user-defined Allow List is checked at all. Since the module blocks global CDNs and ignores whitelisting, it is currently unusable in Office 365 environments.

I ask that this bug be forwarded to the development department (R&D) so that the precedence of the Allow List can be corrected in the firmware.

Many thanks and kind regards, Tobias Kellermann

#1
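The reproduction steps above reduce to one measurement (does curl time out, or does it get any HTTP response?) plus one precondition that is easy to get wrong with a dynamic CDN: was the IP that curl actually connected to inside the allow-listed subnets? A timeout on an IP outside 2.16.168.0/24 and 23.32.238.0/24 is a gap in the list, not evidence that the IDS ignores it. The script below is an added example, not code from the post or from TP-Link; it assumes only Python 3 and, for the optional live run, a curl binary on PATH. It takes the two /24 subnets and the curl flags from the post; the function names (covering_subnets, diagnose, run_live) and the sample observations are constructed for this example.

```python
"""Allow-list coverage and curl-result triage for the IDS/IPS silent-drop test.

Added example, not part of the forum post. Standard library only; run_live()
additionally needs a curl binary (curl >= 7.29 for the %{remote_ip} variable).
"""
import ipaddress
import subprocess
from dataclasses import dataclass

# Subnets from the post's Allow List entries (step 4 of the report).
ALLOW_LIST = ["2.16.168.0/24", "23.32.238.0/24"]

# curl exit codes used here (see the EXIT CODES section of `man curl`).
CURL_OK = 0
CURL_COULDNT_CONNECT = 7
CURL_TIMEOUT = 28


@dataclass
class Verdict:
    ip: str
    covered_by: list      # allow-list subnets that contain ip (empty if none)
    curl_exit: int
    http_code: int
    diagnosis: str


def covering_subnets(ip: str, subnets=ALLOW_LIST) -> list:
    """Return every allow-list subnet that contains `ip` (empty list if none)."""
    addr = ipaddress.ip_address(ip)
    return [s for s in subnets if addr in ipaddress.ip_network(s, strict=False)]


def diagnose(ip: str, curl_exit: int, http_code: int = 0, subnets=ALLOW_LIST) -> Verdict:
    """Combine 'is the contacted IP allow-listed?' with 'how did curl end?'."""
    covered = covering_subnets(ip, subnets)
    if curl_exit == CURL_OK:
        # Any HTTP status (the post sees a 400) proves the TCP/TLS path is open.
        diagnosis = f"pass: HTTP {http_code} received, no drop"
    elif curl_exit == CURL_TIMEOUT and covered:
        diagnosis = "timeout despite allow-list coverage: allow list not honored (the reported bug)"
    elif curl_exit == CURL_TIMEOUT:
        diagnosis = "timeout on an IP outside the allow list: extend the list to cover it, then retest"
    elif curl_exit == CURL_COULDNT_CONNECT:
        diagnosis = "connection refused/unreachable: active reject, not a silent drop"
    else:
        diagnosis = f"curl exit {curl_exit}: inspect the verbose (-v) output"
    return Verdict(ip, covered, curl_exit, http_code, diagnosis)


def run_live(host: str, timeout: int = 10) -> Verdict:
    """Run the post's connection test against `host` and triage the outcome.

    Same flags as the post (-I, -4, --connect-timeout); -w appends the HTTP code
    and the peer IP curl really connected to, so the verdict uses that address
    rather than whatever a separate DNS lookup would have returned.
    """
    proc = subprocess.run(
        ["curl", "-sS", "-I", "-4", "--connect-timeout", str(timeout),
         "-o", "/dev/null", "-w", "%{http_code} %{remote_ip}", f"https://{host}"],
        capture_output=True, text=True)
    code_str, _, ip = proc.stdout.strip().partition(" ")
    http_code = int(code_str) if code_str.isdigit() else 0   # "000" on failure
    return diagnose(ip or "0.0.0.0", proc.returncode, http_code)


if __name__ == "__main__":
    # Constructed observations standing in for the thread's screenshots:
    # (peer IP, curl exit code, HTTP code)
    samples = [
        ("2.16.168.45", CURL_TIMEOUT, 0),   # inside an allow-listed /24, still times out
        ("23.55.12.7", CURL_TIMEOUT, 0),    # CDN answered from an IP the list does not cover
        ("2.16.168.45", CURL_OK, 400),      # IDS off + reboot: the HTTP 400 the post describes
    ]
    for ip, exit_code, http in samples:
        v = diagnose(ip, exit_code, http)
        print(f"{v.ip:14} exit={v.curl_exit:2} -> {v.diagnosis}")
```

Run diagnose() on the observed values, or run_live("<host>") for a live check; only the "timeout despite allow-list coverage" verdict actually supports the claim that the engine bypasses the Allow List, which is the case worth attaching to a support ticket.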
Re:Bug Report: ER707-M2 (v1.4.2) - IDS/IPS silently drops traffic and completely ignores Allow List
a week ago

Hi @Support_TK

Thanks for posting here.

To better understand this situation, please let us know the following info:

1. 1.4.2 was just released. When did you first notice this? After the firmware upgrade of ER707-M2, does this also persist on the previous firmware?

2. A screenshot of the IPS/IDS config page;

3. The screenshots of the allow list;

4. the type and firmware version of the controller you are using;

5. screenshots showing the test result:

Attempt to connect to Microsoft Teams or run a connection test: curl -Iv -4 https://<url to statics dot teams dot cdn dot office dot net> --connect-timeout 10

#2
Re:Bug Report: ER707-M2 (v1.4.2) - IDS/IPS silently drops traffic and completely ignores Allow List
a week ago

Hi @Vincent-TP,

Thank you for getting back to me so quickly. Here is the requested information to help you investigate the issue:

1. Firmware Upgrade Context: I had already experienced intermittent connectivity and loading issues with Microsoft Teams prior to the 1.4.2 upgrade. However, I only conducted the in-depth technical analysis (using curl tests and isolating the specific Allow List behavior) after upgrading the ER707-M2 to firmware 1.4.2. Therefore, I can confirm that the false-positive drops for the Akamai CDN happened on the previous firmware as well, but I cannot definitively say if the Allow List was already being ignored back then, as I created these specific Subnet Allow List entries during my troubleshooting on 1.4.2.

2. IPS/IDS config page: As you can see, the GEO Enforcer is turned OFF, but standard Threat Categories are enabled.

3. Allow List screenshots: The screenshots show both Source and Destination rules explicitly set to "Subnet" for the affected Akamai IP range.

4. Controller Info: I am currently using the Omada Software Controller version 6.2.0.17

5. Test Results: [Please see attached screenshot: "Curl-Test.png"] The screenshot shows the terminal output of the curl command. It clearly demonstrates the connection running into a timeout when the IDS is ON, despite the active Allow List for that exact IP range. (As a reminder: When the IDS main switch is turned OFF and the state table is cleared via reboot, the exact same curl command succeeds instantly).

 

Please let me know if you need any further logs, packet captures, or additional tests.

Best regards, Tobias

#3
Re:Bug Report: ER707-M2 (v1.4.2) - IDS/IPS silently drops traffic and completely ignores Allow List
a week ago

Hi @Support_TK

Thanks for the reply.

4. Controller Info: I am currently using the Omada Software Controller version 6.2.0.17

>>>We have released a new version, 6.2.10.17. Would you mind updating the controller to the latest version and seeing if the issue persists?

5. Test Results: [Please see attached screenshot: "Curl-Test.png"] The screenshot shows the terminal output of the curl command. It clearly demonstrates the connection running into a timeout when the IDS is ON, despite the active Allow List for that exact IP range. (As a reminder: When the IDS main switch is turned OFF and the state table is cleared via reboot, the exact same curl command succeeds instantly).

>>>For some reason, the screenshot was not uploaded. Please try again. Thanks.

#4
Re:Bug Report: ER707-M2 (v1.4.2) - IDS/IPS silently drops traffic and completely ignores Allow List
a week ago - last edited a week ago

Hi @Vincent-TP

Thanks for the quick response.

Regarding Point 4: As requested, I have successfully updated my Omada Software Controller to the latest version 6.2.10.17. After the update, I made sure the Allow List was successfully provisioned to the router, and I performed a hard reboot of the ER707-M2 to completely clear its state table. Unfortunately, the issue persists exactly as described. The router on firmware 1.4.2 still ignores the Allow List and drops the packets silently as long as the IDS module is turned on. (This points to a bug in the router's firmware/Suricata engine itself, rather than a controller provisioning issue).

Regarding Point 5: I apologize for the upload issue. I am attaching the screenshot of the terminal output as a zip file again to this message. Please let me know if you can view it this time.

I really hope this can be forwarded to the R&D team, as the IDS feature currently breaks MS Teams for enterprise/home-office environments.

Best regards, Tobias

File: Curl-Test.zip
#5
Re:Bug Report: ER707-M2 (v1.4.2) - IDS/IPS silently drops traffic and completely ignores Allow List
a week ago - last edited a week ago

@Support_TK

My ER707-M2 is running the same firmware as yours. IDS/IPS is enabled for 8 out of 12 categories, all except P2P, Tor, Activex, and User Agent. My wife uses MS Teams to connect with her colleagues, and the kids use MS Teams to connect with their teachers. None of them has reported any issue so far.

Edit: my hardware controller is running firmware 6.2.10.18, if it matters.

Do you happen to run any custom DNS on your router?

#6
Re:Bug Report: ER707-M2 (v1.4.2) - IDS/IPS silently drops traffic and completely ignores Allow List
Wednesday

Hi @Support_TK
Thanks for the reply.

This may be related to certain config or other unknown factors in your network. 
To better assist you, I've created a support ticket via your registered email address and escalated it to our support engineer to look into the issue. The ticket ID is TKID260581325. Please check your inbox and confirm that the support email was received. Thanks!
Once the issue is resolved, please update this thread with your solution to help others who may encounter the same problem.
Many thanks for your excellent cooperation and patience!

#7