Problem with the Firewall configuration / best-practice tips on TL-R605
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Hi all,
I just installed a new TL-R605 router in exchange for an existing pfSense setup.
The initial setup was straight forward and without problems.
But now I am configuring/replicating the firewall rules and it seems that I cannot wrap my head around the way the rules for the TP-Link should be configured.
One of the rules that seemed to work but then failed were configured the following in pfSense:
Super easy: one client was allowed to use any port outgoing:
Now it is configured that this IPGROUP is allowed to use all ports to any IPGROUP with all services (this should include UDP) and on all interfaces:
This was one of the first new rules I added to the router and it worked right away. It is a bit difficult to determine, when changes are applied.
After that I added other rules (with higher id, so lower priority), but now it seems it does not work anymore.
I already searched here and also been through the manual a couple of times, but found nothing that would help.
Do you maybe have a source, with a more detailed explanation on how the rules should be configured?
Thanks a lot,
Ben
Edit: better title
Dear @BenHH,
One of the rules that seemed to work but then failed were configured the following in pfSense:
Super easy: one client was allowed to use any port outgoing:
Now it is configured that this IPGROUP is allowed to use all ports to any IPGROUP with all services (this should include UDP) and on all interfaces:
This was one of the first new rules I added to the router and it worked right away. It is a bit difficult to determine, when changes are applied.
After that I added other rules (with higher id, so lower priority), but now it seems it does not work anymore.
What other rules did you add to the router? How did you test and find it works or not?
Hi @Fae,
thanks for your reply.
I basically followed the example from the user guide:
(From the user guide p91)
Where I replaced RD_Dept with the default IPGROUP_LAN and added an additional IPGROUP (shown in my initial post) that should be allowed to use all ports/services.
I did some further testing and came to the conclusion, when I exchange the source and the destination, the rule works:
Why?
In the example only the IPs from the RD_Dept are affected by the rules shown (and those rules seems to work as expected in my setup).
When I want to allow all ports only for this specific IPGROUP, I assumed, this group should be the source (I mean, this ip addresses request/access those ports).
Thanks a lot,
Ben
Edit: my rule was added on top of the rules from the user guide with id 1
@BenHH I am not sure, if I am blind, but I adopted the R605 to a controller and cannot find, where to configure the firewall rules after.
Only thing I can find are the ACL, and there it seems, as if I am not able to block INCOMING traffic:
Only block (effect on) traffic from LAN to WAN?
I want the router to be invisible from the WAN (ignore/drop requests instead of respond with "closed").
Is there a configuration i missed?
Ben
Dear @BenHH,
Only thing I can find are the ACL, and there it seems, as if I am not able to block INCOMING traffic:
Only block (effect on) traffic from LAN to WAN?
I want the router to be invisible from the WAN (ignore/drop requests instead of respond with "closed").
Is there a configuration i missed?
Sorry that the Gateway ACL can only block traffic from LAN to WAN at the time being. The product team has a plan to support blocking traffic from LAN to LAN, as for blocking traffic from WAN to LAN, I'll forward this to the product team for further evaluation.
Edit:
The gateway TL-R605 is a NAT device, it will block traffic from WAN to LAN automatically. But if you want to limit specific external IPs to access the internal server, you may configure Port Forwarding to make it, in controller mode, we can configure Source IP.
In standalone mode, we need to configure ACL to set the source IP, refer to this FAQ for details.