Secured Admin, Home, IoT, Cameras and Guest VLAN using Gateway ACL

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Secured Admin, Home, IoT, Cameras and Guest VLAN using Gateway ACL

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Secured Admin, Home, IoT, Cameras and Guest VLAN using Gateway ACL
Secured Admin, Home, IoT, Cameras and Guest VLAN using Gateway ACL
2023-03-01 19:13:20 - last edited 2023-05-09 16:39:49
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version:

Hey everyone,

 

This applies to ER-7206 at the time of writing and testing. ER-605 v2 is supposed to support it as well as the beta firmware for ER-605 v1 but I have not tested it there.

 

Prior to  v1.2.3 ER-7206 Firmware, I rely mostly on Switch ACLs but with the latest firmware, I am able to transition my Switch ACLs to Gateway ACLs.

 

I attached a diagram of the network and a table with how each VLAN functions:

* Admin - this is the Native/Default VLAN 1. Access to all VLANs

* Home - Access to all except Admin VLAN

* Guest - Access to Internet only, no access to same-VLAN devices. Wireless ONLY

* Cameras - Access to same-VLAN devices only, no Internet

* IoT - Access to same-VLAN devices with Internet

 

I also have a full-length video full-length video (long one) that shows this, including all the tests I did. It is Part 12 of the video. 

 

ACLs:

For Guests, make sure the Guest Network check box for Wifi is checked

 

  1. Deny Home to Admin
    Direction: LAN > LAN
    Policy: Deny
    Protocols: All
    Source > Network > Home
    Destination > Network > Admin
     
  2. Deny Camera to Internet
    Direction: LAN > WAN
    Policy: Deny
    Protocols: All
    Source > Network > Camera
    Destination > IP Group > IPGroup_Any
     
  3. Deny Camera to All
    Direction: LAN > LAN
    Policy: Deny
    Protocols: All
    Source > Network > Camera
    Destination > Network > Admin
    Destination > Network > Home
    Destination > Network > Guest
    Destination > Network > IoT
     
  4. Deny IoT to All
    Direction: LAN > LAN
    Policy: Deny
    Protocols: All
    Source > Network > IoT
    Destination > Network > Admin
    Destination > Network > Home
    Destination > Network > Guest
    Destination > Network > Cameras

 

 

  19      
  19      
#1
Options
3 Reply
Re:Secured Admin, Home, IoT, Cameras and Guest VLAN using Gateway ACL
2023-03-06 14:12:46 - last edited 2023-03-07 08:45:24

  @Death_Metal Thank you all for those who bookmarked and marked this as helpfuil.

 

Just to let those subscribed here know, that I am going to use this design as a "baseline" in my YT channel. What that means is, I will try and adress some of the feedback and comments I got from other sources mainly, the "limitation" of this design: port-based control for ACL. While I agree that the current Gateway ACL is still lacking compared to competition, I do not believe that port-based ACL is a limitation of this design. It is just that this design mainly focused on some of the use-case scenarios of Gateway ACL that was convoluted to implement prior to this feature.And the main reason I focused on the areas I covered in this post, is that, based on my (warning: anecdotal and limited) experience, the features I covered are applicable to most of the users.

 

thanks again all....

  6  
  6  
#2
Options
Re:Secured Admin, Home, IoT, Cameras and Guest VLAN using Gateway ACL
2023-03-10 06:00:20 - last edited 2023-05-09 16:34:15

Hello. this is a follow up for this topic. In this installment, the same wiring, VLAN, and devices are used but there is a change in the ACL configuration. I covered the ACL portion below, and if you like a video, I have it covered in the Part 4 of this new video that shows all the test and the configuration I did. The use-case addressed in the ACL revision, is to permit IoT VLAN devices to initiate communication to Home VLAN. With Gateway ACL, the communication always needs to be initiated from Home VLAN to IoT VLAN i.e. Home VLAN can connect to IoT but not vice-versa.

 

A scenario where this communication is needed is when there is a service, or server, that IoT devices needs to access in Home VLAN. With Switch ACL implementation, Stateful ACL will be out of the picture. This means, ACLs needs to be more granular, requires more work and is not suited for the impatient. All communication to/from IoT NEEDS TO BE EXPLICITLY DEFINED.

 

For this use case, I will only cover the IoT to Home (and back) communication. 

 

  • Admin - this is the Native/Default VLAN 1. Access to all VLAN, can get granular Access to IoT VLAN with VNC and SSH
  • Home - Access to all except Admin VLAN, granular access to IoT VLAN with VNC and SSH
  • Guest - Access to Internet only, no access to same-VLAN devices. Wireless ONLY
  • Cameras - Access to same-VLAN devices only, no Internet
  • IoT - Access to same-VLAN devices with Internet, granular access to Home VLAN with DNS

 

Note: DNS Server @ Home VLAN: 192.168.10.75

 

Gateway ACLs:

  1. Deny Home to Admin
    Direction: LAN > LAN
    Policy: Deny
    Protocols: All
    Source > Network > Home
    Destination > Network > Admin
     
  2. Deny Camera to Internet
    Direction: LAN > WAN
    Policy: Deny
    Protocols: All
    Source > Network > Camera
    Destination > IP Group > IPGroup_Any
     
  3. Deny Camera to All
    Direction: LAN > LAN
    Policy: Deny
    Protocols: All
    Source > Network > Camera
    Destination > Network > Admin
    Destination > Network > Home
    Destination > Network > Guest
    Destination > Network > IoT

 

Switch ACLs:

  1. Permit VNC to IoT
    Policy: Permit
    Protocols: All
    Source > IP Port Group > (Subnet 192.168.90.1/24, Ports: 5800, 5900)
    Destination > Network > Home
     
  2. Permit SSH to IoT
    Policy: Permit
    Protocols: All
    Source > IP Port Group > (Subnet 192.168.90.1/24, Port: 22)
    Destination > Network > Home
     
  3. Permit DNS Port to Home
    Policy: Permit
    Protocols: All
    Source > Network > IoT
    Destination > IP Port Group > (Subnet 192.168.10.75/32, Port: 53)
     
  4. Deny IoT to All
    Policy: Deny
    Protocols: All
    Source > Network > IoT
    Destination > Network > Admin
    Destination > Network > Home
    Destination > Network > Guest
    Destination > Network > Camera

 

Hope this helps...

  3  
  3  
#3
Options
Re:Secured Admin, Home, IoT, Cameras and Guest VLAN using Gateway ACL
2023-08-10 06:47:48

  @Death_Metal 

 

Hello Death Metal

 

I followed your tips about denying cctv vlan to all but the default vlan1 cannot ping or access the cctv vlan below are my configuration:

 

vlan:

default (vlan1) 192.168.0.1/24

cctv vlan10 192.168.10.1/24

 

switch acl:

 

rule name: deny cctv to all vlan

policy: deny

protocols: all

type: network

source: cctv vlan10

 

type: network

destination: default(vlan1)

 

in port9 in switch i change it to cctv vlan when i try to access or ping other vlans i cannot access it, on port 10 vlan1(default) i tried to access the cctv lan i cannot access it when in fact it is the default management vlan. can you help me on this sir?

 

i used OC300 1.0 firmware: 1.17.0 Build 20230328 Rel.52369

7206 router and TL-SG3428X

 

 

 

  0  
  0  
#4
Options

Information

Helpful: 19

Views: 4951

Replies: 3

Related Articles