Blocking traffic except IPsec VPN traffic (esp port 5432)

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-03-11 15:36:23
Tags: #VPN #Firewall
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version: V1.2.3

Hi, guys.

I would like to know if I can block all the traffic except the traffic over the IPsec VPN.

We have an AWS RDS (Postgres) database, and we would like to block all communication from a specific computer except the pgAdmin4 access to the Postgres database.

The router will be only connected to this PC. So far, I created the rule "Block all access except THIS COMPUTER and AWS IP". It didn't work.

Then I tried to create a rule to allow only communication between these two, and a few others; nothing seemed to work. It does block the traffic, but pgAdmin doesn't connect to the DB.

Let me know if you have any suggestions on this, or if someone else has already done it. Really appreciate it.

Thank you in advance.

Max

Re:Blocking traffic except IPsec VPN traffic (esp port 5432)
2023-03-13 06:49:33

Hi @Max_TP

Are you using Omada Controller to manage your router? The IPSec VPN tunnel is LAN-to-LAN, right?

Try these rules:

Policy: Permit
Direction: LAN->WAN
Source: specific computer IP
Destination: database LAN IP

Note you will need another Deny All rule at the end, so it can block all other communication.

Best Regards!
Re:Blocking traffic except IPsec VPN traffic (esp port 5432)
2023-03-13 10:06:56

@Hank21

Hi Hank,

Thank you for your suggestion.

I tried yours but pgAdmin4 still doesn't connect.

Currently, I have these rules in my firewall.
Re:Blocking traffic except IPsec VPN traffic (esp port 5432)
2023-03-13 10:53:32 - last edited 2023-03-13 10:55:30

Hi @Max_TP

The block_all rule: what will happen if you change the Source to "Me"?

Can I have more details about your IPSec VPN configuration?

Best Regards!
Re:Blocking traffic except IPsec VPN traffic (esp port 5432)
2023-03-14 01:59:18

@Hank21

The block_all rule: if I change the Source to "Me", it doesn't block anything.

The IPsec VPN is connected to AWS Site-to-Site VPN. There is nothing special about it. In fact, I followed this post here -> https://community.tp-link.com/en/business/forum/topic/515292

However, I found one way to block traffic:

Basically, including https, http and ICMP in the firewall rules. But it is not a very efficient one. I read somewhere that all ports are closed by default on a TP-Link router. Not sure if that's true.

But I still want to block all ports and internet communication except 5432, which is the port for AWS RDS Postgres.

If I can't find a good solution to do that, maybe I will just include all of the ports one by one, which is a tedious task.

Let me know if you have any other ways, Hank!

Thank you.

Re:Blocking traffic except IPsec VPN traffic (esp port 5432)
2023-03-14 04:19:30

Hi @Max_TP

I have no other idea.

But about how to add the service ports, you can create two service types, so there is no need to add the ports one by one.

One service type from port 1 to 5431, another service type from port 5433 to 65535.

Best Regards!
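To see how the rule layouts suggested in post #1 (permit the pgAdmin flow, then Deny All) and post #5 (two service types, 1-5431 and 5433-65535) behave, here is an added first-match rule simulator; it is not TP-Link's or Omada's code. It assumes the router evaluates rules top-down, first match wins, and permits traffic no rule matches (which is why Hank says a Deny All is needed at the end); all addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    policy: str   # "permit" or "deny"
    src: str      # IPv4 host/CIDR or "any"
    dst: str      # IPv4 host/CIDR or "any"
    ports: tuple  # inclusive TCP destination port range, e.g. (5432, 5432)


def _in(addr, spec):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule, src, dst, port):
    lo, hi = rule.ports
    return _in(src, rule.src) and _in(dst, rule.dst) and lo <= port <= hi


def evaluate(rules, src, dst, port):
    """First matching rule wins; unmatched traffic is permitted (assumed router default)."""
    for rule in rules:
        if matches(rule, src, dst, port):
            return rule.policy
    return "permit"


# Constructed addresses: the workstation, the RDS endpoint behind the site-to-site tunnel, a public web host.
PC, RDS, WEB = "192.168.0.10", "10.20.0.5", "203.0.113.7"
PG, ALL_PORTS = 5432, (1, 65535)

# Post #1: permit the pgAdmin flow, then Deny All at the end.
PERMIT_THEN_DENY = [Rule("permit", PC, RDS, (PG, PG)), Rule("deny", "any", "any", ALL_PORTS)]
# The same two rules with Deny All first: first-match ordering makes the permit unreachable.
DENY_FIRST = list(reversed(PERMIT_THEN_DENY))
# Post #5: two service types (1-5431 and 5433-65535) that together deny every port except 5432.
TWO_RANGES = [Rule("deny", PC, "any", (1, PG - 1)), Rule("deny", PC, "any", (PG + 1, 65535))]

# Flows worth checking: the wanted pgAdmin session, ordinary web traffic, and 5432 to a non-RDS host.
FLOWS = {"pgadmin": (PC, RDS, PG), "https": (PC, WEB, 443), "pg_elsewhere": (PC, WEB, PG)}


def audit(rules):
    """Verdict for each sample flow under the given rule list."""
    return {name: evaluate(rules, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for name, rules in [("permit_then_deny", PERMIT_THEN_DENY), ("deny_first", DENY_FIRST), ("two_ranges", TWO_RANGES)]:
        print(name, audit(rules))
```

The two-range layout blocks by port only, so port 5432 stays open to every destination unless the rules also restrict the destination to the RDS address.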