No monitoring/statistics for clients connected to ER605 OpenVPN server?

No monitoring/statistics for clients connected to ER605 OpenVPN server?

17 Reply
Re:No monitoring/statistics for clients connected to ER605 OpenVPN server?-Solution
2024-06-28 08:38:55 - last edited 2024-06-28 16:20:36

Hi all,

The reason has been that the ACL blocks the reading of the VPN stats.

 

To avoid such a problem, please examine if you have created an ACL in your router. If you have an ACL like blocking all service and all directions, please consider doing the following steps:

1. Create a new Service.

2. Create an ACL and place this at a higher priority than any other entries you have.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
Recommended Solution
  0  
  0  
#12
Options
Re:No monitoring/statistics for clients connected to ER605 OpenVPN server?
2024-06-28 16:21:41
Yes. That fixes the issue. And that ACL can't be tightened up any further - it has to come from IPGROUP_ANY as it's the remote client accessing that port is it? Thanks.
  0  
  0  
#13
Options
Re:No monitoring/statistics for clients connected to ER605 OpenVPN server?
2024-07-01 02:45:40

Hi  @Cold_in_Canada 

Cold_in_Canada wrote

Yes. That fixes the issue. And that ACL can't be tightened up any further - it has to come from IPGROUP_ANY as it's the remote client accessing that port is it? Thanks.

I think you can. But you should know what you are doing. 127.0.0.1 is the local host. You can use the local host IP address in source. You can try that.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#14
Options
Re:No monitoring/statistics for clients connected to ER605 OpenVPN server?
2024-07-01 19:09:38

  @Clive_A , I'm not sure how to implement that suggestion, at least using the standalone web interface.  Because:

 

  1. I don't think that we can enter in a direct IP address as a source or destination for an ACL, only an IP group or network.
  2. It doesn't let us build an IP group for localhost 127.0.0.1 (in neither IP-range or CIDR format).

 

Am I missing something from your suggestion?  Can you please guide me on how to implement an ACL based on localhost 127.0.0.1?  Thanks.

  0  
  0  
#15
Options
Re:No monitoring/statistics for clients connected to ER605 OpenVPN server?
2024-07-02 07:04:28

Hi  @Cold_in_Canada 

Cold_in_Canada wrote

  @Clive_A , I'm not sure how to implement that suggestion, at least using the standalone web interface.  Because:

 

  1. I don't think that we can enter in a direct IP address as a source or destination for an ACL, only an IP group or network.
  2. It doesn't let us build an IP group for localhost 127.0.0.1 (in neither IP-range or CIDR format).

 

Am I missing something from your suggestion?  Can you please guide me on how to implement an ACL based on localhost 127.0.0.1?  Thanks.

If it doesn't allow you to build the 127.0.0.1/32 then there is no options for this implementation. We don't have any ways to work around it.

That's a system restriction.

 

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  1  
  1  
#16
Options
Re:No monitoring/statistics for clients connected to ER605 OpenVPN server?
2024-07-02 16:29:21

  @Clive_A so is this not a security concern for TP-Link?  As perhaps it's something that should be handled in the router's firmware vs a user-created ACL.

 

Because as it stands, the only way to get OpenVPN to work properly then on the ER605 is to expose that port 7510 as a "closed" port to the public internet.  While all other ports are properly "stealth".

 

I don't have to to this with other routers.  Hence is this not a bug or at the very least a deficiency in the ER605 that should be corrected in the firmware?

  1  
  1  
#17
Options
Re:No monitoring/statistics for clients connected to ER605 OpenVPN server?-Solution
2024-07-04 00:24:04 - last edited 2024-07-08 03:51:38

Hi  @Cold_in_Canada 

Cold_in_Canada wrote

  @Clive_A so is this not a security concern for TP-Link?  As perhaps it's something that should be handled in the router's firmware vs a user-created ACL.

 

Because as it stands, the only way to get OpenVPN to work properly then on the ER605 is to expose that port 7510 as a "closed" port to the public internet.  While all other ports are properly "stealth".

 

I don't have to to this with other routers.  Hence is this not a bug or at the very least a deficiency in the ER605 that should be corrected in the firmware?

Not really.

You can try the IP of the router instead of 127.0.0.1.

As the 127.0.0.1 is a generic way to stand for the local host. That might not be considered as legal in the ACL rule or forbidden.

The actual router IP like 192.168.0.1 or try the "Me" which is also indicates the router local IP.

 

The default block to that port will be optimized in the future firmware updates which is what I learned from the dev.

 

This is actually not a bug as it fits the ACL rules as it configured. But a point which can be improved/optimized.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
Recommended Solution
  1  
  1  
#18
Options