Switch ACL blocking acting bidirectionally instead of just one way

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2022-08-17 18:11:47 - last edited 2022-08-28 17:58:16
Hardware Version: V2
Firmware Version: 2.0.6

I have a network with 3 distinct IP ranges. The first range I use for management, the second range I use for my family's activities including wired and wireless device connections, video streamers, printers and the like. Because my family isn't very sophisticated, I isolated my personal computer and backup devices on a 3rd IP range. I want to access any address on the second IP range from my PC in the third IP range, but don't want any device on the 2nd range to be able to initiate a connection to the third range.

 

Problem is that when I institute the switch ACL rule, it is blocking traffic in both directions, not just one.  I am stumped and not a network specialist so am looking for guidance.

 

Network Topology (note all devices have been updated to most recent stable release).

 

Omada OC200 Controller

Router: ER7206 v1.0

Switch #1: TL-SG2008P v1.0

Switch #2: T1500G-10PS v2.0

Multiple TP-Link Omada AP's

 

My networks are configured as follows:

 

Network 1 --- Management Network

 

Configured as Interface

All wan and lan interface boxes checked.

VLAN ID 1 

Gateway Subnet: 192.168.5.1/24

Gateway IP 192.168.5.1

Network IP Range 192.168.5.1 - 192.168.5.254

Network Subnet Mask 255.255.255.0

DHCP Server Enabled

Default Gateway Auto

 

Network 2: Household Network

 

Configured as Interface

All wan and lan interface boxes checked.

VLAN ID 100

Gateway Subnet: 192.168.100.1/24

Gateway IP 192.168.100.1

Network IP Range 192.168.100.1 - 192.168.100.254

Network Subnet Mask 255.255.255.0

DHCP Server Enabled

Default Gateway Auto

 

Network 3: MYNet

 

Configured as Interface

All wan and lan interface boxes checked.

VLAN ID 104 

Gateway Subnet: 192.168.104.1/24

Gateway IP 192.168.104.1

Network IP Range 192.168.104.1 - 192.168.104.254

Network Subnet Mask 255.255.255.0

DHCP Server Enabled

Default Gateway Auto

 

My personal computer is connected to Switch #2: the T1500G-10PS v2.0 on port 1 with a Port Profile of MYNet (network 3)

 

Without any ACL rules applied, I can see all of Network 2 from Network 3 and vice versa. When I apply the following ACL rule using the Omada Network Controller interface, I can no longer see devices on Network 2 from Network 3 nor Network 3 from Network 2. My intent is to see Network 2 from 3 but NOT network 3 from 2.

 

ACL Switch Rule:

Name: Protect MYNet

Policy: Deny

Protocols: ALL

EtherType: NOT Enabled

Bi-Directional: NOT Enabled

Rule (Source): Network = Household

Rule (Destination): Network = MYNet

Binding Type: Ports

Ports: All Ports

 

Any guidance as to where I have gone wrong would be appreciated ... and thanks.

 

P.S.  A separate rule that I created to protect the Management network from the Household network functioned as intended.

 

 

#1
Re:Switch ACL blocking acting bidirectionally instead of just one way
2022-08-17 21:40:46 - last edited 2022-08-17 21:41:18

  @ianmud Switch ACLs are not the same as stateful firewall rules, they are stateless.

 

When you work with stateless ACLs you need to consider that return traffic will also be blocked.

 

For example, you have two networks A and B.  If you block traffic from A->B, that will also block the return traffic from B->A.

 

This means you can't create a rule set that lets traffic freely flow in one direction but not the other.

 

You need to get more specific about it.  For example, block all traffic from A->B but then allow the return traffic only on certain ports to certain destination.

 

A stateful firewall would be more flexible and easier to configure but that isn't an option across LAN segments here.

#2
Re:Switch ACL blocking acting bidirectionally instead of just one way
2022-08-17 22:20:43

Thanks for the guidance. I will try this but I do have a question. I assume that sequencing is important and that I would have to include the rule allowing certain traffic activity (eg: allow activity on port 515 for my printer) in advance of the deny rule?

Again, Thanks

#3
Re:Switch ACL blocking acting bidirectionally instead of just one way
2022-08-18 00:20:40

  @ianmud Yes, the pass rules that allow specific traffic need to be above the rule that blocks all traffic.

#4
Re:Switch ACL blocking acting bidirectionally instead of just one way
2022-08-28 17:31:45

  @Alex789 

 

So, I have now tried to create multiple ACL switch rules to access the printer on the Household network VLAN100 (address 192.168.100.30) from MYNet VLAN104.

 

I have tried using the MAC Address of the printer to create a MAC Group and then permitting bidirectional traffic to that group from Network MYNet. I placed the permit rules above the Network to Network Deny rule in the sequence. This didn't work.

 

I then tried creating an IP Group for the printer using 192.168.100.30/1 and then permitting bidirectional traffic to that IP Group from Network MYNet. I again placed the permit rules above the Network Deny rule. This didn't work either.

 

I am stumped.

 

Any and all guidance appreciated.

#5
Re:Switch ACL blocking acting bidirectionally instead of just one way-Solution
2022-08-28 17:34:11 - last edited 2022-08-28 17:58:16

  @ianmud I would need to see your actual rules list to help you.

 

One thing I would point out is that if you want a single IP address that would be 192.168.100.30/32 not /1.  /1 would refer to a massively large range of addresses.

Recommended Solution
#6
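Added example (Python, written for this thread; it is not TP-Link's or Omada's code) that models three points made above: Alex789's explanation that a switch ACL is stateless and so a one-way deny also drops replies, the answer that permit rules must be placed above the deny, and this reply's point that a single host is /32 while /1 covers an enormous range. It assumes first-match evaluation and an implicit permit when no rule matches (consistent with the poster seeing all traffic flow with no rules applied). The printer address 192.168.100.30 and LPD port 515 come from the thread; the other host addresses and source ports are constructed.

```python
# Added example (not TP-Link's or Omada's code): a toy stateless, first-match ACL
# evaluator that reproduces why a one-way deny on a switch also breaks replies.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Networks as described in the thread.
HOUSEHOLD = ip_network("192.168.100.0/24")   # VLAN 100
MYNET = ip_network("192.168.104.0/24")       # VLAN 104
PRINTER = ip_network("192.168.100.30/32")    # the printer; /32 = exactly one host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0

    def reverse(self) -> "Packet":
        """The reply packet of a flow: addresses and ports swapped."""
        return Packet(self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str = "any"
    sport: Optional[int] = None     # None = any source port
    dport: Optional[int] = None     # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        return (
            ip_address(pkt.src) in self.src
            and ip_address(pkt.dst) in self.dst
            and self.proto in ("any", pkt.proto)
            and self.sport in (None, pkt.sport)
            and self.dport in (None, pkt.dport)
        )


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; no connection state is consulted.
    Nothing matched -> implicit permit (assumption, see lead-in)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "permit", "implicit permit"


def flow_allowed(rules: List[Rule], request: Packet) -> bool:
    """A stateless ACL judges request and reply independently, so the
    session only works if BOTH directions are permitted."""
    return (evaluate(rules, request)[0] == "permit"
            and evaluate(rules, request.reverse())[0] == "permit")


def prefix_size(cidr: str) -> int:
    """Number of addresses a CIDR covers. strict=False keeps the host bits,
    so 192.168.100.30/1 is really 128.0.0.0/1, i.e. half the IPv4 space."""
    return ip_network(cidr, strict=False).num_addresses


# The poster's rule: deny everything from Household to MYNet.
DENY_HOUSEHOLD = Rule("Protect MYNet", "deny", HOUSEHOLD, MYNET)

# A narrow return-traffic permit: replies from the printer's LPD port (515)
# back to MYNet. It must sit ABOVE the deny to be evaluated first.
PRINTER_RETURN = Rule("Printer LPD return", "permit", PRINTER, MYNET,
                      proto="tcp", sport=515)

# Constructed sample flows (hosts are made up; .30 is the printer from the thread).
PRINT_JOB = Packet("192.168.104.10", "192.168.100.30", "tcp", sport=51000, dport=515)
INTRUSION = Packet("192.168.100.50", "192.168.104.10", "tcp", sport=40000, dport=22)


if __name__ == "__main__":
    for label, rules in [("deny only", [DENY_HOUSEHOLD]),
                         ("permit above deny", [PRINTER_RETURN, DENY_HOUSEHOLD]),
                         ("permit below deny", [DENY_HOUSEHOLD, PRINTER_RETURN])]:
        print(f"{label:18} MYNet->printer works: {flow_allowed(rules, PRINT_JOB)!s:5} "
              f"Household->MYNet blocked: {not flow_allowed(rules, INTRUSION)}")
    print("/1 covers", prefix_size("192.168.100.30/1"), "addresses;",
          "/32 covers", prefix_size("192.168.100.30/32"))
```

With only the deny rule, the print job's request passes but the printer's reply (source 192.168.100.30, destination in MYNet) hits the deny, which is the "bidirectional" behaviour the poster saw. Putting the narrow permit above the deny lets that one reply through while a Household-initiated connection to MYNet is still denied; putting it below the deny changes nothing, because first match wins.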
Re:Switch ACL blocking acting bidirectionally instead of just one way
2022-08-28 17:58:10

  @Alex789 That solved the problem. When I added the /32, the system now behaves as I was hoping.  Much appreciated.

#7