TD-W8961N bridge mode VLAN access control

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-02-18 08:02:54
Model: TD-W8961N  
Hardware Version: V4
Firmware Version: 3.2.0 Build 210914 Rel.24052

At the office where I work, we have a TD-W8961N that we use in bridge mode to connect another router that doesn't have an ADSL modem built in. The ADSL settings (modulation, annex, VPI/VCI) are configured on the TD-W8961N and the PPPoE settings are on the other router. It's meant as a temporary setup until we get fiber and an ONT.

DHCP, IGMP snooping, multicast, dynamic route, NAT etc. on the TD-W8961N are disabled. Firewall is enabled. SPI is disabled.
The ADSL PVC2 with the proper VPI/VCI settings (the other PVCs are disabled) and Ethernet port 1 of the TD-W8961N are set on VLAN 35. Ethernet port 1 is connected to the WAN port of the other router.

Ethernet port 2 of the TD-W8961N is set on VLAN 10 and connected to one of the LAN ports on the other router, for access to the TD-W8961N management interface.

The PVIDs for the ports are also properly set. PVC2 and eth1 have PVID 35, eth2 has PVID 10. All other PVCs and Ethernet ports are set on VLAN 1 which is disabled.

This configuration works as expected: the other router gets its public IP properly and we can access the TD-W8961N for management.

However, I noticed that during configuration, before connecting the other router, I could access the TD-W8961N's web management interface no matter whether I connected to eth1 or eth2.

I don't think that's good, as it would mean that whoever is at the other end of the ADSL line could also see it and attempt to access it. However, I can't test this as I don't have my own DSLAM.

I have looked through the ACL settings but I can't find anything related to setting access per VLAN. It seems that it can only be set for an IP address range.
Is there any way to prevent access to the management page from VLAN 35? I'm afraid this might be a similar situation to the one I had with a TL-SG116E, where the management page is accessible from every VLAN that goes through it, as long as I set a static IP to match the subnet on the PC I'm accessing it from, and this couldn't really be fixed.
I'd like to ask if that's the same issue here, or is there a setting somewhere that I'm missing? Is it possible to do anything about it?
Also here is a diagram of how it is configured right now:

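An added illustration of what the post is describing, not code from TP-Link or from the TD-W8961N firmware: a small model of port-based 802.1Q forwarding (PVID for untagged ingress, VLAN membership for ingress filtering and egress) loaded with the VLAN layout from the post. It assumes the management interface behaves like an internal "cpu" port whose own VLAN membership decides which ports can reach it; the port names eth3, eth4 and cpu and the address ranges are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class Port:
    """One switch port: its PVID and the set of VLANs it belongs to."""
    name: str
    pvid: int
    members: FrozenSet[int]


class VlanSwitch:
    """Minimal port-based 802.1Q forwarding model (assumption: generic, not device-specific)."""

    def __init__(self, ports: Iterable[Port], enabled_vlans: Iterable[int]) -> None:
        self.ports: Dict[str, Port] = {p.name: p for p in ports}
        self.enabled_vlans = set(enabled_vlans)

    def ingress_vlan(self, port_name: str, tag: Optional[int] = None) -> Optional[int]:
        """Classify an incoming frame: untagged frames take the port's PVID.

        Returns the VLAN the frame is placed in, or None if it is dropped
        (VLAN disabled, or the ingress port is not a member of that VLAN)."""
        port = self.ports[port_name]
        vid = port.pvid if tag is None else tag
        if vid not in self.enabled_vlans or vid not in port.members:
            return None
        return vid

    def can_reach(self, src: str, dst: str, tag: Optional[int] = None) -> bool:
        """True if a frame entering `src` may be forwarded out of `dst`."""
        vid = self.ingress_vlan(src, tag)
        return vid is not None and vid in self.ports[dst].members


def build_bridge_config(mgmt_vlans: Iterable[int]) -> VlanSwitch:
    """VLAN layout from the post; 'cpu' stands for the management interface (assumption)."""
    ports = [
        Port("pvc2", pvid=35, members=frozenset({35})),   # ADSL PVC carrying the ISP session
        Port("eth1", pvid=35, members=frozenset({35})),   # to the other router's WAN port
        Port("eth2", pvid=10, members=frozenset({10})),   # to the other router's LAN side
        Port("eth3", pvid=1, members=frozenset({1})),     # unused; VLAN 1 is disabled
        Port("eth4", pvid=1, members=frozenset({1})),
        Port("cpu", pvid=10, members=frozenset(mgmt_vlans)),
    ]
    return VlanSwitch(ports, enabled_vlans={10, 35})   # VLAN 1 deliberately absent


def management_exposure(mgmt_vlans: Iterable[int]) -> Dict[str, bool]:
    """Which external ports can deliver an untagged frame to the management interface."""
    sw = build_bridge_config(mgmt_vlans)
    return {name: sw.can_reach(name, "cpu") for name in sw.ports if name != "cpu"}


def ip_acl_allows(src_ip: str, allowed: Iterable[str]) -> bool:
    """An address-range ACL like the one in the post's ACL settings: it checks only the
    source IP, so a host that picks an address inside the range passes regardless of VLAN."""
    addr = ip_address(src_ip)
    return any(addr in ip_network(net) for net in allowed)


if __name__ == "__main__":
    print("management in VLANs 10 and 35:", management_exposure({10, 35}))
    print("management in VLAN 10 only:  ", management_exposure({10}))
    print("tagged VLAN 10 frame on eth1 :", build_bridge_config({10}).can_reach("eth1", "cpu", tag=10))
    print("IP ACL 192.168.1.0/24, src 192.168.1.50:",
          ip_acl_allows("192.168.1.50", ["192.168.1.0/24"]))
```

In this model the observation in the post (management reachable from both eth1 and eth2) is what you get when the management interface is a member of both VLAN 35 and VLAN 10; binding it to VLAN 10 alone leaves only eth2 able to reach it, and a frame tagged 10 arriving on eth1 is dropped at ingress because eth1 is not a member of VLAN 10. The `ip_acl_allows` function shows why an address-range ACL is only a second layer: it never looks at the VLAN, which matches the TL-SG116E behaviour the post mentions.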