Only Allow Access Internal Network (Including Remote Through VPN) on Some Device


Hello, I have a setup similar to the diagram above, with the difference being gateway A and B controlled by OC200 in HQ. I'm trying to setup some device to only be able to access internal network.
 
 I followed the guide from https://community.tp-link.com/en/business/forum/topic/696340, and it works well as expected for most of the part, but now the device on HQ cannot connect to the device on Branch Office and vice versa.
 
 How do I create an ACL rule that allow both internal network, and remote network that is connected through VPN?
 
 Thank you,
 
 Nikolas
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content

Hi @Nikolassss
Thanks for posting in our business forum.
Nikolassss wrote
Okay, so here is a simplification of my network. In my case, Device A, B, C, and D can communicate with each other thanks to Wireguard VPN. I want to keep it that way but, I want to block Device D's access to the Internet.
When I create ACL Rule to DENY device D access from LAN->WAN as shown above, Device D's access to internet is blocked successfully. BUT it also blocked Device D to Device A and B. Device D can still access Device C in this case, which is expected from the ACL rule.
Is ACL not the right tool for this?
OK. I have an idea.
If you create this block LAN > WAN. Then create another one to allow Device D to access the WG interface IP address.
That should fix it?
When you block, you use any IP, that might stop the connection to the WG int IP as well. Hope this idea helps.
- Copy Link
- Report Inappropriate Content
Hi @Nikolassss
Thanks for posting in our business forum.
So is this based on the Wireguard? You've selected the Wireguard, so for the Wireguard, you should specify the network in the allowed IPs. That determines what's accessible or not.
- Copy Link
- Report Inappropriate Content
Hello @Clive_A, Thank you for your reply.
 
 Correct, The VPN setup is using WireGuard, and it has been working well to allow device from HQ to communicate with device in Branch Office and vice versa. This was set up using the allowed IPs as you mentioned.
 
 My current problem is: I want to have some device to only able to access internal network (a.k.a block access to internet to some device only). BUT, when I set the ACL rule to deny the IP group access to the WAN, it also deny access to other devices on the other site (HQ to Branch and vice versa)

The desired output I'm looking for is: The devices that has it's access blocked to the WAN, can still communicate with devices BOTH on local network, and on the remote network that is connected through Wireguard VPN.
 
 Please give me some guidance, and any help would be appreciated.
 
 Thank you,
 Nikolas
- Copy Link
- Report Inappropriate Content
Hi @Nikolassss
Thanks for posting in our business forum.
Nikolassss wrote
Hello @Clive_A, Thank you for your reply.
Correct, The VPN setup is using WireGuard, and it has been working well to allow device from HQ to communicate with device in Branch Office and vice versa. This was set up using the allowed IPs as you mentioned.
My current problem is: I want to have some device to only able to access internal network (a.k.a block access to internet to some device only). BUT, when I set the ACL rule to dny the IP group access to the WAN, it also deny access to other devices on the other site (HQ to Branch and vice versa)
The desired output I'm looking for is: The devices that has it's access blocked to the WAN, can still communicate with devices BOTH on local network, and on the remote network that is connected through Wireguard VPN.
Please give me some guidance, and any help would be appreciated.
Thank you,
Nikolas
Block Internet access, so you are currently using the 0.0.0.0/0 as the allowed IP on one of the sites now, correct?
If that's the case, then you are routed to the peer site and use the remote gateway as the default gateway. If you stop accessing the Internet, it might cause a problem with the WG connection.
I think you might wanna try the allowed IP.
ACL might not be helpful in this situation because of the following concerns:
1. It might not be effective for the VPN.
2. IP Group or GW ACL in the controller mode is currently limited. You can only specify the CIDR instead of the range like from A to B. (But you can still manually specify these IPs). It might be hard to satisfy what you need to achieve.
As for the WG now, if you set it on the router, it's hard to specify the rules for it. I think it might not be possible to achieve what you asked at this moment.
- Copy Link
- Report Inappropriate Content
Clive_A wrote
Hi @Nikolassss
Thanks for posting in our business forum.
Nikolassss wrote
Hello @Clive_A, Thank you for your reply.
Correct, The VPN setup is using WireGuard, and it has been working well to allow device from HQ to communicate with device in Branch Office and vice versa. This was set up using the allowed IPs as you mentioned.
My current problem is: I want to have some device to only able to access internal network (a.k.a block access to internet to some device only). BUT, when I set the ACL rule to dny the IP group access to the WAN, it also deny access to other devices on the other site (HQ to Branch and vice versa)
The desired output I'm looking for is: The devices that has it's access blocked to the WAN, can still communicate with devices BOTH on local network, and on the remote network that is connected through Wireguard VPN.
Please give me some guidance, and any help would be appreciated.
Thank you,
NikolasBlock Internet access, so you are currently using the 0.0.0.0/0 as the allowed IP on one of the sites now, correct?
If that's the case, then you are routed to the peer site and use the remote gateway as the default gateway. If you stop accessing the Internet, it might cause a problem with the WG connection.
I think you might wanna try the allowed IP.
ACL might not be helpful in this situation because of the following concerns:
1. It might not be effective for the VPN.
2. IP Group or GW ACL in the controller mode is currently limited. You can only specify the CIDR instead of the range like from A to B. (But you can still manually specify these IPs). It might be hard to satisfy what you need to achieve.
As for the WG now, if you set it on the router, it's hard to specify the rules for it. I think it might not be possible to achieve what you asked at this moment.
  @Clive_A Not exactly. My WG is setup to only tunnel certain IP using the allowed IP parameter. Which should mean the default gateway is still the one local to the site.
 
 With my logic, if I can deny access using ACL to 0.0.0.0/0 EXCEPT for a certain allowed IP on the remote site, I should be able to achieve what I need. But I am not sure how to do that. Is there any way to do that with ACL?
- Copy Link
- Report Inappropriate Content
Hi @Nikolassss
Thanks for posting in our business forum.
Nikolassss wrote
Clive_A wrote
Hi @Nikolassss
Thanks for posting in our business forum.
Nikolassss wrote
Hello @Clive_A, Thank you for your reply.
Correct, The VPN setup is using WireGuard, and it has been working well to allow device from HQ to communicate with device in Branch Office and vice versa. This was set up using the allowed IPs as you mentioned.
My current problem is: I want to have some device to only able to access internal network (a.k.a block access to internet to some device only). BUT, when I set the ACL rule to dny the IP group access to the WAN, it also deny access to other devices on the other site (HQ to Branch and vice versa)
The desired output I'm looking for is: The devices that has it's access blocked to the WAN, can still communicate with devices BOTH on local network, and on the remote network that is connected through Wireguard VPN.
Please give me some guidance, and any help would be appreciated.
Thank you,
NikolasBlock Internet access, so you are currently using the 0.0.0.0/0 as the allowed IP on one of the sites now, correct?
If that's the case, then you are routed to the peer site and use the remote gateway as the default gateway. If you stop accessing the Internet, it might cause a problem with the WG connection.
I think you might wanna try the allowed IP.
ACL might not be helpful in this situation because of the following concerns:
1. It might not be effective for the VPN.
2. IP Group or GW ACL in the controller mode is currently limited. You can only specify the CIDR instead of the range like from A to B. (But you can still manually specify these IPs). It might be hard to satisfy what you need to achieve.
As for the WG now, if you set it on the router, it's hard to specify the rules for it. I think it might not be possible to achieve what you asked at this moment.
@Clive_A Not exactly. My WG is setup to only tunnel certain IP using the allowed IP parameter. Which should mean the default gateway is still the one local to the site.
With my logic, if I can deny access using ACL to 0.0.0.0/0 EXCEPT for a certain allowed IP on the remote site, I should be able to achieve what I need. But I am not sure how to do that. Is there any way to do that with ACL?
I don't think the ACL would be useful in this case.
I don't understand the use case then if you say so in the highlighted part. You want to block Internet access for some devices that could access the remote site?
Can you explain with a diagram?
- Copy Link
- Report Inappropriate Content

Okay, so here is a simplification of my network. In my case, Device A, B, C, and D can communicate with each other thanks to Wireguard VPN. I want to keep it that way but, I want to block Device D's access to the Internet.
 
 When I create ACL Rule to DENY device D access from LAN->WAN as shown above, Device D's access to internet is blocked successfully. BUT it also blocked Device D to Device A and B. Device D can still access Device C in this case, which is expected from the ACL rule.
 
 Is ACL not the right tool for this?
- Copy Link
- Report Inappropriate Content

Hi @Nikolassss
Thanks for posting in our business forum.
Nikolassss wrote
Okay, so here is a simplification of my network. In my case, Device A, B, C, and D can communicate with each other thanks to Wireguard VPN. I want to keep it that way but, I want to block Device D's access to the Internet.
When I create ACL Rule to DENY device D access from LAN->WAN as shown above, Device D's access to internet is blocked successfully. BUT it also blocked Device D to Device A and B. Device D can still access Device C in this case, which is expected from the ACL rule.
Is ACL not the right tool for this?
OK. I have an idea.
If you create this block LAN > WAN. Then create another one to allow Device D to access the WG interface IP address.
That should fix it?
When you block, you use any IP, that might stop the connection to the WG int IP as well. Hope this idea helps.
- Copy Link
- Report Inappropriate Content
@Clive_A Okay, will give this a try when I got the chance. Out of curiosity, how is the priority set up in ACL rules? Would my allow overule the deny?
- Copy Link
- Report Inappropriate Content
acl rules are read from top to bottom in access roule list,
so if you want to allow 192.168.1.10 and deny the rest of the network, you create the rules in this order.
Alow 192.168.1.10
deny 192.168.1.0/24
- Copy Link
- Report Inappropriate Content
Okay This works, Thank you all for the help.
- Copy Link
- Report Inappropriate Content

Information
Helpful: 0
Views: 942
Replies: 10
Voters 0
No one has voted for it yet.

