Geolocation ACL is not working

2025-02-23 16:45:19 - last edited 2025-02-24 02:58:30

Hello, 

I have an OMADA ER7206 V1 1.4.1

 

I am constantly receiving WAN PING ATTACKS from China.

I have put in an ACL that blocks all protocols from location "china" WAN IN, "Ipgroup-all" and yet I am still receiving the alerts. 

The IP is a fixed line ISP in China, so any networking provider that gives you geo-data on IPs should have it accurate. 

Why would that be? Please let me know how to fix this. 

Re:Geolocation ACL is not working
2025-02-23 19:24:58

  @Domada 

 

There is something missing on the router ACL: WAN/in does not work on the WAN interface itself but from WAN to LAN, so port NAT and things like that will be blocked from a country. If I compare with e.g. UniFi, there is an ACL for "Internet local", which translated to TP-Link would be "WAN local"; that is what we need to make this work. For now there is no way to block access to the WAN directly; there are only some settings under Attack Defense that can block ping. There are still some ACLs missing on the router; strange that it is not prioritized.

Re:Geolocation ACL is not working
2025-02-23 21:39:10 - last edited 2025-02-24 01:10:19

  @MR.S

That's bad that you cannot customize the ACL on the WAN interface itself. Also, it can potentially have negative impacts on the router DoS.

To reduce the noise I can only disable the notification "gateway detected attack" but that category includes other attacks I want to watch out for if it's occurring in bulk. Unless there is something else I can do. 

Re:Geolocation ACL is not working
2025-02-23 21:50:00

  @Domada 

 

Basically everything should be blocked on the WAN interface, so it shouldn't be necessary to block anything, but I use WAN local (or "Internet local", as it's called on UniFi) quite a lot to open up ping, SSH or web management to the router from the administration network I have. But location ACL with WAN/in works pretty well, I think. I have blocked the whole world with WAN/in and opened up only for my home country.

 

to avoid the warning you can disable this, the router does what it's supposed to and then blocks :-)
Re:Geolocation ACL is not working
2025-02-23 22:23:37

  @MR.S 

Well, it's two different things. As you are aware, the router is receiving the traffic from China, determining it to be a WAN ping attack and then dropping it. I should be able to make an ACL which denies all the traffic from China without the router receiving and reading the traffic. It puts more work on the router to do it the way it is now, hence why I said it can impact performance. I should be able to place an ACL which completely overrides this and requires no need for the router to determine if it's a WAN ping attack on the WAN interface, as you mentioned, and simply deny the traffic and not see any alerts.

I appreciate your response but it's not much of a solution to disable all "Gateway Detected Attack" notifications. Surely, there should be some other way to make it work better. 

Can anybody from TPLink advise? 

Re:Geolocation ACL is not working -Solution
2025-02-23 22:41:40 - last edited 2025-02-24 01:49:37

  @Domada 

I have had success blocking these with location groups, but using this as the ACL:

WAN IN [location group] > Gateway Management Page
This seems to function as a pre-nat blocker in some way and seems to internally refer to not just the management page, but the entire front internet-facing side of the router.

This seems to block WAN IN much more thoroughly than, as Mr S said, the WAN IN > ipgroup/network, as in that case the destination is behind NAT.
Re:Geolocation ACL is not working
2025-02-24 11:01:55 - last edited 2025-02-24 11:33:13

  @GRL 

 

It was cool that you can block the Gateway Management Page on the WAN interface too; I didn't know that. Learn something new every day :-)

 

This way I can also ensure that the VPN cannot connect from countries other than the ones I have chosen. Now I suddenly got a much more secure network.

Re:Geolocation ACL is not working
2025-02-24 22:52:36 - last edited 2025-02-24 22:52:53

  @GRL 

I turned that setting on for the day and it seemed to have gotten rid of the alerts. 

It's interesting. The docs aren't too clear that it will block on the WAN interface from the internet:

Gateway Management Page: This option will allow/block LAN network devices to access the gateway management page.

but it seems to work. 

Thanks a lot!

Re:Geolocation ACL is not working
2025-02-25 00:43:45

Glad it helped you both !

Re:Geolocation ACL is not working
2025-02-25 00:55:41

Another one that also works: you can make an IP group with your WAN IP and block WAN IN to that, but it seems to function the same way as the Gateway Management Page one, uses up an IP group, and is only applicable if you have a static public IP.

Re:Geolocation ACL is not working
2025-04-23 18:32:26

  @Domada 

Just going to reply to this thread quickly before starting my own.

I have applied very strict Geo-IP blocking. Basically only Europe and North America are allowed. I have a Gateway ACL like so:

Blocking everything to the IPGroup_Any.

But whenever I look at my NGINX access logs, countries that are most definitely blocked are still coming through:

So you're suggesting I should also create a Gateway ACL, specifically for the Management Page instead of just the ipgroup_any?

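The log check the last post describes, as an added example that is not part of the original thread or of Omada: a small Python script that parses NGINX combined-format access log lines and flags hits whose source country is outside the geo-ACL allow list, so you can tell whether the gateway ACL is actually stopping traffic before it reaches the web server. The prefix-to-country table is a constructed stand-in for a real GeoIP database (hypothetical assignments on documentation ranges), and the log lines are constructed too.

```python
import ipaddress
import re
from collections import Counter

# Constructed prefix-to-country table standing in for a real GeoIP database
# (hypothetical assignments on documentation ranges, not real allocations).
GEO_PREFIXES = {"203.0.113.0/24": "CN", "198.51.100.0/24": "DE", "192.0.2.0/24": "US"}
NETWORKS = [(ipaddress.ip_network(p), cc) for p, cc in GEO_PREFIXES.items()]
# Countries the gateway ACL is supposed to let through (Europe/North America subset).
ALLOWED = {"DE", "US", "FR", "GB", "CA"}

# Constructed NGINX combined-format access log lines.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Apr/2025:18:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"
198.51.100.4 - - [23/Apr/2025:18:00:02 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Apr/2025:18:00:03 +0000] "POST /wp-login.php HTTP/1.1" 403 0 "-" "python-requests/2.31"
192.0.2.55 - - [23/Apr/2025:18:00:04 +0000] "GET /api HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def country_of(ip: str) -> str:
    """Map an address to a country code; the constructed prefixes do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, cc in NETWORKS:
        if addr in net:
            return cc
    return "??"  # unknown country: treated as not allowed

def find_geo_leaks(log_text: str, allowed=ALLOWED):
    """Return (ip, country, request) for each hit whose source country is outside the allow list."""
    leaks = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        cc = country_of(m["ip"])
        if cc not in allowed:
            leaks.append((m["ip"], cc, m["req"]))
    return leaks

def leaks_by_country(log_text: str) -> Counter:
    """Count leaked hits per country so the worst offenders show up first."""
    return Counter(cc for _, cc, _ in find_geo_leaks(log_text))

if __name__ == "__main__":
    for ip, cc, req in find_geo_leaks(SAMPLE_LOG):
        print(f"{cc} {ip} {req}")
    print(leaks_by_country(SAMPLE_LOG).most_common())
```

Any hit the script reports reached NGINX despite the ACL, which is the symptom in the thread; a run with no leaks after the Gateway Management Page rule is added confirms the rule is doing what the accepted answer says.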