T2600G-28TS Time Range and ACL

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2019-12-01 18:14:15 - last edited 2019-12-06 15:49:34
Hardware Version: V4
Firmware Version: 4.0.0 Build 20190530 Rel.52928(s)

Hello all,

 

I have defined a Time Range in order to inhibit WWW access deep in the night for my kids. System time is set using NTP with local time zone; the time range follows local time.

 

An ACL with DENY_ALL on all protocols and bound to specific ports works as desired (blocks always).

 

Now adding the TimeRange to the ACL does not trigger ACL, it seems to be always active. I tested this with my desired time range outside its "active" duty range (the time range is shown properly as "inactive" on the time range definition pane). A cross check with a second "active" time range (replaced in the ACL in question) did not change the behaviour. The ACL acts as if no time range was inserted, i.e. it blocks all the time.

 

What do I get wrong here?

 

-Michael

#1
Re:T2600G-28TS Time Range and ACL
2019-12-03 08:06:40

@Mike63 

 

Why don't you configure a web filter or ACL in your router?

Certainly, you can upload the screenshots about your ACL rules, maybe we can find the reason.

#2
Re:T2600G-28TS Time Range and ACL
2019-12-04 10:09:02 - last edited 2019-12-04 10:09:23

@Mike63 

 

Also check your system time and whether NTP works properly, so the switch knows when it needs to block.

#3
Re:T2600G-28TS Time Range and ACL
2019-12-04 11:23:59

Hi Mike63,

 

I would be interested to see a screenshot of your ACL time-range settings, too. I couldn't find those settings in the latest SW emulator for T2600G-28TS. Maybe I overlooked it, but would be interested to learn whether those options have been added in latest firmware for this switch model. Thanks!

#4
Re:T2600G-28TS Time Range and ACL
2019-12-05 16:20:15 - last edited 2019-12-05 16:21:03

OK, Screenshots

 

Time Ranges under System -> Time Range (note Status "Inactive" outside the defined time span; it becomes "Active" if within).

 

 

This specific time range is defined as follows:


 

and used in the ACL under "Time Range"

 

 

 

see drop-down (time range)

 

This ACL, if bound to a port, blocks even if the time range in question is inactive.

 

 

#5
Re:T2600G-28TS Time Range and ACL
2019-12-05 20:26:45 - last edited 2019-12-05 21:46:56

This is how it works for me on a T1500G-10PS, which also runs the new firmware:

 

Time range (your settings leave one hour for your kids to surf at the weekend's Geisterstunde, intentional?):

 

 

ACL needs two rules:

 

 

First rule to deny access during sleeptime:

 

 

Second rule to permit access by default:

 

 

 

The switch seems to add a default Deny rule at the end of the ACL ruleset much like Cisco switches do. @Mitya, can you confirm this?

 

However, I would reverse the logic to allow for a more readable contiguous time range:

 

 – First rule bound to time period (say, Daytime) allows use of the port or VLAN.

 – Second rule always denies use of the port or VLAN. Not necessarily needed b/c of the default Deny rule, but IMHO it's good style to explicitly state what you want for better readability and for documentation.

 

Thus, this should work, too:

 

 

 

ACL rule 1 is bound to the time range, rule 999 is the catch all:

 

 

#6
Re:T2600G-28TS Time Range and ACL-Solution
2019-12-06 07:49:15 - last edited 2019-12-06 15:49:34

 

R1D2 wrote

 

The switch seems to add a default Deny rule at the end of the ACL ruleset much like Cisco switches do. @Mitya, can you confirm this?

  

Yes, in new firmware design it works as white-list as cisco-style, so it has "deny all" by default in the end (unlike old design, where blacklist and "permit all" by default is).

Because of deny all by default, your ACL will block everything anyway and you need to create rule "permit all" with Time-Range binding. I totally agree with R1D2. (or reverse way, which is also described)

The logic in tplink is a bit weird, but yes, it will work, like this.

Recommended Solution
#7
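Added example, not code from the thread or from TP-Link: a small Python model of the first-match ACL evaluation with the implicit deny-all that Mitya confirms above. It checks Mike63's original single deny rule against both of R1D2's two-rule variants; the time-range model (weekday set plus start/end, wrapping past midnight) is an assumption for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, FrozenSet

@dataclass(frozen=True)
class TimeRange:
    """Assumed model of a switch time range: active on the given weekdays
    (0=Mon .. 6=Sun) from start up to end; end <= start wraps past midnight."""
    days: FrozenSet[int]
    start: time
    end: time

    def active(self, at: datetime) -> bool:
        if at.weekday() not in self.days:
            return False
        t = at.time()
        if self.start < self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end   # overnight range

@dataclass(frozen=True)
class Rule:
    action: str                               # "permit" or "deny"
    time_range: Optional[TimeRange] = None    # None = always active

def evaluate(acl: List[Rule], at: datetime) -> str:
    """First active rule wins; if none matches, the hidden deny-all that the
    new firmware appends at the end applies (the 'whitelist' behaviour)."""
    for rule in acl:
        if rule.time_range is None or rule.time_range.active(at):
            return rule.action
    return "deny"   # implicit catch-all, not visible in the web UI

# Constructed sample ranges, not the OP's exact settings
ALL_DAYS = frozenset(range(7))
SLEEPTIME = TimeRange(ALL_DAYS, time(22, 0), time(6, 0))   # overnight
DAYTIME = TimeRange(ALL_DAYS, time(6, 0), time(22, 0))

# What Mike63 configured: one deny rule bound to the sleep time.
ORIGINAL_ACL = [Rule("deny", SLEEPTIME)]
# R1D2's first variant: deny during sleep time, then explicit permit-all.
TWO_RULE_ACL = [Rule("deny", SLEEPTIME), Rule("permit")]
# R1D2's reversed variant: permit bound to Daytime, then explicit deny-all.
REVERSED_ACL = [Rule("permit", DAYTIME), Rule("deny")]

if __name__ == "__main__":
    for when in (datetime(2019, 12, 5, 14, 0), datetime(2019, 12, 5, 23, 30)):
        print(when, evaluate(ORIGINAL_ACL, when),
              evaluate(TWO_RULE_ACL, when), evaluate(REVERSED_ACL, when))
```

Outside the sleep time the original ACL has no active rule, so it falls through to the implicit deny and blocks all day, which is exactly the symptom reported in the first post.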
Re:T2600G-28TS Time Range and ACL
2019-12-06 09:07:36 - last edited 2019-12-06 09:12:46

Thank you @Mitya!

 

This is much like a default policy in firewalls except that it is hardwired.

 

I like the new firmware more and more for the new functions such as time range, albeit IMO the new web UI is a big step back regarding usability, which is the reason I didn't update the firmware on my own switches so far.

#8
Re:T2600G-28TS Time Range and ACL
2019-12-06 15:43:12 - last edited 2019-12-06 15:51:24

@R1D2 @Mitya Thank you all

 

If I covered your discussion correctly so far, then what happens is this:

- as long as ACLs are just defined, not bound, nothing happens (expected)

- if I bind an ACL to any port, then implicitly and hidden, a DENY_ALL rule will be added to the beginning of the ACL queue by firmware/default/TP-Link

- therefore, to counter this, I have to define a corresponding explicit ALLOW_ALL rule at the beginning of the visible queue (takes second place after the hidden one)

- followed by a time range controlled DENY_ALL to fulfil my initial wish

 

Correct so far? And why should this be a good practice firmware-wise?

 

I correct my assumptions: because of the whitelisting-approach, a time ranged PERMIT_ALL in the allowed time frame would be sufficient.

#9
Re:T2600G-28TS Time Range and ACL
2019-12-06 15:45:00

@R1D2 Yes, "Geisterstunde" at weekends is intentional. Kids like to play over midnight...

#10
Re:T2600G-28TS Time Range and ACL
2019-12-06 15:47:40

@TPTHZ I want to block the kids only at given "sleeping times", not the whole traffic. Therefore, I am bound to the ports where the kids' hardware is attached...

#11