Looking for solutions in firmwares v1.2.0/v1.2.1 on TL-R605 v1 when using ACL rules with ! mark
Latest edit (26-10-2022):
I finally managed to set up the router on v1.2.1 firmware. Creating (bidirectional) ACL rule for each Vlan to block inter-vlan. Check this new post.
Edit (11-10-2022):
The latest firmware v1.2.1 still suffers from the same issue as v1.2.0 if both Source and Direction contain ! mark.
In standalone mode, if you have configured ACL rules (blocking something) in Firewall with ! in front of the vlan's name, the router will block everything, you can't even access to the config page, nor to WAN ports.
It's incorrectly stated at the v1.2.1 release note that this new update fixed the mentioned issue. No, it did not! Sorry.
We have to stay with the v1.1.1 again.
-------------------------------------
Unfortunately, the official thread doesn't inform you about it, so I'm compelled to create this one. I don't want others to screw their time with this nightmare I went through.
If you have an R605 router configured with ACL rules in standalone mode, the new update v1.2.0 will cause DHCP not working, leaving the device non-functioning.
Others have already reported about the issue here and someone confirmed that developers had recognized it as a bug in the new firmware.
Do not upgrade from v1.1.1 to v1.2.0!
Let's wait for the bugfix.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Dear @Arion, @Phoenclix, @btx,
Arion wrote
Unfortunately, the official thread doesn't inform you about it, so I'm compelled to create this one. I don't want others to screw their time with this nightmare I went through.
If you have an R605 router configured with ACL rules in standalone mode, the new update v1.2.0 will cause DHCP not working, leaving the device non-functioning.
Others have already reported about the issue here and someone confirmed that developers had recognized it as a bug in the new firmware.
Do not upgrade from v1.1.1 to v1.2.0!
Let's wait for the bugfix.
Sorry for any trouble caused. You didn't elaborate on your ACL configuration, but I guess that you used the "!" to set a Source/Destination Network to create the ACL rules. If it's the case, the issue you have is the same as it's mentioned in this post (yes, you already found it).
The main cause of the issue is that the 1.2.0 firmware has adjusted the ACL rules strategy, when the ACL rules created with a "!" network, it will also restrict the access to the gateway itself. That's why the clients are unable to obtain IP addresses from the DHCP after the 1.2.0 firmware update.
I'll add a note in the thread (link) you mentioned to inform others about this change. Thank you @Arion for your thoughtful suggestion.
Edit on October 9, 2022:
The 1.2.1 firmware has already corrected the ACL strategy, that is, when you use a "!" to set the Source/Destination Network to create the ACL rules, the Source/Destination Network won't include the Omada router itself anymore.
If you still have trouble using "!" to create the ACL rules with the 1.2.1 firmware (or the later firmware), it might be a different issue, or there might be something else we overlooked. To figure out the issue, it's recommended to start a new thread with your setup (Tips for efficiently report an issue in the community) or directly contact TP-Link support team via email for further assistance.
Thank you for your great cooperation and patience.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
EDIT
- Copy Link
- Report Inappropriate Content
Thanks for the reply and the information.
I was going to select your post as a solution then I got confused a bit.
First of all, on the official release thread I linked above, by the moment I'm writing this, still there's no info about this bug, nor about the beta fix.
It needs to be corrected in that thread!
I haven't tried this beta yet, so I can't be sure if it solves the problem I have faced because the description of the issue is a bit different.
The "use fixed IP address" issue has been present in earlier firmware, as well, I've always found it odd but other than that it wasn't such a huge issue for me.
I don't have IoT devices in my setup, I've just intended to reserve the IP address of the switches connected to the R605, so I can easily access their page.
As it has never worked properly, I could have even deleted those configuration if it helped temporarily manage to be able to run the v1.2.0 firmware.
Now, I'm confused. In the linked thread about "fixed IP..." I couldn't any mention about the router getting bricked after the update, they only complain about the IP reservation not taking effect.
Did the v1.2.0 firmware break my router's operation because of that insignificant IP address reservation setup?
It would be helpful if someone with knowledge could give an answer to make it sure that this is actually the same situation indeed.
- Copy Link
- Report Inappropriate Content
EDIT
- Copy Link
- Report Inappropriate Content
Thanks again.
I have this router in standalone mode, I don't have OC200, nor I want to connect a windows pc to use the software version of Omada.
I wrote my situation in that thread I linked in the first post here.
Unfortunately (and incidentally) I've already tried that scenario, too, when I reconfigured the router after hard reset and it became unaccessible right after I added the only ACL rule I needed. If it's not accessible, I assume that DHCP doesn't work. But I couldn't figure it out by my own, I just saw others' posts on this forum mentioning this possibility for the failing firmware update.
Now I can only use the router with the reverted v1.1.1 firmware.
I'm not in a hurry to upgrade, I don't want to push the developers to give me an ETA.
I prefer them to bake the new update without this sort of serious bug that didn't just break a feature, it made the router unusable for those who use ACL rules.
What do you mean "flash with defined ACL"?
- Copy Link
- Report Inappropriate Content
Dear @Arion, @Phoenclix, @btx,
Arion wrote
Unfortunately, the official thread doesn't inform you about it, so I'm compelled to create this one. I don't want others to screw their time with this nightmare I went through.
If you have an R605 router configured with ACL rules in standalone mode, the new update v1.2.0 will cause DHCP not working, leaving the device non-functioning.
Others have already reported about the issue here and someone confirmed that developers had recognized it as a bug in the new firmware.
Do not upgrade from v1.1.1 to v1.2.0!
Let's wait for the bugfix.
Sorry for any trouble caused. You didn't elaborate on your ACL configuration, but I guess that you used the "!" to set a Source/Destination Network to create the ACL rules. If it's the case, the issue you have is the same as it's mentioned in this post (yes, you already found it).
The main cause of the issue is that the 1.2.0 firmware has adjusted the ACL rules strategy, when the ACL rules created with a "!" network, it will also restrict the access to the gateway itself. That's why the clients are unable to obtain IP addresses from the DHCP after the 1.2.0 firmware update.
I'll add a note in the thread (link) you mentioned to inform others about this change. Thank you @Arion for your thoughtful suggestion.
Edit on October 9, 2022:
The 1.2.1 firmware has already corrected the ACL strategy, that is, when you use a "!" to set the Source/Destination Network to create the ACL rules, the Source/Destination Network won't include the Omada router itself anymore.
If you still have trouble using "!" to create the ACL rules with the 1.2.1 firmware (or the later firmware), it might be a different issue, or there might be something else we overlooked. To figure out the issue, it's recommended to start a new thread with your setup (Tips for efficiently report an issue in the community) or directly contact TP-Link support team via email for further assistance.
Thank you for your great cooperation and patience.
- Copy Link
- Report Inappropriate Content
I also use the ER605 in standalone mode, it is configured making extensive use of DHCP and ACL. The router is providing main internet access to my small business and as such cannot simply be turned off for hours of firmware upgrade and troubleshooting. The experience of upgrading to firmware 1.2 was painful and costly - not a common experience.
IMHO the described issue converts a perfectly working router into one that is incapable of using VLANs securely. For that reason I would recommend pulling it or at least clearly documenting it. Either should happen in a short time frame.
I am working in the IT industry and I am fully aware that issues happen. What separates the cream from the crop is how issues are dealt with.
This issue has been documented in multiple forum threads, yet not mentioned in a bug list of the firmware or the thread announcing the new firmware. I am used to upgrading firmware for bug fixes and new functionality and routinely check the documentation before applying - I don't think that the need to search a community forum should be necessary.
I am looking forward to a fix and upgrading to a new firmware because of other fixes (such as the one described) and the new features. Now I know that I need to guard my business and budget sufficient downtime for that endeavor.
- Copy Link
- Report Inappropriate Content
@Fae Thanks for documenting this issue. Your post arrived just as I was writing mine.
- Copy Link
- Report Inappropriate Content
Thanks. Yes, my only ACL rule was with ! before the vlan's name.
I've posted my setup here before. I had to use a trick to achieve blocking intervlan, creating an unused (phantom) vlan and adding an ACL rule with that after the mark "!".
Now I need some help. To use the new firmware I will need to find a new solution for my posted setup.
How can I block intervlan completely between about 50 vlans in standalone mode?
As the official thread has already added the following paragraph by @Fae, my previous question is unnecessary.
This has been confirmed to be a bug and will be fixed in the next firmware update. As a temporary solution, you may adjust your ACL rules without using "!" for the Source/Destination Network, or stay in the current firmware version and wait for the next firmware update patiently (I don't have ETA for it).
- Copy Link
- Report Inappropriate Content
EDIT
- Copy Link
- Report Inappropriate Content
Information
Helpful: 1
Views: 5964
Replies: 40