@stealth23 

 

Are you using Omada Controller?

 

I also have ER605 and I take a screenshot of the example settings you need:

Hi Somnus, and thanks for your reply. No, as I posted I'm using the ER605's admin panel, I did not install Omada's Software Controller, but maybe the controller's gui is more intuitive.

In the screenshot that you show I don't see any IP that is specified (are they included in the "group"??). You only seem to block the LAN to WAN connections, I'd also add the WAN to LAN (outbound AND inbound)

Also, I do not understand what "source" and "Destination" refer to, and where it says "Type" you specify "group1"? If you can outline the steps to follow I'd appreciate.

  @stealth23 

 

Below is how ive configured my VPN router to basically only allow VPN users access to AFP and SMB service to my NAS and block everything else, in standalone mode (no omada software)

 

this shows my custom port settings for my nas, which will be applied in ACLs

Although what im doing is different to what you want, it shows how each stage is configured and how it all ties togther.  You should be able to adapt for your own needs.  In your case, on the ACLs, you would be setting the "direction" as "WAN In" and "LAN>WAN"

Hi GRL, many thanks for your detailed answer. So taking NAS as an example, you added NAS as an IP Address Range where start and finish is 10.0.0.82, which I assume is your NAS fixed IP? This is confusing, calling a fixed IP a "range" Can you include a screenshot of how you created (added) the group "Grp_NAS"? So I assume that the group "Grp_NAS" contains only one device, the NAS, right?

  @stealth23 

 

Yep, if you have only one IP you want to include in a group, its still considered a "range" so in my case i enter 10.0.0.82 in the From and To boxes.

 

When you set up a group, you give it a name, and then can select which IP "objects" you set up, you can have more than one if you want too

 

Thanks GRL, I think that now I understand the logical flow of steps. I'm trying to resolve another network issue, but once I'm ready to upgrade to the ER605 I'll post back the results

  @GRL 

Hi GRL again, I'm back after resolving my network issue

So I have a NAS at my LAN IP 192.168.1.3. I want to create a rule to have the ER605 block the NAS from Internet access (inbound and outbound).

So I followed your steps:

First I create the IP Address for the NAS in Preferences/IP Group/IP Address:

Then I create an IP Group to include this NAS IP Address:

And then I create the Access Rule in the Firewall:

 

The issue is the following: in the last screenshot, if I set "Direction" to include "[WAN] IN" and "LAN-WAN" the NAS will still have internet access. The only way to block the NAS from internet access is by choosing "ALL" as seen above. How come? And also, if I choose ALL which alos blocks LAN to LAN, then my PC in my LAN wouldn't be able to access the NAS, but it does have access. Can't get it.

 

Problem with using IPGroup any is it will literally block any IP.  WAN, LAN, All of them

 

Is your WAN a static IP ?

 

Also, try setting the "Source" as the NAS group

 

EDIT:  might need two rules, one for Allow LAN<>LAN and one for blocking WAN, ill do some testing with a random device i have here

GRL wrote

Problem with using IPGroup any is it will literally block any IP.  WAN, LAN, All of them

 

Is your WAN a static IP ?

 

Also, try setting the "Source" as the NAS group

 

EDIT:  might need two rules, one for Allow LAN<>LAN and one for blocking WAN, ill do some testing with a random device i have here

  @GRL 

My WAN is supposed to be Dynamic, however unless I renew the connection it seems to always stay with the same WAN IP.

Yes, but even when setting IPGroup Any as source or destination and ALL as Direction, the PC in my LAN is able to connect to the NAS

I just tested setting NAS group as Source and IPGroup Any as Destination and now NAS is blocked from Internet when setting Direction WAN/IN and LAN/WAN (no need to set it to ALL), however PC in the LAN is still able to access de NAS

  @stealth23 

 

Im not sure i follow you

 

I just tested the following ACL to my spare NAS

 

 

This sucessfully blocks the device from the WAN connection, but allows devices on my LAN to access it.