Problems with ACLs

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Problems with ACLs

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Problems with ACLs
Problems with ACLs
2023-05-12 06:37:31 - last edited 2023-05-16 06:30:41
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.1.2 Build 20230210 Rel.62992

Dear all,

 

I have been trying to set ACLs for a few days. At the beginning I succeeded well, but now I don't anymore.

I want VLAN2 not to be able to access the GUI of the router. For this I only need two ACLs that block http and https.

 

VLAN config:
Default: 192.168.0.0
VLAN2: 192.168.2.0

 

Router:
Default: 192.168.0.1
VLAN2: 192.168.2.1

 

IP Groups:

VLAN2_Router: 192.168.2.1 - 192.168.2.1
VLAN2_Network: 192.168.2.0/24

 

Services Type:

HTTPS: Source Port = 0-65535; Destination Port = 433-433
HTTP: Source Port = 0-65535; Destination Port = 80-80

 

ACLs:
Name:
VLAN2_HTTPS
Policy:
Block
Service Type:
HTTPS
Direction:
ALL
Source:
VLAN2_Network
Destination:
VLAN2_Router
Effective Time:
Any
States:
New, Established, Invalid, Related

 

Name:
VLAN2_HTTP
Policy:
Block
Service Type:
HTTP
Direction:
ALL
Source:
VLAN2_Network
Destination:
VLAN2_Router
Effective Time:
Any
States:
New, Established, Invalid, Related

 

It should also be mentioned that I already have a regulation that prevents Default and VLAN2 from communicating in any way. This also works with the individual devices. Unfortunately, I can still access 192.168.2.1 from the default network, although I cannot otherwise communicate between the networks. The same applies the other way round. I can access the GUI from VLAN2 via 192.168.0.1 but cannot reach any other devices on the other network. This looks like a bug to me. I couldn't find a solution on the internet and some have faced the problem. I hope someone can help me

  0      
  0      
#1
Options
2 Accepted Solutions
Re:Problems with ACLs-Solution
2023-05-15 06:07:17 - last edited 2023-05-16 06:30:41

Hello @A_O,

 

If you want to prevent devices on other VLANs from accessing the GUI of the router, you need to set two Gateway ACL Rules as follows:

The first rule:

1. Policy as Allow

2. Services Type as DNS

3. Source as IPGROUP_ANY

4. Destination as IPGROUP_ANY

 

The second rule:

1. Policy as Deny

2. Services Type as All

3. Source as other VLANs

4. Destination as ME (Standalone Mode)/ Gateway Management Page (Controller Mode)

 

These steps above are just for your reference.

 

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
Recommended Solution
  1  
  1  
#2
Options
Re:Problems with ACLs-Solution
2023-06-04 10:38:34 - last edited 2023-06-05 02:21:12

  @Hank21 

 

I have given the DNS servers to VLAN10. This way I don't have to adjust the clients individually. Now I have managed to lock out VLAN10 from all other VLANs and only allow Internet access. That was the goal. Thank you!

 

 

By way of explanation. 

1. for DNS requests to work at all
2. so that the router is not accessible (GUI)
3. so that other devices in other VLANs cannot be reached.

Recommended Solution
  0  
  0  
#10
Options
9 Reply
Re:Problems with ACLs-Solution
2023-05-15 06:07:17 - last edited 2023-05-16 06:30:41

Hello @A_O,

 

If you want to prevent devices on other VLANs from accessing the GUI of the router, you need to set two Gateway ACL Rules as follows:

The first rule:

1. Policy as Allow

2. Services Type as DNS

3. Source as IPGROUP_ANY

4. Destination as IPGROUP_ANY

 

The second rule:

1. Policy as Deny

2. Services Type as All

3. Source as other VLANs

4. Destination as ME (Standalone Mode)/ Gateway Management Page (Controller Mode)

 

These steps above are just for your reference.

 

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
Recommended Solution
  1  
  1  
#2
Options
Re:Problems with ACLs
2023-05-16 20:54:59
Thank you!, it worked for me. What exactly is meant by "Me" as destination?
  0  
  0  
#3
Options
Re:Problems with ACLs
2023-05-17 02:30:44

Hi  @A_O,

 

From my knowledge, it is just a different name in Standalone mode ("Me") and Controller mode (" Gateway Management Page ").

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
  0  
#4
Options
Re:Problems with ACLs
2023-05-17 08:57:48
Thank you @Hank21 for the answers. I now have the problem that when I block the GUI, everything else is blocked too. I can no longer call up youtube, for example, in the VLAN. How do I get around this, only the GUI should be blocked by the router?
  0  
  0  
#5
Options
Re:Problems with ACLs
2023-05-18 02:28:41

Hi @A_O,

 

Do you mean the devices in the other VLANs can not access the Internet now?

Can you do some Ping tests? Ping the router's LAN IP address and Ping 8.8.8.8, please share the result with us.

Please also share the screenshots of your ACL settings.

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
  0  
#6
Options
Re:Problems with ACLs
2023-05-21 18:38:05

  @Hank21 

 

i can ping 8.8.8.8 but cant access as example Youtube.

 

 

 

 

  0  
  0  
#7
Options
Re:Problems with ACLs
2023-05-29 18:51:15

  @Hank21 

 

Reminder :)

  0  
  0  
#8
Options
Re:Problems with ACLs
2023-05-31 02:19:19

Hi @A_O,

 

Sorry for the late answer.

Please change the Direction to LAN-WAN, not ALL.

You may also try to set the DNS manually on the client device which is in the VLAN_10, like change to 8.8.8.8/8.8.4.4.

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
  1  
  1  
#9
Options
Re:Problems with ACLs-Solution
2023-06-04 10:38:34 - last edited 2023-06-05 02:21:12

  @Hank21 

 

I have given the DNS servers to VLAN10. This way I don't have to adjust the clients individually. Now I have managed to lock out VLAN10 from all other VLANs and only allow Internet access. That was the goal. Thank you!

 

 

By way of explanation. 

1. for DNS requests to work at all
2. so that the router is not accessible (GUI)
3. so that other devices in other VLANs cannot be reached.

Recommended Solution
  0  
  0  
#10
Options