Home

Forums

Stories

Knowledge Base

Business Community > Routers > Problems with ACLs

< Routers

Problems with ACLs

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Problems with ACLs

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Problems with ACLs

A_O

2023-05-12 06:37:31 - last edited 2023-05-16 06:30:41

Posts: 6

Helpful: 0

Solutions: 1

Stories: 0

Registered: 2023-05-11

Problems with ACLs

2023-05-12 06:37:31 - last edited 2023-05-16 06:30:41

Tags: #Gateway ACL #VLAN & Multi-Networks

Model: ER605 (TL-R605)

Hardware Version: V2

Firmware Version: 2.1.2 Build 20230210 Rel.62992

Dear all,

I have been trying to set ACLs for a few days. At the beginning I succeeded well, but now I don't anymore.

I want VLAN2 not to be able to access the GUI of the router. For this I only need two ACLs that block http and https.

VLAN config:
Default: 192.168.0.0
VLAN2: 192.168.2.0

Router:
Default: 192.168.0.1
VLAN2: 192.168.2.1

IP Groups:

VLAN2_Router: 192.168.2.1 - 192.168.2.1
VLAN2_Network: 192.168.2.0/24

Services Type:

HTTPS: Source Port = 0-65535; Destination Port = 433-433
HTTP: Source Port = 0-65535; Destination Port = 80-80

ACLs:
Name:
VLAN2_HTTPS
Policy:
Block
Service Type:
HTTPS
Direction:
ALL
Source:
VLAN2_Network
Destination:
VLAN2_Router
Effective Time:
Any
States:
New, Established, Invalid, Related

Name:
VLAN2_HTTP
Policy:
Block
Service Type:
HTTP
Direction:
ALL
Source:
VLAN2_Network
Destination:
VLAN2_Router
Effective Time:
Any
States:
New, Established, Invalid, Related

It should also be mentioned that I already have a regulation that prevents Default and VLAN2 from communicating in any way. This also works with the individual devices. Unfortunately, I can still access 192.168.2.1 from the default network, although I cannot otherwise communicate between the networks. The same applies the other way round. I can access the GUI from VLAN2 via 192.168.0.1 but cannot reach any other devices on the other network. This looks like a bug to me. I couldn't find a solution on the internet and some have faced the problem. I hope someone can help me

2 Accepted Solutions

Hank21

2023-05-15 06:07:17 - last edited 2023-05-16 06:30:41

Posts: 3673

Helpful: 718

Solutions: 497

Stories: 8

Registered: 2021-12-13

Re:Problems with ACLs-Solution

2023-05-15 06:07:17 - last edited 2023-05-16 06:30:41

Hello @A_O,

If you want to prevent devices on other VLANs from accessing the GUI of the router, you need to set two Gateway ACL Rules as follows:

The first rule:

1. Policy as Allow

2. Services Type as DNS

3. Source as IPGROUP_ANY

4. Destination as IPGROUP_ANY

The second rule:

1. Policy as Deny

2. Services Type as All

3. Source as other VLANs

4. Destination as ME (Standalone Mode)/ Gateway Management Page (Controller Mode)

These steps above are just for your reference.

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*

Recommended Solution

A_O

LV1

2023-06-04 10:38:34 - last edited 2023-06-05 02:21:12

Posts: 6

Helpful: 0

Solutions: 1

Stories: 0

Registered: 2023-05-11

Re:Problems with ACLs-Solution

2023-06-04 10:38:34 - last edited 2023-06-05 02:21:12

@Hank21

I have given the DNS servers to VLAN10. This way I don't have to adjust the clients individually. Now I have managed to lock out VLAN10 from all other VLANs and only allow Internet access. That was the goal. Thank you!

By way of explanation.

1. for DNS requests to work at all
2. so that the router is not accessible (GUI)
3. so that other devices in other VLANs cannot be reached.

Recommended Solution

#10

9 Reply

Hank21

2023-05-15 06:07:17 - last edited 2023-05-16 06:30:41

Posts: 3673

Helpful: 718

Solutions: 497

Stories: 8

Registered: 2021-12-13

Re:Problems with ACLs-Solution

2023-05-15 06:07:17 - last edited 2023-05-16 06:30:41

Hello @A_O,

If you want to prevent devices on other VLANs from accessing the GUI of the router, you need to set two Gateway ACL Rules as follows:

The first rule:

1. Policy as Allow

2. Services Type as DNS

3. Source as IPGROUP_ANY

4. Destination as IPGROUP_ANY

The second rule:

1. Policy as Deny

2. Services Type as All

3. Source as other VLANs

4. Destination as ME (Standalone Mode)/ Gateway Management Page (Controller Mode)

These steps above are just for your reference.

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*

Recommended Solution

A_O

LV1

2023-05-16 20:54:59

Posts: 6

Helpful: 0

Solutions: 1

Stories: 0

Registered: 2023-05-11

Re:Problems with ACLs

2023-05-16 20:54:59

Thank you!, it worked for me. What exactly is meant by "Me" as destination?

Hank21

2023-05-17 02:30:44

Posts: 3673

Helpful: 718

Solutions: 497

Stories: 8

Registered: 2021-12-13

Re:Problems with ACLs

2023-05-17 02:30:44

Hi @A_O,

From my knowledge, it is just a different name in Standalone mode ("Me") and Controller mode (" Gateway Management Page ").

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*

A_O

LV1

2023-05-17 08:57:48

Posts: 6

Helpful: 0

Solutions: 1

Stories: 0

Registered: 2023-05-11

Re:Problems with ACLs

2023-05-17 08:57:48

Thank you @Hank21 for the answers. I now have the problem that when I block the GUI, everything else is blocked too. I can no longer call up youtube, for example, in the VLAN. How do I get around this, only the GUI should be blocked by the router?