ER605 HW V1 + FW 1.3 + Software Controller 5.9.31 - Gateway LAN->WAN ACL with Internal IP issue
I have setup a number of VLANs and used ACL DENY rules to block traffic between them.
I want to open a path from one VLAN to a specific IP+PORT on another VLAN.
Based on my testing ACL on Gateway for LAN->WAN cannot be used to manage traffic to an internal (i.e., non WAN) IP.
Is this the expected behaviour?
Under the previous firmware I could make this work when I wasn't using a controller.
Thank you for reaching out and sharing your experience with VLANs and ACL DENY rules. It seems like you have encountered a specific challenge regarding traffic management between VLANs and an internal IP address.
Based on your description, it appears that you have been unable to achieve the desired outcome using the ACL on the Gateway for LAN->WAN configuration. This behavior might differ from your previous experience when you were not using a controller.
To provide you with accurate assistance, could you please provide us with additional details such as the specific equipment or software you are using? This will help us better understand the context and provide you with a more tailored solution.
In the meantime, it is worth mentioning that ACLs are typically used to control traffic flow between different networks, including electric VLANs. However, if you are encountering limitations when trying to manage traffic to an internal IP within a VLAN, it is essential to review your current setup and configuration.
Hello,
I believe all the relevant equipment is in the description. I think the key problem is that you cannot use LAN->WAN ACL rules to influence traffic. I tried removing all ACL rules and created two new IP GROUPS
ipClients = 192.168.108.1/24
ipServers = 192.168.107.1/24
When I create a LAN->WAN ACL rule that denies ipClients -> ipServers I can still access all servers, on all ports, from all clients.
It feels like there needs to be the option to use IP groups and IP port groups in the LAN->LAN ACL rules.
Or am I missing something?
That's correct, we need to use IP groups and IP port groups in the LAN->LAN ACL rules. LAN->WAN is for LAN to WAN ACL.
I hope this is a bug and that it will be fixed soon.
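As an added illustration (my own constructed model, not Omada controller or ER605 firmware code), the Python below shows why a LAN->WAN rule never matches traffic between two VLANs and how the LAN->LAN direction with an IP-group permit placed ahead of a deny would express the poster's goal; the host 192.168.107.10 and port 443 are assumed values, as is the first-match evaluation order.

```python
# Constructed model of how a gateway ACL picks rules by traffic direction.
# Subnets and group names mirror the thread; rule semantics are an assumption.
from ipaddress import ip_address, ip_network

# Assumption: these are the two VLAN subnets behind the gateway.
LAN_NETWORKS = [ip_network("192.168.107.0/24"), ip_network("192.168.108.0/24")]
IP_GROUPS = {
    "ipClients": [ip_network("192.168.108.0/24")],
    "ipServers": [ip_network("192.168.107.0/24")],
    "srvWeb": [ip_network("192.168.107.10/32")],  # constructed single-host group
}

def is_lan(ip):
    return any(ip_address(ip) in net for net in LAN_NETWORKS)

def direction(src, dst):
    """Classify a flow the way a gateway ACL does: LAN->LAN, LAN->WAN or WAN->LAN."""
    s, d = is_lan(src), is_lan(dst)
    if s and d:
        return "LAN->LAN"
    if s:
        return "LAN->WAN"
    if d:
        return "WAN->LAN"
    return "WAN->WAN"

def in_group(ip, name):
    return any(ip_address(ip) in net for net in IP_GROUPS[name])

def evaluate(rules, src, dst, port):
    """First-match evaluation; a rule is consulted only if its direction equals the flow's.
    Rule tuple: (direction, action, src_group, dst_group, port or None). Default: permit."""
    flow = direction(src, dst)
    for rule_dir, action, sg, dg, rule_port in rules:
        if rule_dir != flow:
            continue  # a LAN->WAN deny is skipped entirely for VLAN-to-VLAN traffic
        if in_group(src, sg) and in_group(dst, dg) and rule_port in (None, port):
            return action
    return "permit"

# The poster's attempt: a LAN->WAN deny from ipClients to ipServers.
WAN_RULE = [("LAN->WAN", "deny", "ipClients", "ipServers", None)]
# The intended shape: LAN->LAN rules, one port on one server permitted before the deny.
LAN_RULES = [
    ("LAN->LAN", "permit", "ipClients", "srvWeb", 443),
    ("LAN->LAN", "deny", "ipClients", "ipServers", None),
]
```

Running `evaluate(WAN_RULE, "192.168.108.5", "192.168.107.10", 22)` returns `permit`, reproducing the poster's observation, while `LAN_RULES` permits only 192.168.107.10:443 and denies everything else from the client VLAN.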