Inter VLAN Routing and Gateway Management Page

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2024-04-29 13:55:48 - last edited 2024-04-30 11:44:20
Model: ER707-M2  
Hardware Version: V1
Firmware Version: 1.2.2

Trying to isolate each VLAN. I've created an ACL Rule which blocks the VLAN from accessing other VLANs. This seems to work. However, if I block a VLAN from accessing the Gateway Management Page it seems to cut those devices on the VLAN from accessing the internet. Although this has been inconsistent. For example, I've blocked a VLAN setup for VOIP from accessing other VLANs and also from the Gateway Management Page and it seems like calls still work. However, if I block the vlans which specific wifi devices are connected to from accessing the Gateway Management Page, then the internet doesn't work for those devices.

I understand when I block inter-VLAN traffic and the Gateway Management Page is on a different VLAN, the rule is redundant. If I want to block other devices on the same VLAN from accessing the Gateway Management Page, then the internet access ceases.

What then is the purpose of that rule? Isolated traffic from the internet altogether? An isolated intranet?

Or do I need to block inter vlan traffic and access to the gateway management page for extra security?

 

I would appreciate any insight on this. Thank you very much.

 

Setup OC200 Omada Controller is connected via the main LAN to the ER707-M2 V1

#1
7 Reply
Re:Inter VLAN Routing and Gateway Management Page
2024-04-30 01:45:38

Hi @FlameOtter 

Thanks for posting in our business forum.

FlameOtter wrote

Trying to isolate each VLAN. I've created an ACL Rule which blocks the VLAN from accessing other VLANs. This seems to work. However, if I block a VLAN from accessing the Gateway Management Page it seems to cut those devices on the VLAN from accessing the internet.

I don't think this is correct. I've tried and tested it many times it does not affect the Internet connectivity. You should check your ACL or other config. This feature definitely works.

Feel free to create a new VLAN and test this ACL only.

Best Regards!
#2
Re:Inter VLAN Routing and Gateway Management Page-Solution
2024-04-30 11:27:10 - last edited 2024-04-30 11:44:20

 Hello  @Clive_A 

It seems like I tested it out, and only if the deny access to gateway management page is with TCP protocol does it work.

If other protocols are used the internet access is disconnected.

Here is a thread where this person figured out a solution and may help others as well:

 

Management Page Block ACL blocks internet access

https://community.tp-link.com/en/business/forum/topic/642230

 

Thank you so much.

Recommended Solution
#3
Re:Inter VLAN Routing and Gateway Management Page
2024-05-08 01:24:41

Hi @FlameOtter 

Thanks for posting in our business forum.

FlameOtter wrote

 Hello  @Clive_A 

It seems like I tested it out, and only if the deny access to gateway management page is with TCP protocol does it work.

If other protocols are used the internet access is disconnected.

Here is a thread where this person figured out a solution and may help others as well:

 

Management Page Block ACL blocks internet access

https://community.tp-link.com/en/business/forum/topic/642230

 

Thank you so much.

I double-confirmed this with the test team that even if you select protocols = all, you will still have Internet access. It does not affect the Internet connection which also fits what I remembered about this ACL.

 

Are you able to confirm your statement? Certain about this result? On your model and firmware, can you reproduce it?

Would love to hear from you. If necessary, we might need a backup of your config.

Best Regards!
#4
Re:Inter VLAN Routing and Gateway Management Page
2024-05-08 01:39:50

  @Clive_A 

Did you check the post I linked to earlier? Why is there no response there if that solution is incorrect?

I just tested it again. If I turn on All protocols, the device cannot connect. If I select only TCP then the internet works.

I am using the er707-m2 hardware version 1 with firmware version 1.2.2

thank you for your assistance.

the vlan is connected to an access point which is connected to a poe switch that's connected with a trunk port to the er707-m2 router.

#5
Re:Inter VLAN Routing and Gateway Management Page
2024-05-08 01:46:50 - last edited 2024-05-08 01:48:19

Hi @FlameOtter 

Thanks for posting in our business forum.

FlameOtter wrote

  @Clive_A 

Did you check the post I linked to earlier? Why is there no response there if that solution is incorrect?

I just tested it again. If I turn on All protocols, the device cannot connect. If I select only TCP then the internet works.

I am using the er707-m2 hardware version 1 with firmware version 1.2.2

thank you for your assistance.

the vlan is connected to an access point which is connected to a poe switch that's connected with a trunk port to the er707-m2 router.

I know what you wrote. I just need to confirm this because what you said is not what we expect and intend for the Gateway Management Page ACL.

Since you can confirm this, I will take this case to the test team and see if we can get the same result as yours.

That latest controller? Windows or Omada Hardware controller? Do let me know this as we need to test this out.

Best Regards!
#6
Re:Inter VLAN Routing and Gateway Management Page
2024-05-08 14:24:38

  @Clive_A 

Thank you so much. This is using the Omada Controller OC200 with v5.13.30.20

#7
Re:Inter VLAN Routing and Gateway Management Page-Solution
2024-05-09 00:48:43 - last edited 2024-05-09 00:49:10

Hi @FlameOtter 

Thanks for posting in our business forum.

FlameOtter wrote

  @Clive_A 

Thank you so much. This is using the Omada Controller OC200 with v5.13.30.20

Confirmed with the dev that this was a bug and will be fixed in future firmware updates. I have notified them about this matter and its importance.

This was mainly because UDP was selected in the protocols which blocks the DNS query (UDP) and leads to the Internet not being accessible.

Best Regards!
Recommended Solution
#8
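An added example, not part of the thread and not TP-Link code: a check to run from a client inside the restricted VLAN after applying the Gateway Management Page ACL, to confirm the page is blocked while DNS over UDP to the gateway is still answered. It assumes the clients use the gateway as their DNS resolver and that the management page listens on TCP 80/443; the gateway address 192.168.10.1 is a constructed placeholder.

```python
import socket
import struct

def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A-record query (RFC 1035 wire format), recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def dns_udp_answered(server: str, name: str = "example.com",
                     port: int = 53, timeout: float = 2.0) -> bool:
    """True if `server` answers our query over UDP (the traffic the thread says was dropped)."""
    query = build_dns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, port))
            reply, _ = s.recvfrom(512)
        except OSError:  # timeout or ICMP unreachable: treat as no answer
            return False
    # A valid answer echoes the transaction id and has the QR (response) bit set.
    return len(reply) >= 12 and reply[:2] == query[:2] and bool(reply[2] & 0x80)

def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def verdict(mgmt_reachable: bool, dns_ok: bool) -> str:
    """Classify the two probe results against the intended ACL behaviour."""
    if mgmt_reachable:
        return "ACL not effective: management page still reachable"
    if not dns_ok:
        return "over-blocking: management page blocked, but DNS via the gateway is dropped too"
    return "ok: management page blocked, DNS via the gateway still answered"

def check(gateway: str, mgmt_ports=(80, 443)) -> str:
    """Probe the gateway's assumed management ports and its DNS service."""
    mgmt = any(tcp_open(gateway, p) for p in mgmt_ports)
    return verdict(mgmt, dns_udp_answered(gateway))

if __name__ == "__main__":
    print(check("192.168.10.1"))  # constructed gateway address; replace with your own
```

An "over-blocking" result matches the symptom reported in this thread when the rule is set to all protocols rather than TCP only.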