T2600G-28TS Time Range and ACL
T2600G-28TS Time Range and ACL
Hello all,
I have defined a Time Range in order to inhibit WWW access deep in the night for my kids. System time ist set using ntp with local time zone, time range follows local time.
An ACL with DENY_ALL on all protocols and bound to specific ports works as desired (blocks always).
Now adding the TimeRange to the ACL does not trigger ACL, it seems to be always active. I tested this with my desired time range outside its "active" duty range (the time range is shown properly as "inactive" on the time range definition pane). A cross check with a second "active" time range (replaced in the ACL in question) did not change the behaviour. The ACL acts as if no time range was inserted, i.e. it blocks all the time.
What do I get wrong here?
-Michael
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
R1D2 wrote
The switch seems to add a default Deny rule at the end of the ACL ruleset much like Cisco switches do. @Mitya, can you confirm this?
Yes, in new firmware design it works as white-list as cisco-style, so it has "deny all" by default in the end (unlike old design, where blacklist and "permit all" by default is).
Because of deny all by default, your ACL will block everything anyway and you need to create rule "permit all" with Time-Range binding. I totally agree with R1D2. (or reverse way, which is also described)
The logic in tplink is a bit weird, but yes, it will work, like this.
- Copy Link
- Report Inappropriate Content
Why you do not configure web filter or ACL in your router?
Certainly, you can upload the screenshots about your ACL rules, maybe we can find the reason.
- Copy Link
- Report Inappropriate Content
Also check your system time, if NTP works properly, so switch knows, when it needs to block.
- Copy Link
- Report Inappropriate Content
Hi Mike63,
I would be interested to see a screenshot of your ACL time-range settings, too. I couldn't find those settings in the latest SW emulator for T2600G-28TS. Maybe I overlooked it, but would be interested to learn whether those options have been added in latest firmware for this switch model. Thanks!
- Copy Link
- Report Inappropriate Content
OK, Screenshots
Time Ranges under System-> Time Range (note Status "Inactive" out of defined time span, becomes "active" if within.
This specific time rage is defined as follows:
and used in the ACL under "Rime Range"
see drop-down (time range)
This ACL, if bound to a port, blocks even if the time range in question is inactive.
- Copy Link
- Report Inappropriate Content
This is how it works for me on a T1500G-10PS, which also runs the new firmware:
Time range (your settings leave one hour for your kids to surf at the weekend's Geisterstunde, intentional?):
ACL needs two rules:
First rule to deny access during sleeptime:
Second rule to permit access by default:
The switch seems to add a default Deny rule at the end of the ACL ruleset much like Cisco switches do. @Mitya, can you confirm this?
However, I would reverse the logic to allow for a more readable continguous time range:
– First rule bound to time period (say, Daytime) allows use of the port or VLAN.
– Second rule always denies use of the port or VLAN. Not necessarily needed b/c of the default Deny rule, but IMHO it's good style to explicitly state what you want for better readability and for documentation.
Thus, this should work, too:
ACL rule 1 is bound to the time range, rule 999 is the catch all:
- Copy Link
- Report Inappropriate Content
R1D2 wrote
The switch seems to add a default Deny rule at the end of the ACL ruleset much like Cisco switches do. @Mitya, can you confirm this?
Yes, in new firmware design it works as white-list as cisco-style, so it has "deny all" by default in the end (unlike old design, where blacklist and "permit all" by default is).
Because of deny all by default, your ACL will block everything anyway and you need to create rule "permit all" with Time-Range binding. I totally agree with R1D2. (or reverse way, which is also described)
The logic in tplink is a bit weird, but yes, it will work, like this.
- Copy Link
- Report Inappropriate Content
Thank you @Mitya!
This is much like a default policy in firewalls except that it is hardwired.
I like the new firmware more and more for the new functions such as time range, albeit IMO the new web UI is a big step back regarding useability, which is the reason I didn't update the firmware on my own switches so far.
- Copy Link
- Report Inappropriate Content
If I coverd your discussion correctly so far, then what happens is this
- as long as ACLs are just defined, not bound, nothing happens (expected)
- if I bind an ACL to any port, then implicitly and hidden, a DENY_ALL rule will be added to the beginning of the ACL queue by firmware/default/TP-Link
- therefore, to counter this, I have to define a corresponding explicit ALLOW_ALL rule at the begining of the visible queue (takes second place after the hidden one)
- followed by a time range controlled DENY_ALL to fulfil my initial wish
Correct so far? And why should this be a good practise firmware-wise?
I correct my assumptions: because of the whitelisting-approach, a time ranged PERMIT_ALL in the allowed time frame would be sufficient.
- Copy Link
- Report Inappropriate Content
@R1D2 Yes, "Geisterstunde" at weekends is intentional. Kids like to play over midnight...
- Copy Link
- Report Inappropriate Content
@TPTHZ I want to block Kids only at given "sleeping times", not the whole traffic. Therefore, I am bound to the ports where the Kids hardware ist attached...
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 3954
Replies: 12
Voters 0
No one has voted for it yet.