Broken InterVlan ACLs
Broken InterVlan ACLs
After upgrade firmware from 1.1.1 to 1.2.0 couple of my ACL rules in firewall started to block more than they should.
I have VLANs for home devices (vlan 20), for smart devices (vlan 30) and for guests (vlan 40).
I'd like to isolate guests and smart devices from other networks and only allow them to access internet. To achive that I created two ACL rules:
1. Policy: Block. ServiceType: All. Direction: LAN->LAN. SourceNetwork: Guest. DestinationNetwork: !Guest. EffectiveTime: Any.
2. Policy: Block. ServiceType: All. Direction: LAN->LAN. SourceNetwork: Smart. DestinationNetwork: !Smart. EffectiveTime: Any.
It not only filters traffic between those nets, but also block DHCP server. Devices can't allocate dynamic IP on those networks anymore.
This was working totally fine on previous firmware version.
Does my setup looks correct?
Update. Just checked with firmware 1.1.1 - it works as expected.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Support confirmed a bug and promised to fix in next firmware version.
- Copy Link
- Report Inappropriate Content
Dear @VitaliyA,
VitaliyA wrote
After upgrade firmware from 1.1.1 to 1.2.0 couple of my ACL rules in firewall started to block more than they should.
I have VLANs for home devices (vlan 20), for smart devices (vlan 30) and for guests (vlan 40).
I'd like to isolate guests and smart devices from other networks and only allow them to access internet. To achive that I created two ACL rules:
1. Policy: Block. ServiceType: All. Direction: LAN->LAN. SourceNetwork: Guest. DestinationNetwork: !Guest. EffectiveTime: Any.
2. Policy: Block. ServiceType: All. Direction: LAN->LAN. SourceNetwork: Smart. DestinationNetwork: !Smart. EffectiveTime: Any.
It not only filters traffic between those nets, but also block DHCP server. Devices can't allocate dynamic IP on those networks anymore.
This was working totally fine on previous firmware version.
To figure out the issue, I'd like to escalate your case to the TP-Link support team for further troubleshooting.
They will reach you via your registered email address shortly, please pay attention to your email box later.
Once the issue is addressed or resolved, I'd encourage you to share it with the community.
Thank you so much for your cooperation and support!
- Copy Link
- Report Inappropriate Content
Support confirmed a bug and promised to fix in next firmware version.
- Copy Link
- Report Inappropriate Content
This was a horror.
Last week I read this right after upgrade one of my ER7206 and saw the same problem occurring.
I tried to fix by myself, and succeeded to make DHCP works again by allowing a new custom service type.
But now the gateway wasn't responding, so I realized it's not just a DHCP problem.
I don't know if it could be completely fixed by do some extra unnecessary trials, but... just rolled back.
Personally I really like TP-Link products and their constant improvements.
However almost every time a new ER7206/ER605 firmware released there seems some "just got broken" parts.
Bugs resurrect and functionalities stop, with newly implemented bugs.
IMO, a "released" firmware must not influence to any existing critical functionalities even if for entry level consumer routers.
But these "Business Routers" firmwares are always seems like sort of "Beta" state.
Of course, upgrading is just an option, and it's not always recommended to upgrade from a working firmware without any problem.
And I never want opinion like this makes the dev team to be conservative.
Just my little wish for more stable, less-fragile release.
- Copy Link
- Report Inappropriate Content
I have the exact same issue.Is there any ETA for the new firmware?
How did you downgrade to 1.1.1?
- Copy Link
- Report Inappropriate Content
@Pisatelj I just downloaded firmware with version 1.1.1 and updated in it in router.
- Copy Link
- Report Inappropriate Content
Thanks for the proposed solution however, for my case I cannot simply downgrade to 1.1.1 as there are features in 1.2.0 that I use.
Was there an ETA on this fix?
- Copy Link
- Report Inappropriate Content
@garbinc Unfortunately, they didn't give any ETA.
- Copy Link
- Report Inappropriate Content
garbinc wrote
Thanks for the proposed solution however, for my case I cannot simply downgrade to 1.1.1 as there are features in 1.2.0 that I use.
Was there an ETA on this fix?
Sorry for this inconvenience. Please refer to the link. It's been confirmed as a "glitch" due to the mechanism changed on 1.2.0.
If you need to use the ACL, please create again on the new firmware. Consider using "IP Groups" instead of "LAN"(Networks) at this time.
The ETA of the release is still unknown. But it's been reported to the R&D and it's under the development.
- Copy Link
- Report Inappropriate Content
If I could have found this thread 2 days ago...
I never intend to jump on updating new firmware immediately, always wait some time to see others' reaction.
It's been a while that v1.2.0 was released and I thought I was careful, unfortunately this forum doesn't offer direct list of feedback related to a new firmware. And just searching "v1.2.0 firmware issue" or similar, didn't take me this thread, for example, as it's title also doesn't say that.
And in this firmware's official thread I haven't found any sign about this very serious issue.
I recommend for the forum admins to rethink their policy. Right now on the latest firmware's announcement thread it's not open to discuss any feedback (I understand why it would cause a mess but should find out a way to show if there is some serious problems, if not immediately withdraw the file until it gets fixed, just like they correctly did with a previous release).
So, yesterday this nightmare happened, I spent 8 hours trying to solve this unexpected issue after upgrading from v1.1.1 to v1.2.0
The router is located in a remote place, 100 minutes by train from my home, so I couldn't just leave it broken there.
I have configured this R605 connected with two easy smart switches with separate vlans on each LAN ports to isolate any intervlan traffic. Posted my config in another thread.
I was happy with the features TP-Link adapted in the previous firmware. Then I thought the new one could fine tune the behavior of load balancing etc.
After doing the upgrade to v1.2.0, the router didn't respond to anything, I couldn't even be sure if it was still rebooting or what else (waited 10 minutes or so), as there is no clear visual signs with the 2 led lights on the device.
Please, developers, consider some solution for that, too. So, we could know when the router is rebooting, when it is freezing, when there is a system failure.
(After playing with the reset botton (short presses, long presses), in one situation it started to operate as an unmanaged switch, LOL, that's a feature!)
Disconnecting the power did not solve it.
After doing a Reset, it rebooted with the new firmware (in a few minutes) but when I tried to load the backed up configuration, it became non-working again. DHCP didn't work. And when I tried to connect my laptop with manually configured IP, the computer said it was connected but when I tried to load the router's config page, it seemed like loading it but the page stayed blank (adblockers are disabled for these pages on my browser), I tried with with different browsers.
Then I resetted it again and tried earlier backup config. Also downgraded to v1.1.1 and back and forth, many attemps. Each taking at least 5-10 minutes.
After many hours I still didn't give up and decided to reconfigure my setup on the resetted v1.2.0 because I thought what if the new firmware contains some new features that are not compatible with the previous backups.
It started to slow down after adding about 35 vlans. (but I think it had happened with v1.1.1, too) I needed almost 50 vlans. At the last ones it already took some seconds to save the new vlan. But this is not the end of the World, I could live with it.
However, when finished the vlans and decided to set the only ACL rule that I needed, it stopped working again.
Explanation: I have created a phantom vlan (vlan99), so I could just create a single ACL rule blocking traffic from every other vlan to every other vlan, this way: from !vlan99 to !vlan99. Instead of creating 2 times 50 rules.
So, here I can see the sad news that DHCP stops working after creating ACL rules in v1.2.0
Nice! You should have informed us on that release page, please!!!
At least, I could go back to v.1.1.1 with my saved config reloaded and it works as it did before. Just wasted a day and lost some hair.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Information
Helpful: 1
Views: 2650
Replies: 14