Blocking/Allowing public access to server via IP Groups

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2022-11-20 16:01:10 - last edited 2022-11-20 23:39:02
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version: 1.2.1

I'm struggling to do something on an ER7206 (fw 1.2.1) via a self-hosted Omada controller (v5.6.3) that I've done easily on Unifi setups in the past.

I have a couple of services on different servers at arbitrary ports (ServerA at 5001 & ServerB at 443).

What I want to do is open these ports to the corresponding servers, and then create rules that only allow certain IPs access while blocking all others.

In Unifi, it basically goes:

- Open port to server
- Create IP/Port Groups for the server and allowed IPs
- Create an allow rule referencing the allowed IPs Group
- Create a drop rule for all IPs

The allow rule takes precedence, allowing any IP in the IP group access, while the internet at large gets dropped.

I can't seem to figure out how to do this under the Omada controller. After poking around and tons of googling, I assume that function is the "Gateway ACL", but no matter what rules I put in there, I can't seem to block access to the server.

I can see that I can add multiple allowed IPs directly to the port forward rule under (Setting -> Transmission -> NAT -> Port Forwarding), but as I have multiple services to manage, I'd like to use an IP group that I can reuse and apply to multiple rules, saving me from entering the same IPs over and over to each port forward rule.

Has anyone done this?

#1
3 Replies
Re: Blocking/Allowing public access to server via IP Groups - Solution
2022-11-20 18:03:24 - last edited 2022-11-20 23:39:12

@user0142587

About the same as Unifi, but you have to upgrade the router to 1.2.3.

Recommended Solution
#2
Re: Blocking/Allowing public access to server via IP Groups
2022-11-20 22:19:43

@shberge

Thanks for replying. That's what I thought I've done, but I can access the server from any internet IP no matter what. I also JUST upgraded to 1.2.3 about 30 minutes ago and so far no change.

The port forward: (screenshot not included)

The port/IP group for the server: (screenshot not included)

The allowed IPs group: (screenshot not included)

The permit rule: (screenshot not included)

The deny rule: (screenshot not included)

Rule order: (screenshot not included)

Am I missing something obvious?

Note: I found info online where someone said in Omada the "source" and "destination" are reversed, so I tried swapping the groups but it didn't affect anything.

#3
Re: Blocking/Allowing public access to server via IP Groups - Solution
2022-11-20 23:38:55 - last edited 2022-11-20 23:39:02

@shberge

Update: I just noticed that with firmware 1.2.3, there is a new "Direction" option available in the Gateway ACLs, and by switching that to "WAN IN", the rules now work as expected.

Recommended Solution
#4
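Added illustration, not part of the thread and not TP-Link or Ubiquiti code: a small Python model of the ordered, first-match ACL pattern the original post describes (reusable IP/port groups, a permit rule for the allow-list above a deny rule for everyone else) with the "Direction" field from the accepted solution. The rule fields, the direction labels ("WAN IN", "LAN -> WAN"), the sample addresses (RFC 5737 and RFC 1918 ranges) and the assumption that unmatched traffic falls through to an implicit permit are all constructed for the model; they show why the same two rules block nothing when they are attached to the wrong direction, and why putting the deny above the permit shadows the allow-list.

```python
"""Ordered, first-match gateway ACL model with reusable IP/port groups.

Added illustration of the permit-then-deny pattern from the thread, written
from scratch; it is not Omada or Unifi code. The rule fields (direction,
source/destination group, port set, action), the direction labels and the
default-permit for traffic that matches no rule are assumptions of this
model, not documented gateway behaviour.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = frozenset()  # an empty group matches anything


@dataclass(frozen=True)
class Packet:
    direction: str  # "WAN IN" or "LAN -> WAN" (assumed labels)
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    action: str            # "permit" or "deny"
    src_group: frozenset   # CIDR strings, reusable across rules
    dst_group: frozenset   # CIDR strings
    dports: frozenset      # destination ports


# Constructed sample groups (documentation / private ranges, not real hosts).
ALLOWED_IPS = frozenset({"203.0.113.0/24", "198.51.100.7/32"})
SERVERS = frozenset({"192.168.10.11/32", "192.168.10.12/32"})  # ServerA, ServerB
SERVICE_PORTS = frozenset({5001, 443})


def in_group(addr: str, group: frozenset) -> bool:
    """True if addr falls in any CIDR of the group (empty group = any)."""
    return not group or any(ip_address(addr) in ip_network(c) for c in group)


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule only applies to traffic in its own direction."""
    return (rule.direction == pkt.direction
            and in_group(pkt.src, rule.src_group)
            and in_group(pkt.dst, rule.dst_group)
            and (not rule.dports or pkt.dport in rule.dports))


def evaluate(rules, pkt: Packet, default: str = "permit"):
    """Walk the list top-down; the first matching rule decides.

    `default` models the implicit policy for unmatched traffic (assumed
    permit, consistent with the forwarded port staying reachable in the
    thread while the rules were not matching)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, "no-match"


def build_rules(direction: str, deny_first: bool = False):
    """The two-rule pattern from the post: allow-list above a catch-all deny."""
    permit = Rule("permit-allowed-ips", direction, "permit",
                  ALLOWED_IPS, SERVERS, SERVICE_PORTS)
    deny = Rule("deny-everyone-else", direction, "deny",
                ANY, SERVERS, SERVICE_PORTS)
    return [deny, permit] if deny_first else [permit, deny]


def decide(rules, src: str, dst: str, dport: int, direction: str = "WAN IN") -> str:
    return evaluate(rules, Packet(direction, src, dst, dport))[0]


if __name__ == "__main__":
    good = build_rules("WAN IN")
    print(decide(good, "203.0.113.5", "192.168.10.11", 5001))    # permit
    print(decide(good, "192.0.2.9", "192.168.10.11", 5001))      # deny
    # Same two rules on the wrong direction: inbound traffic matches
    # nothing, the implicit default applies and the service stays exposed.
    wrong = build_rules("LAN -> WAN")
    print(decide(wrong, "192.0.2.9", "192.168.10.12", 443))      # permit
    # Deny placed above permit: the allow-list is shadowed.
    shadowed = build_rules("WAN IN", deny_first=True)
    print(decide(shadowed, "203.0.113.5", "192.168.10.12", 443))  # deny
```

The model is first-match, which is the ordering semantics the original post relies on ("the allow rule takes precedence"); if a gateway instead evaluated deny rules before permits, or used last-match, the same rule list would behave differently, so checking the documented evaluation order is the first thing to do when a rule set like this appears to do nothing.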