Blocking/Allowing public access to server via IP Groups
I'm struggling to do something on an ER7206 (fw 1.2.1) via a self-hosted Omada controller (v5.6.3) that I've done easily on Unifi setups in the past.
I have a couple of services on different servers at arbitrary ports (ServerA at 5001 and ServerB at 443).
What I want to do is open these ports to the corresponding servers, and then create rules that only allow certain IPs access while blocking all others.
In Unifi, it basically goes:
- Open port to server
- Create IP/Port Groups for the server and allowed IPs
- Create an allow rule referencing the allowed IPs Group
- Create a drop rule for all IPs
The allow rule takes precedence, allowing any IP in the IP group access, while the internet at large gets dropped.
I can't seem to figure out how to do this under the Omada controller. After poking around and tons of googling, I assume that function is the "Gateway ACL", but no matter what rules I put in there, I can't seem to block access to the server.
I can see that I can add multiple allowed IPs directly to the port forward rule under (Setting -> Transmission -> NAT -> Port Forwarding), but as I have multiple services to manage, I'd like to use an IP group that I can reuse and apply to multiple rules, saving me from entering the same IPs over and over to each port forward rule.
Has anyone done this?
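The post describes a first-match policy (allow a reusable IP group, then drop everyone else) and the symptom that the drop rule never seems to take effect. The following is an added example, not code from the post, the Omada controller or TP-Link; it models the Unifi-style procedure above as a small first-match ACL evaluator in Python so the ordering requirement is explicit. The IP groups, the server addresses and the client addresses are constructed sample data (RFC 5737 documentation ranges), and the default of "allow" for a forwarded port that no rule matches is an assumption about how a forwarded port behaves without an ACL, not a documented property of the ER7206.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data (assumptions for illustration, RFC 5737 ranges, not the
# poster's real addresses). Groups are defined once and reused by several rules,
# which is what the question asks for.
IP_GROUPS: dict[str, list[str]] = {
    "servers": ["192.0.2.10/32", "192.0.2.11/32"],            # ServerA, ServerB
    "allowed_clients": ["203.0.113.0/24", "198.51.100.7/32"],  # permitted sources
}
SERVICE_PORTS = (5001, 443)  # ServerA:5001, ServerB:443 as in the post


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "drop"
    src_group: str | None              # None means any source
    dst_group: str | None              # None means any destination
    dst_ports: tuple[int, ...] | None  # None means any port


def in_group(addr: str, group: str | None) -> bool:
    """True if addr falls inside any CIDR of the named group (None matches everything)."""
    if group is None:
        return True
    ip = ip_address(addr)
    return any(ip in ip_network(cidr, strict=False) for cidr in IP_GROUPS[group])


def evaluate(rules: list[Rule], src: str, dst: str, dport: int, default: str = "allow") -> str:
    """First-match evaluation: the first rule whose (src, dst, port) matches decides.

    The default is "allow" to model a forwarded port reachable by everyone until a
    rule drops it (an assumption about the gateway, not a documented fact).
    """
    for rule in rules:
        if (in_group(src, rule.src_group)
                and in_group(dst, rule.dst_group)
                and (rule.dst_ports is None or dport in rule.dst_ports)):
            return rule.action
    return default


def _group_covers(outer: str | None, inner: str | None) -> bool:
    """Does every address of `inner` lie inside `outer`? (None is the universe.)"""
    if outer is None:
        return True
    if inner is None:
        return False
    outer_nets = [ip_network(c, strict=False) for c in IP_GROUPS[outer]]
    return all(any(ip_network(c, strict=False).subnet_of(o) for o in outer_nets)
               for c in IP_GROUPS[inner])


def shadowed_rules(rules: list[Rule]) -> list[int]:
    """Indices of rules that can never fire because an earlier rule already covers them."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            ports_covered = earlier.dst_ports is None or (
                later.dst_ports is not None
                and set(later.dst_ports) <= set(earlier.dst_ports))
            if (_group_covers(earlier.src_group, later.src_group)
                    and _group_covers(earlier.dst_group, later.dst_group)
                    and ports_covered):
                shadowed.append(j)
                break
    return shadowed


# Allow the reusable client group first, then drop everyone else.
GOOD_ORDER = [
    Rule("allow", "allowed_clients", "servers", SERVICE_PORTS),
    Rule("drop", None, "servers", SERVICE_PORTS),
]
# The same two rules with the drop first: the allow rule is unreachable.
BAD_ORDER = [GOOD_ORDER[1], GOOD_ORDER[0]]

if __name__ == "__main__":
    for name, rules in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(name,
              "| allowed client ->", evaluate(rules, "203.0.113.5", "192.0.2.10", 5001),
              "| other internet ->", evaluate(rules, "198.51.100.200", "192.0.2.10", 5001),
              "| shadowed rule indices:", shadowed_rules(rules))
```

Two things the model makes visible that a GUI does not: with first-match semantics the allow rule must sit above the catch-all drop, or it is shadowed and every source is dropped (including the allowed ones), and a rule set that only names the service ports leaves any other forwarded port at the default. On a real gateway, confirm which direction and interface the ACL is evaluated on (before or after the NAT translation) with a test from an address outside the allowed group; a rule that references the post-NAT private address will not match if the ACL is evaluated on the pre-NAT public address, and vice versa.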