Business Community > Routers > Can I DENY one VLAN to VLAN but also PERMIT to One IP/Port?
< Routers

Can I DENY one VLAN to VLAN but also PERMIT to One IP/Port?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Can I DENY one VLAN to VLAN but also PERMIT to One IP/Port?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Can I DENY one VLAN to VLAN but also PERMIT to One IP/Port?
Can I DENY one VLAN to VLAN but also PERMIT to One IP/Port?
2023-01-05 04:55:52
Tags: #VLAN & Multi-Networks #Gateway ACL
Model: ER7206 (TL-ER7206)  
Hardware Version:
Firmware Version:

I have a camera on a "CAM" Vlan (vlan 20) and my NAS on my "LAN" vlan (vlan 1)

 

I have a stateful DENY GATEWAY ACL blocking CAM talking to LAN

 

I am not trying to open up access to ONE port on ONE ip address in the LAN VLAN .... 

I tried creating a LAN-WAN ACL with a permit from LAN (Cam) to IP

 

 

I moved the permit rule above the deny rule but unfortunately the port access is still blocked. Is what I am trying to do possible?

 

 

  0      
 
  0      
 
#1
Options
5 Reply
Re:Can I DENY one VLAN to VLAN but also PERMIT to One IP/Port?
2023-01-06 05:54:52

  @Dropbear 

 

It can only be done by a switch ACL.

  2  
  2  
#2
Options
Re:Can I DENY one VLAN to VLAN but also PERMIT to One IP/Port?
2023-01-06 06:00:36
Do the deny and permit rules both need to be switch ACLs?
  0  
  0  
#3
Options
Re:Can I DENY one VLAN to VLAN but also PERMIT to One IP/Port?
2023-01-06 06:35:13 - last edited 2023-01-06 06:35:44

  @Dropbear 

 

Yes, add the Permit rule first, then the Deny rule. BTW you need an Omda switch to make the switch ACL work.

  0  
  0  
#4
Options
Re:Can I DENY one VLAN to VLAN but also PERMIT to One IP/Port?
2023-01-08 23:59:18

  @Somnus Im really confused now .... it appears that the GATEWAY ACLs are the only ACLs that support stateful rules..

 

I block CAM Vlan from talking to my LAN vlan... however my LAN vlan can talk to my CAM vlan and the CAM vlan can reply (as Im using a stateful ACL rule via GATEWAY ACLs).

 

So you're saying I need to give this up just to support my poking a new hole for a single instance where I need the CAM to be able to instigate a connection to a single port on a single IP on a LAN vlan?

 

 

  0  
  0  
#5
Options
Re:Can I DENY one VLAN to VLAN but also PERMIT to One IP/Port?
2023-01-09 04:10:15

  @Dropbear 

 

You are right.. I thought the switch also can do stateful ACL but when I check the controller page only the gateway can do that...

 

But on the switch, you can still do the ACL. So Permit rule first, to allow the specified device communicate with main LAN; Then Deny rule, to block all other traffic. See the example:

 

Here the "IP Group TEST" contains the specified device's IP(in your IOT network); "Network Guest" can be seen as your IOT network.

 

These rules mean the switch will allow "IP Group TEST" communicate with main LAN, however block other data traffic between these two network.

 

  0  
  0  
#6
Options

Information

Helpful: 0

Views: 810

Replies: 5

Tags

VLAN & Multi-Networks Gateway ACL
Related Articles
Assign "one" IP/VLAN to port on ER7206
1959 1
cant configure to permit vlan on tcp port 1514 for logging
376 0
Communicate only with one IP of a VLAN
71 0
Inter-VLAN Access
873 0
 ER605 - whitelist on one vlan and blacklist/no list on other vlan
740 0
 Access VLAN to VLAN
582 0
About Us
Press
Copyright © TP-Link Systems Inc. All rights reserved.