ACL not working

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-03-29 08:17:04 - last edited 2023-03-29 08:19:32
Model: TL-SG2428P  
Hardware Version: V1
Firmware Version: 1.1.7 Build 20221130 Rel.42340

Well, I have some concern about making another post on this forum, because I'm totally discouraged from how Omada products are supported. In the past I have made several posts and after a horrible experience I decided to quit the community to save my mental health. My most famous post is this mDns Service and we are still waiting, but there are others where TP-Link didn't do anything.

I give it another chance, but...

My setup is: TL-R605 (router) / TL-SG2428P (Switch) / 5 EAPs / OC200

After having moved to pfSense with a wonderful experience I decided, for some unhappy reason, to try to go back to the horrible TL-R605, but anyway that is not the point of this post.

Today I tried a simple Switch ACL:

 

Scope: Have the TVCC NVR only accessible from selected devices.

Here is the testing setup:

- I have the TVCC NVR connected to a switch port in its own VLAN named TVCC. The NVR also has a fixed IP address.

- I have 2 computers both connected to their own VLAN named PC. Both computers have a fixed IP address.

- Wanted to have only computer 1 (PC1) have access and any other device have it.

 

What I have done in principle is:

Switch ACL in order:

1) IP-address_PC1 -> permit -> TVCC_IP-address

2) IPGroup_Any -> deny -> TVCC_IP-address

This blocks everything; when I disable rule 2) I have communication again but of course without blocking anything.

 

Then I tried all kinds of combinations replacing individual IP addresses with VLANs like:

1) IP-address_PC1 -> permit -> TVCC_Network

2) IPGroup_Any -> deny -> TVCC_IP-address

1) IP-address_PC1 -> permit -> TVCC_Network

2) IPGroup_Any -> deny -> TVCC_Network

1) PC-Network -> permit -> TVCC_Network          <- even if in this case I am allowing not just PC1 but all PCs, but ok, just for a try

2) IPGroup_Any -> deny -> TVCC_Network

I also tried all the combinations with MAC addresses; here below is just one as an example, as I don't want to get too long:

1) Mac_PC1 -> permit -> Mac_TVCC

2) IPGroup_Any -> deny -> TVCC_IP-address

Nothing!

I was thinking of a bug in the predefined IPGroup_Any, so I created a group called IP-ALL defined as 0.0.0.1/1 and replaced IPGroup_Any with it; the result in this case is that nothing is blocked by rule 2) IP-ALL -> deny -> TVCC-IP-address (or TVCC_Network).

 

So what to say? What a nightmare AGAIN and AGAIN....

Overall during this experience I noted UI bugs: after creating the rules and moving them up and down they were not moving accordingly, and if you press edit on a rule it opens another one, and the only fix is to reload the page.

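An added example, not from the thread or from TP-Link, that walks the poster's rule sets through a stateless, first-match ACL model with constructed sample addresses (the thread names the hosts but gives no IPs). It shows which rule each direction of the PC1/NVR traffic hits, and why a group defined as 0.0.0.1/1 (which normalises to 0.0.0.0/1, the 0-127.x.x.x half of the address space) can never match 192.168.x.x traffic; the implicit final "permit" is an assumption of the model.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses: the thread names the hosts but gives no IPs.
PC1 = ipaddress.ip_address("192.168.20.11")   # the one PC that should reach the NVR
PC2 = ipaddress.ip_address("192.168.20.12")   # a second PC in the PC VLAN
NVR = ipaddress.ip_address("192.168.30.5")    # the TVCC NVR

def to_nets(cidrs):
    # strict=False accepts a host-bits-set entry such as 0.0.0.1/1, as the UI did
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

# IP groups named as in the post; membership is the union of the listed prefixes.
GROUPS = {
    "IP-address_PC1": to_nets(["192.168.20.11/32"]),
    "TVCC_IP-address": to_nets(["192.168.30.5/32"]),
    "IPGroup_Any": to_nets(["0.0.0.0/0"]),
    "IP-ALL": to_nets(["0.0.0.1/1"]),   # normalises to 0.0.0.0/1: only 0-127.x.x.x
}

@dataclass(frozen=True)
class Rule:
    src: str     # source IP group name
    action: str  # "permit" or "deny"
    dst: str     # destination IP group name

def in_group(addr, group):
    return any(addr in net for net in GROUPS[group])

def evaluate(rules, src, dst, default="permit"):
    """Stateless first-match lookup for one packet: (action, matching rule number).

    Each direction is judged on its own, so the NVR's reply to PC1 is a separate
    packet that only hits rules written for NVR->PC. No match falls through to
    `default`, assumed here to be permit.
    """
    for number, rule in enumerate(rules, start=1):
        if in_group(src, rule.src) and in_group(dst, rule.dst):
            return rule.action, number
    return default, None

# The poster's first rule set, and the variant using the hand-made IP-ALL group.
RULES_ANY = [Rule("IP-address_PC1", "permit", "TVCC_IP-address"),
             Rule("IPGroup_Any", "deny", "TVCC_IP-address")]
RULES_IPALL = [Rule("IP-address_PC1", "permit", "TVCC_IP-address"),
               Rule("IP-ALL", "deny", "TVCC_IP-address")]

if __name__ == "__main__":
    flows = (("PC1->NVR", PC1, NVR), ("PC2->NVR", PC2, NVR), ("NVR->PC1", NVR, PC1))
    for name, rules in (("IPGroup_Any", RULES_ANY), ("IP-ALL", RULES_IPALL)):
        for label, s, d in flows:
            print(f"{name:12} {label}: {evaluate(rules, s, d)}")
```

In this model the first rule set permits PC1, denies PC2 and leaves the NVR's replies untouched, so an Omada switch that blocks everything with it is behaving differently from plain first-match semantics; the IP-ALL set, by contrast, blocks nothing simply because 192.168.x.x lies outside 0.0.0.0/1.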
Re:ACL not working
2023-03-30 07:32:27

Hello @Xstreem

Thanks for reporting this issue to the TP-Link community.

May I know the firmware version of your switch, router, and controller?

 

Xstreem wrote

Here is the testing setup:

- I have the TVCC NVR connected to a switch port in its own VLAN named TVCC. The NVR also has a fixed IP address.

- I have 2 computers both connected to their own VLAN named PC. Both computers have a fixed IP address.

- Wanted to have only computer 1 (PC1) have access and any other device have it.

Do you mean you want PC1 to be able to access the TV, but the TV cannot access PC1?

After you set the ACL, did you reboot the devices? Maybe it just needs some time to assign the setting files.

Could you please share some screenshots to show your ACL settings?

Best Regards!