Access Control List - Can't select direction LAN->WAN/LAN1
Hello!
I have a router with a backup link on the second WAN (namely WAN/LAN1). In the Access Control List I want to block all traffic to the second WAN except for one PC.
In the Direction field it only allows selecting LAN->WAN, but not LAN->WAN/LAN1 (the second WAN port).
How can I achieve this?
Thank you!
Hi @Andres123
Thanks for posting in our business forum.
Direction means the outbound traffic flow from LAN to WAN. It does not mean a specific port. After you pick this, you select the WAN port in the settings below.
Hi @Andres123
What's your goal? The sole goal is to force all traffic from the other computers to flow through WAN1, and just a single one uses WAN2. Do you need load balancing to function, and do you need link backup for all the other computers?
I can point out another way: just use Policy Routing. Route all traffic from the other computers to WAN1, and a single IP for this PC to WAN2.
No load balance is available for all of them. That'll be Priority or Only mode.
Priority for the single PC, which allows it to enjoy the backup link on WAN1.
Only mode for all other computers. Never switch to the WAN2.
Does this fit your expectation?
@Clive_A Thanks for taking the time to reply!
I need to use WAN2 only when WAN1 fails, and only packets from device x.x.x.x on outgoing ports x and y will pass through WAN2.
With a proper Access Control List it would be very simple, but it seems that it can't be done with this TP-Link router.
Using Policy Routing I can force all devices except x.x.x.x to go through WAN1, although it's a pain to maintain a list of devices and add them manually to the routing table; still, this solves the first part of the problem.
Part 2 of the problem, how do I block all ports except for 2 (x and y) that go through WAN2?
The WAN2 connection is VERY expensive and it's for critical communications.
Thanks a lot for your help!
Hi @Andres123
What you can route is layer 3. Routing happens at layer 3 alone. So, we cannot route the ports.
This is more like an ACL. But can you take a look at the Policy Routing? It should be the one you asked for.
If you just wanna force ports x and y to flow through WAN2, then your mode has to be Only. This PC will only allow ports x and y to flow through WAN2. Other devices don't take up WAN2.
If you just need it to enjoy the backup link and still force x and y to be accessible on WAN2: if this is port forwarding, you don't create a port forward rule on WAN1. Then it's not open. Problem solved.
@Clive_A Thanks!
I don't have it very clear: when WAN1 is down, all ports have to be blocked except for X and Y, which should go through WAN2. When WAN1 is up, no port is blocked and all packets flow through WAN1 (including ports X and Y).
Is this possible?
Thanks
Hi @Andres123
It's been several back and forth replies. This is making it too complicated.
I think I need to conclude what you request here:
1. You require failover on WAN1 and WAN2. WAN2 is up when WAN1 is down.
2. On WAN2, just one device x.x.x.x will have access to the public IPs, and ports x and y (the ports are destination ports, right? Not going to be port forwarding).
And several parts I gotta explain clearly:
You don't need to maintain a list of devices because you can set an IP group to include and exclude IP addresses.
You don't have to add them to the routing table. Unless you are doing something else.
Order:
Rule 1
WAN=WAN1
No failover.
Rule 2
WAN=WAN1
X & Y IP-Port Group is specified as the port X and Y only. The subnet can be optional or 1.0.0.0/1
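To make the failover-plus-restriction policy discussed in this thread concrete, here is an added Python model of ordered policy routing with an IP group, a destination-port group, Priority/Only modes and link state; it is not TP-Link code and not from any poster. The address 192.0.2.10 and ports 443/8443 are constructed placeholders for x.x.x.x and ports x and y.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    """One policy-routing rule; rules are evaluated in order and the first match wins."""
    name: str
    src_net: str                        # IP group, e.g. "192.0.2.0/24" or a single host /32
    dst_ports: Optional[set] = None     # destination port group; None means any port
    wan: str = "WAN1"                   # preferred WAN interface
    mode: str = "Only"                  # "Only": never leave this WAN; "Priority": fall back to backup
    backup: Optional[str] = None        # WAN used in Priority mode when the preferred WAN is down

    def matches(self, src: str, dport: int) -> bool:
        in_group = ip_address(src) in ip_network(self.src_net)
        return in_group and (self.dst_ports is None or dport in self.dst_ports)

def choose_wan(rules, link_up, src: str, dport: int) -> Optional[str]:
    """Return the WAN a flow egresses on, or None if no permitted path is up (flow dropped)."""
    for rule in rules:
        if not rule.matches(src, dport):
            continue
        if link_up.get(rule.wan, False):
            return rule.wan
        if rule.mode == "Priority" and rule.backup and link_up.get(rule.backup, False):
            return rule.backup
        return None          # Only mode (or backup also down): do not silently use another WAN
    return None              # no rule matched: default-deny keeps WAN2 from being used by accident

# Constructed policy mirroring the thread. 192.0.2.10 stands in for x.x.x.x and ports
# 443/8443 for x and y; they are placeholders, not values from the original post.
CRITICAL_PC = "192.0.2.10"
POLICY = [
    # Must come first: a later Only-mode rule would otherwise pin these ports to WAN1 forever.
    Rule("critical-ports", f"{CRITICAL_PC}/32", {443, 8443}, wan="WAN1", mode="Priority", backup="WAN2"),
    # Everyone else (including the critical PC's other ports) is WAN1-only, never failing over.
    Rule("everyone-else", "192.0.2.0/24", None, wan="WAN1", mode="Only"),
]

def wan2_users(rules, link_up, flows):
    """Audit helper: list the (src, dport) flows that would land on the expensive WAN2."""
    return [f for f in flows if choose_wan(rules, link_up, f[0], f[1]) == "WAN2"]
```

Running wan2_users over a set of observed flows with WAN1 marked down is a quick way to confirm that only the critical PC's two ports can ever reach the expensive link.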
@Clive_A Hi, thanks a lot!
I was happily going to do that until I realized I can't specify ports :(
Is there something else to do?
Thanks
Hi @Andres123
Thanks for posting in our business forum.
Are you able to use the software controller, which enables you to do what I do? As you can see, I can implement that in Controller mode.
Before you integrate this into the controller, make sure you back it up. Controller adoption will reset the device first.
Thanks for the warning. As far as I know the controller needs to run 24/7, so I will need to set up a new server to run the controller, right?
If that is the case I will have to do it, and it will take some time (I'm waiting for new racks to arrive); meanwhile, isn't there something else I could do?
Thanks a lot for your help!
Views: 1651
Replies: 16