ACL with Source IP and Port to Destination IP and Port between VLANs

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

ACL with Source IP and Port to Destination IP and Port between VLANs

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
ACL with Source IP and Port to Destination IP and Port between VLANs
ACL with Source IP and Port to Destination IP and Port between VLANs
2023-09-19 13:18:27 - last edited 2023-10-31 09:20:27
Tags: #ACL
Model: TL-SG3428MP  
Hardware Version: V4
Firmware Version: 4.0.8

Hi,

 

I am trying to limit the access to specific devices and ports from a specific vlan.

 

VLAN1 (all devices) ---- allow ----- > Port 80 on device A in VLAN2

 

So what I know from other Firewalls that I config the Policy by selecting:

  • Source IP / Subnet
  • Source Protocoll
  • Source Port
  • Destination IP / Subnet
  • Destination Protocoll
  • Destination Port

 

I tried to achive it in that way:

I created two IP-Port Groups

 

First IP-Port Group:

Ports 0-65535

Subnet 10.100.0.0/24

 

Second IP-Port Group:

Port 80

Subnet 10.200.0.1/32 (10.200.0.0/24 also tested)

 

and then an ACL by permitting TCP Protocoll from one IP-Port-Group to the other -> does not work.

A tcp network (vlan1) to network (vlan2) acl is working.

 

Do I misunterstood something?

 

Thank you

 

 

 

 

 

  0      
  0      
#1
Options
1 Accepted Solution
Re:ACL with Source IP and Port to Destination IP and Port between VLANs-Solution
2023-09-28 07:53:23 - last edited 2023-10-31 09:20:27

Hi @bsz 

Thanks for posting in our business forum.

Since I don't have this switch model, I used a TL-SG2210MP to replicate this issue.

This switch is not capable of creating that many entries, so I tried a different way to emulate what you reported.

 

 

 

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
Recommended Solution
  0  
  0  
#9
Options
9 Reply
Re:ACL with Source IP and Port to Destination IP and Port between VLANs
2023-09-20 08:35:47

  @bsz 

 

Did you put the permit rule in the first rule and put the deny-all rule in the last?

How do you test "an ACL by permitting TCP Protocoll from one IP-Port-Group to the other -> does not work"?

Try rebooting the switch to force assign the settings to it.

Just striving to develop myself while helping others.
  0  
  0  
#2
Options
Re:ACL with Source IP and Port to Destination IP and Port between VLANs
2023-09-20 10:25:28

  @Virgo 

Yes, it is the first rule.

It seems that it has no hit. When I put the permit LAN-to-LAN rule behind it, it starts working.

 

How do I know it is not working?

I am loosing access to the website the device is hosting. With the LAN-to-LAN rule I have access.

 

If my logic behind the IP-Port-Group Rule is right, could it be a bug?

An LAN-to-IP-Port-Group rule is also not working.

  0  
  0  
#3
Options
Re:ACL with Source IP and Port to Destination IP and Port between VLANs
2023-09-21 03:53:09

  @bsz 

 

Did you also set a gateway acl or EAP acl?

What is your network layout like? What are the specific ACL settings on the controller? Can you share a screenshot?

Just striving to develop myself while helping others.
  0  
  0  
#4
Options
Re:ACL with Source IP and Port to Destination IP and Port between VLANs
2023-09-21 09:27:15

@Virgo 

 

Overview 

Overview

 

Switch ACL

Switch ACL

 

EAP ACL

EAP ACL

 

Switch and EAP ACL 1

Switch ACL1EAP ACL 1

 

IP-Port Group

IP-Port-Group Webserver

10.20.25.0/24 is also not working

 

IP-Port-Group-LAN

 

As soon as I enable ACL 2 (Network: LAN to WA-IoT) it starts working.

 

 

  0  
  0  
#5
Options
Re:ACL with Source IP and Port to Destination IP and Port between VLANs
2023-09-27 04:49:43

Can someone see a mistake done by me or could it be related to a bug?

  0  
  0  
#6
Options
Re:ACL with Source IP and Port to Destination IP and Port between VLANs
2023-09-28 02:27:31

  @bsz 

 

Have you tested only set the switch ACL? Do not set the EAP ACL.

Just striving to develop myself while helping others.
  0  
  0  
#7
Options
Re:ACL with Source IP and Port to Destination IP and Port between VLANs
2023-09-28 05:33:53
yes, same result
  0  
  0  
#8
Options
Re:ACL with Source IP and Port to Destination IP and Port between VLANs-Solution
2023-09-28 07:53:23 - last edited 2023-10-31 09:20:27

Hi @bsz 

Thanks for posting in our business forum.

Since I don't have this switch model, I used a TL-SG2210MP to replicate this issue.

This switch is not capable of creating that many entries, so I tried a different way to emulate what you reported.

 

 

 

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
Recommended Solution
  0  
  0  
#9
Options
Re:ACL with Source IP and Port to Destination IP and Port between VLANs
2023-09-28 12:40:57

  @Clive_A 

Many thanks for your testing.

 

Network to IP-Port Group

and

IP Group to IP-Port Group 

 

seems to work for that example.

 

So it seems that IP-Port Group to IP-Port Group is not working which is not so tragic in that particular case but in general it should work.

 

 

 

  0  
  0  
#10
Options