Access VLAN to VLAN

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-09-21 08:36:31
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version: 1.2.3
I use an ER7206 v1.0 in standalone mode. Firmware version: 1.2.3
I need to reach 2 other VLANs from one device (G_VM1).
I can reach the G_AdminLan and I can't reach the G_OfficeLan.

1. Rule in AC: (It works)
Policy: Allow
Service Type: ALL
Direction: ALL
Source: G_VM1 (This is a virtual pc)
Destination: G_AdminLan
Effective time: Any
States: (all states are selected)

2. Rule in AC: (This doesn't work)
Policy: Allow
Service type: ALL
Direction: ALL
Source: G_VM1
Destination: G_OfficeLan
Effective time: Any
States: (All states are selected)

My last rule in Access Control:
Policy: Block
Service type: ALL
Direction: ALL
Source: IPGROUP_LAN
Destination: IPGROUP_LAN
Effect time: ANY
States: (all states are selected)

What do I need to do differently to reach G_OfficeLan?

Regards

Sura

#1
Re:Access VLAN to VLAN
2023-09-22 05:53:56

Hello @Surabt,

 

Different VLAN interfaces can communicate with each other by default. If you want G_VM1 to have unidirectional access to other VLANs, it is suggested to set 2 Block rules in the ACL.

Just like the FAQ mentioned, you may refer to this article.

Best Regards!
#2
Re:Access VLAN to VLAN
2023-09-27 06:57:19

  Hello @Hank21 !

 

Thank you for your reply!

Below the link is a setting where one VLAN is disabled and the others are enabled.

I currently have 7 VLANs (a small community building with several smaller organizations), and sometimes this number changes. Usually everyone just wants to access the Internet, but sometimes it is necessary for someone to access another VLAN.

According to the solution below the link, I should write 6 prohibiting rules, which will make the ACL opaque.

 

Maybe my brain works the other way around, but I learned a long time ago that any "gateway" is safe if only what is explicitly allowed can pass through, and everything else is prohibited.

I gave the rules in this order:

1. G_VM1 -> G_AdminLan : Allow

2. G_VM1 -> G_OfficeLan : Allow

3. IPGROUP_ALL -> IPGROUP_ALL : Block

 

The problem is that 1. G_VM1 -> G_AdminLan works, but 2. G_VM1 -> G_OfficeLan does not work.

 

All you need to know is that the VLAN ID of G_AdminLan=1.

 

I would like to ask for help with this.

 

Regards, Sura

#3
Re:Access VLAN to VLAN
2023-09-27 09:59:52

  @Surabt 

3 1 2, have you tried this order?

ScReW yOu gUyS. I aM GOinG hoMe. —————————————————————— For heaven's sake, can you write and describe your issue based on plain fact, common logic and a methodologic approach? Appreciate it.
#4
Re:Access VLAN to VLAN
2023-09-27 12:24:51

  @Tedd404 

 

I think that the 3rd rule applies to traffic between all VLANs, so if I put it in the 1st place, it does not check the rules that follow it.

I think the order 3 1 2 has the same result as if there were only rule number 3.

Maybe the ER7206 works differently?

It's a production system, so I can't try your tip.

 

#5
Re:Access VLAN to VLAN
2023-09-28 02:11:51

  @Surabt 

I tried what you said on one of my devices in standalone mode. You're on standalone.

I copied your settings and I don't replicate your issue. It works as expected. I suggest you upgrade your firmware to the 1.3.0 official.

https://community.tp-link.com/en/business/forum/topic/604258

#6
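The rule-order question from posts #3 to #5, worked through as an added example (not part of the original thread and not TP-Link code). It assumes the ACL is evaluated top-down with first match winning, as post #5 supposes, and that matching is stateless on source and destination only; the subnets assigned to the group names are constructed, since the thread gives none.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan: the thread names the groups but not their subnets.
GROUPS = {
    "G_VM1": ["192.168.30.10/32"],
    "G_AdminLan": ["192.168.1.0/24"],
    "G_OfficeLan": ["192.168.20.0/24"],
    "IPGROUP_LAN": ["192.168.0.0/16"],
}

def nets(group):
    return [ip_network(n) for n in GROUPS[group]]

def in_group(addr, group):
    return any(ip_address(addr) in n for n in nets(group))

def covers(outer, inner):
    """True if every network in `inner` lies inside some network of `outer`."""
    return all(any(i.subnet_of(o) for o in nets(outer)) for i in nets(inner))

def first_match(rules, src, dst, default="Allow"):
    """Return (rule number, policy) of the first rule matching a new flow."""
    for idx, (policy, s, d) in enumerate(rules, 1):
        if in_group(src, s) and in_group(dst, d):
            return idx, policy
    # No rule matched: inter-VLAN traffic is allowed by default (post #2).
    return None, default

def shadowed(rules):
    """Numbers of rules that can never fire because an earlier rule covers them."""
    out = []
    for i, (_, s, d) in enumerate(rules):
        if any(covers(ps, s) and covers(pd, d) for _, ps, pd in rules[:i]):
            out.append(i + 1)
    return out

ALLOW_ADMIN = ("Allow", "G_VM1", "G_AdminLan")
ALLOW_OFFICE = ("Allow", "G_VM1", "G_OfficeLan")
BLOCK_LAN = ("Block", "IPGROUP_LAN", "IPGROUP_LAN")

ORDER_123 = [ALLOW_ADMIN, ALLOW_OFFICE, BLOCK_LAN]   # order used in post #3
ORDER_312 = [BLOCK_LAN, ALLOW_ADMIN, ALLOW_OFFICE]   # order suggested in post #4

if __name__ == "__main__":
    vm1, office = "192.168.30.10", "192.168.20.5"
    for name, rules in (("1 2 3", ORDER_123), ("3 1 2", ORDER_312)):
        print(name, first_match(rules, vm1, office), "shadowed:", shadowed(rules))
```

Under these assumptions the 1 2 3 order allows G_VM1 to G_OfficeLan, so a failure with that order points at group membership or the device rather than the rule sequence.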