An alternative to Gateway Stateful ACL using Switch ACL

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

An alternative to Gateway Stateful ACL using Switch ACL

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
An alternative to Gateway Stateful ACL using Switch ACL
An alternative to Gateway Stateful ACL using Switch ACL
2024-02-22 00:44:35 - last edited 2024-04-02 07:06:04

Hey All,

The configuration below is to show an alternative to Stateful Gateway ACL that you can use in your Layer 3 Switching environment (i.e. using Switch for InterVLAN routing). 

 

Edit note: There are two versions of the configuration. If you have the VLANs defined specifically for Layer 3 Switching, use the Layer 3 Switching configuration, if you are using the traditional Gateway VLAN interface for VLANs, use the Gateway version. The logic is the same.

 

A brief background about Gateway ACL

Gateway ACL works by always allowing Source VLAN (i.e. Home) to trigger two-way communication to Destination VLAN (i.e. IoT).
That is well and great, however, IoT can NEVER initiate the communication, the trigger must always be "Home". So in certain use cases, for example, if an IoT device needs to use a PiHole Server that is in Home VLAN, it will not work because IoT devices can't iniatiate the communication.

 

An alternative is Switch ACL, however, it is not Stateful so many implementations use "bi-directional" but bi-directional opens up two-way communication which defeats the purpose of blocking in the first place.

 

I posted a "solution" to it a long time ago here, but it probably didn't show up in search, or if it did, the title isn't very clear.
That post also covered many other use-cases so for this post, I am just focusing on two uses cases; hopefully, it will make Switch ACLs more useful for many use-cases.

 

Set Up:
192.168.1.x - VLAN 1 - Admin/Management 
192.168.10.x - VLAN 10 - Home
192.168.20.x - VLAN 20 - Guest
192.168.30.x - VLAN 30 - Camera
192.168.90.x - VLAN 90 - IoT

 

For simplicity of this post, I am only covering use cases that affects Home and IoT. 

 

Assumption (Home and IoT VLANs):

  • All VLANs have Internet Access

 

Use Cases:

  1. Use Case 1
    Home VLAN can "ssh" to IoT VLAN but not the other way around.
  2. Use Case 2:
    IoT VLAN can "vnc" to Home VLAN but not the other way around
    IoT is denied access to all other VLANs

 

These 2 Use Cases will NOT be possible if Gateway ACL is used because Use Case 1, the Source is Home VLAN and on Use Case 2, the Source is the IoT VLAN.

 

Tip:

  • Replace "ssh", and/or "vnc" with any protocol(s) needed in your environment i.e. FTP(Port 21) DNS(Port 53); HTPPS(Port 443) or refer to this

 

General Notes:

  • Gateway ACL operates on the "Gateway" level and Switch ACL operates on the "Switch" level and EAP works on the EAP level. They work independent of each other.
  • ACL works to the closest device first i.e. if you have Gateway <> Switch <> AP <> Client connection, if you have a "Deny" on AP, then no permit on Switch or Gateway will override that AP ACL. Similarly, if you have a Permit at Switch, but the traffic has to go thru the Gateway and Gateway has Deny, then it will not work. Visualize each device as a checkpoint and how you have them interconnected in your network.
  • The ACLs work from top to bottom.
  • "Permit ALL" is the default Policy.
  • For Granular ACLs, think of it as Whitelisting

 

Set Up:

  • 192.168.1.x - VLAN 1 - Admin/Management 
  • 192.168.10.x - VLAN 10 - Home
  • 192.168.20.x - VLAN 20 - Guest
  • 192.168.30.x - VLAN 30 - Camera
  • 192.168.90.x - VLAN 90 - IoT

 

Layer 3 Switch Configuration (see below for Gateway version of the configuration, both versions use Switch ACL)

Switch ACLs:

  1. Permit Home devices to SSH to IoT devices
    Switch ACLs (Layer 3 Switching Version):
    Permit Home SSH to IoT
    Policy: Permit
    Protocols: TCP (or All)
    Source > IP Port Group > (Subnet 192.168.90.0/24, Port: 22)
    Destination > IP Group > (Subnet 192.168.10.0/24)
  2. Permit IoT devices to VNC to Home devices
    Permit IoT VNC to Home
    Policy: Permit
    Protocols: TCP (or All)
    Source > IP Group > (Subnet 192.168.90.0/24)
    Destination > IP Port Group > (Subnet 192.168.10.0/24, Ports: 5800, 5900)
  3. Deny IoT To All VLANs
    Deny IoT to All
    Policy: Deny
    Protocols: All
    Source > IP Group > (Subnet 192.168.90.0/24)
    Destination > IP Group > (Subnet 192.168.1.0/24)
    Destination > IP Group > (Subnet 192.168.10.0/24)
    Destination > IP Group > (Subnet 192.168.20.0/24)
    Destination > IP Group > (Subnet 192.168.30.0/24)

 

Gateway Version Configuration (see above for Layer 3 Switching version of the configuration, both versions use Switch ACL)

Switch ACLs:

  1. Permit Home devices to SSH to IoT devices
    Permit Home SSH to IoT
    Policy: Permit
    Protocols: TCP (or All)
    Source > IP Port Group > (Subnet 192.168.90.0/24, Port: 22)
    Destination > Network > Home

  2. Permit IoT devices to VNC to Home devices
    Permit IoT VNC to Home
    Policy: Permit
    Protocols: TCP (or All)
    Source > Network > IoT
    Destination > IP Port Group > (Subnet 192.168.10.0/24, Ports: 5800, 5900)

  3. Deny IoT To All VLANs
    Deny IoT to All
    Policy: Deny
    Protocols: All
    Source > Network > IoT
    Destination > Network > Admin
    Destination > Network > Home
    Destination > Network > Guest
    Destination > Network > Camera

 

If you would like to see this in action, I have a Layer 3 Switch video that covers this. You do not need to watch the whole thing, but this part is covered at this 24:16 time stamp. 

If you are not aware how to do Layer 3 Switching, you may refer to my old post here

If you are interested to see the whole Layer 3 Switch diagram as well as full ACL configuration, you can watch this video and refer to the diagram below:

  5      
  5      
#1
Options
6 Reply
Re:An alternative to Gateway Stateful ACL using Switch ACL
2024-02-22 02:50:55 - last edited 2024-02-26 01:11:28

Hi @Death_Metal 
Another great post! Awesome, man!

I have a question, is this going to be a great post in the switch section? I think it might be helpful to switch as well?

Can you copy this one and post it on the switch? I'll make it highlighted.
 

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  1  
  1  
#2
Options
Re:An alternative to Gateway Stateful ACL using Switch ACL
2024-02-24 14:50:35 - last edited 2024-02-26 01:11:28

  @Death_Metal 

Thanks Clive. I added a Gateway Version of the Configuration so that it will fit either section :)...but I agree, I think this should be in the Switch section. Is it possible you can move this thread to that section? If not, let me know and I will repost.

 

Thanks!

  0  
  0  
#3
Options
Re:An alternative to Gateway Stateful ACL using Switch ACL
2024-03-05 00:05:09 - last edited 2024-03-05 00:12:34

  @Death_Metal 

hey thanks for your work! I created an L3 switch configuration from this post:
This works 100%! The network traffic goes through the switch and only the internet goes through the gateway smiley heart

I have problems with the Switch-ACL:

Test-System:
ER605 v1 Gateway

SG2210P v5 Switch

Interface:
LAN (Default)
192.168.0.1/24
HOME
VLAN 100
SERVER
VLAN 200

Switch L3 Config:
HOME Vlan 100 = 192.168.100.1/24
SERVER VLAN 200 = 192.168.200.1/24

I have 2 clients:
Port 1 (Home) = Laptop with 192.168.100.100
Port 2 (Server) = RasperryPi with 192.168.200.100
I have 100% access to Pi via SSH and everything works!
now I want to access from home to server but server doesn't have access to home. This with your instructions here

I create your ACL rules with SSH:

Switch ACLs:

  1. Permit Home devices to SSH to Server devices
    Switch ACLs (Layer 3 Switching Version):
    Permit Home SSH to Server
    Policy: Permit
    Protocols: All
    Source > IP Port Group > (Subnet 192.168.100.0/24, Port: 22)
    Destination > IP Group > (Subnet 192.168.200.0/24)
  2. Deny Server To Home
    Policy: Deny
    Protocols: All
    Source > IP Group > (Subnet 192.168.200.0/24)
    Destination > IP Group > (Subnet 192.168.100.0/24)

 

Now with this rule, Home no longer has access to Server sad
In my example:

Port 1 (Home) = Laptop with 192.168.100.100
can no longer access
Port 2 (Server) = RasperryPi with 192.168.200.100
 

why doesn't this work for me?
I'll show you a few more pictures:

Interfaces:

 

L3 Switch config (example "Home", also Server only with 192.168.200.1):

 

ACL Rule:

HOME_SSH = IP-Port: 192.168.100.0/24 Port:22
HOME_ALL = IP: 192.168.100.0/24
SERVER_ALL = IP: 192.168.200.0/24

In my tests it's like this when the rule "Deny Server to ALL" is created then everything stops working.
Home can no longer reach Server and Server cannot reach Home. even if a rule is created with "Permit".
a "Deny" rule prevents all communication.. like "Bi-directional"
(Yes, i use Putty and the Pi SSH Port is default "22")


I hope you can help me, I'm desperate

  0  
  0  
#4
Options
Re:An alternative to Gateway Stateful ACL using Switch ACL
2024-03-05 03:33:03

EliteAustria wrote

  @Death_Metal 

hey thanks for your work! I created an L3 switch configuration from this post:
This works 100%! The network traffic goes through the switch and only the internet goes through the gateway smiley heart

I have problems with the Switch-ACL:

Test-System:
ER605 v1 Gateway

SG2210P v5 Switch

Interface:
LAN (Default)
192.168.0.1/24
HOME
VLAN 100
SERVER
VLAN 200

Switch L3 Config:
HOME Vlan 100 = 192.168.100.1/24
SERVER VLAN 200 = 192.168.200.1/24

I have 2 clients:
Port 1 (Home) = Laptop with 192.168.100.100
Port 2 (Server) = RasperryPi with 192.168.200.100
I have 100% access to Pi via SSH and everything works!
now I want to access from home to server but server doesn't have access to home. This with your instructions here

I create your ACL rules with SSH:

Switch ACLs:

  1. Permit Home devices to SSH to Server devices
    Switch ACLs (Layer 3 Switching Version):
    Permit Home SSH to Server
    Policy: Permit
    Protocols: All
    Source > IP Port Group > (Subnet 192.168.100.0/24, Port: 22)
    Destination > IP Group > (Subnet 192.168.200.0/24)
  2. Deny Server To Home
    Policy: Deny
    Protocols: All
    Source > IP Group > (Subnet 192.168.200.0/24)
    Destination > IP Group > (Subnet 192.168.100.0/24)

 

Now with this rule, Home no longer has access to Server sad
In my example:

Port 1 (Home) = Laptop with 192.168.100.100
can no longer access
Port 2 (Server) = RasperryPi with 192.168.200.100
 

why doesn't this work for me?
I'll show you a few more pictures:

Interfaces:

 

L3 Switch config (example "Home", also Server only with 192.168.200.1):

 

ACL Rule:

HOME_SSH = IP-Port: 192.168.100.0/24 Port:22
HOME_ALL = IP: 192.168.100.0/24
SERVER_ALL = IP: 192.168.200.0/24

In my tests it's like this when the rule "Deny Server to ALL" is created then everything stops working.
Home can no longer reach Server and Server cannot reach Home. even if a rule is created with "Permit".
a "Deny" rule prevents all communication.. like "Bi-directional"
(Yes, i use Putty and the Pi SSH Port is default "22")


I hope you can help me, I'm desperate

@EliteAustria

Glad to do a cross-match. Let's hear a different voice.

@Death_Metal 

To his issue, I concluded it is a stateful/stateless issue and explained it in a different post. What about your opinion on this?

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  1  
  1  
#5
Options
Re:An alternative to Gateway Stateful ACL using Switch ACL
2024-03-13 18:45:48 - last edited 2024-03-14 19:23:20

Hello   @Clive_A  and @EliteAustria

 

There are two ways to go about this. I agree with Clive that if you want a non-granular (IP  Port Group-based) ACL, then you have to use Gateway ACL.If you go the Gatewat ACL route, you can never have Granular (IP Port-Group-based) ACL meaning, your Source from one ACL Rule can NEVER be a Destination with another ACL Rule. You can request a feature to support IP Port Group for Gateway ACL if you need to.

 

The second way is, just go fuill Switch ACL and follow my posted guide. In your ACL, in your question why it works that way, it is because it's supposed to work that way. If you want Server to have "granular" access to home, I edited your posted ACLs, and inserted ACL Line 2 and edited ACL Line 3 (your old ACL 2) to demonstrate this. it will allow your Home to SSH to Server devices, BUT also allowing Server devices to FTP to Home devices (assuming there's an FTP server/service running in Home VLAN 100) . This can never be done with Gateway ACLs (maybe in the future it will).

 

Switch ACLs:

  1. Permit Home devices to SSH to Server devices
    Permit Home SSH to Server
    Policy: Permit
    Protocols: All
    Source > IP Port Group > (Subnet 192.168.100.0/24, Port: 22)
    Destination > IP Group > (Subnet 192.168.200.0/24)
  2. Permit Server devices to FTP to Home devices
    Permit Server FTP to Home
    Policy: Permit
    Protocols: All
    Source > IP Group > (Subnet 192.168.100.0/24)
    Destination > IP Port Group > (Subnet 192.168.200.0/24, Port: 21)
  3. Deny Home devices to access Server resources
    Deny Home to Server
    Policy: Deny
    Protocols: All
    Source > IP Group > (Subnet 192.168.100.0/24)
    Destination > IP Group > (Subnet 192.168.200.0/24)

 

Remember this tip, which I covered in my past ACL videos: Default is Permit All, You allow what you Deny, and Whitelisting (Deny some/Permit Some).

 

Look at all "Sources" in those 3 ACLs and you will see what is "common". ALL the Permit's Source is the Deny's Source aka Home (in my example IoT)! In your original ACL, you Denied "Server to Home" (VLAN 200) and then "Permitted Home to Server" (VL:AN 100) but there is no need to Permit Home because (remember the tip) the default is Permit All and the only Permit you need to do is IP Port Group (remember the tip Whitelisting). Because if you Permit everything anyway, there is no need for ACL (remember the tip: you allow what you Deny).

 

Now another tip using the ACLs above, I used SSH and FTP, but you can use any protocols, known or custom one. If you would like to "observe" the functionalities of the ACLs, change ACL #2 from Port 21/FTP to Port 22/ssh. For testing, always have ACL 3 as ON. Now play around with ACL 1 and 2, turning them On/Off, Off/On, On/On, Off/Off or however you want. Each time you turn On or Off an ACL, do an SSH From Home to Server, then from Server to Home. Observe how they work. Work slowly, and be patient because ACLs can sometimes take time. So start with just ACL 3 On, then wait a bit: ssh (on either). Then Turn On ACL x, then wait a bit: ssh (on either). Rinse/repeat. Hopefully this will get you more familiarized with how the ACLs are structured and how they work.

 

I hope I don't get you confused even more. I know this is a confusing subject, I have been covering Omada ACLs for 3-4 years now and I think some of my viewers did get it but for the most part, I still don't know how to properly explain it :) :) :). I came up with it because there was no Stateful ACL for the longest time and so many users complained they can't do stuff but I keep telling showing how to do stuff but I keep failing to explain properly haha :)

 

Check this video and maybe it can also shed some light. Sorry for late reply, and Good hunting!

  2  
  2  
#6
Options
Re:An alternative to Gateway Stateful ACL using Switch ACL
2024-05-01 18:41:59

Hi  @EliteAustria ,

 

I didn't track Clive's reply in another post and the OP's reply doesn't seem to conform to your use case (deny server to home)...

Here's how I look at it.

 

Your deny switch ACC for your use case is correct.

  1. ...
  2. Deny Server To Home
    Policy: Deny
    Protocols: All
    Source > IP Group > (Subnet 192.168.200.0/24)
    Destination > IP Group > (Subnet 192.168.100.0/24)

 

But because Switch ACLs are stateless, a better description of what's going on is that all traffic from Server to Home is blocked.

That includes traffic initiated from Server towards Home BUT ALSO reply traffic from Server to Home (in response to requests initiated from Home).

 

When you SSH from a client in Home to your RPi in Server, the requests go through (allowed by default) but the replies from the RPi are blocked.

Your first ACL is

  1. Permit Home devices to SSH to Server devices
    Switch ACLs (Layer 3 Switching Version):
    Permit Home SSH to Server
    Policy: Permit
    Protocols: All
    Source > IP Port Group > (Subnet 192.168.100.0/24, Port: 22)
    Destination > IP Group > (Subnet 192.168.200.0/24)

It's incorrect because your SSH server (listening on port 22 and replying through that connection) is in the 200 subnet.

The correct ACL is:

  1. Permit Home devices to SSH to Server devices (Reverse / Replies)
    Switch ACLs (Layer 3 Switching Version):
    Permit Home SSH to Server
    Policy: Permit
    Protocols: All
    Source > IP Port Group > (Subnet 192.168.200.0/24, Port: 22)
    Destination > IP Group > (Subnet 192.168.100.0/24)

In other words, you specifically allow reply traffic from allow all standard SSH servers/hosts in Server back to any clients in Home, which is otherwise blocked by ACL2.

I'll admit that the first time I saw such ACL, I thought it was a mistake... A server associated port in a source didn't make sense to me at first.

 

This said, if this are the only rules you have, you are better off with a simpler GW ACL (LAN->LAN Server to Home).

Such ACL is stateful and only blocks traffic initiated from Server to Home (doesn't affect replies).

One ACL and you're done.

 

HTH

  0  
  0  
#7
Options