limit specific IP to access to internal server

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
12

limit specific IP to access to internal server

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
18 Reply
Re:limit specific IP to access to internal server
2024-05-23 09:36:22

  @Clive_A 

 

the source IP can i put in the range as 203.xx.xx.144 - 230.xx.xx.144 rather than 203.xx.xx.144/30?

  0  
  0  
#13
Options
Re:limit specific IP to access to internal server
2024-05-23 09:38:26

Clive_A wrote

Hi @locn 

Thanks for posting in our business forum.

locn wrote

Clive_A wrote

Hi @locn 

Thanks for posting in our business forum.

locn wrote

Clive_A wrote

Hi @locn 

Thanks for posting in our business forum.

locn wrote

thanks. the description is confusing. none the less I think i've set it up as per the instructions but i can still access the server behind the firewall from a different IP. i'm using SFTP to backup some websites onto a nas so port 22 is open and i've restricted it to the website IP but i can still SFTP into the nas from the different external IP.

Be sure you reply to my post instead of replying to yourself. I may miss your post if you did not mention me.

 

So you are certain that every single step be followed as the guide writes? The block SRC is any IP address? And the direction is correct as the guide?

Behind the firewall from a different IP? Do you mean a different router with a different public IP address?

  @Clive_A 

 

no i'm not behind the firewall. i'm logging in from a different public IP to test and it's allowing me to connect using SFTP

What about the service you created and the DST IP group?

  @Clive_A 

 

service is SFTP    TCP    Source Port = 22-22; Destination Port = 22-22

DST IP group is local ip address of NAS 192.168.13.0/24

Should be /32

And the IP should be 192.168.13.X/32.

  @Clive_A 

 

i changed the ip to 192.168.13.0/32 but didn't make any difference. I can still SFTP into it from a different external IP.

  0  
  0  
#14
Options
Re:limit specific IP to access to internal server
2024-05-24 01:53:26

Hi @locn 

Thanks for posting in our business forum.

locn wrote

Clive_A wrote

Hi @locn 

Thanks for posting in our business forum.

locn wrote

Clive_A wrote

Hi @locn 

Thanks for posting in our business forum.

locn wrote

Clive_A wrote

Hi @locn 

Thanks for posting in our business forum.

locn wrote

thanks. the description is confusing. none the less I think i've set it up as per the instructions but i can still access the server behind the firewall from a different IP. i'm using SFTP to backup some websites onto a nas so port 22 is open and i've restricted it to the website IP but i can still SFTP into the nas from the different external IP.

Be sure you reply to my post instead of replying to yourself. I may miss your post if you did not mention me.

 

So you are certain that every single step be followed as the guide writes? The block SRC is any IP address? And the direction is correct as the guide?

Behind the firewall from a different IP? Do you mean a different router with a different public IP address?

  @Clive_A 

 

no i'm not behind the firewall. i'm logging in from a different public IP to test and it's allowing me to connect using SFTP

What about the service you created and the DST IP group?

  @Clive_A 

 

service is SFTP    TCP    Source Port = 22-22; Destination Port = 22-22

DST IP group is local ip address of NAS 192.168.13.0/24

Should be /32

And the IP should be 192.168.13.X/32.

  @Clive_A 

 

i changed the ip to 192.168.13.0/32 but didn't make any difference. I can still SFTP into it from a different external IP.

No.

X stands for the number of your device, its IP. If you are not familiar with the CIDR configuration, please kindly Google this part.

If it is a range of IP addresses, you should use the IP range instead of CIDR.

 

BTW, your firmware is not up-to-date. You should update its firmware at least.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#15
Options
Re:limit specific IP to access to internal server
2024-05-24 02:03:06

Clive_A wrote

Hi @locn 

Thanks for posting in our business forum.

locn wrote

Clive_A wrote

Hi @locn 

Thanks for posting in our business forum.

locn wrote

Clive_A wrote

Hi @locn 

Thanks for posting in our business forum.

locn wrote

Clive_A wrote

Hi @locn 

Thanks for posting in our business forum.

locn wrote

thanks. the description is confusing. none the less I think i've set it up as per the instructions but i can still access the server behind the firewall from a different IP. i'm using SFTP to backup some websites onto a nas so port 22 is open and i've restricted it to the website IP but i can still SFTP into the nas from the different external IP.

Be sure you reply to my post instead of replying to yourself. I may miss your post if you did not mention me.

 

So you are certain that every single step be followed as the guide writes? The block SRC is any IP address? And the direction is correct as the guide?

Behind the firewall from a different IP? Do you mean a different router with a different public IP address?

  @Clive_A 

 

no i'm not behind the firewall. i'm logging in from a different public IP to test and it's allowing me to connect using SFTP

What about the service you created and the DST IP group?

  @Clive_A 

 

service is SFTP    TCP    Source Port = 22-22; Destination Port = 22-22

DST IP group is local ip address of NAS 192.168.13.0/24

Should be /32

And the IP should be 192.168.13.X/32.

  @Clive_A 

 

i changed the ip to 192.168.13.0/32 but didn't make any difference. I can still SFTP into it from a different external IP.

No.

X stands for the number of your device, its IP. If you are not familiar with the CIDR configuration, please kindly Google this part.

If it is a range of IP addresses, you should use the IP range instead of CIDR.

 

BTW, your firmware is not up-to-date. You should update its firmware at least.

  @Clive_A 

 

that is the latest firmware from my country.

 

https://www.tp-link.com/au/support/download/er706w-4g/#Firmware

  0  
  0  
#16
Options
Re:limit specific IP to access to internal server
2024-05-24 02:21:23

  @Clive_A 

 

I appreciate your time trying to help :-)

 

i figured i would start again from scratch to rule out any issues.

 

Service - SFTP port 22 - 22

IP Address - SFTP_Server    IP Address/Mask    192.168.13.251/32    192.168.13.251/32

IP Group - Website_Allow    SFTP_Server

 

then in Firewall

1    Allow    Block    SFTP    [WAN2] IN    IPGROUP_ANY    Website_Allow    Any

 

this techinically should block all incoming sftp / ssh?

 

but i can still log into SFTP into the server.

 

Oh i haven't been able to reboot the router yet. Will this make any difference?

  0  
  0  
#17
Options
Re:limit specific IP to access to internal server
2024-05-24 02:46:26

Hi @locn 

Thanks for posting in our business forum.

locn wrote

  @Clive_A 

 

I appreciate your time trying to help :-)

 

i figured i would start again from scratch to rule out any issues.

 

Service - SFTP port 22 - 22

IP Address - SFTP_Server    IP Address/Mask    192.168.13.251/32    192.168.13.251/32

IP Group - Website_Allow    SFTP_Server

 

then in Firewall

1    Allow    Block    SFTP    [WAN2] IN    IPGROUP_ANY    Website_Allow    Any

 

this techinically should block all incoming sftp / ssh?

 

but i can still log into SFTP into the server.

 

Oh i haven't been able to reboot the router yet. Will this make any difference?

The latest firmware can be found on my signature. For your wireless products, make sure you check the country code before the upgrade.

 

Shouldn't it be the Block - WAN IN - ANY IP? Then allow a certain IP address to access?

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  1  
  1  
#18
Options
Re:limit specific IP to access to internal server
2024-05-24 07:05:39

  @Clive_A 
 

The latest firmware can be found on my signature. For your wireless products, make sure you check the country code before the upgrade.

 

Shouldn't it be the Block - WAN IN - ANY IP? Then allow a certain IP address to access?

Ok thanks i will try to upgrade to the newer Stable release tonight once everyone is gone. I can see there are a lot of upgrades in the newer beta but since it's in production i'll wait until it's stable.

 

as for the block i'm trying to open the port then via objects block everything.

 

Sorry for the confusion but the Allow at the front is just the Name. the settings are from Block onwards.

 

So essentiall the firewall settings are:

 

Block    SFTP    [WAN2] IN    IPGROUP_ANY    Website_Allow    Any

 

This in theory should block everything to this service on port 22?

 

But i can still manually SFTP in.

  0  
  0  
#19
Options
Re:limit specific IP to access to internal server
2024-05-24 09:27:20

Hi @locn 

Thanks for posting in our business forum.

locn wrote

  @Clive_A 
 

The latest firmware can be found on my signature. For your wireless products, make sure you check the country code before the upgrade.

 

Shouldn't it be the Block - WAN IN - ANY IP? Then allow a certain IP address to access?

Ok thanks i will try to upgrade to the newer Stable release tonight once everyone is gone. I can see there are a lot of upgrades in the newer beta but since it's in production i'll wait until it's stable.

 

as for the block i'm trying to open the port then via objects block everything.

 

Sorry for the confusion but the Allow at the front is just the Name. the settings are from Block onwards.

 

So essentiall the firewall settings are:

 

Block    SFTP    [WAN2] IN    IPGROUP_ANY    Website_Allow    Any

 

This in theory should block everything to this service on port 22?

 

But i can still manually SFTP in.

You might compile everything in the same reply instead of separating them in the replies. I so far got information one piece at a time.

If you have followed the guide strictly, it should work.

Please get a reply with two rules listed for me, IP Group, and the Service you created. And what's the allowed IP address?

Your test IP address and screenshots that you are logged in. 

 

Please mosaic your sensitive information. Here is a list of information considered sensitive:

1. Public IP address on your WAN if your WAN is.

2. Real MAC address of your device.

3. Your personal information including address, domain name, and credentials.

For troubleshooting purposes, when a WAN IP is needed, please leave some values visible for identification.

 

You did not pay attention to the firmware release post which has official firmware releases as well. Might take a look at the global website where you have newer firmware. This is the latest one.

https://www.tp-link.com/en/support/download/er706w-4g/#Firmware

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#20
Options