ACL's what an I doing wrong
So, I wanted to create a simple rule to block outgoing port 53 dns traffic from my network.
1. I created a group for DNS requests
2. I then created a Gateway ACL rule to deny access LAN->WAN for all appart from my management network to port 53
So, in my head this would just prevent clients on all networks making external requests to port 53, i.e. Still allow internal DNS requests and all other traffic..
How wrong I was...
This killed my entire network.., every client was basicall disconnected from all network access, even machines on the same subnet could not ping each other via IP.
Fortunatly because I did not apply this rule to my management network I was able to still get to the controller and remove the rule to restore access.
So, can anyone please tell me what I did wrong, and why the entire network went down because of this one rule ?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
@Tescophil There is definitely some weirdness with the ACL functions from my tests as well. In your case, you might try only blocking TCP and UDP instead of all protocols. I know some protocols don't use ports (IE: ICMP) and I wonder if that might be causing you issues.
With that said, I don't see a reason why you shouldn't have been able to ping on the same VLAN. I haven't had a chance to test this too much, but it's almost like Omada is considering any routing (IE: VLAN to VLAN) a WAN action. I have cases where when access certain web services on my local LAN (IE: a Caddy Server), it is reported to the service as the WAN Gateway IP address trying to access the service. This makes no sense to me. Not sure if you are seeing something similar, but definitely something weird going on.
- Copy Link
- Report Inappropriate Content
Hi @Tescophil
Could you test that the protocols only include TCP/UDP? Here is a relevant setting from other users: https://community.tp-link.com/en/business/forum/topic/669608
You can test and share the results with us.
- Copy Link
- Report Inappropriate Content
Hello,
Did you have switch acl menu? Try to create on switch instead.
* The protocol option should be tested with only UDP first, then TCP/UDP.
Cheer :)
Zool
- Copy Link
- Report Inappropriate Content
Tried this on my guest network, just TCP and UDP protocols, exactly the same result, total network shutdown. As soon as I enabled the rule, my phone (which was connected to the guest network) said the current WiFi connection has no internet access.
Even after deleting the rule it didn't come back, had to reboot the router.
@zool_ I dont want to create a switch ACL because this rule is a LAN->WAN rule (i.e. gateway), I'm trying to block external DNS requests, not any internal traffic.
- Copy Link
- Report Inappropriate Content
@Tescophil I am betting it wasn't actually the same issue. I bet you bloked all DNS only, which would make your phone think there was no internet.
I am fairly confident that for some unknown reason, the Omada system is considering VLAN routing as WAN. I am pretty sure I am having some of the same issues on my system, and this would explain it.
It would be nice if we could get an official statement on this.
- Copy Link
- Report Inappropriate Content
Hi @Tescophil
May I suggest you check whether the DNS address is an internal address of your network? Are you still able to PING 8.8.8.8?
According to our experience, some of the devices will use built-in tools to test internet connectivity, which can often provide inaccurate results. And due to internal DNS not resolving external addresses, it may be perceived as no Internet connectivity.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 543
Replies: 6
Voters 0
No one has voted for it yet.