Remote monitoring of router connectivity
Remote monitoring of router connectivity
I'd like to monitor my router connectivity so I get alerted if the home internet connection goes down/offline for some reason. Have an ER605, 2 switches and 3 EAPs. All fully adopted and maanged by a locally installed OC200.
Ideally would like to use something like UptimeRobot
I want to only enable certain public IP addresses to Ping my WAN IP and get a response, anything else should get get dropped (as though pings are ignored).
However, even when I disable the "block Ping from WAN" and add a couple of Gateway ACL entries to only permit certain hosts for UptimeRobot for ICMP and then a following rule to Deny all others, I seem to receive Pings from other addresses as well (testing via the Central Ops website)
Any suggestions from anybody who has got this to work?
So we're clear, I want to achieve:
1. A perfect stealth report from the ShieldsUP test at www.grc.com
2. Allow PINGS to come from specified IP addresses only.
Has anybody been able to make this work running their ER605 under an Omada controller (rather than amending firewall settings on an unadopted unit via it's local web GUI)?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Thanks for posting in our business forum.
TakeshiKovacs wrote
Thanks, please let me know what their feedback is and whether a ticket can be logged for this.
OK.
Two rules, the same as before. But the destination is slightly different.
#1 Deny, WAN IN, SRC ANY IP, DST GW management page.
#2 Allow, WAN IN, SRC desired one, DST GW management page.
- Copy Link
- Report Inappropriate Content
@Clive_A
So the good news is using the Gateway Management as the DST works. The way to do it is as follows:
First comes the PERMIT rule which is the highly selective one based on source of the monitoring websites I'm enabling.
Then comes the DENY which then blocks anything that the preceding rule didn't match with/allow.
This then works as expected. I now have my connection externally monitored and pings from random other addresses are ignored so for example I still get a perfect result from the ShieldsUP tests at GRC dot com.
Highly recommend you update your customer knowledgebase articles to document this properly.
- Copy Link
- Report Inappropriate Content
Thanks for posting in our business forum.
1. Has been possible for many versions ago.
2. How did you set up your ACL?
It should be WAN IN ACL and block ANY IP and allow your desired ip/32.
Note that you have to be specific about the desired IP address. It should be a static IP preferably.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
I currently have the following:
Network Security -> Attack Defense -> Packet Anomaly Defense
Block PING from WAN is unchecked (as my understanding is that it would take precedence over the Gateway ACL).
Then in Gateway ACL, I have the following as the first rule:
Status: Enable
Direction: [WAN] IN, [WAN/LAN1] IN
Policy: Permit
Protocols: ICMP
Source Type: IP Group
IP Group "UptimeRobot"
-> PERMIT
IP Group
IPGatewayGrp
IPGroup_Any
Advanced Settings -> States -> Auto
IP Group UptimeRobot currently looks like this:
Which is based on their list of monitoring locations.
Then immediately after this rule I have another Gateway ACL rule set for Deny on ICMP from any source to the same destination group as above.
Am I missing something?
- Copy Link
- Report Inappropriate Content
Thanks for posting in our business forum.
TakeshiKovacs wrote
I currently have the following:
Network Security -> Attack Defense -> Packet Anomaly Defense
Block PING from WAN is unchecked (as my understanding is that it would take precedence over the Gateway ACL).
Then in Gateway ACL, I have the following as the first rule:
Status: Enable
Direction: [WAN] IN, [WAN/LAN1] IN
Policy: Permit
Protocols: ICMP
Source Type: IP Group
IP Group "UptimeRobot"
-> PERMIT
IP Group
IPGatewayGrp
IPGroup_Any
Advanced Settings -> States -> Auto
IP Group UptimeRobot currently looks like this:
Which is based on their list of monitoring locations.
Then immediately after this rule I have another Gateway ACL rule set for Deny on ICMP from any source to the same destination group as above.
Am I missing something?
Block ALL first, allow comes in second.
It should work with two rules created like the above.
How to limit specific IP to access to internal server by TP-LINK SMB router?
- Copy Link
- Report Inappropriate Content
I tried it with the Block ALL first and then the allow second. Didn't make any difference, I can still ping the unit from any public IP address.
Suggested next steps?? Is there anyway to configure additional logging for when a Gateway ACL rule is matched? Perhaps with remote syslog in place?
Also, why should the Block ALL come first? The documentation accessible in the controller states:
The system filters traffic against the rules in the list sequentially. The first match determines whether the packet is accepted or dropped, and other rules are not checked after the first match.
So if I read that correctly, a PING from a non authorised address shouldn't match the PERMIT rule, in which case why does that have to come after the DENY ?? Surely in that case the inbound PING would match the DENY rule, get dropped and then no further rules evaluated??
- Copy Link
- Report Inappropriate Content
Thanks for posting in our business forum.
TakeshiKovacs wrote
I tried it with the Block ALL first and then the allow second. Didn't make any difference, I can still ping the unit from any public IP address.
Suggested next steps??
So, the idea is to deny any IP to ping you and allow a specific CIDR or IP to ping you.
The DST in the permit is supposed your router WAN IP. Have you tried this?
1. SRC ANY DST ANY
2. SRC IP/CIDR DST GW IP
- Copy Link
- Report Inappropriate Content
@Clive_A Sorry, not getting you.
Would you be kind enough to show an example in terms of the rule that you're suggesting and how it would look on the Omada Gateway ACL page?
- Copy Link
- Report Inappropriate Content
Thanks for posting in our business forum.
TakeshiKovacs wrote
@Clive_A Sorry, not getting you.
Would you be kind enough to show an example in terms of the rule that you're suggesting and how it would look on the Omada Gateway ACL page?
Something like this.
https://community.tp-link.com/en/business/forum/topic/669908?replyId=1368088
- Copy Link
- Report Inappropriate Content
@Clive_A So to check if the Deny works first, I set up the following rule.
Using that other post as a guide.
First I'm testing the ability to block. With that rule at the top of the list, it should ignore/block any inbound PINGs, right?
It doesn't work.
So what are the next steps for trouble shooting this?
- Copy Link
- Report Inappropriate Content
Thanks for posting in our business forum.
TakeshiKovacs wrote
@Clive_A So to check if the Deny works first, I set up the following rule.
Using that other post as a guide.
First I'm testing the ability to block. With that rule at the top of the list, it should ignore/block any inbound PINGs, right?
It doesn't work.
So what are the next steps for trouble shooting this?
This way is supposed to work commonly like SSH, TCP or UDP access.
But it does not work for the ICMP as of now. Indeed.
I need to consult this with the test team and see if we can work around this.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 866
Replies: 14
Voters 0
No one has voted for it yet.