ER605 - Custom Port Access

2024-08-28 14:59:44
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.2.6 Build 20240718 Rel.82712

Hello,


Goal: I want to allow only specific host addresses to be able to access specific ports opened up by NAT. My device is in stand-alone mode, and I have some ports that are set up under NAT->Virtual Server.


Attempted: I've already done the following, but it doesn't appear to be working as of yet, so I might be missing something. My thought is that it works like a normal FW, where it's top-down processing, but maybe not in this case? To test this, I omitted an IP address that I am at within the subnets, so theoretically it should block me because my address was not part of the 'external_allowed' list. But I'm finding that if I omit the IP address from the group, it doesn't matter.


  • Set up Preferences->IP Group->IP address. Multiple subnets that I want to allow.
  • Set up Preferences->IP Group. Aggregated the above addresses into a group.
  • Firewall->Access Control. Set up a rule as follows.


This configuration blocks traffic regardless, so I'm not clear if this is processing in an order like a normal FW or if it is merging the table. The only way I can get this to work is by removing the ID 2 line, but then the 1st rule is irrelevant.


Am I missing something here?


Thanks.

Re:ER605 - Custom Port Access
2024-08-30 06:37:36

Hi @ocbroadband 

Thanks for posting in our business forum.

Virtual Services(Port Forwarding) on the Router Doesn't Take Effect


I tested a similar setup and the steps to achieve the goal are correct. The results on my end were successful.

Re:ER605 - Custom Port Access
2024-08-30 15:27:33 - last edited 2024-08-30 15:29:45

@Clive_A Any way you can give your scenario and some screenshots? Clearly, something is different between what I have and what you have then.


Probably would be good to have a clarification in the documentation on doing this properly as I would think this would be a fairly common task to pinhole things, but only allow access from specific sources/times/etc.

Re:ER605 - Custom Port Access
2024-08-30 15:54:42

  @ocbroadband 


I don't have a stand-alone router, but this is how you do it with a controller.

RDP IP-Port group is only 3389.

Allow-RDP has the IPs which should have access.

The permit rule has to be above the deny rule.

Re:ER605 - Custom Port Access
2024-08-30 19:36:33 - last edited 2024-08-30 19:37:44

@MR.S Yeah, it's pretty much the same, as I've locked it down to a list of source IPs to allow access to it. The problem is, when I have it enabled, it still allows addresses outside the allow list to access the port.

Re:ER605 - Custom Port Access
2024-08-31 06:24:08 - last edited 2024-08-31 06:29:46

  @ocbroadband 


You can't use ipgroup_lan as destination. The WAN interface doesn't know anything about LAN; you have to use an IP-Port group as destination, not your LAN. WAN IN doesn't work like that: LAN->WAN yes, but not WAN IN.

Create an IP-Port group like that, using only the port.

Re:ER605 - Custom Port Access
2024-08-31 19:21:29

  @MR.S This device clearly doesn't follow standards in terms of how a firewall works then.

Re:ER605 - Custom Port Access
2024-08-31 19:50:41

  @ocbroadband 

You can try ipgroup_any on destination if you don't want to use a port; I don't think ipgroup_lan will work.

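A small model of the two points raised in this thread (the permit rule above the deny rule, and an IP-Port group rather than the LAN IP group as the WAN IN destination), written here as an added example and not taken from TP-Link documentation or the device firmware. It assumes top-down first-match evaluation with a default permit, and that the WAN IN ACL matches the pre-NAT destination (the router's WAN address) as MR.S describes; all addresses and group names are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    action: str                                 # "permit" or "deny"
    src: list = field(default_factory=list)     # source IP group; empty = any
    dst: list = field(default_factory=list)     # destination IP group; empty = any
    ports: set = field(default_factory=set)     # destination ports; empty = any

    def matches(self, src_ip, dst_ip, dport):
        return ((not self.src or any(src_ip in n for n in self.src))
                and (not self.dst or any(dst_ip in n for n in self.dst))
                and (not self.ports or dport in self.ports))

def evaluate(rules, src_ip, dst_ip, dport, default="permit"):
    """Top-down, first match wins; unmatched traffic gets the default action (model assumption)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action, rule.name
    return default, None

# Constructed sample addresses (documentation ranges, not real hosts).
EXTERNAL_ALLOWED = [ip_network("203.0.113.0/24")]   # the OP's allow-list group
IPGROUP_LAN = [ip_network("192.168.0.0/24")]        # LAN subnet behind NAT
WAN_IP = ip_address("198.51.100.10")                 # router's own WAN address
RDP = {3389}                                         # IP-Port group, port only

# Variant A: destination = LAN IP group (what the OP configured).
RULES_LAN_DST = [
    Rule("1 permit external_allowed -> ipgroup_lan", "permit", EXTERNAL_ALLOWED, IPGROUP_LAN),
    Rule("2 deny any -> ipgroup_lan", "deny", [], IPGROUP_LAN),
]
# Variant B: destination = IP-Port group (what MR.S suggests).
RULES_PORT_DST = [
    Rule("1 permit external_allowed -> RDP", "permit", EXTERNAL_ALLOWED, ports=RDP),
    Rule("2 deny any -> RDP", "deny", ports=RDP),
]

def wan_in(rules, src):
    # Model of WAN IN: the ACL sees the packet before NAT, so its destination
    # is the router's WAN address and a LAN IP group never matches.
    return evaluate(rules, ip_address(src), WAN_IP, 3389)

if __name__ == "__main__":
    for label, rules in (("LAN group as dst", RULES_LAN_DST), ("port group as dst", RULES_PORT_DST)):
        for src in ("203.0.113.7", "192.0.2.55"):
            print(label, src, wan_in(rules, src))
```

With the LAN group as destination neither rule matches, so every source falls through to the default and is allowed; with the port group as destination the allow-listed source hits rule 1 and everything else hits rule 2, and swapping the two rules denies even the allow-listed source.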