Blocking a VLAN from access over only 1 WAN connection

2024-09-23 04:34:31 - last edited 2024-10-18 06:34:00
Model: ER8411  
Hardware Version: V1
Firmware Version: 1.2.1

Is there a way to block a VLAN or IP Group from one but not all WAN connections?

I have a network with three WAN connections. One is metered, two are unmetered. I have roughly 500 users with about 700 client devices at any given time while on the unmetered connections and the network is opened up. There are times when the metered connection is the only connection I have available, at which point the network is set up to use local user accounts and/or vouchers for the things people need to do.

Even when we have the unmetered connections available (50% of the time), there are still some applications that I'd really like to use the dedicated bandwidth from the metered connection. Things like telcon medical appointments, remote court cases, etc.

I already have four VLANs: One is for management (1), one for the open unmetered connections (10), one for when I only have the metered connection available (30), and one that is called "special use" and is currently only used while on the metered connection (40). The VLANs for the metered network (30 and 40) use portals with either local user or vouchers as noted above. They also obviously all have their own DHCP IP subnets.

I see in the ACL rule creation that for "direction" it lets you choose "LAN > WAN" or "[WAN/LANX] IN". However, setting up an ACL for WAN/LAN4 IN to deny from IPGroup_Any to IPGroup_Any doesn't stop connection over WAN/LAN4. Only when I include LAN > WAN as well will it stop internet connectivity. And if I remove WAN/LAN4 from the deny Any to Any rule, it still blocks all traffic, which I would expect.

What does the WAN/LAN4 direction in the ACL rule actually do? Does it just stop connections from outside IP addresses from establishing, but allow internal addresses to establish connections to the WAN? I feel like it should allow traffic out, so the DNS request would go out, but should block the response. Similarly, it should allow a request to go out to an IP address, but then deny the return information, thus preventing the page from loading. Obviously my feeling about how it should work is wrong, so I'm wondering how it does work.

Is there another way to block a certain VLAN from accessing a specific WAN connection without affecting connectivity to all of the WANs?

Re:Blocking a VLAN from access over only 1 WAN connection
2024-09-23 06:57:27

Hi @BHJohnson 

Thanks for posting in our business forum.

Can you try out the guide here? Use the tag and label, ACL and Configuration Guide. You can find some guides about the ACL. Knowledge Base also has some fan-made guides as well.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
Re:Blocking a VLAN from access over only 1 WAN connection
2024-09-23 08:39:25

@Clive_A

I'd already read through those as part of my initial learning for getting the network setup to this point. None of those cover my use case. All of those examples involve isolating a VLAN from all internet. I specifically want to isolate a VLAN from a single internet connection while maintaining the other two internet connections available.

Re:Blocking a VLAN from access over only 1 WAN connection
2024-09-24 01:21:35

Hi @BHJohnson 

Thanks for posting in our business forum.

BHJohnson wrote

  @Clive_A

I'd already read through those as part of my initial learning for getting the network setup to this point. None of those cover my use case. All of those examples involve isolating a VLAN from all internet. I specifically want to isolate a VLAN from a single internet connection while maintaining the other two internet connections available.

A single internet connection is not a clear concept.

You can consider the IP Group based on your reply. The guides provide a concept of how to do this and arrange the rule priorities when you want to achieve something similar.

ACL is a versatile configuration and there is no guide covering each application scenario.

Re:Blocking a VLAN from access over only 1 WAN connection
2024-09-24 03:44:09

@Clive_A

And those posts don't have anything related to what I'm currently trying to do.

I have three separate internet connections over three separate Starlink terminals. Two are on an unmetered plan, one is on a metered plan. I want to block IP group 192.168.128.0/17 (VLAN 10) from accessing the internet over WAN/LAN 4, but still allow access over WAN/LAN 5 and 6, and allow 10.0.8.0/22 (VLAN 30) access to the internet over all WAN/LAN 4, 5, and 6. Those examples all use the ACL rule of LAN > WAN being denied. That blocks the IP Group from any internet traffic, not just traffic on a specific port on the router.

Is there a way to configure the WAN ports on the ER8411 to only allow traffic from specific IP Groups or VLANs? I don't think there is one, but I'm just making sure I'm not missing something.

I did consider using switch ACLs, but I still come back to the fact I don't know how to assign VLANs to the WAN ports on the ER8411. I could theoretically use separate ports assigned to the VLANs going from the switch to the ER8411 LAN ports, but then they still get merged up and load balanced in the router, so that doesn't actually isolate any network from any particular WAN port.

Re:Blocking a VLAN from access over only 1 WAN connection-Solution
2024-09-24 05:50:59 - last edited 2024-10-18 06:34:00

Hi @BHJohnson 

Thanks for posting in our business forum.

BHJohnson wrote

  @Clive_A

And those posts don't have anything related to what I'm currently trying to do.

I have three separate internet connections over three separate Starlink terminals. Two are on an unmetered plan, one is on a metered plan. I want to block IP group 192.168.128.0/17 (VLAN 10) from accessing the internet over WAN/LAN 4, but still allow access over WAN/LAN 5 and 6, and allow 10.0.8.0/22 (VLAN 30) access to the internet over all WAN/LAN 4, 5, and 6. Those examples all use the ACL rule of LAN > WAN being denied. That blocks the IP Group from any internet traffic, not just traffic on a specific port on the router.

Is there a way to configure the WAN ports on the ER8411 to only allow traffic from specific IP Groups or VLANs? I don't think there is one, but I'm just making sure I'm not missing something.

I did consider using switch ACLs, but I still come back to the fact I don't know how to assign VLANs to the WAN ports on the ER8411. I could theoretically use separate ports assigned to the VLANs going from the switch to the ER8411 LAN ports, but then they still get merged up and load balanced in the router, so that doesn't actually isolate any network from any particular WAN port.

Policy Routing. Two rules: route all to the other two WANs, and route the specific IPs/VLANs to the one WAN you want to limit them to.

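As an added example (not from this thread, TP-Link, or the ER8411 itself), the rule-evaluation logic behind this answer modelled in Python for the subnets BHJohnson listed: a first-match policy-routing table keyed on source IP group, a check that the VLAN 10 subnet can never egress on WAN/LAN4 while VLAN 30 keeps all three links, and a shadowed-rule check for the rule-priority mistake the earlier reply warns about. The Rule structure, rule names and WAN labels are my assumptions, not ER8411 configuration syntax.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    source: IPv4Network        # IP Group / VLAN subnet the rule matches on
    wans: tuple[str, ...]      # WAN interfaces a matching flow may egress on


# Constructed rule table for the thread's goal (assumed model, not ER8411 syntax):
# VLAN 10 must never use the metered WAN/LAN4; VLAN 30 may use all three links.
POLICY_ROUTES = (
    Rule("vlan10-unmetered-only", ip_network("192.168.128.0/17"),
         ("WAN/LAN5", "WAN/LAN6")),
    Rule("vlan30-all-wans", ip_network("10.0.8.0/22"),
         ("WAN/LAN4", "WAN/LAN5", "WAN/LAN6")),
)
DEFAULT_WANS = ("WAN/LAN4", "WAN/LAN5", "WAN/LAN6")  # no rule matched: balance over all


def allowed_wans(src: str, rules=POLICY_ROUTES) -> tuple[str, ...]:
    """First matching rule wins, as in a priority-ordered policy-routing table."""
    addr = ip_address(src)
    for rule in rules:
        if addr in rule.source:
            return rule.wans
    return DEFAULT_WANS


def shadowed_rules(rules=POLICY_ROUTES) -> list[str]:
    """Rules whose source is entirely covered by an earlier rule can never match.
    A catch-all placed above the VLAN-specific rule is the classic priority mistake."""
    return [r.name for i, r in enumerate(rules)
            if any(r.source.subnet_of(e.source) for e in rules[:i])]


def isolation_holds(vlan_net: str, forbidden_wan: str, rules=POLICY_ROUTES) -> bool:
    """Verify that no host in vlan_net can egress via forbidden_wan.
    Probes the first and last usable hosts plus the start of every more-specific
    rule nested inside the VLAN, so an override buried in the table is caught."""
    net = ip_network(vlan_net)
    probes = {net[1], net[-2]}
    probes.update(r.source[1] for r in rules if r.source.subnet_of(net))
    return all(forbidden_wan not in allowed_wans(str(p), rules) for p in probes)
```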
Re:Blocking a VLAN from access over only 1 WAN connection
2024-10-18 06:34:54

@Clive_A

Sorry I didn't follow up sooner, but this did in fact work. Thanks for the pointer!

The FAQ page, for anyone looking for the topic in the future: https://community.tp-link.com/en/business/kb/detail/412704
