Only Allow Access Internal Network (Including Remote Through VPN) on Some Device

2024-10-11 04:57:34 - last edited 2024-10-15 01:23:17
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.1.2

Hello, I have a setup similar to the diagram above, with the difference being that gateways A and B are controlled by an OC200 in HQ. I'm trying to set up some devices to only be able to access the internal network.

I followed the guide from https://community.tp-link.com/en/business/forum/topic/696340, and it works as expected for the most part, but now the devices in HQ cannot connect to the devices in the Branch Office and vice versa.

How do I create an ACL rule that allows both the internal network and the remote network that is connected through the VPN?

Thank you,

Nikolas

#1
Accepted Solution
Re:Only Allow Access Internal Network (Including Remote Through VPN) on Some Device-Solution
2024-10-11 09:28:19 - last edited 2024-10-14 11:01:18

Hi @Nikolassss 

Thanks for posting in our business forum.

Nikolassss wrote

Okay, so here is a simplification of my network. In my case, Devices A, B, C, and D can communicate with each other thanks to the WireGuard VPN. I want to keep it that way, but I want to block Device D's access to the Internet.

When I create an ACL rule to DENY Device D access from LAN->WAN as shown above, Device D's access to the Internet is blocked successfully. BUT it also blocks Device D from reaching Devices A and B. Device D can still access Device C in this case, which is expected from the ACL rule.

Is ACL not the right tool for this?

OK. I have an idea.

If you create this block LAN > WAN, then create another one to allow Device D to access the WG interface IP address.

That should fix it?

When you block, you use any IP; that might stop the connection to the WG interface IP as well. Hope this idea helps.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#8
Re:Only Allow Access Internal Network (Including Remote Through VPN) on Some Device
2024-10-11 06:10:37

Hi @Nikolassss 

Thanks for posting in our business forum.

So is this based on WireGuard? You've selected WireGuard, so for WireGuard you should specify the network in the allowed IPs. That determines what's accessible or not.

#2
Re:Only Allow Access Internal Network (Including Remote Through VPN) on Some Device
2024-10-11 07:37:38

Hello @Clive_A, Thank you for your reply.

Correct, the VPN setup is using WireGuard, and it has been working well to allow devices in HQ to communicate with devices in the Branch Office and vice versa. This was set up using the allowed IPs as you mentioned.

My current problem is: I want some devices to only be able to access the internal network (a.k.a. block Internet access for some devices only). BUT when I set the ACL rule to deny the IP group access to the WAN, it also denies access to the other devices on the other site (HQ to Branch and vice versa).

The desired outcome I'm looking for is: the devices that have their access to the WAN blocked can still communicate with devices BOTH on the local network and on the remote network that is connected through the WireGuard VPN.

Please give me some guidance, and any help would be appreciated.

Thank you,
Nikolas

#3
Re:Only Allow Access Internal Network (Including Remote Through VPN) on Some Device
2024-10-11 08:02:25

Hi @Nikolassss 

Thanks for posting in our business forum.

Nikolassss wrote

Hello @Clive_A, Thank you for your reply.

Correct, the VPN setup is using WireGuard, and it has been working well to allow devices in HQ to communicate with devices in the Branch Office and vice versa. This was set up using the allowed IPs as you mentioned.

My current problem is: I want some devices to only be able to access the internal network (a.k.a. block Internet access for some devices only). BUT when I set the ACL rule to deny the IP group access to the WAN, it also denies access to the other devices on the other site (HQ to Branch and vice versa).

The desired outcome I'm looking for is: the devices that have their access to the WAN blocked can still communicate with devices BOTH on the local network and on the remote network that is connected through the WireGuard VPN.

Please give me some guidance, and any help would be appreciated.

Thank you,
Nikolas

Block Internet access, so you are currently using 0.0.0.0/0 as the allowed IP on one of the sites now, correct?

If that's the case, then you are routed to the peer site and use the remote gateway as the default gateway. If you stop accessing the Internet, it might cause a problem with the WG connection.

I think you might wanna try the allowed IP.

ACL might not be helpful in this situation because of the following concerns:

1. It might not be effective for the VPN.

2. IP Group or GW ACL in the controller mode is currently limited. You can only specify a CIDR instead of a range like from A to B (but you can still manually specify these IPs). It might be hard to satisfy what you need to achieve.

As for the WG now, if you set it on the router, it's hard to specify the rules for it. I think it might not be possible to achieve what you asked at this moment.

#4
Re:Only Allow Access Internal Network (Including Remote Through VPN) on Some Device
2024-10-11 08:20:41

Clive_A wrote

Hi @Nikolassss 

Thanks for posting in our business forum.

Block Internet access, so you are currently using 0.0.0.0/0 as the allowed IP on one of the sites now, correct?

If that's the case, then you are routed to the peer site and use the remote gateway as the default gateway. If you stop accessing the Internet, it might cause a problem with the WG connection.

I think you might wanna try the allowed IP.

ACL might not be helpful in this situation because of the following concerns:

1. It might not be effective for the VPN.

2. IP Group or GW ACL in the controller mode is currently limited. You can only specify a CIDR instead of a range like from A to B (but you can still manually specify these IPs). It might be hard to satisfy what you need to achieve.

As for the WG now, if you set it on the router, it's hard to specify the rules for it. I think it might not be possible to achieve what you asked at this moment.

@Clive_A Not exactly. My WG is set up to only tunnel certain IPs using the allowed IP parameter, which should mean the default gateway is still the one local to the site.

By my logic, if I can deny access using ACL to 0.0.0.0/0 EXCEPT for a certain allowed IP on the remote site, I should be able to achieve what I need. But I am not sure how to do that. Is there any way to do that with ACL?

#5
Re:Only Allow Access Internal Network (Including Remote Through VPN) on Some Device
2024-10-11 08:29:16

Hi @Nikolassss 

Thanks for posting in our business forum.

Nikolassss wrote

@Clive_A Not exactly. My WG is set up to only tunnel certain IPs using the allowed IP parameter, which should mean the default gateway is still the one local to the site.

By my logic, if I can deny access using ACL to 0.0.0.0/0 EXCEPT for a certain allowed IP on the remote site, I should be able to achieve what I need. But I am not sure how to do that. Is there any way to do that with ACL?

I don't think the ACL would be useful in this case.

 

I don't understand the use case then if you say so in the highlighted part. You want to block Internet access for some devices that could access the remote site?

Can you explain with a diagram?

#6
Re:Only Allow Access Internal Network (Including Remote Through VPN) on Some Device
2024-10-11 09:00:21

Okay, so here is a simplification of my network. In my case, Devices A, B, C, and D can communicate with each other thanks to the WireGuard VPN. I want to keep it that way, but I want to block Device D's access to the Internet.

When I create an ACL rule to DENY Device D access from LAN->WAN as shown above, Device D's access to the Internet is blocked successfully. BUT it also blocks Device D from reaching Devices A and B. Device D can still access Device C in this case, which is expected from the ACL rule.

Is ACL not the right tool for this?

#7
Re:Only Allow Access Internal Network (Including Remote Through VPN) on Some Device
2024-10-11 11:27:16 - last edited 2024-10-14 11:01:11

@Clive_A Okay, will give this a try when I get the chance. Out of curiosity, how is the priority set up in ACL rules? Would my allow overrule the deny?

#9
Re:Only Allow Access Internal Network (Including Remote Through VPN) on Some Device
2024-10-11 17:00:55

@Nikolassss

ACL rules are read from top to bottom in the access rule list, so if you want to allow 192.168.1.10 and deny the rest of the network, you create the rules in this order:

Allow 192.168.1.10

Deny 192.168.1.0/24

#10
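The following is an added example, not code from this thread and not TP-Link's or Omada's implementation. It is a small first-match model that reproduces what the thread observed: a single LAN->WAN deny with destination "any" also cuts Device D off from the WireGuard-routed branch site, an explicit allow placed above the deny restores that path (the accepted answer and the ordering rule in the post above), and the same entries in the opposite order do nothing because the deny shadows them. It also covers the AllowedIPs remarks from posts #2 and #4: a destination goes into the tunnel only if it falls inside a peer's AllowedIPs, so 0.0.0.0/0 sends everything to the remote gateway. The gateway semantics (top-to-bottom evaluation, same-subnet traffic never reaching the ACL, the deny matching every routed destination outside the local LAN) and all addresses are assumptions constructed for the example.

```python
"""
Added example, not code from the thread or from TP-Link / Omada: a small
first-match model of the ACL behaviour discussed in the thread.

Assumptions (constructed for the example, not taken from the page):
  * the gateway evaluates ACL entries top to bottom; the first match wins;
  * the LAN->WAN deny matches every routed destination outside the local LAN,
    which is why the WireGuard-routed remote subnet was caught by it;
  * same-subnet LAN traffic is switched locally and never reaches the ACL;
  * WireGuard sends a packet into the tunnel only if its destination lies
    inside a peer's AllowedIPs (cryptokey routing); otherwise it takes the
    normal default route out of the WAN.
All addresses below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

LOCAL_LAN  = ip_network("192.168.10.0/24")   # constructed: HQ LAN (devices C and D)
REMOTE_LAN = ip_network("192.168.20.0/24")   # constructed: branch LAN (devices A and B)
WG_NET     = ip_network("10.99.0.0/24")      # constructed: WireGuard transfer network
WG_PEER_IP = "10.99.0.2"                     # constructed: remote WireGuard interface IP
DEVICE_D   = "192.168.10.50"                 # constructed: host to cut off from the Internet
INTERNET   = "203.0.113.10"                  # constructed: some public host (TEST-NET-3)


@dataclass(frozen=True)
class Rule:
    """One gateway ACL entry in the LAN->WAN direction; src and dst are CIDRs."""
    action: str   # "allow" or "deny"
    src: str
    dst: str      # "0.0.0.0/0" stands for the UI's "any"


def route(dst: str, allowed_ips: list[IPv4Network]) -> str:
    """Egress WireGuard's cryptokey routing picks for a destination address."""
    d = ip_address(dst)
    return "wireguard" if any(d in net for net in allowed_ips) else "wan"


def decide(rules: list[Rule], src: str, dst: str) -> str:
    """Outcome for a packet from src to dst under a first-match ACL."""
    s, d = ip_address(src), ip_address(dst)
    if d in LOCAL_LAN:
        return "allow"            # same subnet: switched, never hits the LAN->WAN ACL
    for rule in rules:            # first matching entry decides
        if s in ip_network(rule.src) and d in ip_network(rule.dst):
            return rule.action
    return "allow"                # no entry matched: implicit allow


# Rule set as first created in the thread: one deny with destination "any".
ORIGINAL = [Rule("deny", f"{DEVICE_D}/32", "0.0.0.0/0")]

# Rule set per the accepted answer: explicit allows ABOVE the deny.
FIXED = [
    Rule("allow", f"{DEVICE_D}/32", str(REMOTE_LAN)),
    Rule("allow", f"{DEVICE_D}/32", f"{WG_PEER_IP}/32"),
    Rule("deny",  f"{DEVICE_D}/32", "0.0.0.0/0"),
]

# Same entries with the deny placed first: the allows are shadowed, never reached.
WRONG_ORDER = [FIXED[2], FIXED[0], FIXED[1]]

# AllowedIPs as the thread's author has it (only the remote site is tunnelled)
# versus the 0.0.0.0/0 case asked about in post #4 (everything goes to the peer).
SPLIT_TUNNEL = [REMOTE_LAN, WG_NET]
FULL_TUNNEL  = [ip_network("0.0.0.0/0")]


def summary(rules: list[Rule]) -> dict[str, str]:
    """Outcome for Device D towards a local host, a remote host and the Internet."""
    return {
        "device_c": decide(rules, DEVICE_D, "192.168.10.20"),
        "device_a": decide(rules, DEVICE_D, "192.168.20.20"),
        "internet": decide(rules, DEVICE_D, INTERNET),
    }


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED), ("wrong order", WRONG_ORDER)):
        print(f"{name:12s} {summary(rules)}")
    print("split tunnel, remote host ->", route("192.168.20.20", SPLIT_TUNNEL))
    print("split tunnel, internet    ->", route(INTERNET, SPLIT_TUNNEL))
    print("full tunnel,  internet    ->", route(INTERNET, FULL_TUNNEL))
```

Running the script prints one line per rule set: `original` reaches Device C but is denied to both Device A and the Internet, `fixed` reaches Device C and Device A while still being denied to the Internet, and `wrong order` behaves exactly like `original`. The allow for the WG peer's interface IP is what the accepted answer asked for; the allow for the whole remote subnet is the "deny everything except the remote allowed IPs" idea from post #5. When checking a real gateway, verify from Device D in the same three directions rather than trusting the rule list alone.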
Re:Only Allow Access Internal Network (Including Remote Through VPN) on Some Device
2024-10-14 11:01:01

Okay, this works. Thank you all for the help.

#11