ER605 access control for IP Group does not work

Hello,
Access control for IP Group does not work. I have tried all kinds of ways to block 3 specific static IP addresses from accessing the WAN, or from the WAN to those IP addresses, and no blocking is being done. Specifically, what I am trying to do is block three Deco XE75 Pros from being remotely managed or accessing the cloud. I do not want TP-Link to have any connection to the Decos; I am already not happy that an account is required to set up the units.
Each of the Decos has a static IP address set in ER605. They are set up as access points. I manage ER605 stand-alone through the web UI. I set the 3 IP addresses under "IP Address", then I made an IP Group with those IP Address names. I then created several types of access control lists trying to block all [WAN] IN, or LAN->WAN, or ALL. I tried using the Decos as Source and Destination with IP_GROUP_ANY, and no matter what I do, traffic is still going out from the Decos and I can access them using the Deco app when on a mobile network.
I have searched the forums and there are many instances of the exact same problem, mainly that access control on ER605 does not work with IP Group.
Is this correct? Is this a bug? If this is true, how can I block the Deco XE75 Pros from being remotely managed, and from talking to anything outside of my local network?
@pajtaz everything works.
I am blocking my TP-Link IP cameras, because even without entering a TP-Link account they always keep connected to TP-Link servers.

Hi @pajtaz
Thanks for posting in our business forum.
Without the account, you cannot use Deco, if I recall correctly.
Deco is supposed to work with the account; that is how it is designed in the first place, as a home product.
Block at your discretion.
All the feedback regarding the ACL not working originates from a misconfiguration. I have not seen a case that is due to the failure/malfunction in the ACL.
@YuriyB Thank you. I set it up exactly like you did just now and ... it works. I don't get it. I may have not set one of those fields under Access Control correctly.
Now the Deco app cannot access the Decos from outside my network.
Does this also block the Decos from sending data out? It does not seem so. I see on my PiHole log that the main Deco is still pinging some sites and the TP-Link cloud server. How do I block this? Repeat the same as above but reverse source and destination?
@pajtaz I think you need to set up an IP group with tons of TP-Link server addresses and create a rule with deny access. Sorry, but I think it's a bad idea.
Hi @pajtaz
pajtaz wrote
@YuriyB Thank you. I set it up exactly like you did just now and ... it works. I don't get it. I may have not set one of those fields under Access Control correctly.
Now the Deco app cannot access the Decos from outside my network.
Does this also block the Decos from sending data out? It does not seem so. I see on my PiHole log that the main Deco is still pinging some sites and the TP-Link cloud server. How do I block this? Repeat the same as above but reverse source and destination?
The ping is to maintain an online check, I think. I don't work with the Deco, and you can ask this on the Deco page.
I think they would advise not to block any of it, as it would only cause trouble.
If you really don't want any connections or telemetry, consider blocking via DNS or something. Or return the product. Firefox and Microsoft, they all have telemetry; you might not use them at all.
@Clive_A I cannot return Decos any more, it has been more than 30 days since purchase. When I bought them, I did the research and there were not many options for mesh systems that are not forced to use an account, connect to the cloud, or require PoE power. Therefore now I am stuck with Decos.
Anything that I purchased and own should be under my control, and no company should have any access to it. I block anything I can using PiHole, and I will block more with ER605 if I have to. Since the Decos are inside my network and their only function is to provide access to the local network for wireless devices, they should have no reason to connect to the Internet.
In your previous post you stated that any issue with Access Control is due to misconfiguration. Right now I have successfully blocked access to the Decos from outside (from the Internet). However, the Decos are still pinging sites and pinging the cloud servers. Can you explain how to use Access Control with IP Groups to block devices from reaching the Internet?
Hi @pajtaz
Thanks for posting in our business forum.
pajtaz wrote
@Clive_A I cannot return Decos any more, it has been more than 30 days since purchase. When I bought them, I did the research and there were not many options for mesh systems that are not forced to use an account, connect to the cloud, or require PoE power. Therefore now I am stuck with Decos.
Anything that I purchased and own should be under my control, and no company should have any access to it. I block anything I can using PiHole, and I will block more with ER605 if I have to. Since the Decos are inside my network and their only function is to provide access to the local network for wireless devices, they should have no reason to connect to the Internet.
In your previous post you stated that any issue with Access Control is due to misconfiguration. Right now I have successfully blocked access to the Decos from outside (from the Internet). However, the Decos are still pinging sites and pinging the cloud servers. Can you explain how to use Access Control with IP Groups to block devices from reaching the Internet?
You cannot stop it from sending, as it is built into the Deco software.
You use the ACL to block the traffic, but that does not mean it will stop sending; that is the behavior.
If what you want is to stop the sending, contact Deco support. I don't think there is going to be any concrete result from this request.
The ACL guide is generic and self-evident, as the text says. You have the source and destination. Identify the direction and create the groups if necessary to block the access.
Try the User Guide or the cases on the forum.
@Clive_A ACL does actually work. I believe the issue is that I was using PiHole to check whether a specific IP address is being blocked. However, PiHole is before ER605, so PiHole is not a correct indicator of what is happening at ER605. I was trying to find a way to test the blocking of specific IPv4 addresses. The only way I could do it is to assign the same static IP address to my laptop as one of the Decos that is currently not being used. Voila, IPv4 blocking works! PiHole was responding, but that did not mean the pinging was going outside of the network.
However ... how do I block IPv6 also? I am not familiar with IPv6; I cannot figure out which unit has which IPv6 address. How do I find out which IPv6 addresses are assigned to the Decos, for example? Or any other unit in the local network? I see there is no list of IPv6 clients on ER605. In the Deco app there is no mention of the IPv6 addresses of each of the Decos.
What I would like to do is use the same kind of blocking over IPv6: block only 3 specific units from accessing the Internet. Is there a guide to find out the IPv6 addresses of units and block them?
Hi @pajtaz
Thanks for posting in our business forum.
pajtaz wrote
@Clive_A ACL does actually work. I believe the issue is that I was using PiHole to check whether a specific IP address is being blocked. However, PiHole is before ER605, so PiHole is not a correct indicator of what is happening at ER605. I was trying to find a way to test the blocking of specific IPv4 addresses. The only way I could do it is to assign the same static IP address to my laptop as one of the Decos that is currently not being used. Voila, IPv4 blocking works! PiHole was responding, but that did not mean the pinging was going outside of the network.
However ... how do I block IPv6 also? I am not familiar with IPv6; I cannot figure out which unit has which IPv6 address. How do I find out which IPv6 addresses are assigned to the Decos, for example? Or any other unit in the local network? I see there is no list of IPv6 clients on ER605. In the Deco app there is no mention of the IPv6 addresses of each of the Decos.
What I would like to do is use the same kind of blocking over IPv6: block only 3 specific units from accessing the Internet. Is there a guide to find out the IPv6 addresses of units and block them?
If a device has an IPv6 address, you will notice it in the IP settings. For example, in the adapter, or on the phone, you see the IPv6 address along with the v4 one.
How do you block v6? That's a generic question. Based on the given rules in the ACL, you block v6. There is no concrete information for me to give an example. But if you follow the steps in the ACL, you should be able to do it with v6 knowledge.
As v6 is a series of IP addresses, like v4, you might need to block a series of addresses. If you need to only allow 3 to use IPv6 for the Internet, you should configure one deny rule and several allow rules for these individual units (their v6 addresses) to access the v6 network. Same concept as configuring v4.
@Clive_A The problem is that I have no way of getting the IPv6 addresses from the Decos. The Deco app only shows the IPv4 address. The web UI also shows only the IPv4 address. I have absolutely no way of finding out the IPv6 address of the Decos. That is why I asked, "How do I find out which IPv6 addresses are assigned to Decos" when using ER605.
I do not see a way to list IPv6 addresses like you can IPv4 addresses in the ER605 web UI. If I knew that, I could set up IPv6 ACL rules.
Can you help?
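An added example for the question above (not from any poster in this thread and not TP-Link software): the ER605 web UI does not list IPv6 clients, but any Linux host on the same LAN keeps an IPv6 neighbor table that maps MAC addresses to the IPv6 addresses they have used. Given a Deco's MAC (visible in the ER605 IPv4 client list), this script pulls its routable addresses out of `ip -6 neigh show` output for an ACL IP group and computes the stable EUI-64 address the device would self-assign from your /64 prefix; the MACs, prefix and neighbor lines are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `ip -6 neigh show` output on a Linux host sharing the LAN.
# MACs, prefix and addresses are hypothetical; none come from the thread.
SAMPLE_NEIGH = """\
fe80::1a2b:3cff:fe4d:5e6f dev eth0 lladdr 18:2b:3c:4d:5e:6f REACHABLE
2001:db8:1234:5678:1a2b:3cff:fe4d:5e6f dev eth0 lladdr 18:2b:3c:4d:5e:6f STALE
2001:db8:1234:5678:9c3e:4b1a:7d22:0f51 dev eth0 lladdr 18:2b:3c:4d:5e:6f STALE
fe80::ab12:cdff:feef:123 dev eth0 lladdr a9:12:cd:ef:01:23 REACHABLE
2001:db8:1234:5678::10 dev eth0 FAILED
"""

def eui64_interface_id(mac: str) -> str:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291, appendix A)."""
    octets = [int(x, 16) for x in mac.split(":")]
    octets[0] ^= 0x02                                # flip the universal/local bit
    eui = octets[:3] + [0xFF, 0xFE] + octets[3:]     # insert ff:fe in the middle
    return ":".join(f"{eui[i]:02x}{eui[i + 1]:02x}" for i in range(0, 8, 2))

def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The stable SLAAC address a device with this MAC gets inside a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC/EUI-64 addresses need a /64 prefix")
    iid = int(eui64_interface_id(mac).replace(":", ""), 16)
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def parse_neigh(text: str) -> dict:
    """Map each MAC in `ip -6 neigh` output to the IPv6 addresses seen for it."""
    by_mac = defaultdict(list)
    for line in text.splitlines():
        tok = line.split()
        if "lladdr" not in tok:                      # FAILED/INCOMPLETE rows carry no MAC
            continue
        mac = tok[tok.index("lladdr") + 1].lower()
        by_mac[mac].append(ipaddress.IPv6Address(tok[0]))
    return dict(by_mac)

def global_addresses_for_mac(text: str, mac: str) -> list:
    """Routable (non link-local) addresses for one MAC, ready for an ACL IP group."""
    addrs = parse_neigh(text).get(mac.lower(), [])
    return [str(a) for a in sorted(addrs) if not a.is_link_local]

def stable_address_seen(text: str, prefix: str, mac: str) -> bool:
    """True if the device's EUI-64 address is in the table, i.e. a stable ACL target."""
    return str(eui64_address(prefix, mac)) in global_addresses_for_mac(text, mac)
```

Run `ip -6 neigh show` on a LAN host and feed the real output in place of SAMPLE_NEIGH. If a device's global addresses change between runs it is using temporary (privacy) addresses, and a per-address ACL entry will not stay valid; only the EUI-64 address is a stable target.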
