Geolocation ACL is not working

Hello,
I have an OMADA ER7206 V1 1.4.1.
I am constantly receiving WAN PING ATTACKS from China.
I have put in an ACL that blocks all protocols from location "china" WAN IN, "Ipgroup-all" and yet I am still receiving the alerts.
The IP is a fixed line ISP in China, so any networking provider that gives you geo-data on IPs should have it accurate.
Why would that be? Please let me know how to fix this.
I have had success blocking these with location groups, but using this as the ACL:
WAN IN [location group] > Gateway Management Page
This seems to function as a pre-NAT blocker in some way and seems to internally refer to not just the management page, but the entire front internet-facing side of the router.
This seems to block WAN IN much more thoroughly than, as Mr S said, the WAN IN > ipgroup/network, as in that case the destination is behind NAT.
There is something missing on the router ACL: WAN/IN does not work on the WAN interface itself but from WAN to LAN; port NAT and things like that will be blocked from country. If I compare with e.g. UniFi, there is an ACL for internet local, translated to TP-Link, WAN local, that we need to make this work. For now, there is no way to block access to WAN directly; that is, there are some settings under Attack Defense that can block ping. There are still some ACLs missing on the router; strange that it is not prioritized.
@MR.S
That's bad that you cannot customize the ACL on the WAN interface itself. Also, it can potentially have negative impacts on the router and attempt DoS, which currently I have no way to stop if it was impacting the router.
To reduce the noise I can only disable the notification "gateway detected attack" but that category includes other attacks I want to watch out for if it's occurring in bulk. Unless there is something else I can do. This is not good.
Basically everything should be blocked on the WAN interface, so it shouldn't be necessary to block anything, but I use WAN local, or internet local as it's called on UniFi, quite a lot to open up for ping, SSH or web management to the router from the administration network I have. But location ACL with WAN/IN works pretty well, I think. I have blocked the whole world with WAN/IN and opened up only for my home country.
To avoid the warning you can disable this; the router does what it's supposed to and then blocks :-)
@MR.S
Well, it's two different things. As you are aware, the router is receiving the traffic from China, determining it as a WAN ping attack and then dropping it. I should be able to make an ACL which denies all the traffic from China without the router receiving it and reading the traffic. It puts more work on the router to do it the way it is now, hence why I said it can impact performance. I should be able to place an ACL which completely overrides this and requires no need for the router to determine if it's a WAN ping attack on the WAN interface, as you mentioned, and simply deny the traffic and not see any alerts.
I appreciate your response, but it's not much of a solution to disable all "Gateway Detected Attack" notifications. Surely there should be some other way to make it work better.
Can anybody from TP-Link advise?