Gateway ACL's not working (can ping denied interfaces)

Hardware in use:
Gateway (router) : Er707 M2
Core Switch: SG3428
PoE switch: SG2210MP
WAP: EA615
Switch: ES205G
Controller : OC200
Hello:
I have configured my network as per this guide, but using only a single management VLAN.
i.e. the gateway is 10.10.10.2 and devices are on 10.10.50.1/24 (also note that, after re-adoption, devices have been assigned a static IP).
Is there any reason why gateway ACLs would not work with this config?
Whether or not I connect a device to a gateway LAN port (with a VLAN configured as an interface on the gateway and PVID set correctly) or a switch port.
Note: 2 separate VLAN interfaces are being used here, 10.10.100.1/24 & 10.10.110.1/24.
ACLs with a deny in either direction simply do not function.
I am able to ping in both directions always.
Is there any reason why this would be?
Is it because...of
--> Management VLAN configured on switch?
-->
--> Easy managed switch has been integrated into the network?
or....
Note:
*switch ACLs work as intended, but all are off for testing gateway ACLs
and as per guide...
*static route on switch is 0.0.0.0/0 --> 10.10.10.2 (static gateway IP)
*static transmission route set as 10.10.50.0/24, next hop --> 10.10.10.1
I do require some stateful ACLs in my network.
Please advise.
Thank you in advance.
It sounds like you've set up your network correctly, but the gateway ACLs aren't working as expected. Here are a few things to check:
- ACL Placement – Ensure that the ACLs are applied to the correct interfaces (LAN or VLAN) and are processed in the right order. Some gateways apply ACLs differently depending on inbound/outbound traffic.
- Management VLAN – If your switches and gateway are using the same VLAN for management, it's possible that traffic is bypassing the ACLs. Try moving management to a separate VLAN and see if that helps.
- Easy Managed Switch – Some smart switches handle VLANs differently. If the ES205G is not fully VLAN-aware, it might be forwarding traffic in a way that bypasses ACLs.
- Firewall/NAT Rules – Check if there are existing firewall or NAT rules on the ER707-M2 that could be overriding your ACLs. Sometimes, default rules allow all traffic unless explicitly blocked.
- Testing Approach – Since switch ACLs work but gateway ACLs do not, try enabling logging on the ACLs (if available) to see if they are even being hit. Also, testing with different VLANs might help identify if the issue is VLAN-related.
Since you need stateful ACLs, you may need to look into the router's firewall settings instead of just ACLs. Let me know if any of this helps!
Thanks for the reply.
1. Yes, checked and triple checked.
2. Management VLAN is on a separate VLAN (10.10.10.50). Are you suggesting placing the MGMT VLAN separate from devices? I don't see how this would function.
3. No VLANs intended for stateful ACLs are on the easy managed switch. I have also disconnected the switch to eliminate this, but in the controller I still have the check box ticked that says I'm using easy managed switches.
4. Will look into this. As I'm new, is there anything in particular I should be looking for?
5. Having difficulty with the logging procedure on the controller, but will look further. Have extensively tested with different VLANs with no success.
Please do have a wee look at the guide I used from TP-Link for initial config.
Thanks for posting :)
Hi @Defty
Who is the DHCP server, or who hosts the DHCP? It should be set up with the ACL.
If you are using a VLAN interface, you set up the Gateway ACL. If you use the Switch as the DHCP, you set up the Switch ACL.
Hi @Clive_A
As I require the use of stateful ACLs, I did indeed set the DHCP host on the Gateway interface.
I'm aware that stateful ACLs can only be configured on the gateway.
So, with all protocols selected:
Network Interface (A) 10.10.100.1/24 ---> deny ---> 10.10.200.1/24 (B)
Is it expected behaviour that I can ping the gateway IP of interface B when connected to a LAN port assigned to A?
Thanks for your time.
Hi @Defty
Thanks for posting in our business forum.
Defty wrote:
> Hi @Clive_A
> As I require the use of stateful ACLs, I did indeed set the DHCP host on the Gateway interface.
> I'm aware that stateful ACLs can only be configured on the gateway.
> So, with all protocols selected:
> Network Interface (A) 10.10.100.1/24 ---> deny ---> 10.10.200.1/24 (B)
> Is it expected behaviour that I can ping the gateway IP of interface B when connected to a LAN port assigned to A?
> Thanks for your time.
Yes. The gateway is always pingable regardless of the VLAN or ACL. If you block A to B including the gateway, you will lose all access to either of them.
And you can access the http/https on other VLANs even though you have an ACL set to block A to B or B to A. It is normal. Just add another rule to block the IP-Port or the Gateway Management Page to stop the page access.
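To make the behaviour Clive_A describes concrete, and to give a checklist matching the "Testing Approach" point earlier in the thread, here is a small Python model of how an inter-VLAN deny rule on a gateway interacts with traffic addressed to the gateway's own interface IPs. It is an added example written for this thread, not Omada or ER707-M2 code; the split between a "forward" ACL (transit traffic between VLANs) and an "input" ACL (traffic to the gateway itself), the permit-by-default fallback, and the test host addresses 10.10.100.20 and 10.10.200.50 are assumptions chosen to illustrate the explanation, not a description of the firmware's actual internals.

```python
"""Model of an inter-VLAN deny ACL versus traffic aimed at the gateway's own IPs.

Constructed example for this forum thread; the rule semantics below are an
assumption used to illustrate why the gateway IP of VLAN B stays pingable from
VLAN A while hosts in B are denied, and why a separate rule is needed for the
gateway's management page.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str                      # "icmp", "tcp" or "udp"
    dport: Optional[int] = None     # destination port for tcp/udp


@dataclass
class Rule:
    src_net: IPv4Network
    dst_net: IPv4Network
    action: str                     # "deny" or "permit"
    proto: str = "any"
    dport: Optional[int] = None     # None matches any port

    def matches(self, p: Packet) -> bool:
        return (p.src in self.src_net and p.dst in self.dst_net
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


@dataclass
class Gateway:
    # interface name -> (interface IP, connected subnet)
    interfaces: dict
    forward_acl: list = field(default_factory=list)   # inter-VLAN transit rules
    input_acl: list = field(default_factory=list)     # rules for traffic TO the gateway

    def own_ips(self) -> set:
        return {ip for ip, _ in self.interfaces.values()}

    def decide(self, p: Packet) -> str:
        # Assumption: a packet whose destination is one of the gateway's own
        # interface IPs never enters the forwarding path, so only the input ACL
        # is consulted for it; the inter-VLAN deny never sees it.
        acl = self.input_acl if p.dst in self.own_ips() else self.forward_acl
        for rule in acl:
            if rule.matches(p):
                return rule.action
        return "permit"   # assumed default when no rule matches


def build_gateway() -> Gateway:
    """Interfaces A and B from the thread, plus the 'A deny B, all protocols' rule."""
    gw = Gateway(interfaces={
        "A": (IPv4Address("10.10.100.1"), IPv4Network("10.10.100.0/24")),
        "B": (IPv4Address("10.10.200.1"), IPv4Network("10.10.200.0/24")),
    })
    gw.forward_acl.append(
        Rule(IPv4Network("10.10.100.0/24"), IPv4Network("10.10.200.0/24"), "deny"))
    return gw


def add_management_block(gw: Gateway) -> Gateway:
    """The extra rule Clive_A mentions: stop A reaching the management page on B's gateway IP."""
    gw_b_ip, _ = gw.interfaces["B"]
    for port in (80, 443):
        gw.input_acl.append(Rule(IPv4Network("10.10.100.0/24"),
                                 IPv4Network(f"{gw_b_ip}/32"), "deny", "tcp", port))
    return gw


def run_checks(gw: Gateway) -> dict:
    """Three probes a tester would run from a host in VLAN A (constructed addresses)."""
    host_a = IPv4Address("10.10.100.20")
    host_b = IPv4Address("10.10.200.50")
    gw_b_ip, _ = gw.interfaces["B"]
    return {
        "ping_host_in_B": gw.decide(Packet(host_a, host_b, "icmp")),
        "ping_gateway_of_B": gw.decide(Packet(host_a, gw_b_ip, "icmp")),
        "https_gateway_of_B": gw.decide(Packet(host_a, gw_b_ip, "tcp", 443)),
    }


if __name__ == "__main__":
    gateway = build_gateway()
    print("inter-VLAN deny only:", run_checks(gateway))
    print("with management block:", run_checks(add_management_block(gateway)))
```

Running it shows the pattern from the thread: with only the A-to-B deny, a ping to a host in B is denied while a ping and an HTTPS connection to B's gateway IP are still permitted; adding the input-side rule for ports 80/443 denies the management page without affecting ping, which is the check to repeat on the real gateway after each rule change.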
Great, simple and effective explanation, thank you @Clive_A

Helpful: 0 | Views: 109 | Replies: 6