ER7212PC does NOT block WAN traffic by default when NO-NAT is enabled on WAN port

a week ago - last edited Wednesday
Model: ER7212PC  
Hardware Version: V1
Firmware Version: 1.3.1

Hi,

I was under the impression that the ER7212PC (like all routers) blocks inbound traffic on the WAN port by default, and that only ports opened via Port Forwarding would be accessible externally.

However, I recently discovered that my entire network was exposed to the public Internet, which led to numerous viruses, trojans, and eventually continuous DDoS attacks.

After investigating, I found that when my PC was connected to the same subnet as the ER7212PC’s WAN port, I could not only access the router’s management console but also reach all servers across all VLANs defined on the ER7212PC gateway/switch.

This was a serious and alarming discovery. I’m unsure if this is a bug in firmware version 1.3.1, or if it is by-design behavior when NAT is disabled on the WAN port for all VLANs.

As a workaround, I created a firewall ACL rule to block all inbound traffic on the WAN interface and then added specific rules to allow only the necessary Port Forwarding traffic.

My questions are:

• Is it really necessary to manually create a “deny all” ACL rule on the WAN when NAT is disabled?

• Shouldn’t the router automatically block inbound WAN traffic by default, even without NAT?

• Or is this a known bug in firmware 1.3.1?

I would appreciate any clarification or advice, and whether such behaviour is documented in the ER7212PC manual or not.

Thanks!

#1
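The workaround in the post above (deny all inbound on the WAN, then allow only the forwarded ports) rests on two things the thread leaves implicit: with NAT off the WAN interface behaves as if its default were permit, and ACLs are evaluated first-match, so the order of the rules decides what gets through. The following Python script is an added example, not code from this thread, from TP-Link or from the ER7212PC/Omada firmware. It simulates a generic first-match ACL over a constructed set of inbound flows (the addresses 192.0.2.1, 10.10.20.5 and 10.10.10.8, the ports, and the flow names are all hypothetical) so the three rule sets can be compared offline.

```python
"""
First-match ACL simulator for a WAN interface with NAT disabled.

Added example, not code from the thread or from TP-Link/Omada: it models
the generic first-match semantics most router ACLs use so the effect of the
"deny all inbound on WAN, then allow only forwarded ports" workaround can be
checked offline. Every address, port and host below is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port, None = any port


@dataclass(frozen=True)
class Flow:
    name: str
    proto: str
    dst_ip: str
    dport: int


def matches(rule: Rule, flow: Flow) -> bool:
    """True when every field of the rule covers the flow."""
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if ip_address(flow.dst_ip) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return True


def evaluate(rules: List[Rule], flow: Flow, default: str = "permit") -> str:
    """First matching rule wins; with no match the interface default applies.

    default="permit" models the behaviour reported in the thread: with NAT
    off and no ACL configured, inbound WAN traffic is forwarded as-is.
    """
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return default


def audit(rules: List[Rule], flows: List[Flow]) -> Dict[str, str]:
    """Evaluate a set of inbound-from-WAN flows and report each verdict."""
    return {flow.name: evaluate(rules, flow) for flow in flows}


# Constructed sample of what a host on the WAN subnet might send inbound.
# 192.0.2.1 is the hypothetical gateway management address, 10.10.20.0/24 a
# server VLAN, and 10.10.10.8 the one host that is meant to be reachable
# through Port Forwarding on TCP 443.
INBOUND_FLOWS = [
    Flow("mgmt-https",      "tcp", "192.0.2.1",  443),
    Flow("mgmt-ssh",        "tcp", "192.0.2.1",  22),
    Flow("vlan20-smb",      "tcp", "10.10.20.5", 445),
    Flow("forwarded-https", "tcp", "10.10.10.8", 443),
]

# 1. No ACL at all: what the original poster observed after disabling NAT.
NO_ACL: List[Rule] = []

# 2. The workaround from the thread: allow the forwarded service, then deny
#    everything else inbound on the WAN interface.
HARDENED = [
    Rule("permit", "tcp", "10.10.10.8/32", 443),
    Rule("deny",   "any", "0.0.0.0/0",     None),
]

# 3. The same two rules in the wrong order: the catch-all deny is hit first
#    and the port-forwarded service is silently blocked as well.
MISORDERED = [
    Rule("deny",   "any", "0.0.0.0/0",     None),
    Rule("permit", "tcp", "10.10.10.8/32", 443),
]


def exposed_flows(rules: List[Rule], flows: List[Flow] = INBOUND_FLOWS) -> List[str]:
    """Names of the flows that the rule set lets through from the WAN side."""
    return [name for name, verdict in audit(rules, flows).items() if verdict == "permit"]


if __name__ == "__main__":
    for label, rules in (("no ACL", NO_ACL), ("hardened", HARDENED), ("misordered", MISORDERED)):
        print(f"{label:>10}: permitted inbound = {exposed_flows(rules)}")
```

Running it shows that with no ACL every sample flow, the management ports included, is permitted; the hardened set lets only the forwarded HTTPS flow through; and a deny-all placed before the permit blocks the forwarded service too. That the ER7212PC evaluates its ACL top-down in exactly this way is an assumption of the example, so the result should be confirmed against the gateway's own ACL documentation and a test from the WAN side.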
Re:ER7212PC does NOT block WAN traffic by default when NO-NAT is enabled on WAN port
a week ago

@demir-deniz

If you disable NAT, you don't have NAT protecting your network; then you really only have a router, so you must have ACLs. I haven't tested this myself, but that's the most logical thing. So it's probably not a bug: you've removed NAT as protection, so you have to use other ways to block traffic.

#2
Re:ER7212PC does NOT block WAN traffic by default when NO-NAT is enabled on WAN port
a week ago

MR.S wrote:

    @demir-deniz

    If you disable NAT, you don't have NAT protecting your network; then you really only have a router, so you must have ACLs. I haven't tested this myself, but that's the most logical thing. So it's probably not a bug: you've removed NAT as protection, so you have to use other ways to block traffic.

@MR.S Thank you for your input!

I agree that disabling NAT removes the “automatic” protection provided by stateful NAT, and in that case ACLs become critical.

However, I believe that inbound traffic (including access to the router’s own management ports) should still be protected by default — regardless of whether NAT is enabled or disabled. Management access (HTTP/HTTPS/SSH/etc.) typically needs to be explicitly allowed from the WAN via a setting, and should never be exposed by default.

In my case, I did not find any option to control or restrict management access and SSH access from the WAN port — are there such settings on the ER7212PC?

If not, then it seems this behavior could pose a significant security risk.

I’m hoping to get a more solid confirmation from TP-Link on whether this is expected behavior or a bug in the 1.3.1 firmware.

#3
Re:ER7212PC does NOT block WAN traffic by default when NO-NAT is enabled on WAN port-Solution
a week ago - last edited Wednesday

@demir-deniz

Try something like this ACL:

Recommended Solution
#4
Re:ER7212PC does NOT block WAN traffic by default when NO-NAT is enabled on WAN port-Solution
a week ago - last edited Wednesday

Hi @demir-deniz

Thanks for posting in our business forum.
The router management page is not protected anyway. Even though it was behind the NAT, it was accessible from the LAN.

If it is exposed to the public Internet and you have the proper ports open, it can be accessed as well.

There is no default ACL to block (protect) the router page anyway.

With the NAT, it does not become a security problem. When you stop the NAT, it is exposed to the Internet, which will become a problem.

The router is not doing anything unless you configure it, especially when it comes to the ACL stuff.

Best Regards!

Recommended Solution
#5