Basic Firewall Rules for ER7206?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Basic Firewall Rules for ER7206?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Basic Firewall Rules for ER7206?
Basic Firewall Rules for ER7206?
2022-10-03 18:48:38
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version: 1.2.0 Build 20220117 Rel. 74491

Hi all -- Posting here because it is a 'business router' but it is for my home network.  Please accept my apologies if I should post in a different area.

 

I purchased the ER7206 to try and create a more secure home network as my primary firewall for my home network.  I have AT&T gigabit and want to change the AT&T supplied modem to be passthrough only.  However, I am finding the firewall setup in the ER7206 to be sorely lacking - or a lot of user error on my side.  I feel like I am just missing something major.  I'm NOT using the Omada software to configure my environment but I can if needed.  The reason I am not is I have a Deco Mesh and another smart switch that are not Omada compatible.  Maybe someone can help so I'll just enumerate my questions after a brief description of my environment:

 

I have four networks at home:   my main LAN (trusted devices), IoT (untrusted devices), work from home, and admin.  These are configured as VLANS but since I have a relatively simple setup, I have each LAN port of the ER7206 driving one (and only one) network.  I have a L3 switch that I have partitioned off by ports as well so my wired networks are separate.  I have an EAP 620 that I use to serve the wireless networks for my Admin, Working from Home, and IoT devices.  I have a Deco mesh to serve the wireless for my main LAN.

 

I have watched so many youtube videos for different ACLs on different routers that I am crosseyed.  They all seem to have a lot more configurability than ER7206.  I am not a network admin by any stretch and I am throwing up the white flag.  My questions:

  1. If no rules are configured at all, what is the firewall blocking/allowing by default?  In other words, am I horribly exposed with no configuration or am I protected with only all of the Packet Anomaly Defense enabled on the Attack Defense tab of the Firewall settings?
  2. How do I create an 'allow established and related' rule?  That seems to be the number one rule to start with on all the youtube videos and I do not see any equivalent in the ER7206.
  3. Does anyone have a good list of 'must have' rules to secure a very general network specific to ER7206? 
  4. I have a wired printer on my LAN network (i.e. 192.168.50.50).  What rule do I create to allow traffic from my Work from Home network (i.e. 192.168.100.X) to use that printer (I created an IP group for that printer but no rule I 'write' seems to allow it).  Remember, I have my VLANS also segmented by physical ports.  Should this be a LAN > LAN rule or a LAN > WAN rule given my architecture?
  5. Similar to #4, I want my desktop PC, which is connected to my LAN network (e.g. 192.168.50.100/24), to be able to administer my router and switch on my Admin network (e.g. 192.168.200.1/24 and 192.168.200.2/24).  What rule do I create there?

 

Any help is appreciated.  Best regards and Thanks!

 

  0      
  0      
#1
Options
2 Reply
Re:Basic Firewall Rules for ER7206?
2022-10-03 19:00:24 - last edited 2022-10-03 19:01:32

  @JAinGA 

 

Firewall on the TP LInk ER routers is very configurable, but it doesnt really hold yuour hand.

 

A brief outline - 

 

Firewall rules are, as you say, based on ACL rules.  these rules are a combination of IP addresses (can be WAN or LAN / VLAN) and "Services"

 

Services are defined by port or protocol and are set in the "Preferences > Service Type" section of the GUI.

 

A simple example, you can define a new service type "PPTP" and set it to port 1723 - 1723 protocol TCP.  If you want the computer on 192.168.1.25 to NOT be able to use PPTP VPNs, you would need to add that IP to a new Group "Grp25noPPTP", you would set a new ACL to

 

"Block / Service PPTP / LAN > WAN / Source:Grp25noPPTP / Destination: IPGROUP_ANY"

 

As standard, the "Packet anomoly" and "Attack defense" are pretty much designed to defend agasin random port scanners / "hackers" online who probe your public IP address and launch DDos attacks.  The ACL rules are far more flexible than just that defense

  0  
  0  
#2
Options
Re:Basic Firewall Rules for ER7206?
2022-10-04 18:19:30

  @JAinGA All my research has ended in this: devices does not provide an stateful firewall. frown 

  0  
  0  
#3
Options

Information

Helpful: 0

Views: 3828

Replies: 2

Related Articles