Omada Firewall Gateway ACL setup

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-07-01 19:24:07
Tags: #ACL
Model: ER605 (TL-R605)
Hardware Version: V2
Firmware Version: 2.1.2

Hi!

Configuring my first Omada (and TP-Link) router/firewall.

 

Wanted to double check that I understand this correctly. If I create this rule (screenshot below),

Denying [WAN] IN, TCP&UDP from IPGroup_Any to IPGroup_Any:

... Then leaving State Type at Auto (Match State New / Established / Related)

 

Then everything that's Established or Related is allowed back in, right?

 

(Maybe someone has a link to some nice example of best practice rules for a SOHO setup? I kinda got lost in reading the wrong PDFs for standalone config and such.) 😅

Most of my experience with firewalling is on Linux and router operating systems using pretty much the same logic.

I would feel more confident here if I could get a dump somehow (command line or something) of active ruleset ...

#1
Re:Omada Firewall Gateway ACL setup
2023-07-01 19:49:54

  @flips01 

 

This rule is not really necessary; it is set by default.
But it will also block the remote site if you have a site-to-site VPN, and it also blocks if you have port forwarding (NAT IN).

I use it to block some remote-site LAN that comes in over VPN, but then only the RFC1918 net.

 

 

#2
Re:Omada Firewall Gateway ACL setup
2023-07-01 20:11:57

  @MR.S Oh, thanks. I read somewhere* that the ACLs by default were just allow all; I guess that's not so, then.

 

*) Or maybe someone said so in a YouTube video about Omada setup ...

#3
Re:Omada Firewall Gateway ACL setup
2023-07-01 20:17:02

  @flips01 

 

By default LAN to WAN is allow all, WAN to LAN is block all, except the remote site in VPN. Then you can do port forwarding, and this port is automatically opened to the device you forward to.

#4
Re:Omada Firewall Gateway ACL setup
2023-07-01 22:11:03

  @MR.S 

Thanks, that's sensible defaults!

And [WAN] IN by default accepts/responds to ICMP (at least some)?

But blocks access to the router itself (Management interface HTTP/SSH/Telnet/SNMP etc.)?

 

BTW: Is useful info like this listed in any docs/guides?

#5
Re:Omada Firewall Gateway ACL setup
2023-07-01 22:34:14 - last edited 2023-07-01 22:53:04

flips01 wrote:

  @MR.S 

Thanks, that's sensible defaults!

And [WAN] IN by default accepts/responds to ICMP (at least some)?

But blocks access to the router itself (Management interface HTTP/SSH/Telnet/SNMP etc.)?

 

BTW: Is useful info like this listed in any docs/guides?

  @flips01 

 

WAN responds to ICMP only if you have enabled ping from WAN in the firewall settings under Attack Defense, and the router management interface itself is not possible to reach from WAN; I don't think it is possible either when the router is controller-managed.

But if you try to reach the WAN interface from the LAN you will see a login page; this is not possible from any device on the WAN.

 

If you are going to test, do not test from the LAN; there are many things that respond from the LAN. You must test from the WAN. If you ping the WAN IP from the LAN, it will respond to the ping, but if you do the same from the WAN, it does not respond. Same thing with management on the router itself, or SSH.

 

You can test from your phone on the mobile network; turn off WiFi :-)

 

Docs :-) Yeah, there is Omada documentation, but how good it is? I don't know.

You can try this

https://static.tp-link.com/upload/manual/2023/202306/20230609/1910013343_Omada%20SDN%20Controller_User%20Guide_REV5.9.0.pdf

 

#6
Re:Omada Firewall Gateway ACL setup
2023-07-03 02:51:20

  @flips01 

There is no tailored config; you have the authority to design your network.

From your config, you want to block ICMP; that's not necessary because Security > Firewall has already blocked "ping from WAN". Your router does not respond to WAN ping.

In protocols, you can further specify what kind of protocols you want to block.

When you deny all public IP in, you are probably limited to no internet access. You can only make/establish a connection.

What do you want to achieve eventually with the ACL?

#7
Re:Omada Firewall Gateway ACL setup
2023-07-03 08:19:45

@MR.S 

Thanks. Yes, I've been reading that guide. It doesn't really go into details.

It would be nice if there was a reference (wiki or whatever) where some defaults were visible.

(Details as in what you just described that default policy for WAN is Drop and what's opened by default when you add VPN etc.)

 

  @Tedd404 

Deny public WAN IN didn't block established/related, so most stuff works, as described by MR.S above.

I know I am able to design a pretty good firewall when I understand the defaults (and the user-friendly behind-the-scenes logic).

The reason I was asking for examples, was because I like studying some examples (especially when I know it's made by people who know the hardware and software well). I usually pick up useful hints and understanding that's not obvious when you start from scratch.

 

(If the TP-link firmware is built on Linux (nf_tables/iptables) or BSD (pf or similar), it would be very helpful if one could get a command line dump of the active rules or similar. Not sure it's possible though.)

 

#8
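The stateful behaviour this thread converges on (LAN to WAN allowed by default, unsolicited WAN IN dropped, replies to LAN-initiated flows allowed back even with a Deny [WAN] IN rule in place, while that same rule also blocks port forwards and remote-site VPN traffic, and WAN ping only answered when enabled under Attack Defense) is easier to reason about as a small connection-tracking model. The following Python is an added example, not code from the thread or from TP-Link; the evaluation order (conntrack reply check, then user ACLs, then built-in defaults), the class names and every address and port are constructed assumptions chosen so the model reproduces what the posters report, not the ER605 firmware's actual internals.

```python
"""Toy stateful packet filter modelling the gateway behaviour described in the thread.

Constructed example: evaluation order and defaults are assumptions that reproduce
the observed behaviour (a Deny [WAN] IN ACL does not break reply traffic, but does
block NAT IN port forwards and remote-site VPN flows).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str              # interface the packet arrives on: "WAN" or "LAN"
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    via_vpn: bool = False   # arrived through a site-to-site tunnel


@dataclass(frozen=True)
class Rule:
    name: str
    iface: str                      # "WAN" = a [WAN] IN rule, "LAN" = a [LAN] IN rule
    protos: FrozenSet[str]
    action: str                     # "deny" or "allow"
    # State Type "Auto" in the controller UI matches New / Established / Related
    states: FrozenSet[str] = frozenset({"new", "established", "related"})


FlowKey = Tuple[str, str, int, str, int]


class ToyGateway:
    def __init__(self, ping_from_wan: bool = False,
                 port_forwards: Optional[Dict[Tuple[str, int], str]] = None) -> None:
        self.conntrack: Set[FlowKey] = set()      # flows the LAN has opened
        self.ping_from_wan = ping_from_wan        # Attack Defense "ping from WAN" toggle
        self.port_forwards = port_forwards or {}  # (proto, dport) -> internal host
        self.rules: List[Rule] = []

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> FlowKey:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def evaluate(self, p: Packet) -> Tuple[str, str]:
        """Return (action, reason) for one packet and update connection tracking."""
        # 1. Replies to flows the LAN opened are accepted before user ACLs are consulted
        #    (assumed ordering; it is what makes the thread's observation come out right).
        if p.iface == "WAN" and self._reverse_key(p) in self.conntrack:
            return "allow", "established/related (conntrack reply)"
        state = "new"
        # 2. User-defined ACLs, first match wins.
        for r in self.rules:
            if r.iface == p.iface and p.proto in r.protos and state in r.states:
                return r.action, r.name
        # 3. Built-in defaults as described by the posters.
        if p.iface == "LAN":
            self.conntrack.add(self._key(p))
            return "allow", "default LAN->WAN allow"
        if p.via_vpn:
            return "allow", "default remote-site VPN allow"
        if p.proto == "icmp":
            return ("allow" if self.ping_from_wan else "deny"), "Attack Defense: ping from WAN"
        target = self.port_forwards.get((p.proto, p.dport))
        if target:
            return "allow", f"NAT IN port forward -> {target}"
        return "deny", "default WAN->LAN deny"


def run_scenarios(with_deny_rule: bool) -> Dict[str, str]:
    """Replay constructed packets through the model; returns scenario name -> action."""
    gw = ToyGateway(ping_from_wan=False, port_forwards={("tcp", 8080): "192.168.0.20"})
    if with_deny_rule:
        gw.rules.append(Rule("Deny [WAN] IN TCP&UDP Any->Any", "WAN",
                             frozenset({"tcp", "udp"}), "deny"))
    lan_host, web_server, remote_host = "192.168.0.10", "203.0.113.5", "198.51.100.7"
    wan_ip = "203.0.113.99"   # constructed public address of the gateway itself
    out: Dict[str, str] = {}
    out["lan_to_web"] = gw.evaluate(Packet("LAN", "tcp", lan_host, web_server, 51000, 443))[0]
    out["web_reply"] = gw.evaluate(Packet("WAN", "tcp", web_server, lan_host, 443, 51000))[0]
    out["unsolicited_ssh"] = gw.evaluate(Packet("WAN", "tcp", remote_host, lan_host, 40000, 22))[0]
    out["wan_ping"] = gw.evaluate(Packet("WAN", "icmp", remote_host, wan_ip))[0]
    out["port_forward_8080"] = gw.evaluate(Packet("WAN", "tcp", remote_host, wan_ip, 40001, 8080))[0]
    out["remote_site_vpn"] = gw.evaluate(
        Packet("WAN", "tcp", "10.20.0.5", lan_host, 40002, 445, via_vpn=True))[0]
    return out


if __name__ == "__main__":
    for flag in (False, True):
        print(f"--- Deny [WAN] IN rule present: {flag}")
        for name, action in run_scenarios(flag).items():
            print(f"{name:20s} {action}")
```

Running it shows the two cases side by side: with or without the deny rule, `web_reply` is allowed and `unsolicited_ssh` is dropped, so the rule buys nothing for plain LAN-initiated browsing; what changes is that `port_forward_8080` and `remote_site_vpn` flip from allow to deny, which is exactly the side effect MR.S warns about in post #2. Swapping `ping_from_wan=True` into the constructor is the quickest way to see the Attack Defense toggle in isolation.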