LAN access without WAN access
Hello guys,
Im sorry, english is not my native language but I try do my better.
Since last 3 days i search over all Internet and trying too many ACLs rules but nothing works.
What I have? I have 4 Vlans. 1- Admin 2- Main 3- IoT 4- Guest
What I need?
I need this config on some IoT vlan devices: Block WAN access to specific ip/device but keep connect to LAN/VLAN network.
Why? Some devices work with cloud and others not need cloud, I want block their untrusted comunications with ouside of my LAN network but I need rule to permit comunicate que with vlan "Admin" where is my home server.
I have some ACL rules work but I cant make their work together.
Gateway ACL
At this moment I able deny all WAN access to a specific Vlan ( rule number 2). Rule number 1(is a permit specific ip can connect to Internet) i cant make it work.
Switch ACL
2 top ACL rules are work but I cant Block WAN access.
Any recomendation ?
Thanks
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @LinkX92
Thanks for posting in our business forum.
LinkX92 wrote
Hello,
Yes, i have no problem with share my configs to others. Sometimes we need help and sometimes we can help others :)
But my problem still persists
Picture number two:
Second rule its ok, no internet on IOT VLAN.
But i need device A53 (only this device) has access to the internet/WAN on IOT VLAN (this Vlan has no internet) and make the rule number 1 - Permit WAN in and out at IOT vlan on A53 device. (picure number 2 on GW ACL)
My problem is that rule number 1 dont work, i cant have internet access in A53 device with this ACL rule.
What i do wrong ?
Thanks all again
Use GW ACL. GW ACL is your primary choice.
DO something like this. Only allow one IP(create yourself) in the SRC > IP Group. Then it can access the Internet.
- Copy Link
- Report Inappropriate Content
Hi @LinkX92
Thanks for posting in our business forum.
LinkX92 wrote
What I need?
I need this config on some IoT vlan devices: Block WAN access to specific ip/device but keep connect to LAN/VLAN network.
Why? Some devices work with cloud and others not need cloud, I want block their untrusted comunications with ouside of my LAN network but I need rule to permit comunicate que with vlan "Admin" where is my home server.
1. GW ACL to block WAN access to specific devices.
However, you should be clear about what you need. Is this gonna be an ingress or egress?
Literal meaning here in the Direction.
If you are talking about the incoming traffic, set up the WAN IN ACL.
If outgoing, you should set up LAN > WAN ACL.
Source(SRC) and Destination(DST) should be based on your plan. I cannot point out how to configure ACL in every thread on the forum. But show you how to do it.
I do hope people can study the ACL guide which is a rather hard if you are new to this. There are examples in the User Guide of the router and switch in standalone mode User Guide.
2. I understand you want to stop the IoT devices from talking to the servers. Why? Some devices work with cloud and others not need cloud, I want block their untrusted comunications with ouside of my LAN
Basically, you should set up the LAN > WAN ACL for them. Since WAN cannot access the LAN, you should simply stop the IoT VLAN from getting Internet. Then this stops them from connecting to the IoT server.
You don't have to worry about the WAN IN as for the NAT.
(Note if you are gonna specify every traffic based on your discretion, then it's gonna be a large amount of work. If there are any issues, you should at least run multiple times self-check.)
3. but I need rule to permit comunicate que with vlan "Admin" where is my home server. By default, the VLAN interfaces you created can talk to each other. You can try to ping it yourself.
If you are talking about cross-VLAN discovery, set up the mDNS then.
If you want to only allow one IP from Admin VLAN to talk to the IoT VLAN, you can achieve this by 1 deny Admin - IoT and 1 allow IoT(All) - Admin(one IP). Deny should has higher priority. This works.
- Copy Link
- Report Inappropriate Content
Hello, thanks for you reply.
In geral i know apply ACL rules, i make various tests and do it with sucess but at this moment i have only problem to apply one of them.
1- Omada translate, to my language, not very correct on WAN IN option, now i change to english and see if exist WAN IN and "WAN OUT", thats good.
First step i want block comunicate from internet or to internet, i think for my case no matter, the objective is block comunications to their servers or possible hiden comunications to their servers.
2- This point i made sucessfully. I can block my IOT Vlan ACL GW rule (see in pic below)
3- This rules are ok too, no problem with that. I described wat i need to help when someone try help me.
Picture number one:
Deny IOT vlan comunicate with others but, i need 1 device to comunicate with other vlan, rule 1. This ACL are tested and work.
Picture number two:
Second rule its ok, no internet on IOT VLAN. But i need device A53 (only this device) has access to the internet on IOT VLAN and make the rule number 1. My problem is that rule number one dont work, i cant have internet access in A53 device
Note: IPgroup have A43 name but is my mistake, is A53 device IP.
1
2
Thanks for help
- Copy Link
- Report Inappropriate Content
Hi @LinkX92
Thanks for posting in our business forum.
So this is a sharing config post to help anyone if they are interested in a config like yours?
I thought there was an issue.
I can tag your thread if this is a misunderstanding. Love to see people share their config and plan with others.
- Copy Link
- Report Inappropriate Content
Hello,
Yes, i have no problem with share my configs to others. Sometimes we need help and sometimes we can help others :)
But my problem still persists
Picture number two:
Second rule its ok, no internet on IOT VLAN.
But i need device A53 (only this device) has access to the internet/WAN on IOT VLAN (this Vlan has no internet) and make the rule number 1 - Permit WAN in and out at IOT vlan on A53 device. (picure number 2 on GW ACL)
My problem is that rule number 1 dont work, i cant have internet access in A53 device with this ACL rule.
What i do wrong ?
Thanks all again
- Copy Link
- Report Inappropriate Content
Hi @LinkX92
Thanks for posting in our business forum.
LinkX92 wrote
Hello,
Yes, i have no problem with share my configs to others. Sometimes we need help and sometimes we can help others :)
But my problem still persists
Picture number two:
Second rule its ok, no internet on IOT VLAN.
But i need device A53 (only this device) has access to the internet/WAN on IOT VLAN (this Vlan has no internet) and make the rule number 1 - Permit WAN in and out at IOT vlan on A53 device. (picure number 2 on GW ACL)
My problem is that rule number 1 dont work, i cant have internet access in A53 device with this ACL rule.
What i do wrong ?
Thanks all again
Use GW ACL. GW ACL is your primary choice.
DO something like this. Only allow one IP(create yourself) in the SRC > IP Group. Then it can access the Internet.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 666
Replies: 6
Voters 0
No one has voted for it yet.