ER605 access control for IP Group does not work

Yesterday - last edited Yesterday
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.2.6 Build 20240718 Rel.82712

Hello,

 

Access control for IP Group does not work. I have tried all kinds of ways to block 3 specific static IP addresses from accessing WAN or from WAN to those IP addresses and there is no blocking being done. Specifically what I am trying to do is block three Deco XE75 Pro from being remotely managed or accessing the cloud. I do not want TP-Link to have any connection to Decos, I am already not happy that an account is required to set up the units.

 

Each of the Decos has a static IP address set in ER605. They are set up as access points. I managed ER605 stand-alone through the web UI. I set the 3 IP addresses under "IP Address" then I made IP Group with that IP Address name. I then created several types of access control lists trying to block all [WAN] IN or LAN->WAN or ALL. I tried using Decos as Source and Destination with IP_GROUP_ANY and no matter what I do, traffic is still going out from Decos and I can access them using the Deco app when on mobile network.

 

I have searched the forums and there are many instances of exact same problem, mainly that access control on ER605 does not work with IP Group.

 

Is this correct? Is this a bug? If this is true, how can I block Deco XE75 Pros from being remotely managed, and them talking to anything outside of my local network?

#1
7 Reply
Re:ER605 access control for IP Group does not work-Solution
Yesterday - last edited Yesterday

  @pajtaz everything works.

 

I am blocking my tplink ip cameras, because even without entering tplink account they always keep connected to tplink servers

 

 

Recommended Solution
#2
Re:ER605 access control for IP Group does not work
Yesterday

  @YuriyB Thank you. I set it up exactly like you did just now and ... it works. I don't get it. I may have not set one of those fields under Access Control correctly.

 

Now Deco app cannot access the Decos from outside my network.

 

Does this also block Decos from sending data out? It does not seem so. I see on my PiHole log that the main Deco is still pinging some sites and TP Link cloud server. How do I block this? Repeat same as above but reverse source and destination?

#3
Re:ER605 access control for IP Group does not work
Yesterday

  @pajtaz I think you need to set an IP group with tons of TP-Link server addresses and create a rule with deny access. Sorry, but I think it's a bad idea.

#4
Re:ER605 access control for IP Group does not work-Solution
Yesterday - last edited Yesterday

Hi @pajtaz 

Thanks for posting in our business forum.

Without the account, you cannot use Deco. If I recall it correctly.

Deco is supposed to work with the account and how it is designed in the first place as a home product.

 

Block at your discretion.

All the feedback regarding the ACL not working originates from a misconfiguration. I have not seen a case that is due to the failure/malfunction in the ACL.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
Recommended Solution
#5
Re:ER605 access control for IP Group does not work
Yesterday

Hi @pajtaz

pajtaz wrote

  @YuriyB Thank you. I set it up exactly like you did just now and ... it works. I don't get it. I may have not set one of those fields under Access Control correctly.

 

Now Deco app cannot access the Decos from outside my network.

 

Does this also block Decos from sending data out? It does not seem so. I see on my PiHole log that the main Deco is still pinging some sites and TP Link cloud server. How do I block this? Repeat same as above but reverse source and destination?

The ping is to maintain an online check, I think. I don't work with the Deco and you can ask this on the Deco page.

I think they would advise not to block any as it would only cause trouble.

 

If you really don't want any connections or telemetry, consider blocking via DNS or something. Or return the product. Firefox and Microsoft, they all have telemetry; you might not use them at all.

Best Regards!
#6
Re:ER605 access control for IP Group does not work
18 hours ago

  @Clive_A I cannot return Decos any more, it has been more than 30 days since purchase. When I bought them, I did the research and there were not many options for mesh systems that are not forced to use an account, connect to the cloud, or require PoE power. Therefore now I am stuck with Decos.

 

Anything that I purchased and I own should be under my control and no company should have any access to it. I block anything I can using PiHole and I will block more with ER605 if I have to. Since Decos are inside my network and their only function is to provide access to local network for wireless devices, they should have no reason to connect to Internet.

 

In your previous post you stated that any issue with Access Control is due to misconfiguration. Right now I successfully blocked access to Decos from outside (from Internet). However Decos are still pinging sites and pinging the cloud servers. Can you explain how to use Access Control with IP Groups to block devices from reaching Internet?

#7
Re:ER605 access control for IP Group does not work
3 hours ago

Hi @pajtaz 
Thanks for posting in our business forum.

pajtaz wrote

  @Clive_A I cannot return Decos any more, it has been more than 30 days since purchase. When I bought them, I did the research and there were not many options for mesh systems that are not forced to use an account, connect to the cloud, or require PoE power. Therefore now I am stuck with Decos.

 

Anything that I purchased and I own should be under my control and no company should have any access to it. I block anything I can using PiHole and I will block more with ER605 if I have to. Since Decos are inside my network and their only function is to provide access to local network for wireless devices, they should have no reason to connect to Internet.

 

In your previous post you stated that any issue with Access Control is due to misconfiguration. Right now I successfully blocked access to Decos from outside (from Internet). However Decos are still pinging sites and pinging the cloud servers. Can you explain how to use Access Control with IP Groups to block devices from reaching Internet?

You cannot stop it from sending it as it is built into the Deco software.

You use ACL to block the traffic but it does not mean it will stop sending, the behavior.

If what you want is to stop the sending, contact the Deco support. I don't think there is gonna be any concrete result from this request.

 

ACL guide is generic and self-evident as the text says. You have the source and destination. Identify the direction and create the groups if necessary to block the access.

Try with the User Guide or the cases on the forum.

Best Regards!
#8
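
An added example, not part of the original thread: the Pi-hole log discussed above records DNS lookups, which stay on the LAN (assuming the Pi-hole is a LAN host) and never cross the router's LAN->WAN rule, so seeing them there does not show that the ACL failed. This sketch sorts a dnsmasq-format Pi-hole log per device into names Pi-hole blocked and names it answered; the device IPs, domain names and log lines are constructed placeholders.

```python
import re

# Assumed Deco static IPs and a constructed pihole.log sample; every IP and name is a placeholder.
WATCHED = {"192.168.0.11", "192.168.0.12", "192.168.0.13"}
SAMPLE_LOG = """\
Sep  1 10:00:01 dnsmasq[812]: query[A] cloud.vendor.example from 192.168.0.11
Sep  1 10:00:01 dnsmasq[812]: forwarded cloud.vendor.example to 192.0.2.53
Sep  1 10:00:01 dnsmasq[812]: reply cloud.vendor.example is 203.0.113.10
Sep  1 10:00:05 dnsmasq[812]: query[A] ntp.vendor.example from 192.168.0.12
Sep  1 10:00:05 dnsmasq[812]: gravity blocked ntp.vendor.example is 0.0.0.0
Sep  1 10:00:09 dnsmasq[812]: query[A] news.example from 192.168.0.50
Sep  1 10:00:20 dnsmasq[812]: query[A] cloud.vendor.example from 192.168.0.13
Sep  1 10:00:20 dnsmasq[812]: cached cloud.vendor.example is 203.0.113.10
"""

QUERY = re.compile(r"dnsmasq\[\d+\]: query\[\w+\] (\S+) from (\S+)$")
RESULT = re.compile(r"dnsmasq\[\d+\]: (.+?) (\S+) (?:is|to) \S+$")
BLOCK_WORDS = ("blocked", "blacklisted", "denied")  # wording Pi-hole uses for refused names

def classify(log_text, watched=WATCHED):
    """Return {client: {domain: 'answered' | 'blocked' | 'unanswered'}}."""
    pending = {}  # domain -> watched client that asked for it most recently
    report = {}
    for line in log_text.splitlines():
        m = QUERY.search(line)
        if m:
            domain, client = m.groups()
            if client in watched:
                pending[domain] = client
                report.setdefault(client, {}).setdefault(domain, "unanswered")
            else:
                pending.pop(domain, None)  # following result lines belong to another host
            continue
        m = RESULT.search(line)
        if not m or m.group(2) not in pending:
            continue
        action, domain = m.groups()
        seen = report[pending[domain]]
        if any(word in action for word in BLOCK_WORDS):
            if seen[domain] != "answered":  # a real answer at any time wins
                seen[domain] = "blocked"
        else:
            seen[domain] = "answered"
    return report

def egress_candidates(report):
    """Names a watched device resolved, so its WAN traffic is left to the router ACL."""
    return sorted((c, d) for c, doms in report.items()
                  for d, s in doms.items() if s == "answered")
```

Names returned by `egress_candidates` are the ones where the device obtained an address, so only the router rule (source: the Deco IP group, direction LAN->WAN) stands between it and the Internet.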