ER605 HW V1 + FW 1.3 + Software Controller 5.9.31 - Gateway LAN->WAN ACL with Internal IP issue

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-05-19 01:29:07
Model: ER605 (TL-R605)  
Hardware Version: V1
Firmware Version: 1.3

I have set up a number of VLANs and used ACL DENY rules to block traffic between them.

I want to open a path from one VLAN to a specific IP+PORT on another VLAN. 

Based on my testing, ACL on Gateway for LAN->WAN cannot be used to manage traffic to an internal (i.e., non-WAN) IP.

Is this the expected behaviour?

 

Under the previous firmware I could make this work when I wasn't using a controller.

#1
Re:ER605 HW V1 + FW 1.3 + Software Controller 5.9.31 - Gateway LAN->WAN ACL with Internal IP issue
2023-05-19 09:07:35

  @mia7979 @Fae 

 

Yes, I'm wondering the same thing. It's good that we can lock down the whole building, but I could imagine opening some doors.
I don't quite know what is intended here; it should be possible to open some ports, e.g. for printing, without opening up the entire network.

 

#2
Re:ER605 HW V1 + FW 1.3 + Software Controller 5.9.31 - Gateway LAN->WAN ACL with Internal IP issue
2023-05-19 09:23:23

  @mia7979 

Thank you for reaching out and sharing your experience with VLANs and ACL DENY rules. It seems like you have encountered a specific challenge regarding traffic management between VLANs and an internal IP address.

Based on your description, it appears that you have been unable to achieve the desired outcome using the ACL on the Gateway for LAN->WAN configuration. This behavior might differ from your previous experience when you were not using a controller.

To provide you with accurate assistance, could you please provide us with additional details such as the specific equipment or software you are using? This will help us better understand the context and provide you with a more tailored solution.

In the meantime, it is worth mentioning that ACLs are typically used to control traffic flow between different networks, including electric VLANs. However, if you are encountering limitations when trying to manage traffic to an internal IP within a VLAN, it is essential to review your current setup and configuration.

#3
Re:ER605 HW V1 + FW 1.3 + Software Controller 5.9.31 - Gateway LAN->WAN ACL with Internal IP issue
2023-05-19 10:57:59

  @Benjaminpaul 

 

Hello,

I believe all the relevant equipment is in the description. I think the key problem is that you cannot use LAN->WAN ACL rules to influence traffic. I tried removing all ACL rules and created two new IP GROUPS:

ipClients = 192.168.108.1/24

ipServers = 192.168.107.1/24

When I create a LAN->WAN ACL rule that denies ipClients -> ipServers I can still access all servers, on all ports, from all clients.

It feels like there needs to be the option to use IP groups and IP port groups in the LAN->LAN ACL rules.

Or am I missing something?

#4
Re:ER605 HW V1 + FW 1.3 + Software Controller 5.9.31 - Gateway LAN->WAN ACL with Internal IP issue
2023-05-19 17:41:26

  @mia7979 

That's correct, we need to use IP groups and IP port groups in the LAN->LAN ACL rules. LAN->WAN is for LAN to WAN ACL.

I hope this is a bug and that it will be fixed soon. 

#5
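
A way to check, from a host in the client VLAN, whether the gateway ACLs enforce the intent discussed in this thread (one specific IP+port open, everything else on the server VLAN blocked). This is an added example, not part of any post above; the host addresses and ports are constructed, and only the 192.168.107.x server subnet comes from the thread.

```python
import socket

# Constructed policy for illustration: hosts and ports are assumptions, only the
# 192.168.107.x server subnet comes from the thread. True = should be reachable.
EXPECTED = {
    ("192.168.107.10", 9100): True,   # the one path meant to stay open (hypothetical printer)
    ("192.168.107.10", 22): False,    # same host, other port: should be blocked
    ("192.168.107.20", 445): False,   # other server: should be blocked
}


def tcp_reachable(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or unreachable
        return False


def audit(expected, probe=tcp_reachable):
    """Compare observed reachability with the intended policy.

    Returns (host, port, wanted, observed) for every mismatch, so an empty
    list means the ACLs behave as intended from this client.
    """
    mismatches = []
    for (host, port), wanted in sorted(expected.items()):
        observed = probe(host, port)
        if observed != wanted:
            mismatches.append((host, port, wanted, observed))
    return mismatches


if __name__ == "__main__":
    # Run on a machine inside the client VLAN after each ACL change.
    for host, port, wanted, observed in audit(EXPECTED):
        state = "reachable" if observed else "blocked"
        want = "reachable" if wanted else "blocked"
        print(f"MISMATCH {host}:{port} is {state}, policy says {want}")
```

A deny rule that never matches, as reported in post #4, shows up here as every `False` entry listed as a mismatch.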