Management Page Block ACL blocks internet access
Hi support,
In continuation of a previous thread (locked) with similar topic:
https://community.tp-link.com/en/business/forum/topic/642230
I created an ACL as per link above, however, internet access will be blocked.
Followed the advice of the thread starter to allow TCP (instead of denying ALL protocol), still able to access the management page from the VLAN.
So any way to block management page from the VLAN without disrupting the internet access?
Thanks
Hi @BengGaBoy,
If you want to prevent devices on other VLANs from accessing the GUI of the router, you need to set two Gateway ACL Rules as follows:
The first rule:
1. Policy as Allow
2. Services Type as DNS
3. Source as IPGROUP_ANY
4. Destination as IPGROUP_ANY
The second rule:
1. Policy as Deny
2. Services Type as All
3. Source as other VLANs
4. Destination as ME (Standalone Mode)/ Gateway Management Page (Controller Mode)
These steps above are just for your reference.
Thanks for your input.
However, your screen options seem to be different from mine.
Policy #1 - Allow
For direction, should I choose "LAN - LAN"?
And I can't seem to find "Service Type as DNS". Is this referring to protocol? Even so, I did not find any DNS over there.
Policy #2 - Deny
Likewise, is "Service type as ALL" referring to protocol?
See the screenshot below; it does have "Management page" @ destination.
Continued to experiment and it seems to yield some positive results.
TLDR
- Only 1 deny / LAN-LAN / All protocol / VLAN to Gateway Management Page / ACL rule is needed @ Gateway
- For newly created LAN, do not use DNS=Auto setting
Background info
Secure LAN @ 192.168.0.1 (default network)
DNS: 1.1.1.3 / 1.0.0.3 (Using Cloudflare family DNS)
IPCam LAN @ 192.168.10.1 (VLAN ID @ 10)
DNS: Auto
ACL settings @ Gateway
With the above rule, the notebook will NOT be able to access the router UI page. Likewise, it cannot ping either 192.168.0.1 or 192.168.10.1. However, the IPCam LAN will lose internet access.
Observation
I observed that my notebook was issued with a DNS @ 192.168.10.1, which is expected since the VLAN was created with the "DNS = Auto" setting. This may be expected since, with the deny ACL rule, the notebook is unable to ping the gateway @ 192.168.10.1. Performed a sanity check and tried pinging 1.1.1.3, and yes, it works.
Possible solution
So I went back to Settings -> Wired Networks -> LAN -> Edit IPCam DNS settings to be similar to Secure, using Cloudflare Family DNS @ 1.1.1.3. And voila, internet works and it continues to block the router UI.
However, not too sure whether the above method will cause any security issues, but so far it's working as intended.
Hi @BengGaBoy
Protocols, you can have more than 1. Or all. DNS is included as I recall.
If you set up like this, you of course do not have any access to the gateway on 80 and 443 anymore.
New VLAN interface, what DNS you set, will be assigned to the clients. If Auto, that defaults to the gateway IP and port 53.
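The interaction described in the two posts above (a VLAN created with DNS=Auto hands clients the gateway IP on port 53, which a "deny VLAN -> Gateway Management Page" rule then swallows, so either the client DNS is pointed elsewhere or a DNS allow rule is placed first), as an added example that is not from the thread or from TP-Link: a small first-match ACL simulator in Python. First-match ordering, default allow, and "Gateway Management Page" meaning any gateway interface IP are assumptions about the firmware, and the client address is constructed.

```python
# Added example (not from the thread): first-match ACL simulator for the
# gateway rules discussed above. Rule order, default-allow and the meaning
# of "Gateway Management Page" (= any gateway interface IP) are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology from the thread: Secure LAN gateway and IPCam VLAN gateway.
GATEWAY_IPS = {"192.168.0.1", "192.168.10.1"}
CLIENT = "192.168.10.50"   # constructed: a notebook on the IPCam VLAN (ID 10)

@dataclass
class Rule:
    policy: str                 # "allow" or "deny"
    src: str                    # "any" (IPGROUP_ANY) or a CIDR like "192.168.10.0/24"
    dst: str                    # "any" or "gateway" (Gateway Management Page)
    proto: str                  # "all", "tcp", "udp" or "icmp"
    dport: Optional[int] = None # None = any port; 53 models the "DNS" service

    def matches(self, src_ip, dst_ip, proto, dport):
        if self.src != "any" and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.dst == "gateway" and dst_ip not in GATEWAY_IPS:
            return False
        if self.proto != "all" and self.proto != proto:
            return False
        return self.dport is None or self.dport == dport

def evaluate(rules, src_ip, dst_ip, proto, dport):
    """First matching rule decides; no match means allow (assumption)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.policy
    return "allow"

def dns_works(rules, dns_server):
    # DNS=Auto gives clients the VLAN gateway (192.168.10.1) as resolver.
    return evaluate(rules, CLIENT, dns_server, "udp", 53) == "allow"

def mgmt_blocked(rules):
    # HTTPS to the VLAN's own gateway interface, i.e. the router GUI.
    return evaluate(rules, CLIENT, "192.168.10.1", "tcp", 443) == "deny"

# The thread's single rule: Deny / IPCam VLAN -> Gateway Management Page / All.
SINGLE_DENY = [Rule("deny", "192.168.10.0/24", "gateway", "all")]
# Hank's two rules: Allow DNS any -> any first, then the same deny.
TWO_RULES = [Rule("allow", "any", "any", "all", 53)] + SINGLE_DENY

if __name__ == "__main__":
    print("single deny, DNS=Auto:    dns", dns_works(SINGLE_DENY, "192.168.10.1"), "mgmt blocked", mgmt_blocked(SINGLE_DENY))
    print("single deny, DNS=1.1.1.3: dns", dns_works(SINGLE_DENY, "1.1.1.3"), "mgmt blocked", mgmt_blocked(SINGLE_DENY))
    print("two rules, DNS=Auto:      dns", dns_works(TWO_RULES, "192.168.10.1"), "mgmt blocked", mgmt_blocked(TWO_RULES))
```

The first line reproduces the "IPCam LAN loses internet" symptom; the other two show both fixes keeping the GUI blocked while DNS still resolves.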
Thanks.
Just to check, which protocol(s) should I exclude to avoid the internet issue but still be able to block management web GUI access?
BengGaBoy wrote:
Thanks.
Just to check, which protocol(s) should I exclude to avoid the internet issue but still be able to block management web GUI access?
Doesn't Hank's answer answer your question? Regardless of the protocols, use the destination Gateway Management Page.
@BengGaBoy Did you find a resolution to this issue?
OC200 v2, ER605 v2, SG2008P v3 - all up to date firmware as of 26-April-2024.
I'm running into the same thing and I'm not sure how to proceed. Fairly basic scenario...
Scenario: "IoT" network should not be able to communicate with "Home" network, but "Home" should be able to communicate with "IoT"
- Switch ACL does not allow for this scenario because the switch cannot do stateful inspections
- Gateway ACL does allow this function;
- Implement Gateway ACL (1, LAN>LAN: Permit Home to IoT, and 2, LAN>LAN: Deny IoT to Home, both ALL protocols)
- Works as expected
But now the IoT network can still reach the router management page (and ping all VLAN gateway IPs, of which there are 5).
So I created a "Deny IoT to Home" Gateway ACL with the destination being "Gateway Management Page" but that blocks IoT from accessing the internet.
What am I missing?