ACLs, what am I doing wrong

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2024-05-28 13:23:11 - last edited 2024-05-28 13:55:54

So, I wanted to create a simple rule to block outgoing port 53 DNS traffic from my network.

1. I created a group for DNS requests.

2. I then created a Gateway ACL rule to deny access LAN->WAN, for all apart from my management network, to port 53.

So, in my head this would just prevent clients on all networks from making external requests to port 53, i.e. still allow internal DNS requests and all other traffic.

How wrong I was...

This killed my entire network. Every client was basically disconnected from all network access; even machines on the same subnet could not ping each other via IP.

Fortunately, because I did not apply this rule to my management network, I was still able to get to the controller and remove the rule to restore access.

So, can anyone please tell me what I did wrong, and why the entire network went down because of this one rule?

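As an added illustration (not code from this thread, from TP-Link or from Omada), here is a small Python model of how the rule the poster intended should evaluate: deny only TCP/UDP to destination port 53 from the non-management networks towards the WAN, and leave internal DNS, same-subnet traffic and port-less protocols such as ICMP alone. The network names, address ranges and resolver address are constructed for the example; a second, deliberately broader "all protocols" rule shows that a port-scoped rule still must not match ICMP, which carries no port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology (assumption): three LAN networks; anything else is WAN.
NETWORKS = {
    "Management": ip_network("10.0.10.0/24"),
    "Clients": ip_network("10.0.20.0/24"),
    "Guest": ip_network("10.0.30.0/24"),
}
INTERNAL_DNS = "10.0.10.53"  # constructed internal resolver, lives on the Management LAN

def zone_of(addr):
    """Return the LAN network name an address belongs to, or 'WAN'."""
    ip = ip_address(addr)
    for name, net in NETWORKS.items():
        if ip in net:
            return name
    return "WAN"

@dataclass(frozen=True)
class Rule:
    action: str                 # "deny" or "allow"
    src_zones: frozenset        # LAN network names the rule applies to
    dst_zone: str               # "WAN" or a LAN network name
    protocols: frozenset        # e.g. {"tcp", "udp"}
    dst_ports: frozenset = frozenset()  # empty means any port

    def matches(self, src, dst, proto, dport=None):
        if zone_of(src) not in self.src_zones or zone_of(dst) != self.dst_zone:
            return False
        if proto not in self.protocols:
            return False
        # A port-less protocol (ICMP) has dport=None, so a rule that names
        # ports can never match it, even when the rule lists "all" protocols.
        if self.dst_ports and dport not in self.dst_ports:
            return False
        return True

def evaluate(rules, src, dst, proto, dport=None):
    """First matching rule wins; default is allow, as on a gateway with no ACLs."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "allow"

# The intended rule: deny outbound DNS from every network except Management.
BLOCK_EXTERNAL_DNS = Rule("deny", frozenset({"Clients", "Guest"}), "WAN",
                          frozenset({"tcp", "udp"}), frozenset({53}))
# The broader variant the replies warn about: "all protocols" but still port 53.
BLOCK_EXTERNAL_DNS_ALL = Rule("deny", frozenset({"Clients", "Guest"}), "WAN",
                              frozenset({"tcp", "udp", "icmp"}), frozenset({53}))
```

With either rule, a guest client's UDP/53 query to 8.8.8.8 is denied, while its query to the internal resolver, a ping to 8.8.8.8, and a ping to a neighbour on the same subnet all remain allowed.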
Re: ACLs, what am I doing wrong
2024-05-29 05:00:38

@Tescophil There is definitely some weirdness with the ACL functions from my tests as well. In your case, you might try only blocking TCP and UDP instead of all protocols. I know some protocols don't use ports (i.e. ICMP) and I wonder if that might be causing you issues.

With that said, I don't see a reason why you shouldn't have been able to ping on the same VLAN. I haven't had a chance to test this too much, but it's almost like Omada is considering any routing (i.e. VLAN to VLAN) a WAN action. I have cases where, when accessing certain web services on my local LAN (i.e. a Caddy server), it is reported to the service as the WAN gateway IP address trying to access the service. This makes no sense to me. Not sure if you are seeing something similar, but definitely something weird going on.

Re: ACLs, what am I doing wrong
2024-05-29 07:34:24

Hi @Tescophil

Could you test that the protocols only include TCP/UDP? Here is a relevant setting from other users: https://community.tp-link.com/en/business/forum/topic/669608

You can test and share the results with us.

Re: ACLs, what am I doing wrong
2024-05-29 10:33:09

@Tescophil

Hello,

Do you have the switch ACL menu? Try to create it on the switch instead.

* The protocol option should be tested with only UDP first, then TCP/UDP.

Cheers :)

Zool

Re: ACLs, what am I doing wrong
2024-05-29 14:18:14 - last edited 2024-05-29 14:21:37

Tried this on my guest network, with just the TCP and UDP protocols: exactly the same result, total network shutdown. As soon as I enabled the rule, my phone (which was connected to the guest network) said the current WiFi connection has no internet access.

Even after deleting the rule it didn't come back; I had to reboot the router.

@zool_ I don't want to create a switch ACL because this rule is a LAN->WAN rule (i.e. gateway). I'm trying to block external DNS requests, not any internal traffic.

Re: ACLs, what am I doing wrong
2024-05-29 23:21:44

@Tescophil I am betting it wasn't actually the same issue. I bet you blocked all DNS only, which would make your phone think there was no internet.

I am fairly confident that, for some unknown reason, the Omada system is considering VLAN routing as WAN. I am pretty sure I am having some of the same issues on my system, and this would explain it.

It would be nice if we could get an official statement on this.

Re: ACLs, what am I doing wrong
2024-05-30 02:58:04

Hi @Tescophil

May I suggest you check whether the DNS address is an internal address of your network? Are you still able to ping 8.8.8.8?

According to our experience, some devices use built-in tools to test internet connectivity, which can often give inaccurate results. Because the internal DNS is not resolving external addresses, this may be perceived as no Internet connectivity.
