SD-WAN ACL

Now I have tested SD-WAN, and it works quite well, I must say. BUT it works almost too well: both WireGuard and OpenVPN have full access to the entire SD-WAN, and I am unable to create any ACL to block remote networks in the SD-WAN network. Previously I used switch ACLs to block local networks, but that does not work since none of the SD-WAN traffic goes through any switch. Does anyone have any tips for doing this?
So, briefly explained: router ACLs work for SD-WAN itself but not for WireGuard and OpenVPN, which thus have full access to the entire SD-WAN network.
EDIT: after some more testing, I can block remote SD-WAN networks for OpenVPN clients with router ACLs.
Hi @MR.S
Thanks for posting in our business forum.
That is to say, the ACL effectively works in the SD-WAN with VPN scenario?
It would be great if you could post some screenshots for others' reference. Then I can mark that as a solution for highlighting.
I'm not sure if I understood the question. ACL doesn't work with WireGuard, but I can use ACL with OpenVPN and in the SD-WAN itself, for example to block a remote network in site A from site B. So what screenshots should I take?
Hi @MR.S
Thanks for posting in our business forum.
MR.S wrote
I'm not sure if I understood the question. ACL doesn't work with WireGuard, but I can use ACL with OpenVPN and in the SD-WAN itself, for example to block a remote network in site A from site B. So what screenshots should I take?
WireGuard relies on the ACL in the script.
Peers on the router are not affected by the router. I think this part has not been changed.
OVPN can be filtered with the ACL now, based on what you described.
You can share the settings with others. I recall OVPN works with the ACL, as I previously tested this. That would be helpful for other readers.
OK.
Since OpenVPN and WireGuard provide access to the entire SD-WAN network by default, I want to block this access. This currently does not work with WireGuard, but it can be done with OpenVPN.
To block OpenVPN from reaching the remote network, create a WAN/IN ACL rule like this on the OpenVPN server:
DIRECTION = WAN/IN (OpenVPN connects to WAN/IN)
POLICY = Deny
SOURCE IP GROUP = OpenVPN IP pool
DESTINATION IP GROUP = remote network you want to deny
Since all sites have access to all networks, I also want to block access to, for example, my camera network. This network should only be accessed by one PC in one site, so I create an ACL rule on the router like this:
DIRECTION = LAN/WAN
POLICY = Deny
SOURCE IP GROUP = IPGroup_Any
DESTINATION IP GROUP = remote camera network IP/network
Here we can also use the WAN/IN router ACL on the site where the camera network is configured to block remote sites.
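The two rules in the post above are easy to get wrong in the GUI: a deny from IPGroup_Any to the camera network will also lock out the one PC that is supposed to reach it unless a permit for that PC is evaluated first. The following is an added example, not code from the thread or from Omada: a small first-match ACL simulator with the post's rules modelled as data, so the effect of ordering and direction can be checked before touching the router. All IP groups, addresses and rule names are constructed for the example, and the first-match / implicit-permit semantics and the "WireGuard bypasses the router ACL" behaviour are modelled as stated in the thread, not taken from any vendor documentation.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List

# Constructed IP groups modelled on the ones named in the post.
# The addresses are invented for this example.
IP_GROUPS: Dict[str, List[IPv4Network]] = {
    "IPGroup_Any": [ip_network("0.0.0.0/0")],
    "OpenVPN_IP_Pool": [ip_network("10.8.0.0/24")],        # OpenVPN client pool
    "Site_B_LAN": [ip_network("192.168.20.0/24")],         # a remote SD-WAN site
    "Remote_Camera_Network": [ip_network("192.168.50.0/24")],
    "Camera_Admin_PC": [ip_network("192.168.10.25/32")],   # the one PC allowed in
}


@dataclass(frozen=True)
class AclRule:
    name: str
    direction: str      # "WAN/IN" or "LAN/WAN", as labelled in the post
    policy: str         # "Deny" or "Permit"
    source: str         # IP group name
    destination: str    # IP group name


def in_group(addr: IPv4Address, group: str) -> bool:
    """True if addr falls inside any network of the named IP group."""
    return any(addr in net for net in IP_GROUPS[group])


def evaluate(rules: List[AclRule], direction: str, src: str, dst: str) -> str:
    """First matching rule in the given direction wins.

    If no rule matches, traffic is permitted. That implicit-permit behaviour
    and the first-match ordering are assumptions made for this example.
    """
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.direction != direction:
            continue
        if in_group(s, rule.source) and in_group(d, rule.destination):
            return f"{rule.policy} ({rule.name})"
    return "Permit (implicit)"


def vpn_client_decision(vpn: str, rules: List[AclRule], src: str, dst: str) -> str:
    """Model the thread's observation: OpenVPN client traffic is evaluated
    against the WAN/IN ACL, while WireGuard traffic is not filtered at all."""
    if vpn.lower() == "wireguard":
        return "Permit (ACL not applied to WireGuard)"
    return evaluate(rules, "WAN/IN", src, dst)


# The post's two rules, plus the permit for the admin PC that must precede
# the any-deny. Swap the last two and the admin PC is locked out as well.
RULES: List[AclRule] = [
    AclRule("deny-ovpn-to-siteB", "WAN/IN", "Deny", "OpenVPN_IP_Pool", "Site_B_LAN"),
    AclRule("permit-admin-to-cameras", "LAN/WAN", "Permit", "Camera_Admin_PC", "Remote_Camera_Network"),
    AclRule("deny-any-to-cameras", "LAN/WAN", "Deny", "IPGroup_Any", "Remote_Camera_Network"),
]


if __name__ == "__main__":
    # OpenVPN client reaching a remote site: blocked by the WAN/IN rule.
    print(vpn_client_decision("openvpn", RULES, "10.8.0.7", "192.168.20.10"))
    # Same client reaching the hub's own LAN: no rule matches, permitted.
    print(vpn_client_decision("openvpn", RULES, "10.8.0.7", "192.168.10.10"))
    # WireGuard peer: the ACL never sees it.
    print(vpn_client_decision("wireguard", RULES, "10.9.0.2", "192.168.20.10"))
    # Camera network: admin PC allowed, everyone else denied.
    print(evaluate(RULES, "LAN/WAN", "192.168.10.25", "192.168.50.3"))
    print(evaluate(RULES, "LAN/WAN", "192.168.10.40", "192.168.50.3"))
    # Wrong order: the any-deny now shadows the admin permit.
    print(evaluate(list(reversed(RULES)), "LAN/WAN", "192.168.10.25", "192.168.50.3"))
```

The point of running this before editing the router is the last line: with the deny-any rule listed above the permit, the admin PC gets the same deny as everyone else, which is exactly the kind of mistake that is hard to see in a GUI with only 16 IP groups to work with.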
Ah, I asked about this in the SD-WAN guide thread.
So WAN/IN deny rules still work across the entire SD-WAN group, allowing granular access at each point?
Yep, both WAN/IN and LAN/WAN work. I have used up my IP groups on the hub router, so I am doing filtering on spoke routers now. I need to clean up my IP groups, but with only 16 IP groups it is difficult; IP groups are also used for policy routing, so 16 is far too few.
Thanks.
I have been considering setting this up for 2 of my 3 remotes, but in the grand scheme of things it just seems like a pretty front end for background VPNs anyway, so what I already have works. Not sure if there is any benefit.
No, what you have is just as good. It is, as you say, a fancier way to create a VPN. If you have adopted routers in VPN, then I also think it may be difficult to use SD-WAN.
Looking at the guide, it also seems to be limited to adding networks, not IP groups, to SD-WAN access?
I'm not sure it will be useful for me. I have a number of devices (like modems) that have a WAN IP upstream of the host VPN server but not a LAN IP, which I can happily add to a normal VPN as IP addresses rather than using networks.
E.g.
These two are upstream of the gateway WAN port hosting the VPN, but because the gateway is on the LAN side of those devices it can access their GUI. I can add them to my VPN without issue, enabling me to access the modem GUI remotely... if that makes sense.
The biggest advantage of SD-WAN as I see it is that it is easier to build large networks.
I don't know what limitations there are, but if you want a full mesh then there are 9 spokes that can connect to ER605v2, and on ER706W 49 spokes can talk to each other. You are also not dependent on a public IP on the spoke (only if the spokes are going to talk to each other); only the hub needs a public IP. You can use a dynamic IP on the hub without having to have DDNS, as you do with IPsec S2S VPN.
So there are a number of advantages. Advantages and disadvantages: WireGuard has access to the entire SD-WAN no matter which router you connect to, and it is also not possible to block this with ACL.
Same with OpenVPN, full access to SD-WAN, but with OpenVPN you can use ACLs in the same way, as you know.
And if you don't want to use mesh between spokes, all networks can still talk to each other, but then all traffic goes through the hub.