ER7206 : need to "disconnect" a WAN port at operator discretion.(security constraint).

2024-07-01 08:15:55 - last edited 2024-07-01 08:22:20
Model: ER7206 (TL-ER7206)  
Hardware Version: V2
Firmware Version:

Hello,

 

Due to severe security constraints, I need to be able to "disconnect" a WAN port and to reconnect it manually in a few seconds when desired without altering the router configuration. Exactly like the usual UNIX "ifconfig itf down/up" commands do. The hardware configuration is 1 LAN port, 3 WAN ports; other ports are "spares".

 

How do you do that with your own ER7206 configuration?

 

I checked:

  • port up / down GUI command: none.
  • port output attached either to an "operational VLAN" or to a "parking VLAN": not found. I was able to change VLAN on WAN on the "outside" of the port, but not the "inside" of the port. And when I do that, external communication monitoring on the network attached to the WAN port detects it and "freezes" all communications due to misbehavior detection.
  • ACL: add a WAN IN drop ALL rule with priority 1. It seems to be working. But it is not exactly what is required.

 

Any other idea, other than destroying WAN port configuration and recreating it?

 

Regards,

Eric.

Note: plugging/unplugging the relevant cable is not an option. The ER7206 is subject to a no access security policy.

Re:ER7206 : need to "disconnect" a WAN port at operator discretion.(security constraint).
2024-07-02 05:53:22

Hi  @Eric_Le_Grompf 

 

On the WAN settings page there is a Disconnect button. It won't change your WAN settings but will only disconnect the connection. Is it the thing you are looking for?

  • port up / down GUI command: none.
  • port output attached either to an "operational VLAN" or to a "parking VLAN": not found. I was able to change VLAN on WAN on the "outside" of the port, but not the "inside" of the port. And when I do that, external communication monitoring on the network attached to the WAN port detects it and "freezes" all communications due to misbehavior detection.
Re:ER7206 : need to "disconnect" a WAN port at operator discretion.(security constraint).
2024-07-02 07:06:05

Hi  @Eric_Le_Grompf 

There's no such option. What do you know about other vendors having anything similar to what you want?

Re:ER7206 : need to "disconnect" a WAN port at operator discretion.(security constraint).
2024-07-02 09:24:56 - last edited 2024-07-02 10:22:37

Hello @Fae,

 

I met this option too: it is meant to release and renew the DHCP link for a dynamic IP configuration. It can be used in this unique case. Only one external link can be a direct external access to the internet for the maintenance team: it works well as you suggested it.

 

My problem is that this does not exist for "Static IP/static routing" configuration. Some external links I use do not provide DHCP services.

 

This is for a small industrial device having multiple external connections with multiple system operators.

 

As regards some of these links, I cannot use multiple "Dynamic IP" as I cannot manage the metric of it. And because I cannot configure the ER7206 to allow potential "routing leaks" between WAN links when using several dynamic IP configurations.

 

Regards, Eric.

Re:ER7206 : need to "disconnect" a WAN port at operator discretion.(security constraint).
2024-07-02 09:47:00 - last edited 2024-07-02 11:57:51

Hello, @Clive_A

 

We did some research among different brands and models: a very few did pass the selection, some because of obsolescence, CVE, budget and most importantly the ease of access and management by the targeted local operator/maintenance team. For you to notice: the device fits exactly all operational needs except this tiny "itch" which is missing a "direct feature/solution".

 

One good example of one perfect "fail" (this one fits the port off/on need) was the Cisco RV340(tm) which is End of Life, no longer supported, no successors, affected by CVEs, limited WAN ports, etc. This brand also has the drawback of keeping intricate configuration even if the RV340 was in its time a great progress.

 

On the opposite, if we get a totally structured configuration through the ER7206 installation by settling an entire wiring to the existing managed switch from LAN to WAN ports, and by getting all external WAN links to the switch too, we're good: port management is part of the switching layer. But it just costs a lot more, plus the local operator/maintenance team training. And in the meantime, it seems that there's a switching feature inside the ER7206.

 

Regards, Eric.
