Re: Configuring ACLs on a 140AC access point

chrzimmer · ‎12-19-2021

Hello,

i cant get a simple ACL working when configuring through the graphical client of my 140AC.

My goal is to deny access to my internal network. So i apply a rule that denys all traffic from 0.0.0.0/255.255.255.0 to 192.168.100.0/255.255.255.0 This works fine so far.

But i want to have one exception. I applied another rule to permit all traffic from 0.0.0.0/255.255.255.0 to 192.168.100.2/255.255.255.255. But this does not work. There is still no access to 192.168.100.2

If i look at the rules the first rule i entered appears on the top of the list. The second, more specific rule appears underneath the more global rule. I recognized that i can move the rules by drag and drop to change the order, but unfortunately, after hitting the "Update" button the old order appears again.

So, what am i doing wrong ? Is it a matter of order in the rules list ? Can i change the order after entering the rules ?

Little side question would be: what does this "Policy ACL" switch do ? I read the manual, but i dont understand the meaning of the button (probably cause my poor language skills)

I very much appreciate any kind of help. Thanks in advance. BR Chris

Flavio Miranda · ‎12-19-2021

Hi,

According to the ACL universal rule, you actually dont need the first rule. You can just permit the traffic:

permit all traffic from 0.0.0.0/0.0.0.0 to 192.168.100.2/255.255.255.255

All the rest will be denied by default due the invisible deny any any at the bottom of the ACL.

chrzimmer · ‎12-19-2021

Dear Flavio, many thanks for your quick reaction. I tried it wiht only one rule but unfortunately i cannot make it work

And to be honest, my requirement is little more komplex then described above.

To be not bybassed by IPv6 i applied a rule like deny any protocol any s/d-port source-ip 2a02:xxxx:xxxx:xxxx::/64 destination-ip 2a02:xxxx:xxxx:xxxx::/64 where 2a02:xxxx:xxxx:xxxx::/64 is the IPv6 network at my office. This works.

My IPv4 rules should look like this:
1. permit TCP (any source port) (any source-ip) (destination-ip 192.168.100.2) (port DNS)
2. permit TCP (any source port) (any source-ip) (destination-ip 192.168.100.2) (port DHCP)

3. permit UDP (any source port) (any source-ip) (destination-ip 192.168.100.2) (port DNS)
4. permit UDP (any source port) (any source-ip) (destination-ip 192.168.100.2) (port DHCP)

5. deny (any protocol) (any source port) (any source-ip) (destination-ip 192.168.100.0/255.255.255.0) (any destination port)

6. permit (any protocol) (any source port) (any source-ip) (any destination-ip) (any destination port)

What do i try to achieve ? I want that a wireless client gets an IP address via DHCP from 192.168.100.2 and can place DHCP requests to 192.168.100.2. The wireless client should connect to the world (internet) but not to any of the internal (192.168.100.0/255.255.255.0) addresses (except DNS/DHCP to 192.168.100.2).

If i place my rules like described above, i can not make it working. But as said: i already struggle with the single rule like in Flavios answer.

Appreciate any help.

Flavio Miranda · ‎12-19-2021

Would be great if you could share a simple topology and indicate where you are applying the ACL and how. A CLI output would be realy helpfull;

chrzimmer · ‎12-19-2021

my topology is fairly easy. I have a single network 192.168.100.0/24. My router at 192.168.100.1 connects to the internet, provides IP addresses via DHCP and cares for DNS requests. To this network i have connected an 140AC access point. I want to configure the ACL inside the access point as pointed out above (wireless clients have internet access but no access to other network ressources). I do the ACL configuration inside the graphical UI, therefore i have no CLI output.