
GSM7248 v2 IP ACL Problems

PermaNulled
Aspirant

GSM7248 v2 IP ACL Problems

I keep trying to set an ACL rule up to deny and drop packets directed towards a specific LAN IP destination, and I've tried to no avail.

I know the subnet mask needs to be inverse, and I believe I've set up all the rules correctly. What I'm basically trying to accomplish is allowing this machine to access the internet through the switch,

but not allowing it to access the rest of the LAN or allowing the LAN to access it, essentially locking it out of the LAN entirely.

Attempting to block access to the specific LAN address from the rest of the LAN on any TCP port.

I've tried using the mask 255.255.255.255 for the destination; then I read that things needed to be inverse, which is where 0.0.0.0 came in, and it doesn't seem to matter how I re-configure the specifications.

The switch never drops/denies the packets going to the specified LAN address.

The reasoning behind locking this machine out from the rest of the network in the switch itself rather than in software is that it's a Windows 2000 machine and is needed for certain legacy software.

However, Windows 2000 is no longer supported by Microsoft and as such makes this machine a vulnerability on the local network, and I don't want an intruder to be able to reach this machine simply by being on a machine in the network connected to the switch.

Likewise, if this machine were to be compromised, I don't want it having access to the rest of the network either.

If I were to use a software firewall on it to block connections to it, it wouldn't be of much use if the system itself was compromised...

Any tips on this, or any reason why this ACL setup wouldn't work?


(GSM7248V2) >show ip access-lists 100

ACL ID: 100


Rule Number: 1
Action......................................... deny
Match All...................................... FALSE
Protocol....................................... 6(tcp)
Source IP Address.............................. 192.168.0.0
Source IP Mask................................. 0.0.255.255
Destination IP Address......................... 192.168.1.123
Destination IP Mask............................ 0.0.0.0
TCP Flags...................................... FIN (Ignore)
SYN (Ignore)
RST (Ignore)
PSH (Ignore)
ACK (Ignore)
URG (Ignore)
Assign Queue................................... 0
Message 1 of 2
PermaNulled
Aspirant

Re: GSM7248 v2 IP ACL Problems

After realizing that I hadn't bound the ACL rules to a specific port, I got the blocking working...

And now I'm having a separate issue, still related to these rules.

Here are the rules I have set up currently; I've got them bound to the interfaces that the machines I'm trying to restrict access to are connected to.

ACL ID/Name                     Rules Direction  Interface(s)
------------------------------- ----- ---------- -------------------------
100                             2     inbound    0/21, 0/37

(GSM7248V2) >show ip access-lists 100

ACL ID: 100
Inbound Interface(s): 0/21, 0/37


Rule Number: 3
Action......................................... deny
Match All...................................... FALSE
Protocol....................................... 6(tcp)
Source IP Address.............................. 192.168.0.0
Source IP Mask................................. 0.0.255.255
Destination IP Address......................... 192.168.1.123
Destination IP Mask............................ 0.0.0.0
TCP Flags...................................... FIN (Ignore)
SYN (Ignore)
RST (Ignore)
PSH (Ignore)
ACK (Ignore)
URG (Ignore)

Rule Number: 4
Action......................................... deny
Match All...................................... FALSE
Protocol....................................... 6(tcp)
Source IP Address.............................. 192.168.0.0
Source IP Mask................................. 0.0.255.255
Destination IP Address......................... 192.168.1.19
Destination IP Mask............................ 0.0.0.0
TCP Flags...................................... FIN (Ignore)
SYN (Ignore)
RST (Ignore)
PSH (Ignore)
ACK (Ignore)
URG (Ignore)

(GSM7248V2) >


Now, after setting up the rules specified above, I've observed that the switch isn't really listening to what I define as my destination or source. The reason I say this is that it's also restricting access to the rest of the network from these machines.

I've tried adding a rule where the machine, say 192.168.1.123, would have access to 192.168.1.2, and after doing so it seems to have an inverse effect where every machine on the network then has access to both 192.168.1.123 and 192.168.1.2, even though 192.168.1.123 was supplied as the source for the permit and not the destination.

I'm not sure how this could mix things up like this, but it's happening, and any examples of configurations other people have implemented or assistance with this would be greatly appreciated.

I know someone here has to have worked with these ACL setups on these switches, as an 8-port firewall and restrictions through it just would not cut it when you've got 40+ machines connected to your network.
Message 2 of 2
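The following is an added example, not code from the thread or from NETGEAR: a small model of how a port-bound IP ACL evaluates packets, used to reason about the two rule sets above and about the stated goal (legacy host gets internet, nothing else on the LAN). Three assumptions are made, and they are labelled in the code: the mask is a wildcard mask (a 0 bit means "must match", a 1 bit means "don't care"), an ACL with at least one rule ends with an implicit deny-all, as on FASTPATH-based managed switches, and an inbound ACL only inspects frames entering the port it is bound to. The gateway address 192.168.1.1, the peer port 0/3 and the internet address 203.0.113.10 are constructed sample values; whether the implicit deny is what the second post observed is an inference from the model, not a fact established in the thread.

```python
"""Model of wildcard-mask ACL matching and port bindings (added example, not
the switch's own code). Assumptions: wildcard masks, implicit deny-all at the
end of a non-empty ACL, inbound ACLs see only frames entering the bound port."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit that is 0 in the wildcard mask.
    0.0.0.0 therefore means an exact host match; 255.255.255.255 matches any."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: Optional[str]   # "tcp", "udp", "icmp", or None for any protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def evaluate(acl: List[Rule], pkt: dict) -> Tuple[str, Optional[int]]:
    """First matching rule wins; a non-empty ACL ends with an implicit deny
    (assumption), reported with rule index None."""
    for i, r in enumerate(acl):
        if r.proto is not None and r.proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], r.src, r.src_wc):
            continue
        if not wildcard_match(pkt["dst"], r.dst, r.dst_wc):
            continue
        return r.action, i
    return "deny", None


def switch_decision(bindings: Dict[str, List[Rule]], pkt: dict) -> Tuple[str, Optional[int]]:
    """An inbound ACL is consulted only for frames entering its bound port;
    a port with no binding forwards everything (no ACL, so no implicit deny)."""
    acl = bindings.get(pkt["port"])
    if acl is None:
        return "permit", None
    return evaluate(acl, pkt)


LAN = ("192.168.0.0", "0.0.255.255")   # the source wildcard used in the thread
ISOLATED = "192.168.1.123"             # the legacy host from the thread
GATEWAY = "192.168.1.1"                # assumed gateway address (constructed)

# ACL 100 as posted: two "deny tcp LAN -> host" rules, bound inbound on the
# isolated hosts' own ports (0/21, 0/37).
ACL_AS_POSTED = [
    Rule("deny", "tcp", *LAN, "192.168.1.123", "0.0.0.0"),
    Rule("deny", "tcp", *LAN, "192.168.1.19", "0.0.0.0"),
]

# A rule set matching the stated goal for traffic the host *sends*: allow the
# gateway (DNS/DHCP, an assumption), deny everything else on the LAN, permit the rest.
ACL_ISOLATE = [
    Rule("permit", None, ISOLATED, "0.0.0.0", GATEWAY, "0.0.0.0"),
    Rule("deny", None, ISOLATED, "0.0.0.0", *LAN),
    Rule("permit", None, ISOLATED, "0.0.0.0", "0.0.0.0", "255.255.255.255"),
]


def isolated_host_traffic(acl: List[Rule]) -> Dict[str, str]:
    """Evaluate constructed sample packets with `acl` bound inbound on port 0/21."""
    pkts = {
        "to_lan_peer": {"port": "0/21", "proto": "tcp", "src": ISOLATED, "dst": "192.168.1.2"},
        "to_gateway": {"port": "0/21", "proto": "udp", "src": ISOLATED, "dst": GATEWAY},
        "to_internet": {"port": "0/21", "proto": "tcp", "src": ISOLATED, "dst": "203.0.113.10"},
        # A LAN peer reaching the host enters the switch on the peer's port (0/3,
        # constructed), so the ACL bound on 0/21 never sees it.
        "peer_to_host": {"port": "0/3", "proto": "tcp", "src": "192.168.1.2", "dst": ISOLATED},
    }
    bindings = {"0/21": acl}
    return {name: switch_decision(bindings, p)[0] for name, p in pkts.items()}


if __name__ == "__main__":
    for label, acl in (("as posted", ACL_AS_POSTED), ("isolate", ACL_ISOLATE)):
        print(label, isolated_host_traffic(acl))
```

Under these assumptions the posted ACL denies every packet the host sends (none of its own traffic has the host as destination, so the implicit deny applies), while the peer-to-host packet is never inspected because it enters on a different port. The isolating rule set keeps the gateway and non-LAN destinations reachable from the host; blocking the other direction still needs a "deny to 192.168.1.123" rule bound inbound on the other LAN ports (or an equivalent binding), which the model would show by adding those ports to `bindings`.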