TCP Port ACL rules M4300 Help

Mikeemikew
Tutor

Hi all, I am looking for some assistance.
I have a m4300 52-port managed switch, which I have configured to utilise multiple VLANs. In addition, I have set up an ACL to prevent undesired communication between VLANs using Advanced - IP Extended Rules. I have included specific rules in the ACL to allow the Internet gateway IP for each VLAN, incorporating both IP and host-based rules.
Now, I have a Unify U6 Pro Access Point that offers a hotspot service for guest Wi-Fi. To enable the guest portal functionality, I must permit all VLANs to access a particular host IP on specific TCP port(s). For instance, I must allow access to 192.168.50.203 only on ports 8880 and 8883. Despite my attempts, I haven't been successful so far. I only managed to make it work by allowing all VLANs access to the host IP using a host rule.
I wonder if anyone could advise me on how to get it working using TCP port rules.

[Screenshot: TCP Port rules - not working]

[Screenshot: Working using IP Host rule]

Message 1 of 6

schumaku
Guru

Re: TCP Port ACL rules M4300 Help


@Mikeemikew wrote:

For instance, I must allow access to 192.168.50.203 only on ports 8880 and 8883.

Quite possibly I'm missing the bigger picture here, flying over the screenshots in a few seconds while having a quick espresso. These look much more like source ACEs for these IP addresses and ports than destination ACEs to me.

Message 2 of 6
Mikeemikew
Tutor

Re: TCP Port ACL rules M4300 Help

Hello schumaku, I appreciate your time and input. I want to make it clear that I am a beginner when it comes to managing switches. Just to clarify, the rules I mentioned earlier refer to inbound traffic rules within the ACLs.

I followed a specific guide to set up the VLANs and ACLs. https://kb.netgear.com/30818/How-to-configure-routing-VLANs-on-a-NETGEAR-managed-switch-with-shared-...

The overall goal I'm trying to achieve is to have multiple VLANs without any inter-VLAN communication, except for certain exceptions such as the internet gateway, access points, and specific TCP ports for various services.

So far, I believe I have completed all the necessary tasks except for allowing exceptions for TCP ports through the ACLs.
If my approach is incorrect, I would greatly appreciate any advice you can provide.
Thanks in advance.

Message 3 of 6
MikeD1234
NETGEAR Expert

Re: TCP Port ACL rules M4300 Help

Hi @Mikeemikew,

I am not sure how the ACL is bound, but there are several ways of doing it. I think the easiest is to bind it against a VLAN, so that it applies to all devices.

I have tested this here in my lab for you and can confirm that the following table works:

access-list 101 permit tcp host 192.168.50.203 192.168.200.0 0.0.0.255 eq 8843
access-list 101 permit tcp host 192.168.50.203 192.168.200.0 0.0.0.255 eq 8880
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip any any
ip access-group 101 vlan 50 in 1

In the GUI, this would be as follows:

[Screenshot]

[Screenshot]

Then, you have to bind it against the VLAN, as follows:

[Screenshot]

As an example, my testing:

[Screenshot]

Give that a try, and it should work just fine 👌.

Once it works, could you accept this as a solution?

If it doesn't work, can you share your Tech Support file? Happy to have a look at it.

You can retrieve your TS as follows:

[Screenshot]

Mike

Message 4 of 6
Mikeemikew
Tutor

Re: TCP Port ACL rules M4300 Help

MikeD1234, that worked perfectly! I want to express my gratitude for the time you dedicated to investigating and assisting me. I truly appreciate it!

Message 5 of 6
MikeD1234
NETGEAR Expert

Re: TCP Port ACL rules M4300 Help

Hi @Mikeemikew,

Happy to help.

Great it's working.

Have a good weekend!

Mike

Message 6 of 6