User's Application Scenario Ⅰ: Only allow access to the internal network in Standalone mode
A company manages different departments in different buildings. The server room of each building has an SMB router, and each floor has a switch.
How can I do that?
For example, specific users of the R&D department on the 3rd floor of Building 2 must be restricted so that they can only access the internal network, while the other members of the same department are not restricted.
The following steps configure ACL rules on the SMB router in Building 2, here taking ER8411 as an example:
1. Go to Preferences > IP Group > IP Address and click +Add to add a new IP address entry.
Specify the IP address range of the specific R&D users as 192.168.0.32-192.168.0.63, then click OK.
Then specify the IP address range of the whole internal network.
2. Under IP Group, set the corresponding IP Groups. By default there is an entry “IPGROUP_ANY”, which covers all IPs and cannot be edited.
3. Go to Firewall > Access Control, click +Add and configure the rules as follows.
The router processes rules sequentially for each packet. In the Access Control List, the rule with a smaller ID has higher priority. Since the router evaluates rules starting from the highest priority, ensure that the Allow rule has a smaller ID number than the Block rule.
4. Verification
After the configuration, the R&D department users cannot access external IP addresses at any time.
User's Application Scenario Ⅱ: Only allow the HTTP service and block all other services in Standalone mode
This article explains how to restrict employees so that, at any time, they can only access websites on the Internet via HTTP.
How can I do that?
Follow the steps below to configure it, here taking ER8411 as an example:
1. Go to Firewall > Access Control and configure the following three entries.
1) Allow the HTTP service for all sources and destinations.
2) Allow the DNS service, because the DNS service works together with the HTTP service.
3) By default, all services are allowed by the access rules. To block the other services, place a Block All Services rule last.
The router processes rules sequentially for each packet. In the Access Control List, the rule with a smaller ID has higher priority. Since the router evaluates rules starting from the highest priority, ensure that the Allow rules have smaller ID numbers than the Block rule.
2. Verification
After the configuration, employees cannot access the Internet via HTTPS.
User's Application Scenario Ⅲ: One-way VLAN access in Standalone mode
The company has two departments, R&D and Marketing, on different subnets. The R&D department can access the computers in all VLANs for data backup, while the Marketing department's computers are restricted from accessing the R&D VLAN to enhance data security.
How can I do that?
Follow the steps below to configure it, here taking ER8411 as an example:
1. Go to Network > LAN, click +Add to create a new network, and fill in the configuration according to the network requirement. Set the IP address/subnet mask as 192.168.10.1/255.255.255.0, mode as Normal, assign VLAN 10 to the network, and enable the DHCP server.
After saving, the network settings on the router are as below:
2. Go to Network > VLAN to change the VLAN settings.
Normally, after creating a new network, all LAN ports of the router remain UNTAG in the default network and are automatically added to the new network as TAG VLAN.
According to the topology, which uses an unmanaged switch to extend the number of Ethernet ports, change the Marketing LAN port (Port 4) to UNTAG VLAN 10 and set its PVID to VLAN 10; change the R&D LAN port (Port 5) to UNTAG VLAN 30 and set its PVID to VLAN 30.
3. Go to Firewall > Access Control and click +Add to create the rule. Note that the "LAN -> LAN" interface signifies an inter-network traffic ACL entry. This rule blocks the Marketing department from accessing the R&D department.
Note: We recommend keeping the States Type at its default setting. If you select it manually, refer to the figure below.
New: matches connections in their initial state, for example a SYN packet arriving for a TCP connection, or traffic the router has seen in only one direction.
Established: the firewall has observed two-way communication for this connection.
Invalid: matches connections that do not behave as expected.
Related: matches sub-connections related to a main connection, for example the connection for an FTP data channel.
4. Verification
After the configuration, devices in VLAN 10 cannot ping devices in VLAN 30, while devices in VLAN 30 can ping devices in VLAN 10.
192.168.10.100 in VLAN10 cannot ping 192.168.30.100 in VLAN30 after setting the ACL.
192.168.30.100 in VLAN30 is still able to access 192.168.10.100 in VLAN10.
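To make the connection-state terms above concrete, here is an added example (not TP-Link's code) that simulates the Scenario III block rule against a toy connection tracker: Marketing (VLAN 10) packets towards R&D (VLAN 30) are blocked only in the states passed to the constructor, so with the rule applied to New connections the replies to R&D's pings still get back, whereas a rule that also matches Established would drop them. The subnets 192.168.10.0/24 and 192.168.30.0/24 and the way states are derived are assumptions of the model.

```python
import ipaddress
from typing import Set, Tuple

VLAN10 = ipaddress.ip_network("192.168.10.0/24")   # Marketing (assumed subnet)
VLAN30 = ipaddress.ip_network("192.168.30.0/24")   # R&D (assumed subnet)

class StatefulAcl:
    """Toy model of the Scenario III rule: LAN->LAN, VLAN10 -> VLAN30, Block.
    A packet is Established when the firewall has already allowed the same
    flow in the opposite direction (two-way communication observed);
    otherwise it is New. Related and Invalid are not modelled."""

    def __init__(self, block_states: Set[str]):
        self.block_states = block_states     # states the Block rule applies to
        self.flows = set()                   # allowed flows as (src, sport, dst, dport)

    def state(self, flow: Tuple) -> str:
        src, sport, dst, dport = flow
        return "Established" if (dst, dport, src, sport) in self.flows else "New"

    def handle(self, src: str, sport: int, dst: str, dport: int) -> str:
        """Verdict for one packet; allowed packets are recorded for state lookup."""
        flow = (src, sport, dst, dport)
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in VLAN10 and d in VLAN30 and self.state(flow) in self.block_states:
            return "Block"
        self.flows.add(flow)
        return "Allow"

def ping(fw: StatefulAcl, src: str, dst: str, icmp_id: int = 1) -> Tuple[str, str]:
    """Echo request src -> dst followed by the echo reply dst -> src.
    ICMP has no ports, so the echo identifier stands in for both."""
    request = fw.handle(src, icmp_id, dst, icmp_id)
    if request == "Block":
        return request, "no reply"           # the request never reached dst
    return request, fw.handle(dst, icmp_id, src, icmp_id)

if __name__ == "__main__":
    fw = StatefulAcl({"New"})                # one-way block: only new flows from VLAN10
    print(ping(fw, "192.168.10.100", "192.168.30.100"))      # ('Block', 'no reply')
    print(ping(fw, "192.168.30.100", "192.168.10.100"))      # ('Allow', 'Allow')
    fw_all = StatefulAcl({"New", "Established"})             # rule matching every state
    print(ping(fw_all, "192.168.30.100", "192.168.10.100"))  # ('Allow', 'Block')
```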
User’s Application Scenario Ⅳ:Bi-Directional VLAN access in Standalone
A company prohibits employees in the R&D department and the Marketing department from accessing each other’s resources, but an administrator in R&D department can access Marketing department.
How can I do that?
Follow the steps below to configure it, here taking ER8411 as a demonstration:
1. Create multiple networks on the router
1) Go to Network > LAN on the web interface of the router, click +Add to create a new network, and fill in the configuration according to the network requirement. Set the IP address/subnet mask as 192.168.10.1/255.255.255.0, mode as Normal, assign VLAN 10 to the network, and enable the DHCP server.
After saving, the network settings on the router are as below.
2) Go to Network > VLAN to confirm the settings on each port.
Normally, after creating a new network, all LAN ports of the router will remain UNTAG in the default network and will be automatically added to the TAG VLAN of the new network.
Since a managed switch connects to the router, keep the default setting for each port.
2. Create VLAN on the switch
1) Go to L2 Features > VLAN > 802.1Q VLAN > VLAN Config on the web interface of the managed switch and create VLAN 10 and VLAN 30: add Untagged ports 3-5 and Tagged uplink port 1 to VLAN 10; add Untagged ports 6-8 and Tagged uplink port 1 to VLAN 30.
2) Go to L2 Features > VLAN > 802.1Q VLAN > Port Config on the switch and set the PVID value as 10 for ports 3-5 and 30 for ports 6-8 respectively. After that, click at the top right of the web page to save the configuration.
3. Configure ACL on the router
1) Go to Preferences > IP Group > IP address on the router. Click +Add to add a new IP address entry for the administrator in R&D department.
Specify the IP subnet as 192.168.30.100/32. IP subnet represents the range of IP addresses. In this example, 192.168.30.100 means the IP address and /32 means the number of bits in the mask. Click OK.
By default, there is an entry “IP_LAN” covering all IPs on the router, and it is not editable.
2) Set IP Group for corresponding IP address on IP Group.
3) Go to Firewall > Access Control on the router, and click +Add button to create rule as below.
Direction ALL includes WAN in, LAN->WAN and LAN->LAN. Note that Direction ALL requires the router to be upgraded to the latest firmware.
Then create the block rule between VLAN10 and VLAN30.
The router processes rules sequentially for each packet. In the Access Control List, the rule with a smaller ID has higher priority. Since the router evaluates rules starting from the highest priority, ensure that the Allow rule has a smaller ID number than the Block rule. All rules should be as below:
4. Verification
After the above configuration, VLAN10 and VLAN30 cannot access each other while the admin with 192.168.30.100 is able to access VLAN10.
192.168.10.100 in VLAN10 cannot ping 192.168.30.100 in VLAN30.
The admin with 192.168.30.100 is able to access 192.168.10.100 in VLAN10.
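As an added example (not TP-Link's code), the following Python simulates the first-match evaluation described above for the Scenario IV rule set and for the Scenario II HTTP/DNS rule set, including what happens when the Allow rule receives a larger ID than the Block rule. The subnets 192.168.10.0/24 and 192.168.30.0/24 for VLAN10 and VLAN30, the modelling of the bidirectional block as two LAN->LAN rules, and the destination 203.0.113.10 are constructed assumptions.

```python
import ipaddress

def ip_group(*entries: str) -> list:
    """Build an IP Group from CIDR entries ('192.168.30.100/32') or from
    address ranges ('192.168.0.32-192.168.0.63'), the two forms the page uses."""
    nets = []
    for entry in entries:
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(x.strip()) for x in entry.split("-"))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

ANY = ip_group("0.0.0.0/0")                # stands in for IPGROUP_ANY / IP_LAN
VLAN10 = ip_group("192.168.10.0/24")       # Marketing (assumed subnet)
VLAN30 = ip_group("192.168.30.0/24")       # R&D (assumed subnet)
ADMIN = ip_group("192.168.30.100/32")      # the R&D administrator (Scenario IV)

def rule(rule_id: int, action: str, src: list, dst: list, service: str = "ALL") -> dict:
    return {"id": rule_id, "action": action, "src": src, "dst": dst, "service": service}

def evaluate(rules: list, src: str, dst: str, service: str = "ALL") -> str:
    """First-match evaluation in ascending ID order. A packet matching no rule
    gets the router's default verdict, which the page states is Allow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(rules, key=lambda r: r["id"]):
        if (any(s in n for n in r["src"]) and any(d in n for n in r["dst"])
                and r["service"] in ("ALL", service)):
            return r["action"]
    return "Allow"

def scenario_iv(allow_id: int) -> list:
    """Scenario IV: admin -> VLAN10 allowed, VLAN10 <-> VLAN30 otherwise blocked.
    The block is modelled as two LAN->LAN rules (an assumption about the UI)."""
    return [rule(allow_id, "Allow", ADMIN, VLAN10),
            rule(2, "Block", VLAN10, VLAN30),
            rule(3, "Block", VLAN30, VLAN10)]

def scenario_ii() -> list:
    """Scenario II: allow HTTP and DNS anywhere, then Block All Services last."""
    return [rule(1, "Allow", ANY, ANY, "HTTP"),
            rule(2, "Allow", ANY, ANY, "DNS"),
            rule(3, "Block", ANY, ANY)]

if __name__ == "__main__":
    ok, wrong = scenario_iv(allow_id=1), scenario_iv(allow_id=4)
    print(evaluate(ok, "192.168.30.100", "192.168.10.100"))     # Allow
    print(evaluate(wrong, "192.168.30.100", "192.168.10.100"))  # Block: Allow rule sorted after Block
    print(evaluate(scenario_ii(), "192.168.0.50", "203.0.113.10", "HTTPS"))  # Block (constructed addresses)
```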
User’s Application Scenario Ⅸ: Only allow access to the Internet in Standalone
To enhance security, a company has implemented measures to prevent visitors in the guest room from accessing both the office and the server room.
How can I do that?
Follow the steps below to configure it, here taking ER8411 as a demonstration:
1. Create multiple networks on the router
1) Go to Network > LAN on the web interface of the router, click +Add to create a new network, and fill in the configuration according to the network requirement. Set the IP address/subnet mask as 192.168.10.1/255.255.255.0, mode as Normal, assign VLAN 10 to the network, and enable the DHCP server.
After saving, the network settings on the router are as below.
2) Go to Network > VLAN to confirm the settings on each port.
Normally, after creating a new network, all LAN ports of the router will remain UNTAG in the default network and will be automatically added to the TAG VLAN of the new network.
Since an easy smart switch connects to the router, keep the default setting for each port.
2. Create VLAN on the switch
1) Go to VLAN > 802.1Q VLAN to load the following page on the easy smart switch. Enable the 802.1Q VLAN function. Add uplink port 1 as a Tagged port and ports 10-16 to VLAN 10, then click Apply.
Note: VLANs can be added or modified only after the 802.1Q VLAN feature is enabled.
2) Go to VLAN > 802.1Q VLAN PVID Setting to load the following page. By default, the PVID of all ports is 1. Specify the PVID of ports 10-16 as 10 and click Apply.
3. Configure ACL on the router
1) Go to Firewall > Access Control on the router, and click +Add button to create rule as below. Note that the "LAN -> LAN" interface signifies an inter-network traffic ACL entry.
“!vlan10” means all network interfaces except VLAN10. When a network is created, the system automatically generates a network name prefixed with an exclamation mark (“!”); this name denotes all interfaces except the one specified.
“Me” means the gateway IP of every interface, here the default LAN gateway 192.168.0.1 and the VLAN10 gateway 192.168.10.1.
4. Verification
After the configuration, the devices in the guest room cannot access the devices in the office or the server room.
192.168.10.100 in VLAN10 cannot ping 192.168.0.100 in VLAN1, and cannot ping VLAN1’s gateway.
192.168.10.100 in VLAN10 cannot ping VLAN10’s gateway IP, but is still able to ping the public DNS 1.1.1.1.
To learn more about each function and configuration, go to the Download Center to download the manual for your product.