Description

Milesight routers are equipped with a powerful firewall functions, of which access control list configuration in this guide will be explained further into details. ACL is basically 2 policies applied in different scenarios and on different interfaces, with flexible ‘deny’ and ‘accept’ rules, we can control data flow passing over our routers.

The topology graph of this article is as below:


Requirement

Any Milesight Router with latest version of firmware



Configuration 

Navigate to Network -> Firewall -> ACL to set up Access Control List.


Default Filter Policy: Accept/Deny

The packets which are not included in the access control list will be processed by the default filter policy.

Type: extended/standard

Extended means extended ACL command that you can determine the protocol type, and destination IP.

Standard means standard ACL command that only support filter by source IP.

ID: For standard type, the ID range is 1-99. For extended type, the ID range is 100-199.

Action: permit/deny

Protocol: ip/icmp/tcp/udp/1-255

1-255 means you can enter any protocol number that definition in IPv4. For example: 1 is ICMP, 4 is IP, 6 is TCP.

Source IP: Where the data package comes from.

Source Wildcard Mask: Wildcard mask of the source network address. For example, if you want to control all traffic form 192.168.22.0 network segment, you should input 0.0.0.255. You can leave both Source IP and Source Wildcard Mask blank to means all IP.

Destination IP: Where the data package goes.

Destination Wildcard Mask: Wildcard mask of destination address. You can leave both Destination IP and Destination Wildcard Mask blank to means all IP.

ICMP Type and ICMP Code: If you select ICMP protocol, you can enter the ICMP type and ICMP code. Different type and code defined different ICMP packet, for example: type 0 and code 0 means ping echo reply, type 3 and code 1 means host unreachable.

Source Port Type and Destination Port Type: If you select TCP or UDP protocol, you can determine the exactly port you want to control. For example, you can select destination port equal to 22 to control ssh access.

Interface: Select an interface to apply ALC.

In ACL: ACL that control traffic goes into router.

Out ACL: ACL that control traffic goes from router.

Click save and apply


Example

Scenario 1: Accept all but PC 176.16.1.100

Default policy: Accept

ACL rule:

Interface List:

Any traffic from 176.16.1.100 will be deny when leaving the router.


 

Scenario 2: Deny PC access ssh of 192.168.22.105

Default policy: Accept

ACL rule:

Interface List:

The traffic from 176.16.1.100 can access anything but ssh of 192.168.22.105.


 Scenario 3: Deny ping echo to PC 176.16.1.100

Default policy: Accept

ACL rule:

Interface List:


176.16.1.100 can access anything, but can’t receive any ICMP ping echo.