Restricting Access to Router Management with LAN Access Control

Products:
Vigor 2620Ln
Vigor 2760
Vigor 2762
Vigor 2765

Keywords:
ACL
LAN Management
VLAN
access control

Restricting Access to Router Management Interfaces with LAN Access Control

DrayTek Vigor routers with Multi Subnet facilities, from the Vigor 2760 and upwards, have the capability to control which router management interfaces are available to these additional Subnets / VLANs.

This can be used to stop users from attempting to access the router's Web interface login prompt, or to disable access to specified interfaces such as Telnet or FTP.

This guide gives some examples of how to configure LAN Access Control for different scenarios.

When configured, the router can be managed from the LAN1 subnet, while the other LAN Subnets (VLANs) / LANs / DMZ / IP Routed Subnet can be restricted so that they cannot access the router's management interfaces.

Additionally, the router can be configured to allow specified management types only, such as encrypted HTTPS or SSH instead of unencrypted HTTP and Telnet. It's recommended to disable unencrypted management types.


The LAN Access Control settings can be found in the router's web interface in the [System Maintenance] > [Management] menu, either in the location highlighted or on a separate tab alongside the IPv4/IPv6 Management Setup tabs.

The "Allow Management from LAN" setting controls access to the router's management interfaces for all LAN subnets, with the exception of LAN1, which cannot be locked out from accessing the router's management services (HTTP, HTTPS, FTP, Telnet and SSH).

If "Allow Management from LAN" is ticked under LAN Access Control, the router will allow management access only from the LAN Subnets that are ticked under the "Apply To Subnet" section, in addition to LAN1.

If it is un-ticked, only devices in the LAN1 subnet will be able to manage the router.

Allow Management Access for all LAN Subnets

In this example, which is the router's default state, all of the router's additional LAN Subnets, the DMZ and the IP Routed Subnet are able to utilise any of the router's management interfaces.


Disable Management Access for Specified LAN Subnets

In this example, the router's Management interfaces are enabled but only LAN2 and LAN3 are ticked in the Apply To Subnet section.

This means that only LAN1, LAN2 and LAN3 Subnets can access the router's management interfaces.

The LAN Subnets not selected for management access will still have access to the Internet and network resources, but attempts to access the router's management interfaces from these LAN Subnets will receive no response from the router.


Block Access to Telnet, HTTP and FTP Router Management

In this example, the FTP Server, HTTP Server and Telnet Server Management Interfaces are not enabled. This means that all of the LAN Subnets selected in the Apply To Subnet section will be able to manage the router through encrypted HTTPS and SSH only.

The LAN1 Subnet retains access to all of the router's management interfaces. Access to the LAN1 Subnet can then be controlled through the [LAN] > [VLAN] configuration.


Limit Router Management to LAN Subnet LAN1 Only

In this example, "Allow management from LAN" is unticked. The result is that only the LAN1 interface can access the router's management interfaces.

Attempts to access the router's management interface from any subnet other than LAN1 will receive no response from the router.
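To confirm that a saved configuration behaves as described in the examples above, the following added example (not DrayTek code) can be run from a host in each subnet: it probes the five management services and reports any result that contradicts the intended policy. It assumes the management services are still on their standard TCP ports; the function names and the policy in the usage section (LAN2 and LAN3 ticked, HTTPS and SSH only, combining two of the examples above) are illustrative.

```python
import socket
import sys

# Standard TCP ports for the five management services the article names.
# Assumption: the router's management ports have not been changed.
MGMT_PORTS = {"FTP": 21, "SSH": 22, "Telnet": 23, "HTTP": 80, "HTTPS": 443}

def expected_access(subnet, allow_from_lan, apply_to, enabled):
    """Services `subnet` should reach, following the rules in the article."""
    if subnet == "LAN1":                      # LAN1 cannot be locked out
        return set(MGMT_PORTS)
    if not allow_from_lan or subnet not in apply_to:
        return set()                          # router should give no response
    return set(enabled)                       # only the ticked services

def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'refused' or 'no-response'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:                           # timeout or unreachable
        return "no-response"

def audit(host, subnet, allow_from_lan, apply_to, enabled, probe_fn=probe):
    """Probe every management port and list results that contradict the policy."""
    allowed = expected_access(subnet, allow_from_lan, apply_to, enabled)
    findings = []
    for service, port in MGMT_PORTS.items():
        state = probe_fn(host, port)
        if service in allowed and state != "open":
            findings.append((service, port, state, "expected reachable"))
        elif service not in allowed and state == "open":
            findings.append((service, port, state, "expected blocked"))
    return findings

if __name__ == "__main__":
    # Usage: python3 audit.py <router-ip> <subnet this host sits in>
    # Constructed policy: LAN2/LAN3 ticked, HTTPS and SSH the only enabled services.
    router, subnet = sys.argv[1], sys.argv[2]
    issues = audit(router, subnet, True, {"LAN2", "LAN3"}, {"HTTPS", "SSH"})
    for service, port, state, why in issues:
        print(f"{service} (tcp/{port}): {state}, {why}")
    sys.exit(1 if issues else 0)
```

An empty result (exit status 0) means the subnet the script ran from sees exactly the services the policy allows; run it once from each subnet, including one that is not ticked.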

