How to set up access rules for TP-Link SMB router?
TL-R600VPN (V4), TL-ER6120, TL-ER6020, TL-ER5120, TL-R480T+, TL-R470T+, TL-ER604W
Recent updates may have expanded access to feature(s) discussed in this FAQ. Visit your product's support page, select the correct hardware version for your device and check either the Datasheet or the firmware section for the latest improvements added to your product.
In some cases we would like to set up a blacklist or whitelist to limit Internet access. For example, we may not want LAN users to use IPsec VPN, or we may want to allow access to HTTP websites only. This article explains how to set up these scenarios with Access Rules.
If you want to block specific websites, please refer to FAQ 188 (for new GUI) or FAQ 827 (for old GUI).
Part 1. Blacklist: Block IPsec VPN
Step 1. Log in to the web GUI. Go to Preferences--->Service Type. Add UDP port 500 and name it IPsec, or any other name you like.
Then add UDP port 4500 and name it IPsec2, or any other name you like.
These two entries now appear in the Service list.
Step 2. Go to Firewall--->Access Control. Set up the rules as shown below.
The Interface shows where the packets come from. If LAN is selected, the rule takes effect for packets going from LAN to WAN. The Source and Destination define the traffic direction. Here we block the IPsec service from the LAN IP to any IP.
If you want to limit only certain IPs, you first need to define them in IP Group.
After adding these two rules, IPsec will be blocked.
Part 2. Whitelist (LAN): Allow HTTP only and block all other services
Log in to the web GUI. Go to Firewall--->Access Control. Set up the following three entries as shown.
Step 1. We should allow the DNS service, because DNS always works together with HTTP.
Step 2. We should also allow the HTTP service for all Sources and Destinations.
Step 3. By default, all services are allowed in the Access Rules. To block the other services, we need to add a rule that blocks All Services last.
The router tries to match each packet against the rules one by one. The ID of an entry indicates its priority; ID 1 stands for the highest priority. So when we set up a whitelist, the block-all rule must be added last.
We can see these three entries in the List of Rules. Now all services are blocked except HTTP and DNS.
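The first-match behaviour described above can be checked offline before touching the router. The following is an added example, not TP-Link code: a small Python model of the rule lists from Part 1 and Part 2 that also flags rules made unreachable by a misplaced block-all entry. It assumes every rule uses Interface LAN with Source and Destination set to Any, and the port mappings for DNS and HTTP are assumptions; the names Rule, decide and shadowed are hypothetical.

```python
from dataclasses import dataclass

# Service definitions. IPsec/IPsec2 are the entries created in Part 1;
# the DNS and HTTP port mappings are assumptions made for this example.
SERVICES = {
    "DNS": {("udp", 53), ("tcp", 53)},
    "HTTP": {("tcp", 80)},
    "IPsec": {("udp", 500)},
    "IPsec2": {("udp", 4500)},
    "All Services": None,  # None = matches any protocol and port
}

@dataclass(frozen=True)
class Rule:
    policy: str   # "Allow" or "Block"
    service: str  # key in SERVICES

def matches(rule, proto, port):
    ports = SERVICES[rule.service]
    return ports is None or (proto, port) in ports

def decide(rules, proto, port):
    """Return (policy, rule ID) of the first matching rule; ID 1 is checked first."""
    for rule_id, rule in enumerate(rules, start=1):
        if matches(rule, proto, port):
            return rule.policy, rule_id
    return "Allow", None  # nothing matched: the default is to allow

def shadowed(rules):
    """IDs of rules that can never match because an earlier rule covers them."""
    dead = []
    for i, rule in enumerate(rules):
        mine = SERVICES[rule.service]
        for earlier in rules[:i]:
            theirs = SERVICES[earlier.service]
            if theirs is None or (mine is not None and mine <= theirs):
                dead.append(i + 1)
                break
    return dead

WHITELIST = [Rule("Allow", "DNS"), Rule("Allow", "HTTP"), Rule("Block", "All Services")]
MISORDERED = [Rule("Block", "All Services"), Rule("Allow", "DNS"), Rule("Allow", "HTTP")]
BLACKLIST = [Rule("Block", "IPsec"), Rule("Block", "IPsec2")]

if __name__ == "__main__":
    probes = [("udp", 53), ("tcp", 80), ("tcp", 443), ("udp", 500), ("udp", 4500)]
    for name, rules in [("whitelist", WHITELIST), ("misordered", MISORDERED), ("blacklist", BLACKLIST)]:
        print(name, "shadowed rule IDs:", shadowed(rules))
        for proto, port in probes:
            print(f"  {proto}/{port}: {decide(rules, proto, port)}")
```

With the block-all entry at ID 1, both allow entries are reported as shadowed and HTTP is blocked, which is the failure the ordering note in Step 3 guards against.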
Part 3. Whitelist (WAN): Allow a specific IP from the public Internet to access the FTP server in the LAN
If you have an FTP server in your LAN but, for security reasons, you want only one specific public IP to be able to access it, you will need the settings below.
Step 1. Add the allowed IP to an IP Group. Go to Preferences--->IP Group--->IP Address.
Here we take 10.10.10.9 as an example.
Then create an IP Group for this IP address. We call it FTPAllowed.
Step 2. Open port 21 to allow FTP connections. Go to Transmission--->NAT--->Virtual Servers.
Here, the FTP server is 192.168.20.191 as an example.
Step 3. Go to Firewall--->Access Control. Set up the rules as shown below.
After that, only 10.10.10.9 can access your FTP server from the WAN.