Huawei ACL parameter meaning

Hi Guys how are you?
I have been testing ACL setup on a Huawei HG8247W5, trying to understand how each TR parameter modification reflects on the WEB GUI. And I have some of them that I can’t figure out.
I am specifically talking about the “Precise Device Access Control” WEB GUI menu and how the parameters set via ACS modify WEB GUI fields.

These appear to be like a “shortcut” and directly enable/disable the most common applications, without having to create an ACL Rule and without specifying which LAN/WAN interface, Priority or LAN Ports are affected. I don’t find such a “global” configuration on the WEB GUI.

InternetGatewayDevice.X_HW_Security.AclServices.HTTPLanEnable
InternetGatewayDevice.X_HW_Security.AclServices.HTTPWanEnable
InternetGatewayDevice.X_HW_Security.AclServices.FTPLanEnable
InternetGatewayDevice.X_HW_Security.AclServices.FTPWanEnable
InternetGatewayDevice.X_HW_Security.AclServices.TELNETLanEnable
InternetGatewayDevice.X_HW_Security.AclServices.TELNETWanEnable
InternetGatewayDevice.X_HW_Security.AclServices.SSHLanEnable
InternetGatewayDevice.X_HW_Security.AclServices.SSHWanEnable
InternetGatewayDevice.X_HW_Security.AclServices.SamBaLanEnable
InternetGatewayDevice.X_HW_Security.AclServices.SamBaWanEnable

This parameter:
InternetGatewayDevice.X_HW_Security.AclServices.WanAccess.
is related to these subnodes, and I don’t know if they are just a different way to set up an ACL:
InternetGatewayDevice.X_HW_Security.AclServices.WanAccess.x.Enable = 1
InternetGatewayDevice.X_HW_Security.AclServices.WanAccess.x.Protocol = HTTP,SSH
InternetGatewayDevice.X_HW_Security.AclServices.WanAccess.x.WanName = wan1.1.ip1

These two I also don’t know what they are for:
InternetGatewayDevice.X_HW_Security.WANSrcWhiteList.WANSrcWhiteListEnable = 1
InternetGatewayDevice.X_HW_Security.WANSrcWhiteList.List.x.SrcIPPrefix = (Network to be used)

Then I have these two that I don’t know what they actually do on an ACL Rule:
InternetGatewayDevice.X_HW_Security.AclServices.AccessControl.List.x.DynamicWanServiceType
InternetGatewayDevice.X_HW_Security.AclServices.AccessControl.List.x.SrcMac

Any feedback will be very valuable !!!
Thanks !!!

‘Precise Device Access Control’ from GUI is represented in this:
InternetGatewayDevice.X_HW_Security.AclServices.AccessControl.

Available options are determined by ONT software that u have.

Please specify what u want to achieve, so maybe I can help.
More accurate place to ask this question would be Huawei support.

1 Like

Sorry for the delayed response.
I have no contact inside Huawei to get this support.
I am just testing back and forth.
I could figure out these parameters (there is some Spanish in it, lazy to translate, sorry :o) ):

InternetGatewayDevice.X_HW_Security.AclServices.AccessControl.AccessControlListEnable 1

InternetGatewayDevice.X_HW_Security.AclServices.AccessControl.AccessControlListNumberOfEntries 0

InternetGatewayDevice.X_HW_Security.AclServices.AccessControl.List. 1

Number of ACL entries I want. E.g. here: 1 entry. I think it is similar to the previous one.

InternetGatewayDevice.X_HW_Security.AclServices.AccessControl.List.1.SrcPortType 1

0
0 = LAN
1 = SSID
2 = WAN

InternetGatewayDevice.X_HW_Security.AclServices.AccessControl.List.1.SrcPortName 1

ALL

If SrcPortType is 2 (WAN), then SrcPortName is the WAN connection to which the rule should be applied.
ALL means all WANs.
If we want a specific one:

InternetGatewayDevice.WANDevice.1.WANConnectionDevice.x.WANIPConnection.1 (x is the ID of the WAN connection; what comes after the x depends on whether it is “WANIPConnection” or “WANPPPConnection”)

If SrcPortType is 0 (LAN), then SrcPortName is the WAN connection to which the rule should be applied.
ALL means all LAN ports. If we want a specific one:

InternetGatewayDevice.LANDevice.1.LANEthernetInterfaceConfig.x (x from 1 to 4)

If SrcPortType is 1 (SSID), then SrcPortName is the WAN connection to which the rule should be applied.
ALL means all SSIDs. If we want a specific one, then:

InternetGatewayDevice.LANDevice.1.WLANConfiguration.x (x from 1 to 8)

InternetGatewayDevice.X_HW_Security.AclServices.AccessControl.List.1.SrcIp 1

The range is given in the format x.x.x.x/xx

InternetGatewayDevice.X_HW_Security.AclServices.AccessControl.List.1.ServicePort 1

The protocols I want to select are listed here: TELNET,HTTP,FTP,ICMP,SAMBA. It is used for a rule by predefined application type.

InternetGatewayDevice.X_HW_Security.AclServices.AccessControl.List.1.SrcMac 1

InternetGatewayDevice.X_HW_Security.AclServices.AccessControl.List.1.ServiceProto 1

This one is used when the rule is defined directly by packet type (not by application): TCP/UDP,TCP,UDP,ICMP,ICMPv6

InternetGatewayDevice.X_HW_Security.AclServices.AccessControl.List.1.ServiceProtoPort 1

Port to use for the packet type: e.g. 3050

InternetGatewayDevice.X_HW_Security.AclServices.AccessControl.List.1.Priority 1

PRIORITY = VALUE BETWEEN 1 and 1024

InternetGatewayDevice.X_HW_Security.AclServices.AccessControl.List.1.Mode 1

MODE=1 Prohibit
MODE=0 Permit

InternetGatewayDevice.X_HW_Security.AclServices.AccessControl.List.1.DynamicWanServiceType 1

Still haven’t figured out the other subnodes:
InternetGatewayDevice.X_HW_Security.WANSrcWhiteList. subnodes

InternetGatewayDevice.X_HW_Security.WANSrcWhiteList.WANSrcWhiteListEnable
InternetGatewayDevice.X_HW_Security.WANSrcWhiteList.WANSrcWhiteListNumberOfEntries
InternetGatewayDevice.X_HW_Security.WANSrcWhiteList.List.
InternetGatewayDevice.X_HW_Security.WANSrcWhiteList.List.1.SrcIPPrefix

InternetGatewayDevice.X_HW_Security.AclServices. subnodes

InternetGatewayDevice.X_HW_Security.AclServices.WanAccess.
InternetGatewayDevice.X_HW_Security.AclServices.WanAccess.1.Enable
InternetGatewayDevice.X_HW_Security.AclServices.WanAccess.1.Protocol
InternetGatewayDevice.X_HW_Security.AclServices.WanAccess.1.WanName
InternetGatewayDevice.X_HW_Security.AclServices.WanAccess.1.SrcIPPrefix
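
The AccessControl.List fields decoded in the post above can be checked for consistency before an ACS pushes them to the ONT. This is an added example, not part of the thread and not Huawei or ACS code: `build_acl_rule` is a hypothetical helper, the field meanings are the poster's observations on the HG8247W5, and treating ServicePort and ServiceProto as mutually exclusive is an assumption.

```python
import ipaddress
import re

# Field meanings below are the poster's observations, not vendor documentation.
BASE = "InternetGatewayDevice.X_HW_Security.AclServices.AccessControl.List."
APPS = {"TELNET", "HTTP", "FTP", "ICMP", "SAMBA"}      # ServicePort values
PROTOS = {"TCP/UDP", "TCP", "UDP", "ICMP", "ICMPv6"}   # ServiceProto values
IGD = r"InternetGatewayDevice\."
PORT_NAME = {  # SrcPortType -> pattern for a specific (non-ALL) SrcPortName
    0: IGD + r"LANDevice\.1\.LANEthernetInterfaceConfig\.[1-4]",
    1: IGD + r"LANDevice\.1\.WLANConfiguration\.[1-8]",
    2: IGD + r"WANDevice\.1\.WANConnectionDevice\.\d+\.WAN(IP|PPP)Connection\.\d+",
}

def build_acl_rule(index, src_port_type, src_port_name="ALL", src_ip=None,
                   apps=None, proto=None, proto_port=None, priority=1, mode=1):
    """Hypothetical helper: return {parameter path: value} or raise ValueError."""
    if src_port_type not in PORT_NAME:
        raise ValueError("SrcPortType must be 0 (LAN), 1 (SSID) or 2 (WAN)")
    if src_port_name != "ALL" and not re.fullmatch(PORT_NAME[src_port_type], src_port_name):
        raise ValueError("SrcPortName does not belong to this SrcPortType")
    if not 1 <= priority <= 1024:
        raise ValueError("Priority must be between 1 and 1024")
    if mode not in (0, 1):
        raise ValueError("Mode must be 0 (Permit) or 1 (Prohibit)")
    # Assumption: a rule selects traffic by application OR by packet type.
    if bool(apps) == bool(proto):
        raise ValueError("give either apps (ServicePort) or proto (ServiceProto)")
    p = f"{BASE}{index}."
    params = {p + "SrcPortType": src_port_type, p + "SrcPortName": src_port_name,
              p + "Priority": priority, p + "Mode": mode}
    if src_ip is not None:
        if "/" not in src_ip:
            raise ValueError("SrcIp must be in x.x.x.x/xx form")
        ipaddress.ip_network(src_ip, strict=False)  # raises ValueError if malformed
        params[p + "SrcIp"] = src_ip
    if apps:
        unknown = set(apps) - APPS
        if unknown:
            raise ValueError(f"unknown application(s): {sorted(unknown)}")
        params[p + "ServicePort"] = ",".join(apps)
    else:
        if proto not in PROTOS:
            raise ValueError(f"unknown packet type: {proto}")
        params[p + "ServiceProto"] = proto
        if proto_port is not None:
            if not 1 <= proto_port <= 65535:
                raise ValueError("ServiceProtoPort out of range")
            params[p + "ServiceProtoPort"] = proto_port
    return params

# Constructed sample: prohibit TELNET and FTP arriving on any WAN connection.
RULE = build_acl_rule(1, 2, apps=["TELNET", "FTP"], priority=1, mode=1)
```

The returned dictionary maps full parameter paths to values; how those are typed and sent in a SetParameterValues call depends on the ACS in use.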