Does the remote access on your CPE support ACLs? We use ACLs with our CPEs and leave the remote access always enabled.
Here is my ACL provision script, which handles SmartRG, Comtrend, Zyxel device model v2 and generic Broadcom-based CPEs.
// Provision entry point: log, rebuild the management ACLs, then tag the device.
log('ACLs');

// One timestamp for the whole run; createAcls() uses it for its refresh declarations.
const now = Date.now();

// The model is read only for the log line below. A value timestamp of 1 means
// any previously fetched value is accepted.
const deviceModel = declare('VirtualParameters.Model', {value: 1}).value[0];
log('ACLs - Model', {model: deviceModel});

createAcls();

// Tag the device so it can be identified as having had the ACLs applied.
declare('Tags.HasACLs', null, {value: true});
return;
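/**
 * Rebuild the remote-management ACL on the CPE from the allow-list below.
 *
 * The same list is declared against the vendor-specific tables for SmartRG,
 * Comtrend, Broadcom (SR555) and Zyxel, so one provision covers all of them.
 * Reads the script-level `now` timestamp and uses `createNetmaskAddr` for the
 * tables that take a dotted netmask instead of a prefix length.
 */
function createAcls() {
  /*
   * Clear all existing ACL rules. Because everything is done in one transaction,
   * if there are no actual changes, then nothing will actually be removed by GenieACS.
   */
  // Refresh paths and values as of this run so the declarations below act on current state.
  declare('InternetGatewayDevice.X_SMARTRG_COM_MgmtAcl.*', {value: now, path: now});
  declare('InternetGatewayDevice.X_COMTREND_COM_AccessibleIPAddress.*', {value: now, path: now});

  // Declare zero instances of every vendor ACL table.
  declare('InternetGatewayDevice.X_SMARTRG_COM_MgmtAcl.[]', null, {path: 0});
  declare('InternetGatewayDevice.X_COMTREND_COM_AccessibleIPAddress.IPAddressEntry.[]', null, {path: 0});
  declare('InternetGatewayDevice.X_BROADCOM_COM_IPAddrAccCtrl.X_BROADCOM_COM_IPAddrAccCtrlListCfg.[]', null, {path: 0});
  declare('Device.X_ZYXEL_RemoteManagement.TrustDomain.[]', null, {path: 0});

  // Your IP addresses here...
  // Every entry is a source range that will be allowed to reach the CPE's
  // management interface, so keep the list as narrow as possible and
  // double-check each address/prefix pair before deploying.
  const allowedSources = [
    {ip: '192.168.1.0', maskBits: 24, interface: 'lan', notes: 'Local LAN'},
    // 172.16.0.0/12 is the RFC 1918 private block. The sample previously read
    // 172.128.0.0/12, which is public address space and would have admitted
    // that entire range on the WAN side.
    {ip: '172.16.0.0', maskBits: 12, interface: 'wan', notes: 'Management network'},
    {ip: '1.2.3.4', maskBits: 32, interface: 'wan', notes: 'Support Office'},
    {ip: '4.3.2.1', maskBits: 28, interface: 'wan', notes: 'Some Servers'},
  ];

  for (const acl of allowedSources) {
    log('ACLs - Adding mgmt acl', acl);

    // Comtrend and Broadcom take a dotted netmask; compute it once per entry.
    const netmask = createNetmaskAddr(acl.maskBits);

    // SmartRG: CIDR notation in a single parameter.
    declare(`InternetGatewayDevice.X_SMARTRG_COM_MgmtAcl.[SrcAddress:${acl.ip}/${acl.maskBits}]`, {path: 1}, {path: 1});

    // Comtrend: address, dotted netmask and interface. This is the only table here that uses acl.interface.
    declare(
      `InternetGatewayDevice.X_COMTREND_COM_AccessibleIPAddress.IPAddressEntry.[ipaddr:${acl.ip},Subnet:${netmask},Interface:${acl.interface}]`,
      {path: 1},
      {path: 1}
    );

    // SR555
    declare(
      `InternetGatewayDevice.X_BROADCOM_COM_IPAddrAccCtrl.X_BROADCOM_COM_IPAddrAccCtrlListCfg.[SourceIPAddress:${acl.ip},SourceNetMask:${netmask}]`,
      {path: 1},
      {path: 1}
    );

    // Zyxel: SubnetMask is given the prefix length, not a dotted mask.
    declare(`Device.X_ZYXEL_RemoteManagement.TrustDomain.[IPAddress:${acl.ip},SubnetMask:${acl.maskBits},Enable:true]`, {path: 1}, {path: 1});
  }

  // Enable the ACLs for the SR555ac and the Comtrend
  declare('InternetGatewayDevice.X_BROADCOM_COM_IPAddrAccCtrl.Enable', {path: 1}, {value: true});
  declare('InternetGatewayDevice.X_COMTREND_COM_AccessibleIPAddress.Enable', {path: 1}, {value: true});
}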
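/**
 * Convert an IPv4 prefix length into a dotted-decimal netmask.
 *
 * The result is written into ACL entries, so an out-of-range or non-integer
 * prefix is rejected rather than turned into a malformed mask.
 *
 * @param {number|string} bitCount - Prefix length, an integer from 0 to 32.
 * @returns {string} Netmask such as '255.255.255.0' for 24.
 * @throws {RangeError} If bitCount is not an integer in the range 0..32.
 */
function createNetmaskAddr(bitCount) {
  // Numeric strings such as '24' are still accepted, as they were before validation was added.
  let remaining = Number(bitCount);
  if (!Number.isInteger(remaining) || remaining < 0 || remaining > 32) {
    throw new RangeError(`Invalid IPv4 prefix length: ${bitCount}`);
  }

  const octets = [];
  for (let i = 0; i < 4; ++i) {
    // Each octet takes up to 8 of the remaining prefix bits.
    const bits = Math.min(remaining, 8);
    octets.push(256 - 2 ** (8 - bits));
    remaining -= bits;
  }
  return octets.join('.');
}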