Hello,

For my internship I'm setting up 2 3com L3 switches. The model of these switches is 4800G (from HP, they fused to H3C) and I'm using the latest firmware.

I'm trying to get reflexive ACL's working. What I'm trying to do is to limit users to internet traffic. They may not be able to access other network resources (it's a Guest LAN).
However, to offer them internet access, I also have to offer them DNS and DHCP. These protocols work using UDP.

My clients can contact the servers and the servers respond correctly (tested using wireshark). Sadly enough, my ACL's block the answers from the clients.

I know I could just allow traffic from the servers to the clients and it doesn't bother me to do so. However, I'm using a simular setup to create a DMZ where I need to do the same.

In the next ACL, tcp connections are working as they should (when they are estabilished, they are allowed).
UDP and ICMP traffic does not work.
I've read many things about reflexive ACL's and I thought this should do the trick. Sadly enough it does not :-(

My manual doesn't mention reflective ACL's.

My ACL (with fake IP's) for my guest VLAN is:
acl number 3000 name internet_only
description Internet access + dhcp + dns for guests
step 20
rule 10 permit tcp estabilished
rule 20 permit udp reflective destination 192.168.0.1 0 destination-port eq 53
rule 21 permit tcp destination 192.168.0.1 0 destination-port eq 53
rule 40 permit udp reflective destination 192.168.1 0 destination-port eq 68
rule 41 permit tcp destination 192.168.0.1 0 destination-port eq 68
rule 60 deny ip destination 192.168.0.0 0.0.255.255
rule 80 permit ip
rule 10 comment allow estabilished tcp connections
rule 20 comment DNS
rule 21 comment DNS
rule 40 comment DHCP
rule 41 comment DHCP
rule 60 comment block access to internal network
rule 80 comment allow other (internet) traffic
I hope anyone can help my out