Omada Controller 3.1.4 (Windows) has been released.

Re:Omada Controller 3.1.4 (Windows) has been released.
2019-06-19 15:42:51

Hello just want to check for 

. Guest Network

We change SSID Isolation as the Guest Network. With the Guest Network enabled, the devices connected in the same SSID of the same AP cannot communicate with each other, and guest network will block clients from reaching any private IP subnet.

If I need the guest network to access one private IP, for example 10.1.1.1, is there any way to add it?

#14
Re:Re:Omada Controller 3.1.4 (Windows) has been released.
2019-06-20 02:17:16

Hello,

After we enable guest network, we will not be able to access the private network.

If you want to achieve this, you can set Access Control to allow this subnet.

Access Control has a higher priority than guest network.

#15
Re: Omada Controller 3.1.4 (Windows) has been released.
2019-07-22 14:26:17

forrest wrote

After we enable guest network, we will not be able to access the private network.

If you want to achieve this, you can set Access Control to allow this subnet.

Access Control has a higher priority than guest network.

Hello forrest,

Access Control allow rules don't help here. Block rules seem to have precedence over allow rules.

I have the following setup:

  • Two subnets, two firewall zones, one is the 192.168.12.0 subnet, the other is 192.168.16.0 subnet.
  • EAPs are in the 192.168.12.0 subnet, OC200 is in the 192.168.16.0 subnet.
  • Firewall permits communication between EAPs and OC200 by forwarding traffic.
  • Captive Portal runs on a router which is connected to both subnets (multi-homed host).

If I enable Guest Network, it also blocks access to private IPs. Allow rules to unblock the Captive Portal's IP 192.168.12.1 and OC200's IP 192.168.16.2 do not work after they have been blocked by Guest Network setting.

The only way I could allow clients access to the Captive Portal running at 192.168.12.1 and OC200 running at 192.168.16.2 is to create a block rule (!) for private IPs and to explicitly define the IPs 192.168.12.1 and 192.168.16.2 as exceptions to this block rule. Using this trick I can achieve Client Isolation using the Guest Network setting. Did cost me about an hour to find out how to grant access to the Captive Portal and to the OC200 when Guest Network is enabled!

Drawback of this solution is that I have to duplicate two simple firewall rules on the router to a counterintuitive block rule setting in Omada Controller with exceptions for the IPs in question.

PLEASE: give us back Client Isolation. For public hotspots I only need Client Isolation on an EAP. Layer 3 blocking is already done in my router where it belongs - I do not want to have double rules to just be able to isolate WiFi clients.

It's o.k. to give non-IT people who don't use L3 ACLs on a router's firewall a simple way to set up a guest network using a single click, but it is not o.k. to take away client isolation settings in favour of the former. Both settings (ACLs to prevent L3 access and WiFi client isolation) are two different things, even if there is kind of a short-cut like Guest Network to enable both at once!

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#17
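A way to sanity-check the exception list of the workaround described in post #17 before entering it in the controller, as an added example that is not part of the thread and not Omada's own code. It models only the layer 3 rule "block private IPs except the listed addresses" as the post describes it; the RFC 1918 ranges, the function names and the test destinations 192.168.12.50 and 203.0.113.10 are assumptions, and WiFi client isolation (layer 2) is not modelled.

```python
import ipaddress

# RFC 1918 ranges, assumed here to be what "private IPs" means in the block rule.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Exceptions from post #17: the captive portal and the OC200.
EXCEPTIONS = ["192.168.12.1", "192.168.16.2"]

# Intended reachability for a guest client (constructed test matrix).
EXPECTED = {
    "192.168.12.1": "allow",    # captive portal on the router
    "192.168.16.2": "allow",    # OC200
    "192.168.12.50": "block",   # constructed: another host in the EAP subnet
    "10.1.1.1": "block",        # private address mentioned in post #14
    "203.0.113.10": "allow",    # constructed: a public (non-RFC 1918) address
}

def decide(dst, exceptions):
    """Verdict of the modelled rule for one destination address."""
    addr = ipaddress.ip_address(dst)
    # strict=False accepts "192.168.12.1/24", which silently means the whole /24.
    if any(addr in ipaddress.ip_network(e, strict=False) for e in exceptions):
        return "allow"          # listed exception to the block rule
    if any(addr in net for net in PRIVATE_NETS):
        return "block"          # private destination that is not excepted
    return "allow"              # public destination, the rule does not apply

def audit(exceptions, expected):
    """Destinations whose modelled verdict differs from the intended one."""
    return {dst: decide(dst, exceptions)
            for dst, want in expected.items()
            if decide(dst, exceptions) != want}

def broad_exceptions(exceptions):
    """Exceptions that open more than a single host."""
    return [e for e in exceptions
            if ipaddress.ip_network(e, strict=False).num_addresses > 1]

if __name__ == "__main__":
    print("mismatches:", audit(EXCEPTIONS, EXPECTED))
    sloppy = ["192.168.12.1/24", "192.168.16.2"]   # constructed misconfiguration
    print("mismatches:", audit(sloppy, EXPECTED))
    print("too broad:", broad_exceptions(sloppy))
```

The model says nothing about how a given EAP firmware orders guest-network blocking against Access Control rules, which is the point the posters disagree on; that still has to be tested from a client on the guest SSID.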
Re:Re: Omada Controller 3.1.4 (Windows) has been released.
2019-07-25 02:50:35

Hi @R1D2,

About your question, we had a test today. We set EAP in 192.168.1.1/24, OC200 in 192.168.2.1/24, then we enabled Guest Network in the SSID, the clients cannot access the OC200 (192.168.2.4), then we set Access Control for the SSID, and then we can ping the OC200 successfully. So we didn't reproduce your issue. We recommend you to have a test again.

Captive Portal runs on a router which is connected to both subnets (multi-homed host).

We can set portal on the OC200 and the clients can authenticate successfully. You say the portal runs on a router, we don't understand it.

You mentioned the SSID Isolation, we will add this to our suggestion list, thank you for your feedback.

#18
Re: Omada Controller 3.1.4 (Windows) has been released.
2019-07-28 14:44:31

Hello forrest,

thank you for your reply. Could it be that the effect depends on the firmware (EAP225-Outdoor)? I did test v1.0.0 (pre-installed), v1.3.0 and v1.5.0. They seem to have different semantics regarding ACLs. With version 1.0.5 it works so far.

Regarding Captive Portal: yes, we use our own Captive Portal software running on the router b/c we need detailed possibility of intervention due to legal regulations (German TMG law). The router can be any device, either our own x86-based hardware as shown below, but also any other router, even an Archer WiFi router or an UBNT EdgeRouter running our own firmware.

Following diagram outlines the most common topology, another one is the placement of OC200 in the WAN zone if the WAN zone is behind another router (e.g. from the ISP) instead of just a modem:

Firewall and ACLs are on the router. ACLs on EAPs are not needed in this topology. I really would appreciate if you could enable Client Isolation setting in Omada Controller again.

Thanks for your consideration! Much appreciated.

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#19