Omada Switch ACLs for established state

2021-02-16 11:13:50
Model: OC200  

Hi there,


just started my Omada SDN Setup. The main parts are:

* Controller OC200 v1.0 (Firmware 1.7.3 Build 20201119 Rel.63433, Controller Version 4.2.8)
* Gateway TL-R605 v1.0 (Firmware 1.0.0)
* Switch TL-SG2008P v1.0 (Firmware 1.0.0)

I wonder how to configure the following (pretty common I guess) setup:

* VLAN 1 as main VLAN
* VLAN 2 as IoT VLAN

1. I want to deny traffic from VLAN 2 to VLAN 1 (this worked pretty easy by adding a switch ACL rule for that)
2. I still want to allow (initiated) traffic from VLAN 1 to VLAN 2 so that I can for example access my IP camera


But for this to work I need something that is normally referred to as a firewall rule that allows established connections from VLAN 2 to VLAN 1. How can this be done? I cannot find it in Omada. I also tried to set it up by running all the devices in standalone mode, but even there I could not find a way to create an ACL rule that matches on established connections.


Any help would be appreciated.

Christian

#1
Re:Omada Switch ACLs for established state
2021-02-16 16:44:24

@thekwasti 


If your cameras are on a specific port range, you could create an IP Port group to ALLOW those ports, then apply it via a Switch ACL. Set this as a higher priority than the block VLAN rule and that should work.


For example, I have an IoT VLAN that is totally blocked from my main VLAN; however, I also have cameras on that IoT VLAN, so I can access those specific camera IPs via ports 4455 and 4456.


That help?

#2
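The difference between the port-group workaround in post #2 and the established-state rule the original post asks for, shown as an added example that is not from this thread or from TP-Link. It models the port group as a permit matching the camera's source port (an assumption about how the ACL is written), with constructed addresses and traffic:

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src dst proto sport dport")

# Constructed addressing for the example: VLAN 1 (main) is 10.0.1.0/24, VLAN 2 (IoT) is 10.0.2.0/24.
def vlan_of(ip):
    return 1 if ip.startswith("10.0.1.") else 2

CAMERA_PORTS = {4455, 4456}   # the ports from post #2, used as an IP port group
CAMERAS = {"10.0.2.50"}       # constructed camera address

def stateless_acl(pkt):
    """Ordered switch ACL, first match wins: a permit for the camera port group sits
    above the deny for all VLAN 2 -> VLAN 1 traffic. The switch keeps no flow state."""
    if vlan_of(pkt.src) == 2 and vlan_of(pkt.dst) == 1:
        if pkt.src in CAMERAS and pkt.sport in CAMERA_PORTS:
            return "permit"
        return "deny"
    return "permit"           # VLAN 1 -> VLAN 2 and intra-VLAN traffic is not restricted

class StatefulFilter:
    """The 'established' rule the thread asks for: VLAN 1 may open flows to VLAN 2, and
    VLAN 2 -> VLAN 1 is permitted only when it is the reply to a flow already recorded."""
    def __init__(self):
        self.flows = set()
    def check(self, pkt):
        if vlan_of(pkt.src) == 1 and vlan_of(pkt.dst) == 2:
            self.flows.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
            return "permit"
        if vlan_of(pkt.src) == 2 and vlan_of(pkt.dst) == 1:
            reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
            return "permit" if reverse in self.flows else "deny"
        return "permit"

def run(filter_fn, packets):
    return [filter_fn(p) for p in packets]

# Constructed traffic: a phone in VLAN 1 opens the camera stream, the camera replies,
# then the camera opens a connection of its own into VLAN 1 from the permitted port.
TRAFFIC = [
    Pkt("10.0.1.10", "10.0.2.50", "tcp", 51000, 4455),   # phone -> camera (new flow)
    Pkt("10.0.2.50", "10.0.1.10", "tcp", 4455, 51000),   # camera -> phone (reply)
    Pkt("10.0.2.50", "10.0.1.20", "tcp", 4455, 22),      # camera-initiated, not a reply
]

def compare():
    """Returns the verdict list of each approach over TRAFFIC."""
    return {"stateless": run(stateless_acl, TRAFFIC),
            "stateful": run(StatefulFilter().check, TRAFFIC)}
```

The stateless ACL permits the third packet because it cannot tell a reply from a camera-initiated connection that uses the same source port; the stateful filter denies it.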
Re:Omada Switch ACLs for established state
2021-02-16 17:43:18

@Philbert Thanks for the reply. That would work, of course, but I don't think it is a good solution. Especially IP cameras never have to be allowed to initiate connections themselves (except for NTP for time sync).


I even tried to run both the switch and the gateway in standalone mode, and even there it is not possible. I just really wonder how a router in the business tier does not allow a simple firewall rule based on the established state.


Probably I will just step away from the whole Omada ecosystem and get something like an EdgeSwitch (I already have an EdgeRouter running). The centralized management is super nice, but if fundamentals are just not available, then it does not really help. :(

#3
Re:Omada Switch ACLs for established state
2021-05-08 22:08:34
I have to second this. I can set up any 2 random physical home routers and get this functionality by default. Omada needs to provide this functionality across VLANs; it's a severe oversight.
#4
Re:Omada Switch ACLs for established state
2021-06-26 10:52:49

Thank god I saw this forum post. That doesn't sound good.

Is there any news regarding this topic? This is a total knockout for our plans to migrate to Omada. Even UniFi offers this functionality.

Without that, an additional firewall is required and I don't see a reason for using an Omada gateway.

#5
Re:Omada Switch ACLs for established state
2021-07-16 22:43:08
@ksx I'm jealous you found this post. I was running the EAP225s and a PoE 1500G switch with an ER-X router, and it was working as expected. I found EdgeOS to be more complicated than I wanted to deal with (and I didn't want the expense of a full Ubiquiti network to get their central management), but I have found the limitations of the Omada system to be extremely frustrating.
#6
Re:Omada Switch ACLs for established state
2021-10-13 04:00:20 - last edited 2021-10-13 04:11:01

Are there any updates about this? This feature is a dealbreaker for me because it would make it a pain to configure an IoT network, blocking devices on that network from initiating connections while allowing replies (e.g. connecting to a TV or a Chromecast from a smartphone).


I guess this would have to be processed in the gateway because it's basically a stateful rule between VLANs, but since UniFi gateways allow this I thought it was going to be present in Omada.

#7
Re:Omada Switch ACLs for established state
2021-11-23 09:58:34


Hi,


I am a new user of the Omada ecosystem (router, switch, AP) and I was very unpleasantly surprised that this feature is missing. All reviews I managed to go through said this system is a 1-1 copy of UniFi features, but sadly it is not.


This is very much needed for clean home network segmentation (secure LAN vs IoT devices); please add this to your roadmap.

#8
Re:Omada Switch ACLs for established state
2021-12-22 23:26:49

@thekwasti 

+1 for this.


This and mDNS are two big things missing.

#9
Re:Omada Switch ACLs for established state
2021-12-29 21:27:25

I came here hoping to see that this issue had been fixed, just to find out that nothing has been done to address this issue.


Maybe 2022 will be the year Omada can become competitive.


I would not have bought into this ecosystem knowing this up front.


#10
Re:Omada Switch ACLs for established state
2021-12-29 21:51:25
I think I may have got it working: block the subnet by denying IP port group - any outgoing connections. Obviously, have the rules for any IP addresses you want to access before this rule.
#11