Omada Switch ACLs for established state
Hi there,
just started my Omada SDN Setup. The main parts are:
* Controller OC200 v1.0 (Firmware 1.7.3 Build 20201119 Rel.63433, Controller Version 4.2.8)
* Gateway TL-R605 v1.0 (Firmware 1.0.0)
* Switch TL-SG2008P v1.0 (Firmware 1.0.0)
I wonder how to configure the following (pretty common I guess) setup:
* VLAN 1 as main VLAN
* VLAN 2 as IoT VLAN
1. I want to deny traffic from VLAN 2 to VLAN 1 (this worked pretty easy by adding a switch ACL rule for that)
2. I still want to allow (initiated) traffic from VLAN 1 to VLAN 2 so that I can for example access my IP camera
But for this to work I need something that is normally referred to as a firewall rule, that allows established connections from VLAN 2 to VLAN 1. How can this be done? I cannot find it in Omada. I also try to set it up by running all the devices in standalone mode, be even there I could not find a way to create an ACL rule that matches on established connection.
Any help would be appreciated.
Christian
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
If your camera are on a specific Port range you could createan IP Port group to ALLOW those ports then apply it via a Switch ACL, set this as a higher priority than the block VLAN and that should work
For example i have a IOT VLAN that is totally blocked from my main VLAN, however i also have cameras on that IOT so can access via ports 4455 and 4456 those specific IPs used for the cameras..
That help?
- Copy Link
- Report Inappropriate Content
@Philbert Thanks for the reply. That would work of course, but I don't think it is a good solution. Esp. IP cameras never have to be allowed to initiate connections themself (except for NTP for time sync).
I even tried to run both, the switch as well as the gateway in standalone mode, and even there it is not possible. I just really wonder, how a router in the business tier does not allow a simple firewall rule based on the established state.
Probably I will just step away from the whole omada ecosystem and get something like an edgeswitch (I already have an edgerouter running). The centralized management is super nice, but if fundamentals are just not available, then it does not really help. :(
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Thank god I saw this forum post. That doesn't sound good.
Are there any news regarding this topic? This is a total knock out for our plans to migrate to Omada. Even Unifi offers this functionality.
Without that, a additional firewall is required and I don't see a reason for using a Omada gateway.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Are there any updates about this? This feature is a dealbreaker for me because it would make it a pain to configure an IoT network, block devices from that network to initiate connections but allowing replies (e.g. connecting to a TV or a Chromecast from a smartphone).
I guess this would have to be processed in the gateway because it's basically stateful rule between VLANs, but since Unifi gateways allow this I thought it was going to be present in Omada.
- Copy Link
- Report Inappropriate Content
Hi,
I am new user of the omada ecosystem (router, switch, ap) and I was very unpleasantly surprised that this feature is missing. All reviews I managed to go through said this system is a 1-1 copy of unifi features but sadly it is not.
This is very needed for clean home network segmentation (secure lan vs IoT devices), please add this to your roadmap.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
I came here hoping to see that this issue had been fixed, just to find out that nothing has been done to address this issue.
Mabye 2022 will be the year Omada can become competative.
I would have not bought into this echo system knowing this up front.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Information
Helpful: 11
Views: 12091
Replies: 38