Omada Switch ACLs for established state

Re:Omada Switch ACLs for established state
2022-07-01 19:53:57


tekneon wrote

  @thekwasti I actually don't think that the TL-R605 is fit for handling a stateful firewall and keeping an acceptable throughput.


I have had my Omada hardware for a year now and got tired of waiting for TP-Link to get tired of ignoring this request. I invested in a mini computer able to run pfSense and finally reached my goal of correctly separating my VLANs, and even more. Now that I have it working and have seen the wide range of features pfSense offers, I strongly doubt that TP-Link can offer even a small part of those features with the TL-R605. At least at this rate.


@tekneon It is quite possibly a hardware limitation. Although, it must already have a stateful firewall running on the WAN ports.


I think it would be an unreasonable expectation for a $60 device to support the full range of features that a software firewall running on a PC can offer. Also, when dealing with remote always-on installations, a software firewall isn't always the best solution. Mini-PCs have this habit of failing when run 24/7, especially when the climate conditions aren't ideal.

 

That being said, only supporting stateless ACLs between LAN segments seems like a pretty deal-breaking limitation.

#22
Re:Omada Switch ACLs for established state
2022-08-30 20:36:30

Is this already on the development roadmap? It would be really nice to hear something back from TP-Link, at least to know whether it's worth the wait or whether we should switch... As can be seen from this and the mentioned thread, this is quite the dealbreaker, not just for home users; it makes it unusable for businesses even more so.

#23
Re:Omada Switch ACLs for established state
2022-08-30 20:55:43

@jzakarias

Can't find the post now (unfortunately), but I had seen on Reddit that one of the users was in contact with TP-Link support; apparently this is due in a firewall and VLAN change very soon.


I can't remember if it was the v5 or v6 controller, but they indicated that support said "due soon". My gut feeling is the v6 controller might bring this, perhaps that is just hope!

#24
Re:Omada Switch ACLs for established state
2022-09-01 10:14:59

@Philbert I found it, or something similar, for others' future reference:

r/TPLink_Omada/comments/wwrg14/er605_is_incapable_of_doing_unidirectional_vlan/

  "We have consulted our senior engineer about this, and we would improve the SPI firewall function in the next firmware."

#25
Re:Omada Switch ACLs for established state
2022-09-11 19:36:46

Is it possible to get the established/related ACL by replacing ER605 with a device running OPNSense, while keeping all other Omada devices?

#26
Re:Omada Switch ACLs for established state
2022-09-11 19:49:08

  @WesWalker 

WesWalker wrote

Is it possible to get the established/related ACL by replacing ER605 with a device running OPNSense, while keeping all other Omada devices?


Yes. You will need to transfer the config for DHCP and the network to OPNsense as well.

In this scenario, the Omada controller will still show all your devices (because the switches and WAPs will see them) and manage your wireless config.

#27
Re:Omada Switch ACLs for established state
a week ago

I can confirm this is now working after the recent update.

#28
Re:Omada Switch ACLs for established state
a week ago
Great news! Which gateway & FW version is this?
#29
Re:Omada Switch ACLs for established state
a week ago

@thekwasti

Router ER-7206 version 1.2.3 Build 20221104 Rel.41500

OC200 controller
Version: 5.6.4
Build: 1.20.1 Build 20220921 Rel.35880

#30
Re:Omada Switch ACLs for established state
a week ago

@chrisro, how have you managed to combine gateway and switch ACLs? I have blocked inter-VLAN communication at the switch level, and adding an ACL for existing state for inter-VLAN communication doesn't bring the desired effect. My settings are as follows:


Gateway ACL: LAN->LAN, permit, all protocols, Network->Network, IOT->Main, States Type: Auto

Switch ACL: deny, all protocols, Network->Network, IOT->Main, ACL binding: All ports

 

Did I miss something?

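The behaviour the whole thread is about, as an added illustration that is not part of any post here and not Omada or TP-Link code: a small Python model of three ways a rule can treat the IOT->Main direction when only connections opened from Main should be allowed. "stateless" is a plain deny of IOT->Main, "stateless+ack" is the old trick of letting IOT->Main TCP through only when the ACK bit is set (the kind of "established" a stateless ACL can express), and "stateful" keeps a flow table and lets the IOT->Main half of a flow through only if Main opened it. The network ranges, hosts and packets below are constructed for the example.

```python
"""Stateless vs. stateful handling of the IOT->Main direction (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed, constructed address plan for the example.
MAIN = ip_network("10.0.10.0/24")
IOT = ip_network("10.0.20.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = field(default_factory=frozenset)  # TCP flags, e.g. {"SYN", "ACK"}


def iot_to_main(pkt):
    return ip_address(pkt.src) in IOT and ip_address(pkt.dst) in MAIN


def main_to_iot(pkt):
    return ip_address(pkt.src) in MAIN and ip_address(pkt.dst) in IOT


def stateless_deny(pkt):
    """Plain stateless rule: every IOT->Main packet is dropped, replies included."""
    return "deny" if iot_to_main(pkt) else "permit"


def stateless_ack_exception(pkt):
    """Stateless approximation of 'established': IOT->Main TCP passes only when the
    ACK bit is set, so a fresh SYN from IOT is dropped but replies to a Main-opened
    session pass. It cannot cover UDP and it trusts a bit the sender controls."""
    if iot_to_main(pkt):
        return "permit" if pkt.proto == "tcp" and "ACK" in pkt.flags else "deny"
    return "permit"


class StatefulAcl:
    """Connection tracking: Main->IOT packets register a flow; an IOT->Main packet is
    permitted only if it is the reverse of a flow already in the table."""

    def __init__(self):
        self.flows = set()

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse(pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def evaluate(self, pkt):
        if main_to_iot(pkt):
            self.flows.add(self._key(pkt))
            return "permit"
        if iot_to_main(pkt):
            return "permit" if self._reverse(pkt) in self.flows else "deny"
        return "permit"


# Constructed traffic: one host in each network.
MAIN_HOST, IOT_HOST = "10.0.10.5", "10.0.20.50"
FLOWS = {
    # Main opens TCP/80 to the IoT device; the device answers with SYN+ACK.
    "main_initiated_tcp": [
        Packet(MAIN_HOST, IOT_HOST, "tcp", 40000, 80, frozenset({"SYN"})),
        Packet(IOT_HOST, MAIN_HOST, "tcp", 80, 40000, frozenset({"SYN", "ACK"})),
    ],
    # The IoT device tries to open its own session into Main.
    "iot_initiated_tcp": [
        Packet(IOT_HOST, MAIN_HOST, "tcp", 50000, 22, frozenset({"SYN"})),
    ],
    # The IoT device sends an unsolicited packet with ACK set (no matching flow).
    "iot_forged_ack": [
        Packet(IOT_HOST, MAIN_HOST, "tcp", 50001, 22, frozenset({"ACK"})),
    ],
    # Main sends a UDP query and the device answers; nothing to key on but state.
    "main_initiated_udp": [
        Packet(MAIN_HOST, IOT_HOST, "udp", 41000, 5683),
        Packet(IOT_HOST, MAIN_HOST, "udp", 5683, 41000),
    ],
}


def compare():
    """Verdict list per policy and per constructed flow (fresh state for each flow)."""
    policies = {
        "stateless": lambda: stateless_deny,
        "stateless+ack": lambda: stateless_ack_exception,
        "stateful": lambda: StatefulAcl().evaluate,
    }
    return {name: {flow: [make()(p) for p in pkts] if False else [ev(p) for ev in [make()] for p in pkts]
                   for flow, pkts in FLOWS.items()}
            for name, make in policies.items()}


if __name__ == "__main__":
    for policy, verdicts in compare().items():
        print(policy, verdicts)
```

Only the state-tracking policy lets the reply half of both the TCP and the UDP session through while still dropping everything the IoT side originates; the ACK-flag trick recovers TCP replies but admits an unsolicited packet that merely carries the ACK bit, and a plain stateless deny blocks the replies along with the unwanted traffic.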
#31