Omada Switch ACLs for established state
Hi there,
just started my Omada SDN Setup. The main parts are:
* Controller OC200 v1.0 (Firmware 1.7.3 Build 20201119 Rel.63433, Controller Version 4.2.8)
* Gateway TL-R605 v1.0 (Firmware 1.0.0)
* Switch TL-SG2008P v1.0 (Firmware 1.0.0)
I wonder how to configure the following (pretty common I guess) setup:
* VLAN 1 as main VLAN
* VLAN 2 as IoT VLAN
1. I want to deny traffic from VLAN 2 to VLAN 1 (this worked pretty easy by adding a switch ACL rule for that)
2. I still want to allow (initiated) traffic from VLAN 1 to VLAN 2 so that I can for example access my IP camera
But for this to work I need something that is normally referred to as a firewall rule, that allows established connections from VLAN 2 to VLAN 1. How can this be done? I cannot find it in Omada. I also try to set it up by running all the devices in standalone mode, be even there I could not find a way to create an ACL rule that matches on established connection.
Any help would be appreciated.
Christian
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
@thekwasti I'm using the controller, so it's:
Settings > Netwrok Security > ACL > Switch ACL > "+ Create New Rule" >
status: enable is checked
Policy = denied
Protocols = "All"
source = network or device you want to block
destination = "IP Group" and select "IPGroup_Any"
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Is @DaBear s configuration really the solution?
Does this really provide the following advantages at the same time?:
- IoT to LAN no new connections can be established (e.g. TCP443 etc )
- LAN to IoT new connections can be opened
- IoT to LAN can respond only to this opened connection till it is closed
DaBears config sounds for me like closing everthing up and opening special ports like TCP443 again for both directions. So the IoT can e.g.. create new connections for 443. But IoT should't be able to open any connections on it's own.
But hopefully i misinterpreted the config :-)
- Copy Link
- Report Inappropriate Content
@KSX No, you interpreted it correctly. As long as there is no way to target the established and related traffic, either you can allow the creation of a connection from both ways or you can only send data without having a way to get a response (or a ACK for the matter)
- Copy Link
- Report Inappropriate Content
So I've just really started my Omada journey and have come across this issue. Well, that and the mDNS one (which I've worked around using Avahi). How is this a complete product without these features? I literally can't lock down my IOT VLAN as it should be without hard coding a bunch of IP addresses into rule groups.
I really hope this gets fixed/implemented soon.
- Copy Link
- Report Inappropriate Content
+1
I'm glad that I found this thread before I went all in with omada setup. This really is a must-have feature for this kind of product. Judging by the lack of response from tp link team on this thread, I'm assuing it is not going to be supported anytime soon.
- Copy Link
- Report Inappropriate Content
Yes. The lack of stateful firewall rules seems like an unreasonable omission for many use cases.
- Copy Link
- Report Inappropriate Content
@Fae , @Hank21 Can you please chime in here? There is also a related feature request thread at https://community.tp-link.com/en/business/forum/topic/501934
As you can see from these threads, it is a dealbreaker for many, including me. In fact, many people expected this feature to be present from the get-go in products that support vlan, and rightfully so.
Does tp-link have any plan to include this feature? If yes, is there anyway to prioritize this feature?
- Copy Link
- Report Inappropriate Content
@thekwasti I actually don't think that the TL-R605 is fit for handling a statefull firewall and keep an acceptable throughput.
I have my omada hardware for a year now and got tired of waiting for TP-Link to be tired of ignoring this request. I invested into a mini computer able to run PFSense and finally reached my goal of correctly separating my vlans and even more. Now that I have it working and that I have see the wire range of features PFSense offers, I strongly doubt that TPLink can offer even a small part of those features with the TL-R605. At least at this rate.
My TL-R605 is now retired and for sale ;)
- Copy Link
- Report Inappropriate Content
Information
Helpful: 11
Views: 12496
Replies: 38