@thekwasti I'm using the controller, so it's:

Settings > Netwrok Security > ACL > Switch ACL > "+ Create New Rule" > 

status: enable is checked

Policy = denied

Protocols = "All"

source = network or device you want to block

destination = "IP Group" and select "IPGroup_Any"

Is @DaBear s configuration really the solution?

Does this really provide the following advantages at the same time?:

- IoT to LAN no new connections can be established (e.g. TCP443 etc )

- LAN to IoT new connections can be opened

- IoT to LAN can respond only to this opened connection till it is closed

DaBears config sounds for me like closing everthing up and opening special ports like TCP443 again for both directions. So the IoT can e.g.. create new connections for 443. But IoT should't be able to open any connections on it's own.

But hopefully i misinterpreted the config :-)

  @KSX No, you interpreted it correctly. As long as there is no way to target the established and related traffic, either you can allow the creation of a connection from both ways or you can only send data without having a way to get a response (or a ACK for the matter)

So I've just really started my Omada journey and have come across this issue. Well, that and the mDNS one (which I've worked around using Avahi). How is this a complete product without these features? I literally can't lock down my IOT VLAN as it should be without hard coding a bunch of IP addresses into rule groups.

I really hope this gets fixed/implemented soon.

+1

I'm glad that I found this thread before I went all in with omada setup. This really is a must-have feature for this kind of product. Judging by the lack of response from tp link team on this thread, I'm assuing it is not going to be supported anytime soon.

Yes.  The lack of stateful firewall rules seems like an unreasonable omission for many use cases.

@Fae , @Hank21 Can you please chime in here? There is also a related feature request thread at https://community.tp-link.com/en/business/forum/topic/501934

As you can see from these threads, it is a dealbreaker for many, including me. In fact, many people expected this feature to be present from the get-go in products that support vlan, and rightfully so.

Does tp-link have any plan to include this feature? If yes, is there anyway to prioritize this feature?

  @thekwasti I actually don't think that the TL-R605 is fit for handling a statefull firewall and keep an acceptable throughput.

I have my omada hardware for a year now and got tired of waiting for TP-Link to be tired of ignoring this request. I invested into a mini computer able to run PFSense and finally reached my goal of correctly separating my vlans and even more. Now that I have it working and that I have see the wire range of features PFSense offers, I strongly doubt that TPLink can offer even a small part of those features with the TL-R605. At least at this rate.

My TL-R605 is now retired and for sale ;)