Looking for help with VLANs and ACL for allowing limited traffic between VLANs
2021-02-27 15:35:45
Model: ER605 (TL-R605)  
Hardware Version: V1
Firmware Version: V1

I'm trying to configure VLANs and ACL to allow clients on one VLAN to have access to my home assistant server on a different VLAN.  Here is my network setup

 

TL-605, TL-SG2008P, and EAP245, Omada controller software on PC

 

TL-SG2008P:

EAP245 (Port 1 - VLAN1 Native, VLAN 10, 20, 30 Tagged)

PC (Port 2 - VLAN1 Native)

Home Assistant (Port 3 - VLAN 30 Native)

TL-605 (Port 8 - All port profile)

 

VLANS are set up as Interfaces with DHCP enabled on separate subnets

 

With all ACL rules off, I can ping/connect to HA on VLAN 30 from my PC on VLAN 1 and from an iPad on VLAN 10

 

Relevant ACL rules (all other rules disabled):

"deny all protocols, source: network interface for VLAN 30 to destination: other network interfaces/VLANS" - This is at the bottom of the ACL stack.  With only this enabled I can't ping/connect to HA on any VLAN other than VLAN 30.

 

"Permit all protocols, source: network/VLAN 10 to destination: HA IP Group" - This is at the top of the stack.  When first enabled or moved in the ACL list, a couple of pings will be returned then the rest time out, and no connection to HA from any other VLAN.

 

I'm sure it's something simple that I'm overlooking, but at this point I can see the forest for the trees. I've been following tutorials for setting this up, most commonly on a Unifi system. Can anyone point me in the right direction with either my configuration, or with an online reference to accomplish this?

#1
Re:Looking for help with VLANs and ACL for allowing limited traffic between VLANs
2021-03-01 15:43:04

@trimmkm 

 

Did you set up the switch ACL rules as "Bi-directional" when creating them, i.e. there is a rule "x" and a corresponding "x_reverse" in the list?

 

#2
Re:Looking for help with VLANs and ACL for allowing limited traffic between VLANs
2021-03-02 01:31:32

@TEDC 

 

Thanks for the response.  Yes, I have used the bi-directional option to make this work.  I'm learning most of this as I go, so I'm relying a lot on what I find online.  I haven't been able to find much content online for using the Omada products in a smart home environment.  Based on what I've seen, I didn't think this option would be necessary.  Following a video on setting up the Omada system, the presenter creates a rule to allow all clients on a VLAN to access a switch on a management VLAN.  He didn't enable bi-directional rules, and appeared to have communications.  However, after reviewing the video again I realized he did not create a deny rule to block traffic originating on the management VLAN, therefore the ping requests could return.  

 

In the Unifi ecosystem there is a setting to enable "established and related" messages that I think allows communications across VLANs without creating static bi-directional rules.  I haven't found a similar setting in Omada.   

 

So, is the bi-directional setting the only way to allow two way traffic between VLANs? 

#3
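The observation in the reply above (return traffic from the management VLAN only got through because no deny rule caught it) comes down to the switch ACL being stateless: the ping request and the ping reply are matched against the rule list as two unrelated packets, so a one-way permit at the top of the list does nothing for the reply once a deny rule sits below it. The following Python model is an added example, not code from this thread or from TP-Link; the subnets, the Home Assistant address, the rule names and the implicit-permit default are constructed assumptions (the default is chosen because the original post reports traffic flowing with every rule disabled).

```python
"""Stateless, first-match ACL model for the VLAN 10 -> Home Assistant case.

Added example; not the forum's or TP-Link's code. All addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Tuple

# Constructed addressing (assumption, not taken from the thread)
VLAN10 = ip_network("192.168.10.0/24")    # client VLAN (the iPad)
VLAN30 = ip_network("192.168.30.0/24")    # Home Assistant VLAN
HA_HOST = ip_network("192.168.30.5/32")   # stand-in for the "HA IP Group"


@dataclass
class Rule:
    name: str
    action: str                 # "permit" or "deny"
    src: List[IPv4Network]
    dst: List[IPv4Network]

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return any(src in n for n in self.src) and any(dst in n for n in self.dst)


def evaluate(acl: List[Rule], src: IPv4Address, dst: IPv4Address) -> str:
    """First matching rule wins, top to bottom.

    Assumed implicit permit at the end of the list: with all rules disabled
    the original post could reach HA from every VLAN.
    """
    for rule in acl:
        if rule.matches(src, dst):
            return rule.action
    return "permit"


def ping_exchange(acl: List[Rule], client: IPv4Address, server: IPv4Address) -> Tuple[str, str]:
    """A stateless ACL sees the request and the reply as two independent packets."""
    request = evaluate(acl, client, server)
    reply = evaluate(acl, server, client)
    return request, reply


def session_works(acl: List[Rule], client: IPv4Address, server: IPv4Address) -> bool:
    """Two-way traffic only works when both directions are permitted."""
    return ping_exchange(acl, client, server) == ("permit", "permit")


# The rule set from the original post: permit at the top, deny at the bottom.
# "Other network interfaces" is modelled as VLAN 10 only, the single other VLAN in this toy.
DENY_VLAN30_OUT = Rule("deny_vlan30_to_others", "deny", [VLAN30], [VLAN10])
PERMIT_VLAN10_TO_HA = Rule("permit_vlan10_to_ha", "permit", [VLAN10], [HA_HOST])
ONE_WAY_ACL = [PERMIT_VLAN10_TO_HA, DENY_VLAN30_OUT]

# What "Bi-directional" adds: the matching _reverse rule, placed above the deny.
# It is scoped to the HA host, not the whole VLAN 30, so the rest of VLAN 30 stays isolated.
PERMIT_HA_TO_VLAN10 = Rule("permit_vlan10_to_ha_reverse", "permit", [HA_HOST], [VLAN10])
BIDIR_ACL = [PERMIT_VLAN10_TO_HA, PERMIT_HA_TO_VLAN10, DENY_VLAN30_OUT]

# Constructed sample hosts
IPAD = ip_address("192.168.10.20")
HA = ip_address("192.168.30.5")
OTHER_VLAN30_HOST = ip_address("192.168.30.77")   # some other device on VLAN 30

if __name__ == "__main__":
    print("one-way ACL:", ping_exchange(ONE_WAY_ACL, IPAD, HA))      # reply is dropped
    print("bi-directional ACL:", ping_exchange(BIDIR_ACL, IPAD, HA))  # both directions pass
    print("other VLAN 30 host -> VLAN 10:", evaluate(BIDIR_ACL, OTHER_VLAN30_HOST, IPAD))
```

Running the model shows the failure the original post describes: with the one-way list the request is permitted but the reply from HA hits the deny rule, so the session never completes. Adding the reverse rule above the deny makes the exchange work, and because it is scoped to the HA host, a different device on VLAN 30 is still denied when it tries to reach VLAN 10, which is the isolation the deny rule was there for.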
Re:Looking for help with VLANs and ACL for allowing limited traffic between VLANs
2021-03-15 14:44:37

@trimmkm I'm curious if you found an answer to this and what your final solution was as I'm trying to set up the same thing right now.

#4
Re:Looking for help with VLANs and ACL for allowing limited traffic between VLANs
2021-03-15 22:35:05

@atvking 

 

I ended up creating bi-directional rules for things that needed access.  For those services that I deemed "nice to have" but not must have access, I gave up on them as I felt it would defeat the purpose of setting up VLANS. 

#5
Re:Looking for help with VLANs and ACL for allowing limited traffic between VLANs
2021-03-16 03:33:37

@trimmkm Oh that's a bummer! I suspect we've been watching a lot of the same videos (Mactelecom Networks, The Hook Up). I was under the impression that the Omada stuff was as powerful/configurable as the Unifi stuff but at a better price. At this point I just really hope TP-Link adds the ability to configure an established-related rule in the future. That and the lack of an mDNS repeater/reflector are making me want to return the Omada stuff and just take the price hit on Unifi.

#6