Unable to block traffic between VLANs on ER7206

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2022-01-14 19:59:58 - last edited 2022-01-17 19:29:22

Model: ER7206 (TL-ER7206)

Hardware Version: V1.0

Firmware Version: 1.1.1

 

What is the correct procedure to segregate VLANs so that they're not able to talk to each other but still have internet access? I've tried creating Switch ACLs, Gateway ACLs and even EAP ACLs with the Deny Policy selected but they seem to have no effect at all.

 

I have VLAN1 which is my home network and I've created a VLAN10. I then changed my laptop's ethernet adapter to VLAN ID 10 and I get the correct IP and DNS from DHCP (10.0.10.0/24). Internet works but I can access everything on my VLAN1 (192.168.2.0/24) network and vice versa. I'd like to be able to make it so that VLAN10 cannot talk to VLAN1 but that VLAN1 can talk to VLAN10. How can I do this?

 

In the ACL I've tried selecting VLAN10 as the source and VLAN1 as the destination with both Port and VLAN ACL binding, but no matter what options I choose both networks can always ping each other.

 

I have the ER7206 connected to a Cisco SG350X-48 switch on a Trunked port and the laptop which also runs the Controller software is connected to another trunked port configured for tagged vlan 10. I've also created a LAN Profile on the ER7206 and tagged VLAN10 with LAN as the Native Network (also tried VLAN10 as the Native Network and have LAN tagged instead).

 

Any ideas how to block traffic between VLANs?

#1
1 Accepted Solution
Re: Unable to block traffic between VLANs on ER7206 - Solution
2022-01-16 15:30:06 - last edited 2022-01-17 19:29:22

@yorkman you need an Omada switch to do this with switch ACLs. The VLAN traffic is crossing in the switch and never making it to the gateway.

 

I figured this one out the hard way...

 

 

Recommended Solution
#2
Re: Unable to block traffic between VLANs on ER7206
2022-01-17 19:29:12

@HomeAdmin

 

Thank you for that. I think you're right. I do have a Cisco SG350X-48 switch but I've never had to use ACLs yet. It does appear to have ACL allow/deny capability for VLANs so I'll play with those settings as soon as I get a chance again.

#3
Re: Unable to block traffic between VLANs on ER7206
2022-01-17 21:32:19

@yorkman same situation with the TL-ER605, that's very annoying.

#4
Re: Unable to block traffic between VLANs on ER7206
2022-01-17 21:37:39

@S-K Yes. I just got the ER605 yesterday to troubleshoot this problem as well as why I was seeing the "SFP port is down" message on the ER7206. I think I was able to resolve the latter problem but not the unable-to-block-VLAN-traffic issue.

 

If a switch is needed to do the job, why is TP-Link including the ACL feature on these routers when it won't work? I guess it's because its ACLs are only for:

 

1) Gateway ACL

2) Switch ACL

3) EAP ACL

 

It seems like it's missing a VLAN ACL feature there!

 

 

#5
Re: Unable to block traffic between VLANs on ER7206
2022-01-17 21:47:10

Gateway ACLs will work for traffic that traverses the gateway. I am using a gateway ACL to deny IP cameras internet. The actual VLAN traffic never reaches the gateway; it is handled in the switch. Hence the need for switch ACLs. I had the same problem as you. I bought an Omada SDN switch and now I can do all of the nice little things like allowing printer access on the core network from the guest VLAN using IP Port filters etc.

#6
Re: Unable to block traffic between VLANs on ER7206
2022-04-01 15:37:00

@yorkman, I ended up being in the same situation. I use the ER7206 with VLANs, but the Omada Controller does not manage my switch. I was using the Software Controller to manage the router. When I defined the Switch ACLs, they didn't work. Because I only have the router, I thought I would set it up as a standalone device without the Omada Controller.

 

I defined ACLs that block inter-VLAN communication by configuring the router in standalone mode. I tested that, and it is indeed blocking the traffic that goes through the switch. My switch is connected to the router, and then clients connect to the switch. Defining the ACLs didn't go without issues. Initially, I tried blocking Network `A` to Network `!A`, but that broke DHCP, and clients were no longer getting IPs. I tried allowing DHCP, but that didn't work; I probably didn't configure something properly. I ended up defining IP Groups for the different VLANs by first defining IP address lists as below. Note: the router is outside the defined network ranges.

Below are the entries found at Preferences > IP Group:

| ID | Name | IP Address Type | IP Address Range | IP Address/Mask | Description |
|---|---|---|---|---|---|
| 2 | IP_ManagementPC | IP Address/Mask | *.*.*.10/32 | *.*.*.10/32 | Management Desktop |
| 3 | Infra_Client_IPs | IP Address Range | *.*.*.2-*.*.*.255 | --- | Infra Client IPs |
| 4 | Guest_Client_IPs | IP Address Range | *.*.*.2-*.*.*.255 | --- | Guest Client IPs |
| 5 | Work_Client_IPs | IP Address Range | *.*.*.2-*.*.*.255 | --- | Work Client IPs |
| 6 | Security_Client_IPs | IP Address Range | *.*.*.2-*.*.*.255 | --- | Security Client IPs |

 

Then define the IP Group lists:

| ID | Group Name | Address Name | Description |
|---|---|---|---|
| 3 | Management_IP_Group | IP_ManagementPC | Management Desktop |
| 4 | G_Clients_Group | Guest_Client_IPs | Client IPs in Guest |
| 5 | I_Clients_Group | Infra_Client_IPs | Client IPs in Infra |
| 6 | W_Clients_Group | Work_Client_IPs | Client IPs in Work |
| 7 | S_Clients_Group | Security_Client_IPs | Client IPs in Security |
| 8 | Not_G_Clients_Group | Infra_Client_IPs, Work_Client_IPs, Security_Client_IPs | Client IPs outside Guest |
| 9 | Not_W_Clients_Group | Infra_Client_IPs, Guest_Client_IPs, Security_Client_IPs | Client IPs outside Work |
| 10 | Not_I_Clients_Group | Guest_Client_IPs, Work_Client_IPs, Security_Client_IPs | Client IPs outside Infra |
| 11 | Not_S_Clients_Group | Infra_Client_IPs, Guest_Client_IPs, Work_Client_IPs | Client IPs outside Security |

 

Then go to Firewall > Access Control:

| ID | Name | Source | Destination | Source Network | Destination Network | Policy | Service Type | Direction | Effective Time |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Allow_Management_to_All | Management_IP_Group | IPGROUP_ANY | --- | --- | Allow | ALL | ALL | Any |
| 2 | Block_Infra_to_others | I_Clients_Group | Not_I_Clients_Group | --- | --- | Block | ALL | ALL | Any |
| 3 | Block_Guest_to_others | G_Clients_Group | Not_G_Clients_Group | --- | --- | Block | ALL | ALL | Any |
| 4 | Block_Security_to_others | S_Clients_Group | Not_S_Clients_Group | --- | --- | Block | ALL | ALL | Any |
| 5 | Block_Work_to_others | W_Clients_Group | Not_W_Clients_Group | --- | --- | Block | ALL | ALL | Any |

 

Congratulations, your inter-VLAN traffic is blocked, and you have a management console that sees all VLANs.

 

***Disclaimer***
I don't plan on monitoring this thread and providing further guidance. I am sharing my experience and what worked for me. Your situation probably has differences, and you will need to figure it out. I hope the above information is also helpful to you.

#7
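The IP-group and Access Control rule set from the post above, modelled offline so the matching logic can be checked before touching a router. This is an added example written for this thread, not the poster's configuration export and not TP-Link code. Everything below that the post does not state is an assumption: the prefixes (the post masks them as `*.*.*.`), the management PC sitting in the Infra VLAN, rules evaluated top-down with the first match winning, and a packet that matches no rule being allowed. The ACL names, group names and the .2-.255 client ranges are taken from the post.

```python
"""Offline model of the post's IP groups and Access Control rules (added example).

Assumptions not stated in the post: rules are evaluated top-down, first match
wins, and a packet matching no rule is allowed. The addressing is constructed
because the post masks its real prefixes as *.*.*.
"""
from ipaddress import IPv4Address, IPv4Network

# Constructed sample addressing: one /24 per VLAN, router at .1 of each.
VLAN_NETS = {
    "Infra": IPv4Network("10.0.10.0/24"),
    "Guest": IPv4Network("10.0.20.0/24"),
    "Work": IPv4Network("10.0.30.0/24"),
    "Security": IPv4Network("10.0.40.0/24"),
}
MANAGEMENT_PC = IPv4Address("10.0.10.10")   # the post's "*.*.*.10/32", placed in Infra here
ANY = "IPGROUP_ANY"                         # the router's built-in "any" group


def client_range(net: IPv4Network, first_host: int = 2):
    """One 'IP Address Range' entry as in the post: .2-.255, leaving the router's .1 outside."""
    return (net.network_address + first_host, net.broadcast_address)


def build_groups(first_host: int = 2):
    """Preferences > IP Group: the address lists, then the per-VLAN and Not_<VLAN> groups."""
    lists = {f"{name}_Client_IPs": [client_range(net, first_host)]
             for name, net in VLAN_NETS.items()}
    lists["IP_ManagementPC"] = [(MANAGEMENT_PC, MANAGEMENT_PC)]
    groups = {"Management_IP_Group": lists["IP_ManagementPC"]}
    for name in VLAN_NETS:
        k = name[0]                                  # G_, I_, W_, S_ prefixes as in the post
        groups[f"{k}_Clients_Group"] = lists[f"{name}_Client_IPs"]
        groups[f"Not_{k}_Clients_Group"] = [
            r for other in VLAN_NETS if other != name for r in lists[f"{other}_Client_IPs"]]
    return groups


def build_acl():
    """Firewall > Access Control in the post's order: management allow first, then the blocks."""
    rules = [("Allow_Management_to_All", "Management_IP_Group", ANY, "Allow")]
    for name in VLAN_NETS:
        k = name[0]
        rules.append((f"Block_{name}_to_others", f"{k}_Clients_Group",
                      f"Not_{k}_Clients_Group", "Block"))
    return rules


def in_group(ip: IPv4Address, group: str, groups) -> bool:
    """Membership test: ANY matches everything, otherwise any range in the group must contain ip."""
    if group == ANY:
        return True
    return any(lo <= ip <= hi for lo, hi in groups[group])


def evaluate(src: str, dst: str, rules, groups):
    """Return (policy, rule name) for a packet src -> dst; no match falls through to Allow."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for name, src_group, dst_group, policy in rules:
        if in_group(s, src_group, groups) and in_group(d, dst_group, groups):
            return policy, name
    return "Allow", "default"


if __name__ == "__main__":
    groups, rules = build_groups(), build_acl()
    cases = [
        ("10.0.20.50", "10.0.30.50", "guest client -> work client"),
        ("10.0.20.50", "203.0.113.5", "guest client -> internet host"),
        ("10.0.10.10", "10.0.20.50", "management PC -> guest client"),
        ("10.0.20.50", "10.0.10.1", "guest client -> router's Infra address"),
    ]
    for src, dst, what in cases:
        print(f"{what:42s} {evaluate(src, dst, rules, groups)}")
    # Rule order matters: with the management allow moved last it is shadowed by Block_Infra_to_others.
    print("management PC, allow rule moved last:",
          evaluate("10.0.10.10", "10.0.20.50", rules[1:] + rules[:1], groups))
    # Ranges starting at .1 pull the router's own addresses into the Not_* groups.
    print("guest -> router, ranges from .1:",
          evaluate("10.0.20.50", "10.0.10.1", rules, build_groups(first_host=1)))
```

Two things the model makes visible that the tables alone do not: the management allow must sit above the block rules, because the management PC is also inside its own VLAN's client range and would otherwise hit that VLAN's block rule; and starting the client ranges at .2 is what keeps the router's per-VLAN addresses out of the Not_* groups. Whether replies to a connection opened from an allowed side are themselves allowed depends on the firmware's rules being stateful; a purely stateless block of VLAN10 to VLAN1 would also drop the return half of VLAN1-initiated connections, so that is worth testing on the real device rather than assuming.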
Re: Unable to block traffic between VLANs on ER7206
2022-06-11 21:32:27

@marulya I was hoping to do this on my ER605 but alas, FYI, this doesn't work. Inter-VLAN is always on.

 

I'll be going with the D-Link DSR-500 instead. I need the dual link, but this cheap $50 ER605 is incredibly painful to use.

#8