ACL between VLANs

2022-04-03 15:22:37
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version:

VLAN1 is the system vlan.

VLAN4 is an IoT vlan.

VLAN99 is a guest vlan. 

I want:

- all three to access the internet
- vlan99 only able to access the internet. No other vlans can access it or vice-versa.
- vlan1 to initiate a link to vlan4 but vlan4 cannot initiate a link to any vlan. (I believe this requires SPI, which I think this router has.)

programmed ACLs:

1.  Allow vlan1 to vlan4

2.  Deny vlan4 to vlan1

3.  Deny vlan99 to all


Problem:

With this setup, vlan4 and vlan99 do not connect to the internet. 

Re: ACL between VLANs
2022-04-04 08:56:09

  @DannyZ 

ACL should not be "deny all". There is an option "all network/IP" which includes 0.0.0.0/0.0.0.0. If you deny this, you'll be losing all the connection.

You can set Deny VLAN 99 to VLAN 1 and 44. Don't make it deny everything. 

What other devices do you use in this network? If you are saying that VLAN 4 and 99 are not working, did you set up multi-SSID right?

https://www.tp-link.com/us/support/faq/3091/

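A small model of how this rule set behaves, written as an added example for this thread (not TP-Link's or Omada's code; the subnets and hosts are assumed): first-match ACL evaluation with a reply-tracking table, run over the rules from the question and over the corrected set, showing why "deny vlan99 to all" also drops guest internet traffic while "deny vlan99 to vlan1 and vlan4" leaves it alone.

```python
# Constructed model of ordered, stateful inter-VLAN ACL evaluation (not TP-Link code).
from ipaddress import ip_address, ip_network

# Assumed subnets for the thread's VLANs; "all" is the "all network/IP" option (0.0.0.0/0).
NETWORKS = {
    "vlan1": ip_network("192.168.1.0/24"),    # system VLAN, router lives here
    "vlan4": ip_network("192.168.4.0/24"),    # IoT
    "vlan99": ip_network("192.168.99.0/24"),  # guest
    "all": ip_network("0.0.0.0/0"),
}
def evaluate(rules, flows):
    """Verdict per (src, dst) flow: first matching rule wins, no match = permit.
    Permitted flows are remembered so their reverse direction is also permitted
    (the SPI behaviour the thread relies on). Real SPI also keys on protocol/ports."""
    sessions, verdicts = set(), []
    for src_s, dst_s in flows:
        src, dst = ip_address(src_s), ip_address(dst_s)
        verdict = "permit"
        if (dst, src) not in sessions:          # not a reply: consult the rules
            for action, src_net, dst_net in rules:
                if src in NETWORKS[src_net] and dst in NETWORKS[dst_net]:
                    verdict = action
                    break
        if verdict == "permit":
            sessions.add((src, dst))
        verdicts.append(verdict)
    return verdicts
# Rules as posted in the question: "deny vlan99 to all" also matches internet destinations.
RULES_ORIGINAL = [("permit", "vlan1", "vlan4"),
                  ("deny", "vlan4", "vlan1"),
                  ("deny", "vlan99", "all")]
# Rules following the reply: deny guest only towards the other VLANs, plus a
# deny so IoT cannot initiate towards guest either; internet falls through to permit.
RULES_FIXED = [("permit", "vlan1", "vlan4"),
               ("deny", "vlan4", "vlan1"),
               ("deny", "vlan4", "vlan99"),
               ("deny", "vlan99", "vlan1"),
               ("deny", "vlan99", "vlan4")]
# Constructed flows, evaluated in order (203.0.113.5 stands in for an internet host).
FLOWS = [("192.168.1.10", "192.168.4.20"),   # system -> IoT, initiated from vlan1
         ("192.168.4.20", "192.168.1.10"),   # IoT reply to the flow above
         ("192.168.4.21", "192.168.1.10"),   # IoT initiating towards system
         ("192.168.99.30", "203.0.113.5"),   # guest -> internet
         ("192.168.4.20", "203.0.113.5"),    # IoT -> internet
         ("192.168.99.30", "192.168.1.10")]  # guest -> system

if __name__ == "__main__":
    print("original:", evaluate(RULES_ORIGINAL, FLOWS))
    print("fixed:   ", evaluate(RULES_FIXED, FLOWS))
```

With the original rules the guest-to-internet flow is denied because 0.0.0.0/0 covers the internet host; with the corrected rules it is permitted, while guest-to-system and IoT-initiated-to-system stay denied and the IoT reply to a vlan1-initiated flow is still allowed.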
Re: ACL between VLANs
2022-04-04 15:47:13

  @John1234 

Sorry, I should have been clearer on the ACLs I set. I did set the rules to apply to each specific "network" exactly as described in the link you sent. I did not use any "IP" restrictions in the ACL entries.

So traffic from network "vlan99" (guest) is denied to network "vlan1" (primary network). "All" protocols are denied, which is consistent with the link you sent.

To me this makes common sense and matches the FAQ scenario provided by TP-Link as well as your feedback, but still does not allow vlan99 to connect to the internet.

The gateway/router is on vlan1. Could that have anything to do with this issue? Do I need to create some sort of static route to the internet since the guest network may not be able to communicate?

Re: ACL between VLANs
2022-04-05 04:32:00 - last edited 2022-04-05 04:35:01

  @DannyZ 

If you got the VLAN right but still cannot get internet, I think it has something to do with your VLAN. How do you set the VLAN (to port) profile on your switch?

Do you just get a computer connected to the port and get a matching VLAN, or?

So, since you mention IoT, it's more like a WiFi AP, right? For an AP, you don't have to set anything or modify any ports on the switch. Instead, you just go and set up your WLAN and make that SSID match the VLAN ID. Will this work for you? When I do my VLAN for WiFi, I don't set anything because Omada can do a lot for you on its own. You just pay attention to the WLAN part.

If you intend to use a device(like a switch) to the Omada router/switch, you need to set the port profile on the switch. If you want to make it a trunk port, you set the profile to "All". If you want a dedicated VLAN for a specific port, you use a certain VLAN profile for the port. 

There is no need to use any static routing. First, check your IP: do you get IPs from VLAN 4 and 99? I think it's more like an issue with the VLAN interface instead of the ACL.

PS

What is the version of your controller and ER7206? Are they up to date? I think you first need to make sure the configs are right before setting up the ACL. 
