ACL only enabling as bidirectional

2022-08-05 23:59:49 - last edited 2022-08-10 00:40:14
Hardware Version:
Firmware Version: 5.4.6

I've been in the initial phases of creating a very simple network.  I have a Core LAN and matching SSID and an IoT LAN and matching SSID.

I wanted to create a very simple Switch ACL that blocks IoT from the Core, but still allows traffic in the opposite direction (Core to IoT).  It doesn't seem to matter what I try (list below): when I enable my Block IoT rule, I lose all connectivity, bidirectionally, between the LANs.


I have:

Rebooted

Performed Factory Reset

Deleted all SSIDs and LANs and rebuilt from scratch

Created a "permit all" from my Core network to all other networks before and after the block rule

I am sure there is something I'm missing... but after my 5th time going over things I'm at a loss.  Below are write-outs of my relevant configs:


LANs:

CORE LAN - 10.0.0.0/24 - Interface (all LAN interfaces checked) - VLAN 1 (also tried changing to 2, in case 1 had a management issue)

IoT LAN - 10.0.100.0/24 - Interface (all LAN interfaces checked) - VLAN 100

WLANs:

The Force - 2.4/5GHz, WPA-Personal - SSID Broadcast, VLAN 1 (also tried matching to 2 per the CORE LAN test above)

IoT - 2.4/5GHz, WPA-Personal - SSID Broadcast, VLAN 100

Access List - Switch ACL:

Rule: Block IoT - Deny all protocols - Source Network: IoT - Destination Network: Core LAN


From what I know/have read and watched, this should allow my Core network to communicate with my IoT network, but the second I turn it on, my extended pings drop until I disable the rule.


Should I be doing this a different way?  What am I doing wrong?

Re:ACL only enabling as bidirectional-Solution
2022-08-06 02:17:31 - last edited 2022-08-10 01:38:10

  @Hoova101 ACLs are stateless.  That means that when you block traffic from iot->lan and allow traffic from lan->iot, the return traffic gets blocked.

The Omada gateways don't have a stateful firewall between LAN segments.

Basically, you have to live with some kind of compromise.  Generally speaking, this means if you want to be able to access your iot devices from your LAN, you need to allow the return traffic on just those ports.  For example, if you're hitting a webserver you need to allow traffic from iot:80/443->lan.  This is suboptimal in many cases but it is the only thing that is supported.

Recommended Solution
Re:ACL only enabling as bidirectional
2022-08-08 09:18:04

  @Hoova101 

Take a look:

How to implement VLAN unidirectional access through ACL configuration

But only for Standalone mode.

Re:ACL only enabling as bidirectional
2022-08-09 21:40:13 - last edited 2022-08-10 00:29:03

  @Alex789 

That makes sense, but then what use is the source/destination and bi-directional components of the ACL creation?

*edit*

I figured out how to make it work.  My main intention was to isolate IoT but allow communication between IoT and one service (Plex).  I created an IP Port Group for the service (Main LAN and port of service), then created a bidirectional ACL between IoT and that port group.  Then I added the deny below that to block all other traffic.

Works for now - it would be a bigger headache if I have tons of misc servers/ports though.

Thanks for the replies!

Re:ACL only enabling as bidirectional-Solution
2022-08-09 21:56:03 - last edited 2022-08-10 00:40:14

  @Hoova101 

Hoova101 wrote

  @Alex789 

That makes sense, but then what use is the source/destination and bi-directional components of the ACL creation?

Bi-directional is useful with an allow rule because you can let the traffic through in both directions.

Source and destination still matter.  Lots of examples for this.  Here is a simple one.

allow port 80 b->a
block all b->a
allow all a->b

Recommended Solution
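To make the stateless-ACL point concrete, here is an added simulator (not TP-Link/Omada code and not posted by anyone in the thread). It replays the three rule sets discussed: the original single deny rule, Alex789's "allow port 80 b->a / block all b->a / allow all a->b" ordering, and Hoova101's bidirectional port-group permit with a deny beneath it. The Plex port, the meaning of the bidirectional option (match with source and destination, including their ports, swapped) and the implicit permit for unmatched traffic are assumptions made for illustration; the sample addresses are constructed from the thread's subnets.

```python
"""Stateless ACL simulator for the IoT/Core scenario in this thread.

Added example, not TP-Link/Omada code and not posted in the thread. It models
the behaviour Alex789 describes: each packet is judged on its own, the first
matching rule wins, and (as the original post's symptoms imply) traffic that
matches no rule is permitted. The Plex port, the bidirectional-option
semantics and the sample addresses are assumptions made for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

CORE = ip_network("10.0.0.0/24")    # Core LAN from the original post
IOT = ip_network("10.0.100.0/24")   # IoT LAN from the original post
PLEX_PORT = 32400                   # assumed Plex port; the thread names none


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                       # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str = "any"
    src_port: Optional[int] = None   # None matches any port
    dst_port: Optional[int] = None
    bidirectional: bool = False      # assumed: also match with src/dst (and their ports) swapped

    def _one_way(self, p: Packet, src, dst, sport, dport) -> bool:
        return (ip_address(p.src_ip) in src and ip_address(p.dst_ip) in dst
                and (sport is None or sport == p.src_port)
                and (dport is None or dport == p.dst_port))

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self._one_way(p, self.src, self.dst, self.src_port, self.dst_port):
            return True
        return self.bidirectional and self._one_way(
            p, self.dst, self.src, self.dst_port, self.src_port)


def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching rule decides; there is no memory of earlier packets (stateless)."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "permit"                  # implicit permit when nothing matches (assumption)


def exchange_works(acl: List[Rule], request: Packet, reply: Packet) -> bool:
    """A stateless ACL must pass the request AND the reply as independent packets."""
    return evaluate(acl, request) == "permit" and evaluate(acl, reply) == "permit"


# 1. The original post: a single deny IoT -> Core. The ping leaves Core, but the echo reply is dropped.
ACL_ORIGINAL = [Rule("deny", IOT, CORE)]
PING_REQ = Packet("10.0.0.10", "10.0.100.20", "icmp")
PING_REP = Packet("10.0.100.20", "10.0.0.10", "icmp")

# 2. Alex789's compromise, in the order of "allow port 80 b->a / block all b->a / allow all a->b":
#    permit replies from IoT web ports only, deny everything else from IoT, allow Core -> IoT.
ACL_RETURN_PORTS = [
    Rule("permit", IOT, CORE, "tcp", src_port=80),
    Rule("permit", IOT, CORE, "tcp", src_port=443),
    Rule("deny", IOT, CORE),
    Rule("permit", CORE, IOT),
]
HTTP_REQ = Packet("10.0.0.10", "10.0.100.20", "tcp", src_port=51000, dst_port=80)
HTTP_REP = Packet("10.0.100.20", "10.0.0.10", "tcp", src_port=80, dst_port=51000)
IOT_TO_CORE_SSH = Packet("10.0.100.20", "10.0.0.10", "tcp", src_port=40000, dst_port=22)

# 3. Hoova101's working setup: one bidirectional permit between IoT and the Plex port on Core, deny beneath it.
ACL_PORT_GROUP = [
    Rule("permit", IOT, CORE, "tcp", dst_port=PLEX_PORT, bidirectional=True),
    Rule("deny", IOT, CORE),
]
PLEX_REQ = Packet("10.0.100.20", "10.0.0.10", "tcp", src_port=50000, dst_port=PLEX_PORT)
PLEX_REP = Packet("10.0.0.10", "10.0.100.20", "tcp", src_port=PLEX_PORT, dst_port=50000)


if __name__ == "__main__":
    print("original rule, ping request :", evaluate(ACL_ORIGINAL, PING_REQ))        # permit
    print("original rule, ping reply   :", evaluate(ACL_ORIGINAL, PING_REP))        # deny
    print("return-port ACL, HTTP works :", exchange_works(ACL_RETURN_PORTS, HTTP_REQ, HTTP_REP))  # True
    print("return-port ACL, IoT->SSH   :", evaluate(ACL_RETURN_PORTS, IOT_TO_CORE_SSH))          # deny
    print("port-group ACL, Plex works  :", exchange_works(ACL_PORT_GROUP, PLEX_REQ, PLEX_REP))    # True
    print("port-group ACL, IoT->SSH    :", evaluate(ACL_PORT_GROUP, IOT_TO_CORE_SSH))            # deny
```

The first scenario reproduces the symptom in the original post: the request passes, the reply is denied, so the extended ping fails. The second scenario shows why Alex789 calls the port-based compromise suboptimal: a stateless permit keyed on source port 80/443 passes any IoT packet that carries that source port, regardless of whether a Core host asked for it, so that rule is worth watching in switch ACL logs. The port-group approach in the third scenario is narrower because it only opens one destination port on Core and its matching replies.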