ER605 V2 : 2 LAN Setup connected to "unmanaged" switch - Firewall rules

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2022-10-16 03:03:36
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version:

Hey there,

 

This is what I am planning to do.....

 

VLAN100 192.168.100.XXX

VLAN->Ports

  1. Remove (uncheck checkbox) ports 4 and 5
  2. Include (check checkbox) ports 2 and 3 and dropdown is UNTAG

Hence for VLAN100, ports 4 and 5 do not work and ports 2 and 3 are untagged (note: I am not using VLANs, though I do tag them as VLAN100).

 

VLAN107 192.168.107.XXX

VLAN->Ports

  1. Remove (uncheck checkbox) ports 2 and 3
  2. Include (check checkbox) ports 4 and 5 and dropdown is UNTAG

Hence for VLAN107, ports 2 and 3 do not work and ports 4 and 5 are untagged (note: I am not using VLANs, though I do tag them as VLAN107).

 

The above configuration will help me as follows: 

  1. An UNMANAGED switch connected to ports 2 or 3 will receive addresses in the 192.168.100.XXX range
  2. An UNMANAGED switch connected to ports 4 or 5 will receive addresses in the 192.168.107.XXX range

 

I am doing this because I do not want to buy managed switches and would like to reuse my existing unmanaged switches.

 

Now my questions:

How do I set up firewall rules such that:

  1. 192.168.100.XXX traffic to 192.168.107.XXX is allowed, and 192.168.100.XXX can access the internet
  2. 192.168.107.XXX traffic to 192.168.100.XXX is blocked, and 192.168.107.XXX can access the internet

 

I do have the OMADA controller as well. Can I establish the above rules in my ER605 switch? If so, can you please show me screenshots of how I can accomplish this?

 

Thank you

 

 

 

#1
Re:ER605 V2 : 2 LAN Setup connected to "unmanaged" switch - Firewall rules
2022-10-16 09:32:24

  @vsk1 

 

There are a couple of approaches you can try, but I'm not certain they would work, as blocking 107 communicating with 100 would inherently conflict with any rule allowing 100 to communicate with 107. Think about it: let's say you have device A on LAN 107, and device B, your laptop, on LAN 100. You want to access device A's GUI from device B, so you can send packets to it, but the return packets would get blocked, so the interface would never load.

 

I have tried something similar with LAN <> LAN ACLs and also using IP Groups and was unable to get it to work due to the above.

#2
Re:ER605 V2 : 2 LAN Setup connected to "unmanaged" switch - Firewall rules
2022-10-16 20:04:10

  @GRL 

GRL wrote

  @vsk1 

 

There are a couple of approaches you can try, but I'm not certain they would work, as blocking 107 communicating with 100 would inherently conflict with any rule allowing 100 to communicate with 107. Think about it: let's say you have device A on LAN 107, and device B, your laptop, on LAN 100. You want to access device A's GUI from device B, so you can send packets to it, but the return packets would get blocked, so the interface would never load.

 

I have tried something similar with LAN <> LAN ACLs and also using IP Groups and was unable to get it to work due to the above.

 

I am not an expert in firewall rules but what you are saying is incorrect based on my understanding.

 

IMHO you can create rules where 100 can talk to 107 but 107 cannot talk to 100 using inbound and outbound rules.

 

Can anybody else chime in? TP-Link, can you please chime in?

 

#3
Re:ER605 V2 : 2 LAN Setup connected to "unmanaged" switch - Firewall rules
2022-10-18 07:12:50

  @vsk1 

 

As far as I know, the ER605 is not currently supported; the ER7206 can be set up in standalone mode like this, see this:

How to implement VLAN unidirectional access through ACL configuration

 

The good news is that the latest release of controller 5.6.3 now supports the setting of Stateful ACLs, but you'll need to wait for a firmware update for the Omada gateway that is compatible with controller 5.6.3.

Just striving to develop myself while helping others.
#4
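GRL's post describes the return-packet problem with a stateless LAN <> LAN ACL, and Virgo's post points to stateful ACLs as the fix. The simulation below is an added example, not code from this thread or TP-Link's implementation: it runs the original poster's "100 may reach 107, 107 may not reach 100" policy through a stateless lookup and through the same rules backed by a session table. The /24 masks, host addresses and ports are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Subnets from the thread; the /24 masks are an assumption (posts only say 192.168.100.XXX)
VLAN100 = ip_network("192.168.100.0/24")  # trusted LAN: laptop, NAS
VLAN107 = ip_network("192.168.107.0/24")  # IoT LAN: cameras

# The poster's rule table: first match wins, anything unmatched is permitted
ACL = [
    (VLAN100, VLAN107, "permit"),
    (VLAN107, VLAN100, "deny"),
]


def acl_lookup(src, dst):
    """Stateless lookup: every packet is judged alone, with no memory of earlier packets."""
    for rule_src, rule_dst, action in ACL:
        if ip_address(src) in rule_src and ip_address(dst) in rule_dst:
            return action
    return "permit"


class StatefulAcl:
    """Same rule table plus a session table, so replies to a permitted flow are permitted."""

    def __init__(self):
        self.sessions = set()  # (src, sport, dst, dport) of flows already permitted

    def decide(self, src, sport, dst, dport):
        if (dst, dport, src, sport) in self.sessions:  # reverse direction of a known flow
            return "permit"
        action = acl_lookup(src, dst)
        if action == "permit":
            self.sessions.add((src, sport, dst, dport))
        return action


LAPTOP, CAMERA = "192.168.100.20", "192.168.107.50"  # constructed hosts (device B, device A)


def gui_access(stateful):
    """Laptop B opens camera A's web GUI; returns (request decision, reply decision)."""
    if not stateful:
        return acl_lookup(LAPTOP, CAMERA), acl_lookup(CAMERA, LAPTOP)
    fw = StatefulAcl()
    return fw.decide(LAPTOP, 51000, CAMERA, 80), fw.decide(CAMERA, 80, LAPTOP, 51000)


def camera_initiates():
    """Camera A opens a new connection to the laptop: denied under both models."""
    return acl_lookup(CAMERA, LAPTOP), StatefulAcl().decide(CAMERA, 554, LAPTOP, 51001)
```

With the stateless lookup the camera's reply is dropped, which is exactly the GUI-never-loads symptom GRL describes; with the session table the reply is permitted while a camera-initiated connection to the laptop is still denied.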
Re:ER605 V2 : 2 LAN Setup connected to "unmanaged" switch - Firewall rules
2022-10-18 20:53:18 - last edited 2022-10-18 21:59:06

  @vsk1 Thank you Virgo.

 

I have almost got mine working with my unmanaged switch and using firewall rules in my Synology NAS, which is accessible only from the private network VLAN 100.

My Synology NAS has multiple LAN inputs (one LAN is connected to VLAN ID 100 192.168.100.XXX, another one to VLAN ID 107 192.168.107.XXX).

The firewall rules in Synology are:

  • ALLOW all inbound traffic from 192.168.100.XXX to access Synology, and
  • DENY all inbound traffic from 107 192.168.107.XXX (IoT) from accessing Synology

The above rules help Synology see all the IP cameras (IoT), but not vice versa.

 

Another question....

 

I would like to buy a controller OC200, but since I am not using VLANs (though I have given VLAN IDs), will the controller get confused? Or can the controller see things on both subnets?

 

I am assuming that if the OC200 is connected to my main subnet (VLAN ID 100 192.168.100.XXX), it should be able to see everything in VLAN ID 107 192.168.107.XXX. Am I correct?

Will this work? If this is the case, I should be able to configure and control any APs connected to either subnet using the controller? Am I right?

 

Please chime in

 

#5
Re:ER605 V2 : 2 LAN Setup connected to "unmanaged" switch - Firewall rules
2022-10-19 05:49:15

  @vsk1 

 

This is not a problem either.

You need to use the Discovery Utility: install this utility on the EAP side and then use it to tell the EAP where in the network it is located, such as the IP address of the EAP controller, and then you can easily manage it.

You will understand the principle when you look at this:

How to manage EAPs in different subnets using Omada controller

Just striving to develop myself while helping others.
#6
Re:ER605 V2 : 2 LAN Setup connected to "unmanaged" switch - Firewall rules
2022-10-22 16:32:41 - last edited 2022-10-22 17:55:00

  @vsk1 I am documenting my journey so far so that others can learn from it.

 

This is what I am trying to accomplish:

 

 

I did a setup similar to this YouTube video. Define two VLANs:

  • VLAN1: 192.168.0.XXX (Range 192.168.0.50 to 192.168.0.100)
  • VLAN2: 176.16.0.XXX (Range 176.16.0.50 to 176.16.0.100)
    LAN1 & LAN2
  • Assign ports to VLAN1: For VLAN1 remove ports 4 & 5 but include and "UNTAG" ports 2 AND 3
  • Assign ports to VLAN2: For VLAN2 remove ports 2 & 3 but include and "UNTAG" ports 4 AND 5
  • Set up firewall rules LAN to LAN: VLAN1 traffic can flow to VLAN2 but not vice versa, and ensure both VLAN1 and VLAN2 can access the internet

 

I was able to create the above scenario in the ER605 V2, but after some time it died!!!! I had to return it. Why this died after working beautifully for 1 day is beyond me. Maybe my setup created lots of conflicts (which a newbie like me did not understand; not sure).

 

BTW, for me I do not like the controller OC200. I returned it after discovering that once used, the "individual" web interfaces of the router and AP are disabled!!! For my small network this is overkill anyway.

 

To obtain the above functionality, should I go ahead and buy another ER605 V2, or am I better off buying the ER7206, as Virgo pointed out in his post:

"As far as I know, ER605 is not currently supported, ER7206 can be set up in standalone mode like this, see this:

How to implement VLAN unidirectional access through ACL configuration"

 

#7