@vsk1 

There are a couple of approaches you can try, but im not certain they would work as blocking 107 communicating with 100 would inherently conflit with any rule allowing 100 to communicate with 107 .Think about it, lets say you have device A on lan 107, and device B your laptop on lan 100.  You want to access Device A gui from device B, so you can send packets to it, but the return packets would get blocked so the interface would never load

I have tried something similar with LAN <> LAN ACLs and also using IP Groups and was unable to get it to work due to the above

  @GRL 

GRL wrote

  @vsk1 

 

There are a couple of approaches you can try, but im not certain they would work as blocking 107 communicating with 100 would inherently conflit with any rule allowing 100 to communicate with 107 .Think about it, lets say you have device A on lan 107, and device B your laptop on lan 100.  You want to access Device A gui from device B, so you can send packets to it, but the return packets would get blocked so the interface would never load

 

I have tried something similar with LAN <> LAN ACLs and also using IP Groups and was unable to get it to work due to the above

I am not an expert in firewall rules but what you are saying is incorrect based on my understanding.

IMHO you can create rules where 100 can talk to 107 but 107 cannot talk to 100 using inbound and outbound rules.

Can anybody else chime in? TP Link can you please chime in ?

  @vsk1 Thank you Virgo.

I have almost got mine working with my unmanaged switch and using firewall rules in my synology NAS which is accessible only from private network VLAN 100.

My Synology NAS has multi LAN INPUTS (One LAN is connected to VLAN ID 100 192.168.100.XXX another one to VLAN ID 107 192.168.107.XXX).

Firewall rules in synology are:

•  ALLOW all inbound traffic from 192.168.100.XXX to access synology  and
•  DENY all inbound traffic from 107 192.168.107.XXX (IoT)  in accessing synology 

The above rules helps synology to see all the IP cameras (IoT) but not vice versa.

Another question....

I would like to buy a controller OC200 but since I am not using VLANS (thought I have given VLAN ID's) will the controller get confused? Or

can the controller see things on both the subnets?

I am assuming if OC200 is connected to my main subnet  (VLAN ID 100 192.168.100.XXX  ) it should be able to see everything in VLAN ID 107 192.168.107.XXX - Am I correct?

Will this work? If this is the case, I should be able to configure and control any AP's connected to either subnet using the controller? Am I right?

Please chime in

  @vsk1 I am documenting my journey so far so that others can learn from it.

This is what I am trying to accomplish:

I did a setup similar to this youtube video. Define two VLANS

• VLAN1: 192.168.0.XXX (Range 192.168.0.50 to 192.168.0.100)

• VLAN2: 176.16.0.XXX (Range 176.16.0.50 to 176.16.0.100)
  LAN1 & LAN2

• Assign ports to VLAN1: For VLAN1 remove ports 4 & 5 but include and "UNTAG" ports 2 AND 3

• Assign ports to VLAN2: For VLAN2 remove ports 2 & 3 but include and "UNTAG" ports 4 AND 5

• Setup firewall rules LAN to LAN .. VLAN1 traffic can flow to VLAN2 but not vice versa and ensure both VLAN1 and VLAN2 can access the internet

I was able to create the above scenario in ER605 V2 but after some time it died!!!! I had to return the same. Why this died after working beautifully for 1 day is beyond me. Maybe my setup created lots of conflicts (which a newbie like me did not understand - not sure).

BTW, For me I do not like the controller OC200. I returned if after discovering that once used, the "individual" web interface of the router and AP are disabled!!! For my small network this is a overkill anyway.

To obtain the above functionality should I go ahead and buy another ER605 V2 or better off buying ER7206 as virgo pointed out in his post

"As far as I know, ER605 is not currently supported, ER7206 can be set up in standalone mode like this, see this：

How to implement VLAN unidirectional access through ACL configuration"