ACL priority in Omada SDN with Omada Router, Omada Switch and EAP

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-02-28 12:37:30 - last edited 2023-03-14 02:55:54

Hi all,

 

I'm confused about the priority of the ACL rules and how they would work.

 

My setup is a ER7206 connected to a SG2218 and EAP245 wifi points.

So I have the possibility to make Gateway-ACL rules, Switch-ACL and EAP-ACL.

 

If I setup Gateway and Switch ACL rules, when will they be triggered? I see 2 options

 

1) ACL rules are applied when they pass through the device (Gateway or Switch)

  • In this case I would be missing stateful ACLs in the switch.
  • If a switch ACL is triggered, would the gateway ACL still be used? Even if the packages are only handled in the switch?

 

2) ACL rules are managed through the Omada Controller. All ACL rules are applied to all packages regardless of where they show up (EAP, Switch, Gateway)

  • In this case, are Gateway rules first, followed by Switch and finally EAP?

 

And last question, where can I find the native rules for ACL that are inside the TP equipment?

 

Trying to set up VLAN isolation for IoT and guests, but with AirPlay possibilities to the TV (on the IoT VLAN) for guests and local users.

 

Thanks for helping me understand ACL better.

 

 

#1
Re:ACL priority in Omada SDN with Omada Router, Omada Switch and EAP
2023-03-09 14:32:47

@Pinnemans Is there really nobody that would know this? Or would somebody know where to find anything around this?

 

#2
Re:ACL priority in Omada SDN with Omada Router, Omada Switch and EAP
2023-03-13 19:45:34

I have started to play around with the rules.

Created a Test-VLAN, connected that to my other laptop and pinged my LAN.

No rule: ping works (adjusted the firewall rule of the target to allow the ping from local IPs)

 

Gateway ACL Deny Test-VLAN to LAN: ping works

So this only works if it passes the gateway. When the switch is able to handle this, all is handled there.

 

Switch ACL Deny Test-VLAN to LAN: no more ping

 

Switch ACL Deny Test-VLAN to MAC address of LAN device: ping works

So it seems Switch ACLs do not handle MAC groups (why you can select them is beyond me).

Tried a MAC-to-MAC group deny rule as well, without effect.

 

So MAC groups only work on EAP rules (used it for an IoT device with an unsecured WLAN that only accepts that MAC address).

 

Not sure how to use the stateful LAN-LAN gateway ACL on my LAN. This seems more for LAN-WAN or WAN-in traffic or for VPN connections.

 

Hopefully this is helpful for others.

 

 

#3
Re:ACL priority in Omada SDN with Omada Router, Omada Switch and EAP
2023-03-14 02:14:40 - last edited 2023-03-14 02:14:54

Hello @Pinnemans 

 

Pinnemans wrote:

If I setup Gateway and Switch ACL rules, when will they be triggered? I see 2 options

 

1) ACL rules are applied when they pass through the device (Gateway or Switch)

  • In this case I would be missing stateful ACLs in the switch.
  • If a switch ACL is triggered, would the gateway ACL still be used? Even if the packages are only handled in the switch?

 

Yes, ACL rules are applied when they pass through the device (Gateway, Switch, or EAP).

The stateful ACL only exists in the gateway, not in the switch. In other words, there is no stateful ACL in the switch at all.

If a switch ACL is triggered, the gateway ACL would still be used as long as the packets traverse the gateway.

 

And last question, where can I find the native rules for ACL that are inside the TP equipment?

 

Trying to set up VLAN isolation for IoT and guests, but with AirPlay possibilities to the TV (on the IoT VLAN) for guests and local users.

 

The default behavior (native rule) is to permit all.

 

For your demand for allowing only some clients on vlan1 to access specific ports/clients on vlan2, I'm afraid that it might be impossible in Controller mode for the time being (hope it will be possible soon). But it could be achieved when your Omada Router works in Standalone mode: create IP Groups for the specific clients on vlan1 and vlan2 separately (say group1 and group2), then create a Gateway Block ACL with ALL direction to block access from !group1 to !group2.

#4
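As an added illustration (not from the thread or from TP-Link), here is a small Python model of the behaviour the reply above describes: a rule only acts on a device the packet actually traverses, only the gateway has stateful rules, and the native rule is permit all. The device names match the original poster's hardware; the VLAN ranges, client addresses, rule sets and paths are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str             # "permit" or "deny"
    src: str                # source CIDR
    dst: str                # destination CIDR
    stateful: bool = False  # gateway only: replies of established sessions pass

@dataclass
class Device:
    name: str
    kind: str               # "gateway", "switch" or "eap"
    rules: list = field(default_factory=list)

    def verdict(self, src, dst, reply=False):
        # First match wins; no match falls through to the native "permit all".
        for r in self.rules:
            # Only the gateway tracks sessions, so only its stateful rule skips reply packets.
            if r.stateful and self.kind == "gateway" and reply:
                continue
            if ip_address(src) in ip_network(r.src) and ip_address(dst) in ip_network(r.dst):
                return r.action
        return "permit"

def flow_verdict(path, src, dst, reply=False):
    # A packet passes only if every device it actually traverses permits it.
    for dev in path:
        if dev.verdict(src, dst, reply) == "deny":
            return f"deny@{dev.name}"
    return "permit"

TEST_VLAN, LAN = "192.168.50.0/24", "192.168.1.0/24"   # constructed ranges

def experiments():
    # Replay the thread's ping tests against the model; returns test -> verdict.
    gw_deny = Device("ER7206", "gateway", [Rule("deny", TEST_VLAN, LAN, stateful=True)])
    sw_plain = Device("SG2218", "switch")
    sw_deny = Device("SG2218", "switch", [Rule("deny", TEST_VLAN, LAN)])
    a, b = "192.168.50.10", "192.168.1.20"
    return {
        # the deny rule sits on the gateway, but the ping never leaves the switch: ping works
        "gateway_deny_same_switch": flow_verdict([sw_plain], a, b),
        # the same rule bites once the traffic is routed through the gateway
        "gateway_deny_via_gateway": flow_verdict([sw_plain, gw_deny], a, b),
        # a switch rule is enforced wherever the frames are switched
        "switch_deny_same_switch": flow_verdict([sw_deny], a, b),
        # the stateless switch deny also drops replies to a LAN-initiated session
        "switch_deny_reply": flow_verdict([sw_deny], a, b, reply=True),
        # the stateful gateway lets those replies through
        "gateway_deny_reply": flow_verdict([sw_plain, gw_deny], a, b, reply=True),
    }
```

The last two entries show why the poster's point about missing stateful ACLs in the switch matters: a stateless switch deny on Test-VLAN to LAN also drops the return traffic of sessions that LAN clients opened themselves.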