Isolated VLAN Configuration for Omada

2023-03-17 02:24:18 - last edited 2023-05-09 16:42:09

Hello All.

 

I have created a new version of the previous design I shared. In this version, a new VLAN has been added (Isolated).

 

Use Case:

This Isolated VLAN is to complement the limitation of the "Guest" feature for Wireless, specifically the end-device isolation (i.e. all wireless clients connected to Guest WiFi can't see each other). The Guest feature only works for Wireless Clients, so this Isolated VLAN does a similar thing: it prevents Wired Clients in the same VLAN from seeing each other (and also from seeing Clients in other VLANs). The Isolated VLAN end devices must still be able to access the Internet.

 

I have listed all the ACLs needed below, along with the layout. If you want to see the ACL in Action, I have a video uploaded and you'll find the testing and demo at Part 4 of the video.

 

VLAN Info:

  • VLAN 1-Admin (192.168.1.x) - this is the Native/Default VLAN 1. Access to all VLANs, can get granular access to IoT VLAN with VNC and SSH
  • VLAN 10-Home (192.168.10.x) - Access to all except Admin VLAN, granular access to IoT VLAN with VNC and SSH
  • VLAN 20-Guest (192.168.20.x) - Access to Internet only, no access to same-VLAN devices. Wireless ONLY
  • VLAN 30-Cameras (192.168.30.x) - Access to same-VLAN devices only, no Internet
  • VLAN 40-Isolated (192.168.40.x) - Access to Internet only, no access to same-VLAN devices. Wired ONLY
  • VLAN 90-IoT (192.168.90.x) - Access to same-VLAN devices with Internet, granular access to Home VLAN with DNS

 

Device List:

  • ER-7206 v1 / v1.2.3
  • OC-300 v5.7.6 / v1.14.7
  • SG-2210MP v1 / v1.0.7
  • EAP-235 v1 / v3.1.0

 

Note: DNS Server @ Home VLAN: 192.168.10.75

 

ACLs:

For Guests, make sure the Guest Network check box for WiFi is checked.

Gateway ACLs:

  1. Deny Home to Admin
    Direction: LAN > LAN
    Policy: Deny
    Protocols: All
    Source > Network > Home
    Destination > Network > Admin
     
  2. Deny Camera to Internet
    Direction: LAN > WAN
    Policy: Deny
    Protocols: All
    Source > Network > Camera
    Destination > IP Group > IPGroup_Any
     
  3. Deny Camera to All
    Direction: LAN > LAN
    Policy: Deny
    Protocols: All
    Source > Network > Camera
    Destination > Network > Admin
    Destination > Network > Home
    Destination > Network > Guest
    Destination > Network > IoT
    Destination > Network > Isolated

 

Switch ACLs:

  1. Permit VNC to IoT
    Policy: Permit
    Protocols: All
    Source > IP Port Group > (Subnet 192.168.90.1/24, Ports: 5800, 5900)
    Destination > Network > Home
     
  2. Permit SSH to IoT
    Policy: Permit
    Protocols: All
    Source > IP Port Group > (Subnet 192.168.90.1/24, Port: 22)
    Destination > Network > Home
     
  3. Permit DNS Port to Home
    Policy: Permit
    Protocols: All
    Source > Network > IoT
    Destination > IP Port Group > (Subnet 192.168.10.75/32, Port: 53)
     
  4. Deny IoT to All
    Policy: Deny
    Protocols: All
    Source > Network > IoT
    Destination > Network > Admin
    Destination > Network > Home
    Destination > Network > Guest
    Destination > Network > Camera
    Destination > Network > Isolated
     
  5. Permit Isolated To Net
    Policy: Permit
    Protocols: All
    Source > Network > Isolated
    Destination > IP Group > (Subnet 192.168.40.1/32)
     
  6. Permit Isolated To Net Reverse
    Policy: Permit
    Protocols: All
    Source > IP Group > (Subnet 192.168.40.1/32)
    Destination > Network > Isolated
     
  7. Deny Isolated To All and Itself
    Policy: Deny
    Protocols: All
    Source > Network > Isolated
    Destination > Network > Admin
    Destination > Network > Home
    Destination > Network > Guest
    Destination > Network > Camera
    Destination > Network > Isolated
     

 

#1
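A runnable model of the rule set above, added here as an example and not Omada's own evaluation code: it transcribes the post's gateway and switch ACLs as data, evaluates one packet against each list in the post's order, and checks both directions of a session because switch ACLs are stateless. It assumes first-match-wins with an implicit permit for unmatched packets, and reads the post's "192.168.90.1/24" entries as the 192.168.90.0/24 subnet.

```python
import ipaddress

NETS = {"Admin": "192.168.1.0/24", "Home": "192.168.10.0/24", "Guest": "192.168.20.0/24",
        "Camera": "192.168.30.0/24", "Isolated": "192.168.40.0/24", "IoT": "192.168.90.0/24"}

def net(spec):
    # A VLAN name or a CIDR; strict=False reads the post's "192.168.90.1/24" as 192.168.90.0/24.
    return ipaddress.ip_network(NETS.get(spec, spec), strict=False)
def is_lan(ip):
    return any(ip in net(name) for name in NETS)

# (name, action, direction, src, src_ports, [dst, ...], dst_ports); None = any port.
# Rules keep the post's order; first match wins and an unmatched packet is permitted (assumed).
GATEWAY_ACL = [
    ("Deny Home to Admin", "deny", "LAN>LAN", "Home", None, ["Admin"], None),
    ("Deny Camera to Internet", "deny", "LAN>WAN", "Camera", None, ["0.0.0.0/0"], None),
    ("Deny Camera to All", "deny", "LAN>LAN", "Camera", None,
     ["Admin", "Home", "Guest", "IoT", "Isolated"], None),
]
SWITCH_ACL = [
    ("Permit VNC to IoT", "permit", None, "192.168.90.1/24", {5800, 5900}, ["Home"], None),
    ("Permit SSH to IoT", "permit", None, "192.168.90.1/24", {22}, ["Home"], None),
    ("Permit DNS Port to Home", "permit", None, "IoT", None, ["192.168.10.75/32"], {53}),
    ("Deny IoT to All", "deny", None, "IoT", None,
     ["Admin", "Home", "Guest", "Camera", "Isolated"], None),
    ("Permit Isolated To Net", "permit", None, "Isolated", None, ["192.168.40.1/32"], None),
    ("Permit Isolated To Net Reverse", "permit", None, "192.168.40.1/32", None, ["Isolated"], None),
    ("Deny Isolated To All and Itself", "deny", None, "Isolated", None,
     ["Admin", "Home", "Guest", "Camera", "Isolated"], None),
]

def first_match(acl, src, sport, dst, dport):
    """Return (action, rule name) for the first rule that matches one packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, action, direction, sn, sports, dns, dports in acl:
        if (direction == "LAN>WAN" and is_lan(d)) or (direction == "LAN>LAN" and not is_lan(d)):
            continue  # gateway rules are bound to a direction; switch rules have none
        if s not in net(sn) or (sports and sport not in sports) or (dports and dport not in dports):
            continue
        if any(d in net(x) for x in dns):
            return action, name
    return "permit", "implicit permit"

def allowed(src, sport, dst, dport):
    # A packet passes only if neither the switch ACL nor the gateway ACL denies it.
    return all(first_match(acl, src, sport, dst, dport)[0] == "permit"
               for acl in (SWITCH_ACL, GATEWAY_ACL))

def session_ok(client, cport, server, sport):
    # Stateless ACLs: the reply direction must be permitted explicitly, not just the request.
    return allowed(client, cport, server, sport) and allowed(server, sport, client, cport)
```

Running the intended matrix through `session_ok` shows why the VNC, SSH and DNS permits name the reply direction: without them the "Deny IoT to All" entry would drop the server's answers.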
Re:Isolated VLAN Configuration for Omada
2023-03-17 15:17:11

  @Death_Metal thanks for sharing this - it will be helpful in my learning about what is possible and helpful on my own network (although as an ER7212-PC + EAP user, I can't use Switch ACLs). Especially it's helpful that you seem to understand the current limitations of the Omada SDN, which some other tutorials online do not appear to.

 

2 questions:


1/ The "Isolated" VLAN that you defined for wired clients on subnet 192.168.40.x - I think that it applies all of the exact same restrictions as the guest network for WiFi clients on 192.168.20.x. Why not use a single subnet and set of ACLs for both the wired and wireless clients?

 

2/ Is there any special setting needed for IPv6 - for example, must it be turned off, or does it just work with this set of rules?

 



 

#2
Re:Isolated VLAN Configuration for Omada
2023-03-19 18:33:05 - last edited 2023-03-21 11:34:39


Hello @RockPaper, glad to know my post is helping.

  1. It can be done, but I also have several reasons to create a new VLAN:
    • Easier for me to demonstrate the similarity and difference
    • Clarity of VLAN and ACL, easier to troubleshoot by making these pieces separate and the Description simpler
    • Biggest reason, the "isolation" ACL will impact some of the built-in Guest functionality such as Captive Portal Access, which will be blocked by the ACL. I can and have done it in the past, but the video gets even longer :( and I doubt people really watch a very long video. An EAP ACL will be needed and it's just so much simpler to use the built-in Guest checkbox for Wireless clients
  2. I have not personally tested this with IPv6. In the past, IPv6 was limited, but I can't be sure now. If there is no technical limitation (i.e. a setting that can't be done in Omada), I don't see any issue. However, I can't really say at this time with 100% certainty.

 

To expand on item 1, what I did (and I have a video recorded already), was create an Isolated Wireless Network. When I get the chance, I'll upload it.

#3
Re:Isolated VLAN Configuration for Omada
2023-09-10 23:33:37

  @Death_Metal 

Thank you for all of the posts you've made regarding VLAN setups and ACLs. I'm coming across a very ambiguous issue regarding a dedicated gaming server I am hosting on my network.
To put this bluntly, when the game comes to an end, the connection to the server will hang. However, if I disable the ACL rule I created to deny all access to the VLAN I am on, the game will run as intended.

I'm not looking for you to specify an answer to my issue, but I am looking for some guidance on what I can be checking:
- Are there specific logs I can look at regarding the time of the connection issue?
- Is it not necessary to deny all traffic for dedicated gaming servers?
- Is there a way I can define rules to create a DMZ network to host dedicated gaming servers on?

 

Thank you for taking the time to read.

#4
Re:Isolated VLAN Configuration for Omada
2023-10-21 10:23:27
Thank you so much for sharing. This is exactly what I've been searching for. You've made it incredibly simple and easy to understand and follow. Again, thank you for this.
#5
Re:Isolated VLAN Configuration for Omada
2023-10-23 17:18:37 - last edited 2023-10-23 17:19:41

Hey ss1gohan13, sorry for the late reply as I don't usually frequent the forums. I saw a notification from my email and saw your message.

For your main post, it is possible that you made a Switch ACL and that server is expecting a "terminate" message/packet/signal (however it's called) and your server is not getting it. Try to check any documentation related to the network port it is using (i.e. Minecraft is using 25565) and allow bidirectional ACL traffic specific to that server's IP, i.e. /32.

As for the other inquiries:
- I am not aware of that. Maybe there is a setting under Logs but I have never seen that option. When I get the chance, I'll take a look and edit this post.
- Only you can decide that. I know you mentioned it's "dedicated" so the assumption is it's not doing something else, but it will be your call. But whether you dedicate your server or not, if the hardware is not capable, then you'll have issues. Make sure your hardware meets the requirements.
- For Port Forwarding, not ACL, yes you can define a DMZ.

#6
Re:Isolated VLAN Configuration for Omada
2023-11-12 19:07:22 - last edited 2023-11-12 19:08:42

  @Death_Metal 

First: thank you for all your videos. I really learned from them how OMADA works and the concept behind it.

 

Second: I have two questions ;)

 

1. You use "Subnet 192.168.90.1/24" in several rules. What kind of addressing is this? It's an IP address and not a network address. In my point of view it should be "192.168.90.1/32" if you mean the host, or "192.168.90.0/24" if you mean the subnet.

 

2. About this post and isolation. For me it didn't work.

I created a post about what I was trying. Maybe you can help:

https://community.tp-link.com/en/business/forum/topic/640422

#7