ER605 V1 1.2.2 BETA - Two issues

2023-04-07 18:18:55 - last edited 2023-04-09 18:43:49
Model: ER605 (TL-R605)  
Hardware Version: V1
Firmware Version: 1.2.2 Build 20230328 Rel.58400

Hello!

Encountered two issues with this beta.

1. When setting up a Stateful ACL for the IoT network to disallow IoT clients from reaching LANs (more than one), this causes the router to go into a reboot loop and be disconnected from the Omada controller (Omada Hardware Controller V5.9.32 @ OC200).

Setting up only one network in target networks causes no such problem.

2. When a Stateful ACL is set up to disallow IoT -> LAN connections, and there is a DNS server hosted in the LAN, it is no longer possible to allow such a connection using a switch ACL; this does not work:

Dear engineers/programmers, please think about a way to make this work (this should be pretty standard, I think):

- IoT devices can't connect to the secure LAN by default; however, IoT devices can access a DNS server (or other defined IP/Port group) hosted in the secure LAN

- Secure VLAN devices can access the IoT VLAN and IoT VLAN devices can reply to them

- IoT VLAN devices' mDNS broadcasts are sent to the secure LAN

- (Optional?) IoT VLAN devices can't talk to each other

EDIT:

I managed to get most of the above requirements working; I just had to put my DNS server into the IoT VLAN as well and protect it using the FW on my server instead of relying on inconsistent ACL rules.

My setup as of now consists of:

1. Gateway ACL rule to deny IoT network -> LAN network traffic (stateful ACL)

2. Switch ACL rule to deny IoT network -> IoT IP:Port group (all ports)

3. EAP ACL rule to deny IoT network -> IoT IP:Port group (all ports)

Trying to use network -> network in the switch/EAP ACL just broke the entire IoT network, even when using allow rules for the GW/DNS server.

Trying to use network -> IP group had literally no effect.

Therefore, using network -> IP-Port group was the only way to stop traffic between IoT clients.

My DNS server now has an IP in the IoT network but for some reason is not blocked by the above ACL, though trying to access other IoT devices no longer works. So although from a logical and technical aspect it makes no sense, with the above setup I got what I wanted to achieve.

#1

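The policy described in the original post, written out as a small first-match stateful ACL model in Python. This is an added example, not Omada controller code and not something the poster provided: it shows why the IP-Port group permit has to be evaluated before the network-wide deny, and what "stateful" buys for the reply direction of LAN -> IoT traffic. The secure LAN 10.10.10.0/24 and the DNS server 10.10.10.2:53 come from the thread; the IoT VLAN 10.10.20.0/24 and the host addresses are assumptions.

```python
"""First-match stateful ACL model (added example, not Omada code).

Models the IoT policy asked for in the post: deny IoT -> secure LAN,
but permit IoT -> the LAN DNS server, with stateful replies.
The secure LAN 10.10.10.0/24 and DNS 10.10.10.2:53 are from the post;
the IoT VLAN 10.10.20.0/24 and the host addresses are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network

SECURE_LAN = ip_network("10.10.10.0/24")   # from the post
IOT_LAN = ip_network("10.10.20.0/24")      # assumption
DNS_HOST = ip_network("10.10.10.2/32")     # from the post (IP-Port group 10.10.10.2:53)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "udp"

    def reverse(self) -> "Flow":
        """The reply direction of this flow (what the connection table matches on)."""
        return Flow(self.dst, self.src, self.dport, self.sport, self.proto)


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src_net: IPv4Network
    dst_net: IPv4Network
    dports: frozenset = frozenset()  # empty = any destination port

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in self.src_net
                and ip_address(f.dst) in self.dst_net
                and (not self.dports or f.dport in self.dports))


@dataclass
class StatefulACL:
    """Ordered rules, first match wins. When stateful, permitted flows are
    remembered so their replies pass without needing a rule of their own."""
    rules: list
    stateful: bool = True
    default: str = "permit"          # LAN->LAN traffic is permitted unless a rule denies it
    conntrack: set = field(default_factory=set)

    def evaluate(self, f: Flow) -> str:
        if self.stateful and f.reverse() in self.conntrack:   # reply to an established flow
            return "permit"
        for r in self.rules:
            if r.matches(f):
                if r.action == "permit":
                    self.conntrack.add(f)
                return r.action
        if self.default == "permit":
            self.conntrack.add(f)
        return self.default


def iot_policy(permit_dns_first: bool, stateful: bool = True) -> StatefulACL:
    """Build the gateway ACL. The permit for the DNS IP-Port group must sit
    above the network-wide deny, because first match wins. Intra-VLAN
    (IoT -> IoT) traffic never crosses the gateway, so it is not modelled here."""
    permit_dns = Rule("permit", IOT_LAN, DNS_HOST, frozenset({53}))
    deny_iot_to_lan = Rule("deny", IOT_LAN, SECURE_LAN)
    order = [permit_dns, deny_iot_to_lan] if permit_dns_first else [deny_iot_to_lan, permit_dns]
    return StatefulACL(order, stateful=stateful)


def check_policy(acl: StatefulACL) -> dict:
    """Evaluate the flows the post cares about and return the verdicts."""
    iot_dev, lan_dev, dns = "10.10.20.50", "10.10.10.20", "10.10.10.2"  # assumed hosts
    return {
        "iot_dns_query": acl.evaluate(Flow(iot_dev, dns, 40000, 53)),
        "dns_reply": acl.evaluate(Flow(dns, iot_dev, 53, 40000)),
        "iot_to_lan_ssh": acl.evaluate(Flow(iot_dev, lan_dev, 40001, 22, "tcp")),
        "lan_to_iot": acl.evaluate(Flow(lan_dev, iot_dev, 50000, 8123, "tcp")),
        "iot_reply_to_lan": acl.evaluate(Flow(iot_dev, lan_dev, 8123, 50000, "tcp")),
    }


if __name__ == "__main__":
    for first in (True, False):
        print("permit-before-deny" if first else "deny-before-permit",
              check_policy(iot_policy(first)))
    print("non-stateful", check_policy(iot_policy(True, stateful=False)))
```

Run it to print the verdicts for both rule orders. With the permit above the deny, the IoT DNS query passes and everything else IoT -> LAN is dropped; with the deny first (the only order the controller lets you express when an IP-Port group cannot be a LAN-LAN target), the query is dropped too. The non-stateful variant shows the reply from an IoT device to a secure-LAN client being caught by the IoT -> LAN deny, which is exactly what the Gateway ACL's stateful option exists to avoid. Client isolation inside the IoT VLAN and mDNS forwarding are link-layer concerns and are not covered by this L3 model.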
Re:ER605 V1 1.2.2 BETA - Two issues
2023-04-14 03:50:37

Hello @pduchnovsky,

A newer 1.2.3 Beta firmware has been released for trial, please follow the post link below for details.
ER605 V1_1.2.3_Build 20230413 Beta For Trial (Released on Apr 14th, 2023)

You may take your time to upgrade to the 1.2.3_Build 20230413 Beta firmware and confirm whether the issue you encountered has been resolved.

Best Regards! :) Some available EAP firmware for Early Access has been provided here. * EAP Beta Firmware *
#2

Re:ER605 V1 1.2.2 BETA - Two issues
2023-04-14 15:40:30 - last edited 2023-04-14 16:04:51

@Hank21

Thanks for the update, but still, there is no way to do the following with Gateway ACL:

IoT Network -> Deny -> Secure LAN network (e.g. 10.10.10.1/24)

IoT Network -> Permit -> Secure LAN DNS Server (IP-Port group, e.g. 10.10.10.2:53)

The only "Direction" that allows using an IP-Port Group as target is [WAN] IN, which clearly has no effect in permitting this traffic.

This does NOT work (meaning IoT clients can't access the DNS server in the secure VLAN, which is desired):

Also, maybe a new bug?

IPv6 was suddenly 'enabled?' for two VLANs after the upgrade, even though in the config of both networks it's set to None.

#3

Re:ER605 V1 1.2.2 BETA - Two issues
2023-04-17 01:49:20

Hello @pduchnovsky,

Did you have any IPv6 settings on the controller?

Please check if the clients in these networks really can obtain an IPv6 address or not.

Best Regards! :)
#4

Re:ER605 V1 1.2.2 BETA - Two issues
2023-04-17 09:03:32 - last edited 2023-04-17 09:05:04

@Hank21 No, I always disable IPv6 in every configuration, and it was never enabled prior to this upgrade.

And yes, clients can get IPv6 addresses, it seems.

#5

Re:ER605 V1 1.2.2 BETA - Two issues
2023-04-19 01:39:27

Hi @pduchnovsky

Generally speaking, if the router is not IPv6 enabled, the clients cannot obtain an IPv6 address.

Could you please check how the clients get IPv6 addresses?

As for the ACL issue, it doesn't support setting an IP-Group when you set a LAN-LAN ACL; thanks for your feedback.

Best Regards! :)
#6

Re:ER605 V1 1.2.2 BETA - Two issues
2023-04-19 07:16:25 - last edited 2023-04-19 08:46:45

@Hank21 That's exactly the point: IPv6 is set to None, and yet the router has been assigning IPv6 addresses since the last update. This was not happening before; the router is giving out IPv6 addresses also in standalone mode with IPv6 disabled.

^ only one DHCP server detected.

"As for the ACL issue, it doesn't support setting IP-Group when you set LAN-LAN ACL, thanks for your feedback."

Does this mean it will get implemented as a feature soon? Because without this, the LAN-LAN ACL rules are pretty limited.

#7

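Hank21 asks above how the clients get their IPv6 addresses, and the reply is that they do even though IPv6 is set to None. An added example (not from the thread and not TP-Link tooling) of how to answer that question from a Linux client: parse the output of `ip -6 addr show` and `ip -6 route show`, classify each global address as SLAAC, SLAAC temporary or (heuristically) DHCPv6, and pull out the link-local address of the router whose Router Advertisement installed the default route. The two sample outputs are constructed; the documentation prefix 2001:db8::/32, the interface name and the router address fe80::1 are placeholders.

```python
"""Classify a Linux client's IPv6 addresses and find the advertising router.

Added example. ADDR_SAMPLE and ROUTE_SAMPLE are constructed `ip -6 addr show`
and `ip -6 route show` outputs using the documentation prefix 2001:db8::/32
and an assumed router link-local address fe80::1.
"""
import re
import subprocess

ADDR_SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:10:20:1a2b:3c4d:5e6f:7a8b/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86383sec preferred_lft 14383sec
    inet6 2001:db8:10:20:9d1e:f00d:aaaa:bbbb/64 scope global temporary dynamic
       valid_lft 86383sec preferred_lft 14383sec
    inet6 fe80::1a2b:3c4d:5e6f:7a8b/64 scope link
       valid_lft forever preferred_lft forever
"""

ROUTE_SAMPLE = """\
2001:db8:10:20::/64 dev eth0 proto ra metric 100 expires 86383sec pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 100 expires 1783sec pref medium
"""

IFACE_RE = re.compile(r"^\d+:\s+([^:\s]+):")
ADDR_RE = re.compile(r"^\s+inet6\s+(\S+)/(\d+)\s+scope\s+(\S+)\s*(.*)$")
DEFAULT_RE = re.compile(r"^default via (\S+) dev (\S+) proto (\S+)")


def parse_ip6_addrs(text: str) -> list:
    """One dict per inet6 line: iface, addr, prefixlen, scope and the flag words."""
    out, iface = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m:
            addr, plen, scope, rest = m.groups()
            out.append({"iface": iface, "addr": addr, "prefixlen": int(plen),
                        "scope": scope, "flags": rest.split()})
    return out


def origin(entry: dict) -> str:
    """Heuristic classification of how an address was configured."""
    flags = entry["flags"]
    if "dynamic" not in flags:
        return "static"             # configured by hand or by the OS installer
    if "temporary" in flags:
        return "slaac-temporary"    # RFC 4941 privacy address, derived from an RA prefix
    if "mngtmpaddr" in flags or entry["prefixlen"] == 64:
        return "slaac"              # stable address built from an RA prefix
    return "dhcpv6"                 # dynamic /128 without SLAAC flags: a DHCPv6 lease (heuristic)


def parse_ra_routers(text: str) -> list:
    """(router link-local, interface) for every default route learned from an RA."""
    return [(m.group(1), m.group(2))
            for m in map(DEFAULT_RE.match, text.splitlines())
            if m and m.group(3) == "ra"]


def ipv6_report(addr_text: str, route_text: str) -> dict:
    globals_ = [dict(a, origin=origin(a)) for a in parse_ip6_addrs(addr_text)
                if a["scope"] == "global"]
    return {"ipv6_in_use": bool(globals_), "global_addrs": globals_,
            "ra_routers": parse_ra_routers(route_text)}


def live_report() -> dict:
    """The same report for the running host (Linux with iproute2)."""
    def run(*args):
        return subprocess.run(args, capture_output=True, text=True, check=True).stdout
    return ipv6_report(run("ip", "-6", "addr", "show"), run("ip", "-6", "route", "show"))


if __name__ == "__main__":
    r = ipv6_report(ADDR_SAMPLE, ROUTE_SAMPLE)
    for a in r["global_addrs"]:
        print(f"{a['iface']}: {a['addr']}/{a['prefixlen']} -> {a['origin']}")
    for via, dev in r["ra_routers"]:
        print(f"default route learned from an RA sent by {via} on {dev}")
```

The useful output is the `ra_routers` entry: the fe80:: address is the link-local address of whatever device is sending Router Advertisements on that VLAN. Compare it with the gateway's own link-local address to tell a router that is still announcing a prefix apart from some other host on the segment doing the same. SLAAC needs only an RA, not a DHCPv6 server, so "only one DHCP server detected" does not rule out the router as the source. `rdisc6 <iface>` (from the ndisc6 package) will also solicit and print the RAs directly if you want to see them live.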
Re:ER605 V1 1.2.2 BETA - Two issues
2023-04-19 08:19:56

@pduchnovsky Hey, I was facing the same reboot loop.

Until I first added this rule:

Following this, the device went into configuring and re-adoption. Once it got connected, I was able to add all ACL rules, with IoT denying every other network, and others.

You must wait, once Rule 1 for LAN => ALL is set, until the router is configured and connected again before adding further rules.

Could you try this and see if it solves the issue?

P.S. I am running all of these ACLs without any issues at the moment. 

#8

Re:ER605 V1 1.2.2 BETA - Two issues
2023-04-20 02:07:48

Hello @pduchnovsky,

Thank you so much for taking the time to post the issue on the TP-Link community!

To better assist you, I've created a support ticket via your registered email address, and escalated it to our support engineer to look into the issue. The ticket ID is TKID230431500, please check your email box and ensure the support email is well received. Thanks!

Once the issue is addressed or resolved, you are welcome to update this topic thread with your solution to help others who may encounter the same issue as you did.

Best Regards! :)
#9