Multiple VLAN Networks missing on ACL rules

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-04-16 23:47:43
Model: OC200  
Hardware Version: V2
Firmware Version: 5.9.32

I've created a network with multiple VLAN IDs. However, when I try to create an ACL rule to prevent other VLANs from communicating with my new VLANs:

Network: Test
Purpose: Interface
VLAN Type: Multiple VLAN
VLAN: 5-6

In the port profiles I can select which VLAN is tagged and untagged. The VLANs from the Multiple VLAN network also appear as "Test (5)" and "Test (6)", so I can control which VLAN is allowed to communicate through that port.

 

Under Network Security -> ACL -> Gateway ACL, I can restrict the network "Test" to a selected network. However, I cannot restrict access based on the VLAN.

Under Network Security -> ACL -> Switch ACL, I can select a VLAN as the binding type, which I thought meant I could restrict access to specific networks. But the network "Test" is missing from the list of networks, even if I choose to bind the ACL to all ports instead of VLANs. The same problem applies to the EAP ACL.

 

My intention:

- IoT devices in a VLAN, connected by both wired and wireless methods.
- These IoT devices may not communicate with other VLANs.
- A VLAN in the same IP range as the IoT devices, for technical reasons, where a group of devices is connected, with access to other VLANs.
- A VLAN in the same IP range as the IoT devices, for technical reasons, where a group of devices is connected, with restricted access to other VLANs.
- Wireless VLAN distribution using PPSK.

Security Advisor in the Netherlands. Main interest in Omada products for CCTV networks.
#1
Re:Multiple VLAN Networks missing on ACL rules
2023-04-17 02:37:19

  @HandokoF 

"A VLAN in the same IP range as the IoT devices due to some technical reasons where a group of devices are connected on. And access to other VLANs"

- Does that mean you want 802.1Q VLANs to separate the IoT network and the main network, but you still want all VLANs in the same IP subnet?

If so, you need a profile that has the main LAN as the "native" network and the IoT VLAN as an untagged network.

Then configure the Switch ACL to deny the IoT IP group to the main network IP group. You cannot find them in the network list because "network" only refers to VLAN interfaces (i.e. networks in different subnets).

#2
Re:Multiple VLAN Networks missing on ACL rules
2023-04-17 12:48:21

@Somnus I understand what you're saying. But a new feature in the Omada SDN is to create a network with multiple VLANs, and these networks are missing from the list of networks in the ACLs. I will now create IP groups with these subnets and bind the rule to the VLAN, so that VLAN 5 in the subnet can access everything and VLAN 6 cannot. But it's still a bug in my opinion.

Security Advisor in the Netherlands. Main interest in Omada products for CCTV networks.
#3
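The workaround described in the two replies above (Somnus's IP-group deny rule, and HandokoF's plan to bind that rule to a VLAN so that VLAN 5 and VLAN 6 in one subnet get different policies) can be illustrated with a small evaluator. This is an added example, not Omada controller code and not anything posted in the thread; the subnets, IP group names, rule names and the default-permit behaviour are all assumptions constructed for the demonstration.

```python
# Added example (not Omada code): a toy switch-ACL evaluator that models the
# workaround from this thread. VLAN 5 and VLAN 6 share one subnet, so a rule
# that only sees networks/subnets cannot treat them differently; a switch ACL
# bound to a VLAN and matching on IP groups can.
# All addresses, group names and rule names below are constructed for the
# example and are not taken from the thread.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed IP groups, keyed by name, each a list of CIDR prefixes.
IP_GROUPS = {
    "Test_subnet": ["10.0.50.0/24"],  # assumed subnet shared by VLAN 5 and VLAN 6
    "Main_LAN": ["10.0.1.0/24"],      # assumed "other" network to protect
}


@dataclass(frozen=True)
class Frame:
    vlan: int   # 802.1Q VLAN the frame arrived on
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address


@dataclass(frozen=True)
class SwitchAclRule:
    name: str
    action: str               # "permit" or "deny"
    src_group: str            # key into IP_GROUPS
    dst_group: str            # key into IP_GROUPS
    bind_vlan: Optional[int]  # None models "bind to all ports" (no VLAN binding)

    def matches(self, frame: Frame) -> bool:
        # A VLAN-bound rule only applies to traffic on that VLAN.
        if self.bind_vlan is not None and frame.vlan != self.bind_vlan:
            return False
        return _in_group(frame.src, self.src_group) and _in_group(frame.dst, self.dst_group)


def _in_group(addr: str, group: str) -> bool:
    ip = ip_address(addr)
    return any(ip in ip_network(prefix) for prefix in IP_GROUPS[group])


def evaluate(rules: list, frame: Frame) -> tuple:
    """First matching rule wins; no match falls through to permit.
    Default-permit is an assumption of this toy, chosen so the only effect
    shown is the explicit deny rule."""
    for rule in rules:
        if rule.matches(frame):
            return rule.action, rule.name
    return "permit", "implicit default"


# Workaround from post #2: one deny rule, bound to VLAN 6 only.
VLAN_BOUND_RULES = [
    SwitchAclRule("deny_vlan6_to_main", "deny", "Test_subnet", "Main_LAN", bind_vlan=6),
]

# What a subnet-only rule (no VLAN binding) would do to the same traffic.
SUBNET_ONLY_RULES = [
    SwitchAclRule("deny_test_to_main", "deny", "Test_subnet", "Main_LAN", bind_vlan=None),
]


def demo() -> dict:
    """Evaluate three constructed frames under both rule sets."""
    frames = {
        "vlan5_to_main": Frame(5, "10.0.50.10", "10.0.1.20"),
        "vlan6_to_main": Frame(6, "10.0.50.11", "10.0.1.20"),
        "vlan6_same_subnet": Frame(6, "10.0.50.11", "10.0.50.10"),
    }
    return {
        label: {
            "vlan_bound": evaluate(VLAN_BOUND_RULES, f)[0],
            "subnet_only": evaluate(SUBNET_ONLY_RULES, f)[0],
        }
        for label, f in frames.items()
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:18s} vlan-bound={result['vlan_bound']:6s} subnet-only={result['subnet_only']}")
```

Running it shows the distinction the thread is about: with the rule bound to VLAN 6, a VLAN 5 host reaches the main LAN while a VLAN 6 host in the very same subnet is denied, and traffic staying inside the shared subnet is untouched. The subnet-only rule denies both VLANs, because at the IP layer they are indistinguishable.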
Re:Multiple VLAN Networks missing on ACL rules and other parts
2023-04-26 12:15:13 - last edited 2023-04-26 12:17:56

Update: I've tried to add my multi-VLAN network to the mDNS repeater networks. Sadly this isn't possible either. My multi-VLAN LAN network isn't recognised as a network by the Omada Controller.

 

@Hank21 or @Fae, is it possible to come up with a fix?

 

Complete list

Security Advisor in the Netherlands. Main interest in Omada products for CCTV networks.
#4
Re:Multiple VLAN Networks missing on ACL rules
2023-04-27 04:59:02 - last edited 2023-04-27 04:59:16

Hello @HandokoF 

 

Thank you for your valuable feedback.

 

The network "test" is created on the LAN network of the gateway. The VLANs added in the multiple VLAN network "test" are not "networks" for the gateway, so the specific VLANs will not be shown in the network list of the gateway ACL.

 

As for the network "test" missing from the network list of the Switch ACL and EAP ACL, I'm wondering whether you really need to configure it there. As far as I know, Multiple VLAN was mainly added for Multi Dwelling Unit (MDU) scenarios, to easily achieve isolation among multiple "residents"; based on this, configuring further ACL or mDNS on the multiple VLAN network seems a bit strange to me. If you need inter-VLAN communication, adding a single VLAN might be a better practice.

 

If you think it is necessary to add the multiple VLAN networks in the network list of the Switch ACL, EAP ACL, and mDNS, please feel free to let us know. It will be much appreciated if you can provide some reasons including the actual usage scenarios for our further evaluation. Thanks!

#6