Two ACL (Firewall) Questions
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Trying to figure out a couple of things about the ER605v2 / Omada Firewall setup:
1. Gateway vs. Switch vs. EAP ACL's
Going to Site Settings -> Network Security -> ACL, I see three tabs/sections.
Looks to me like most stuff I'm used to while setting up a stateful firewall, I'd do most stuff in the Gateway ACL tab/section.
But it seems I can also add layer 3 rules in the Switch ACL section (I was expecting mostly layer 2 stuff).
I guess If you're mostly running Omada switches, then the benefit would be that the filtering/processing is offloaded/moved closer to the user (as in handled by Switch CPU's instead of at the router)?
(Also not sure when I would benefit from putting rules in the EAP ACL section.)
Since my current (lab) setup has a mix of different switches, I guess I should just stick with *Gateway ACL* rules?
2. Site Settings -> Profiles -> Groups
As for adding groups, it seems I can specify IPv4 and IPV6 subnets. I guess I have to add multiple /32 entries for individual address if the addresses doesn't all match a fitting subnet, since there seems to be no IP range option.
But is there a way to add more dynamic rules, using DNS to resolve IP addresses?
(In another firewalll brand, I'm used to having a whitelist, where I add/define the FQDN of multiple Dynamic DNS hosts. And they're resolved to IP addresses using DNS.)
Yes, more trying to understand the logic behind dividing into these ACL sections.
So, offloading processing to the switches (if they're Omada switches) might be one.
I guess I could also achieve more fine grained control. To do that, I'd have to know rules for precedence. Like if Switch ACL rules would override Gateway ACL rules (and EAP rules overriding Switch rules) ... 