Two ACL (Firewall) Questions

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Two ACL (Firewall) Questions

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Two ACL (Firewall) Questions
Two ACL (Firewall) Questions
2023-06-23 19:52:20
Tags: #Gateway ACL #Groups
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.1.2

Trying to figure out a couple of things about the ER605v2 / Omada Firewall setup:

 

1. Gateway vs. Switch vs. EAP ACL's

Going to Site Settings -> Network Security -> ACL, I see three tabs/sections.
Looks to me like most stuff I'm used to while setting up a stateful firewall, I'd do most stuff in the Gateway ACL tab/section.
But it seems I can also add layer 3 rules in the Switch ACL section (I was expecting mostly layer 2 stuff).

I guess If you're mostly running Omada switches, then the benefit would be that the filtering/processing is offloaded/moved closer to the user (as in handled by Switch CPU's instead of at the router)?
(Also not sure when I would benefit from putting rules in the EAP ACL section.)

 

Since my current (lab) setup has a mix of different switches, I guess I should just stick with *Gateway ACL* rules?

 

2. Site Settings -> Profiles -> Groups

As for adding groups, it seems I can specify IPv4 and IPV6 subnets. I guess I have to add multiple /32 entries for individual address if the addresses doesn't all match a fitting subnet, since there seems to be no IP range option.

 

But is there a way to add more dynamic rules, using DNS to resolve IP addresses?
(In another firewalll brand, I'm used to having a whitelist, where I add/define the FQDN of multiple Dynamic DNS hosts. And they're resolved to IP addresses using DNS.)

  0      
  0      
#1
Options
3 Reply
Re:Two ACL (Firewall) Questions
2023-06-26 07:17:59

  @flips01 

 

As I know, now ER605 latest firmware has supported setting the port PVID for the router, which means you can also employ the multiple subnets though you haven't a switch.

And I thought the gateway ACL can meet your needs.

Just striving to develop myself while helping others.
  0  
  0  
#2
Options
Re:Two ACL (Firewall) Questions
2023-06-26 11:37:05

Yes, more trying to understand the logic behind dividing into these ACL sections.

So, offloading processing to the switches (if they're Omada switches) might be one.

I guess I could also achieve more fine grained control. To do that, I'd have to know rules for precedence. Like if Switch ACL rules would override Gateway ACL rules (and EAP rules overriding Switch rules) ... angel

  0  
  0  
#3
Options
Re:Two ACL (Firewall) Questions
2023-06-27 01:39:53

  @flips01 

 

From my knowledge, the Gateway ACL is mainly used to restrict the LAN-WAN side data. But the Switch ACL can only restrict the LAN-LAN ACL, and you can find that the LAN-LAN direction is also supported in gateway ACL  now(it didn't support it before on the controller) so that we can also set gateway ACL to achieve the inter-VLAN routing though we don't have a switch in the network.

 

But EAP ACL is mainly used to restrict wireless data.

Just striving to develop myself while helping others.
  0  
  0  
#4
Options