Two ACL (Firewall) Questions
Trying to figure out a couple of things about the ER605v2 / Omada Firewall setup:
1. Gateway vs. Switch vs. EAP ACLs
Going to Site Settings -> Network Security -> ACL, I see three tabs/sections.
Looks to me like most stuff I'm used to while setting up a stateful firewall, I'd do most stuff in the Gateway ACL tab/section.
But it seems I can also add layer 3 rules in the Switch ACL section (I was expecting mostly layer 2 stuff).
I guess if you're mostly running Omada switches, then the benefit would be that the filtering/processing is offloaded/moved closer to the user (as in handled by Switch CPUs instead of at the router)?
(Also not sure when I would benefit from putting rules in the EAP ACL section.)
Since my current (lab) setup has a mix of different switches, I guess I should just stick with *Gateway ACL* rules?
2. Site Settings -> Profiles -> Groups
As for adding groups, it seems I can specify IPv4 and IPv6 subnets. I guess I have to add multiple /32 entries for individual addresses if the addresses don't all match a fitting subnet, since there seems to be no IP range option.
But is there a way to add more dynamic rules, using DNS to resolve IP addresses?
(In another firewall brand, I'm used to having a whitelist, where I add/define the FQDN of multiple Dynamic DNS hosts. And they're resolved to IP addresses using DNS.)
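
For the subnet-only group entries described in question 2, here is an added example (not part of the original post and not Omada code) that reduces a mix of single addresses, subnets and start-end ranges to the smallest equivalent list of CIDR entries. The function name `to_group_entries` and the sample addresses are assumptions made for illustration; the only thing taken from the post is that a group accepts IPv4 and IPv6 subnets.

```python
import ipaddress

# Constructed sample input (documentation address ranges, not from the post).
SAMPLE = [
    "192.0.2.10",
    "192.0.2.11",
    "192.0.2.12-192.0.2.20",
    "198.51.100.0/25",
    "198.51.100.128/25",
    "2001:db8::1",
]


def to_group_entries(items):
    """Return the smallest list of CIDR subnets covering exactly the given
    single addresses, subnets and 'start-end' ranges (hypothetical helper)."""
    nets = {4: [], 6: []}  # IPv4 and IPv6 cannot be collapsed together
    for item in items:
        item = item.strip()
        if "-" in item:
            start, end = (ipaddress.ip_address(p.strip())
                          for p in item.split("-", 1))
            if start.version != end.version or start > end:
                raise ValueError(f"bad range: {item}")
            # A range usually needs several subnets to be covered exactly.
            found = ipaddress.summarize_address_range(start, end)
        else:
            # strict=True rejects entries with host bits set (10.0.0.5/24),
            # which would otherwise silently widen the group.
            found = [ipaddress.ip_network(item, strict=True)]
        for net in found:
            nets[net.version].append(net)
    # collapse_addresses merges adjacent and overlapping networks.
    return [str(n) for v in (4, 6)
            for n in ipaddress.collapse_addresses(nets[v])]


if __name__ == "__main__":
    for entry in to_group_entries(SAMPLE):
        print(entry)
```

The eleven addresses from 192.0.2.10 to 192.0.2.20 come out as four entries instead of eleven /32 lines, and the two adjacent /25 subnets merge into one /24.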