Hi @Daggett 

Thanks for posting in our business forum.

Has anyone been able to properly setup any ACL's for their omada wireguard vpn config's so it will not route and allow access to all the vlans in your networks?  Documentation is close to meh at best for cloud omada configurations.

The Omada Controller cloud equals the basic none-cloud one. The only difference was the adoption. Most other features are the same.

Daggett wrote

It seems no matter where or how I try to create an ACL I can get to any and every single one of my vlans.

Can you post your configuration here so that I can verify your ACL? Are you using Gateway ACL?

What other devices do you have? Switch?

  @Clive_A 

I have tried ACL's at every level Gateway, Switch, and EAP. At this point in time it looks to be only wired clients connected to the switch that I am able to access when connected externally with Wireguard. As for the TP Link documentation for setting up wireguard I will have to look at it again but the way it said to set up wireguard did not work for me using the hardware controller at the time which is why I looked elsewhere. Currently the config I have works minus the access accross all vlans on the with the devices plugged into the switch. 

Hi @Daggett 

What did you put in here? Your whole LAN network?

In your ACL setup, have you tried to include the Local IP Address in your Wireguard to the ACL of "Deny"?

Your goal is to exclude Wireguard clients to access all of your VLANs. But I don't see any of the ACL you created to fit that.

  @Clive_A 

192.168.0.XXX is the Wireguard

10.100.100.XXX is the LAN

I had created ACL rules that didn't work and before the start of this thread were deleted from the Switch and Gateway to save myself from later confusion. It should be noted the wireless clients connected to the AP's as of currently I cannot reach through the vpn on physically connected clients via ethernet to the switch. 

The gateway/switch ACL used the IPGroup (for Wiregaurd) to Network (for local vlans) that blocked all traffic to all internal vlans with the reverse rule checked and it still allowed access to everything. I had manually created the IPGroup with the range Wireguard is using since there is no local LAN/VLAN under the wired networks lan tab since that breaks the vpn for me.

1. I recreated all the ACL policies I originally deleted and the policies still didn't work.

2. I then pulled my v1 er605 off the shelf and put it in place of the v2 and the acl rules worked.

3. Removed the v2 er605 from my tplink account and factory defaulted it.

4. Upon re-adding it back to my account and putting it back as my primary router the acl rules started working properly with it. 

The only difference I made to the wireguard group from my original setup was to specify the range using /24 vs /32 so I wouldn't have to individually re-add/specify the clients in the range for wireguard that I use. All the wireguard ACL's I use reference that group for wireguard at the switch and eap level.