@yavin 

 

Def @Clive_A  could comment on the intervlan speed issue and the ACL limitations.

 

But have you tried entering the ACLs in stand-alone mode?  See if you get the same error?

 

Also comparing a PFsense box to a ER605 is apples and oranges.  More like an Apple to a Watermelon.  

  @KimcheeGUN 

 

Thanks for reply :)

 

Testing Er605 in Stand-alone mode ACLs at the moment. I´ll give feedback in this thread.

 

Don´t want to compare ER-605 with PF or Opn, but i need only an firewall with my need of standard rules and settings like block inter-vlan-routing, etc.

So, testing:

 

Testing Er605 in Stand-alone mode ACLs at the moment. I´ll give feedback in this thread.

 

In ER-605 Standalone mode i´m able to set rules above 10 ACL ID´s.

Hi @yavin 

Thanks for posting in our business forum.

IP combined is limited to 50 entries. In the ACL config of Omada Controller, if you select more than 1 source/destination, it creates multiple entries in the background.

So, now how many entries do you have in Switch ACL?

 

Regarding the following problems.

yavin wrote

other problems *1:

1. Omada GUI and Safari very slow 
2. no local DHCP-DNS registration for clients to resolve localy 
3. solution for GeoIP or Spamhaus DROP in FW-Rules 
4. inter-vlan-routing in 10G VLANs are capped @1G speed (tested with iperf3 between Linux, Macs, Windows underneath each other too)
5. ACL´s are capped i think to 10 in my case
6. and still some more smaller ones

1. Omada is optimized for Chrome kernel. We recommend you use Chrome kernel-based browser.

2. This has been reported to the dev for evaluation already. No ETA for implementation as other projects are under devlopement with higher priority.

3. GeoIP-based IP ACL has been implemented in the controller. 

4. Can you provide test methodology? Is it capped at around 940Mbps? This may be the limitation of the router as the VLAN interface is created on the router.

  @Clive_A 

 

Thanks for the reply.

 

I was able to successfully configure the intervlan rules all night yesterday with a reconfiguration after full router reset (ER605 v2 fw 2.1.2) for stateful ACLs. -> works !

 

After that ACL creation I settled up an IP-Port Group ACL (80, 443, 22 and 8080) for deny clients access to router GUI at gateway inside VLANs. -> works !

 

But after enabling this ACL rule I was not able to reach internet services. Looking around this problem it figures out that I enabled before set this GUI-ACL rule DNS-Proxy for CloudflareDNS and not able to reach DNS inside VLANs. So Disabled WebGUI rule and worked so far ->

 

May I get help or an solution for this topic ? Which Port is used by DNS-Proxy inside VLANs ?

 

 

Next step was to enable mDNS (HomeKit) for private VLAN and IoT VLAN. In stateful ACL rules private VLAN are able to reach IoT VLAN, but IoT VLAN shouldn’t reach private -> rule works as expected.

HomePods are in private, Hue, power outlets, etc. in IoT.

 

Enabled mDNS under services but I’m not able to get it running so far. Tested more settings in mDNS configuration without success.

 

Thought at this time to try out ER605 v2 forum beta firmware 2.1.4 (20230727) to resolve this problem but get disconnects in Omada OC200 device overview also getting ticks from LAN/VLAN outlets and mDNS also not running as expected -> i´ll waiting for an new stable firmware at this step (see forum threads for 2.1.4 ER605 v2 firmware)

 

 

So far from the „Reset-Configuration-Night“ :)

 

For answers in past replies:

 

1. work like a charm with Firefox under MacOS (master machine)
2. understanding and waiting for deployment
3. Really ? I think I’ve probably overlooked this in the OC200 overview so far. I would be grateful for a little food for thought :)
4. ->

 

Lan contruction is:

 

TC4400 Cable Modem -> WAN ER-605 v2 -> LAN from ER-605 v2 as trunk at Port 5 -> TL-SG3428X Port 1 (trunk from Router) ; OC200 TL-3428X Port2 -> CAT.7 clients all over TL-SG3428X -> old OPNsense SFP+ 10G DAC-cable TL-SG3428X Port24 (offline cause ER-605 v2 configuration) -> TL-SG3428X Port 28 DAC cable Uplink to TL-SX3008F Port 8 (trunk) -> Macs, Linux and Windows machines (all over 10G LC-LC fiber connected) at SX3008F Ports.

 

APs 2x EAP660HD per cat.7 at TL-SG3428X (poe-ejectors from TP-link in lane).

 

Correct VLAN assignment is given and is running perfectly.

 

 

Macs in same VLAN reaching iperf3 performance 9.8G -> check

 

Linux Server and Windows machines in different VLANs reaching iperf3 performance over inter-vlan-routing only ~1G (nearby your expected 980M) -> maybe Trunk downlink 1G to ER-605 v2 ?!?

 

Setting one of the Linux or Windows machines to same VLAN getting full 10G speed.

 

Checked crossover iperf3 client and inverse.

 

Tested to set switch VLAN interfaces for VLANs in OC200 at switch itself and set gateway to switch ip for testing same results.

 

With best regards

 

yavin

 

 

Hope for reply :)

 

P.S.: Backuped config, leave router ER-605 v2 in this config and productive back till resolving main cirumstances for my personality back OPNsense as transition ;)

Addendum: I found the settings for GeoIP in Profiles -> Groups -> Type: Location Group. My mistake, I overlooked it, sorry. So GeoIP check -> works!

Hi @yavin 

Thanks for posting in our business forum.

I suggest you create different topics for your issues. As I am reading multiple questions here.

mDNS, speed issue and DNS proxy(literally the DNS proxy)?

For the mDNS issue, you should create a different topic.

 

DNS proxy is not using any port. If it does, it should be 53. When DNS request reaches the router, it triggers 53. And the router is supposed to send the traffic to the destined server.

If you are talking about this DNS proxy, then the port is vanilla from their type.

 

 

 

Speed test issue is caused by the bottleneck of ER605 LAN port speed and its chipset.