[BUG/Issue] EAP ACL not functioning between wireless connections on the same EAP. (653, 650, 225)
Hello,
After 4 full days of trying and encountering issues every time, it seems there is a bug in the EAPs when combined with EAP ACL rules.
Hardware setup:
- ER605 v2.0 (Firmware Version: 2.1.4 Build 20230727 Rel.40308)
- OC200 1.0 (Controller Version: 5.12.9) (Firmware Version: 1.26.3 Build 20230906 Rel.36269)
- TL-SG2008P v3.0 (Firmware Version: 3.0.5 Build 20230602 Rel.73473)
- TL-SG2008P v3.0 (Firmware Version 3.0.5 Build 20230602 Rel.73473)
- EAP225(EU) v3.0 ( 5.1.0 Build 20220926 Rel. 62456)
- EAP653(EU) v1.0 (1.0.9 Build 20230814 Rel. 36852)
- EAP650(EU) v1.0 (1.0.10 Build 20230814 Rel. 36852)
- EAP653(EU) v1.0 (1.0.9 Build 20230814 Rel. 36852)
My problem:
I want to connect my printers via Wi-Fi to an isolated VLAN. The printer should not be discoverable/usable in the isolated VLAN but should be accessible from another (trusted) VLAN. Unfortunately, this is not working with the "Guest Network" function in the WLAN settings because it makes the printer inaccessible from any other VLAN as well. That's why I'm trying to achieve this with ACL rules.
After much experimentation with Gateway ACL & Switch ACL, I finally realized that traffic between wireless devices doesn't pass through the Switch/Gateway (ACL) but is instead routed through the EAP to the other wireless client. Therefore, I attempted to make the other devices unreachable using EAP ACL rules. I succeeded with these ACL rules:
Furthermore, the rules for both Gateway ACL and Switch ACL are currently empty. The outcome of these rules when I connect with my iPhone to the "Isolated" WiFi network is this scan:
I was thrilled when I saw this! Finally, but then a few hours later, it stopped working altogether. I was going crazy! After a lot of investigation and trial and error, I discovered that my printer and/or I occasionally connect to a different access point (AP). When I tested that, I noticed an issue.
Because when I connect with my iPhone to the same EAP, to which the Canon printer is also connected, all EAP rules no longer "work". Then, suddenly, my result is this:
It appears there is an issue with ACL rules not being processed correctly for users in the same EAP. Is this expected behavior? If so, how can I prevent this from happening?
I have tried the following:
- This issue was present in the latest firmware as well as the beta firmware.
- I have tested each EAP separately, and each EAP exhibits this issue.
- The problem persists even after a restart.
- Even when I block the network in the Gateway/Switch ACL, the issue remains.
- I have also tried resetting everything to factory defaults, but the problem persists.
Additional question:
Furthermore, I am still looking for a way to block the "Bonjour" service using ACL. I want to ensure that Bonjour does not work in my Isolated VLAN but does work in the trusted VLAN where the printer can be found using mDNS. Does anyone have any tips for this?
Currently, the iPhone can discover the printer, but due to the other restrictions in place, it cannot print anything.
I hope you can assist me further. Even if it turns out to be a configuration error rather than a bug, I would appreciate guidance on how to resolve it.
I have also tried to provide as much useful information as possible without including unnecessary details. If anything is missing, please let me know, and I'll be happy to provide any additional information you need.
Thank you very much for your help and support!
@Hank21 Thank you very much! I've received the email and have already responded to a request for more information. I'm patiently awaiting further updates.
I wanted to mention that I really appreciate how seriously this is being taken. Thank you so much for that! I'll provide an update here when it becomes available. 
