Omada Cloud Inbound ACL setup

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Omada Cloud Inbound ACL setup
2023-12-11 23:15:10
Model: ER8411  
Hardware Version: V1
Firmware Version: 1.1.1.1

I'm trying to secure my network and I'd like to do a couple of things:

1. Limit inbound traffic at the gateway to ONLY omada cloud and my OpenVPN client

I know there is a list of ports that Omada uses, but that list is what it is using inside the network (switch-level ACL, I believe) and I just want to allow the necessary ports for the cloud controller and mobile app to work (Gateway ACL from WAN=>LAN IN?), not every single port Omada uses (like discovery). The OpenVPN port is a known port, so that is easy (default). I just need to know the minimum requirements for cloud/app communication and OpenVPN inbound to my network and block everything else.

2. Limit users to only being able to use the gateway as the DNS server as I employ a DNS filter system and want to prevent them from setting their own DNS records (e.g. 8.8.8.8). It would be great if I could set it up that if they make a port 53 request to an IP different than the gateway it also redirected that to the gateway for the answer. This would prevent anything from breaking for a user with custom DNS server but still force my DNS filtering to work.

I have watched a few videos on ACLs, but rarely does anyone deal with WAN-to-LAN ACLs (gateway); it's all about preventing LAN/VLAN interactions.

Thanks for any input!

Re:Omada Cloud Inbound ACL setup
2023-12-12 02:28:54

Hi @OrangeStreet

Thanks for posting in our business forum.

OrangeStreet wrote

I'm trying to secure my network and I'd like to do a couple of things:

1. Limit inbound traffic at the gateway to ONLY omada cloud and my OpenVPN client

I know there is a list of ports that Omada uses, but that list is what it is using inside the network (switch-level ACL, I believe) and I just want to allow the necessary ports for the cloud controller and mobile app to work (Gateway ACL from WAN=>LAN IN?), not every single port Omada uses (like discovery). The OpenVPN port is a known port, so that is easy (default). I just need to know the minimum requirements for cloud/app communication and OpenVPN inbound to my network and block everything else.

The highlighted part, you can try it yourself. I don't hold the same opinion on this.


Search for Omada Domain Names and Omada Controller Ports; you should find two FAQ articles. Those would be your references.

I don't think this plan would work well based on my knowledge and experience.

OrangeStreet wrote

2. Limit users to only being able to use the gateway as the DNS server as I employ a DNS filter system and want to prevent them from setting their own DNS records (e.g. 8.8.8.8). It would be great if I could set it up that if they make a port 53 request to an IP different than the gateway it also redirected that to the gateway for the answer. This would prevent anything from breaking for a user with custom DNS server but still force my DNS filtering to work.

I have watched a few videos on ACLs, but rarely does anyone deal with WAN-to-LAN ACLs (gateway); it's all about preventing LAN/VLAN interactions.

Thanks for any input!

So, even if you have a static IP for everyone, they can still change the DNS server to their own.

If they use DoH, it uses 443. DoT is 853. Both are TCP. It can be masked and would be hard for you to block, as DoH uses 443.

You might need to set up a block rule to blacklist all the DoH domains. This has to be manual. There is no way to work around this, and you need to update it frequently.

As for DoT, 853, you can simply block the port.

Re:Omada Cloud Inbound ACL setup
2023-12-12 15:43:34

@Clive_A

I have run an external pen test on my public IP and found that all inbound connections from the Internet are blocked, which is the correct default setting for a firewall. This proves to me that there is no requirement to have ports enabled from the Internet (WAN) to the internal network for the Omada cloud. It shows that the controller reaches out from internal to external to connect to the Omada cloud, which allows the connectivity (via the 3-way handshake) as I'm not blocking outbound connections. So the answer to question 1 is: no ports need to be allowed from the WAN for the Omada controller to work. HOWEVER, you would need to allow the ports for the connectivity within the LAN for APs, discovery and the management portal at a firewall located in front of the controller (NOT on the WAN side); this might be iptables or Windows Firewall, as an example.

I have also found a video online that shows how to use ACLs to restrict DNS which will work for me. Thanks

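The DNS part of this thread (question 2 in the first post, the DoH/DoT caveat in post #2, and the "restrict DNS with ACLs" approach in post #3) comes down to one question: which resolver-bypass paths can a port-based ACL actually catch? The script below is an added example written for this page; it is not code from the original posts or from TP-Link/Omada, and it does not talk to any Omada device. It simulates a first-match ACL applied to client-originated traffic, with constructed flow records and assumed addresses (the gateway at 192.168.0.1, a hand-picked resolver at 8.8.8.8 as in the first post, an unrelated server at 203.0.113.10, and a small hand-maintained list of DoH resolver addresses). It shows plain DNS to a third-party resolver and DoT on TCP/853 being denied, DoH on TCP/443 passing the same ACL, and what a DNAT-style port-53 redirect (the second wish in the first post) would do to a stray DNS query if the gateway supported it.

```python
"""Simulated gateway ACL for the DNS-enforcement discussion in this thread.

Added example, not from the original posts or from Omada. All addresses,
rules and flows are assumptions constructed for the demonstration.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address
from typing import Optional

GATEWAY = ip_address("192.168.0.1")        # assumed: gateway running the DNS filter
DOH_RESOLVERS = {ip_address("8.8.8.8")}    # assumed: manually maintained DoH list


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: Optional[str]         # None matches any protocol
    dport: Optional[int]         # None matches any destination port
    to_gateway: Optional[bool]   # True: dst must be the gateway; False: must not; None: any
    name: str

    def matches(self, flow: Flow) -> bool:
        if self.proto is not None and flow.proto != self.proto:
            return False
        if self.dport is not None and flow.dport != self.dport:
            return False
        if self.to_gateway is not None and (ip_address(flow.dst) == GATEWAY) != self.to_gateway:
            return False
        return True


# Client-originated traffic, evaluated top-down, first match wins: allow DNS only
# to the gateway, drop DNS to anyone else, drop DoT (TCP/853), allow everything else.
DNS_ACL = [
    Rule("permit", "udp", 53, True, "dns-to-gateway-udp"),
    Rule("permit", "tcp", 53, True, "dns-to-gateway-tcp"),
    Rule("deny", "udp", 53, False, "block-other-dns-udp"),
    Rule("deny", "tcp", 53, False, "block-other-dns-tcp"),
    Rule("deny", "tcp", 853, None, "block-dot"),
    Rule("permit", None, None, None, "default-permit"),
]


def evaluate(acl, flow):
    """Return (action, rule name) for the first matching rule; implicit deny otherwise."""
    for rule in acl:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def looks_like_doh(flow):
    """DoH is ordinary TCP/443; the only port-level handle is a list of resolver addresses."""
    return flow.proto == "tcp" and flow.dport == 443 and ip_address(flow.dst) in DOH_RESOLVERS


def redirect_dns(flow):
    """What a DNAT-style redirect would do: any port-53 flow not already aimed at the
    gateway is rewritten so the gateway (and its filter) answers it instead."""
    if flow.dport == 53 and ip_address(flow.dst) != GATEWAY:
        return replace(flow, dst=str(GATEWAY))
    return flow


def audit(flows):
    """Classify each flow: ACL decision plus whether it is a DoH suspect the ACL lets through."""
    report = []
    for flow in flows:
        action, rule = evaluate(DNS_ACL, flow)
        report.append({"flow": flow, "action": action, "rule": rule,
                       "doh_bypass": action == "permit" and looks_like_doh(flow)})
    return report


# Constructed sample flows (not captured from any real network).
SAMPLE_FLOWS = [
    Flow("192.168.0.20", "192.168.0.1", "udp", 53),    # honest client using the gateway
    Flow("192.168.0.20", "8.8.8.8", "udp", 53),        # client with a hand-set resolver
    Flow("192.168.0.21", "8.8.8.8", "tcp", 853),       # DoT to the same resolver
    Flow("192.168.0.21", "8.8.8.8", "tcp", 443),       # DoH to the same resolver
    Flow("192.168.0.22", "203.0.113.10", "tcp", 443),  # ordinary HTTPS
]

if __name__ == "__main__":
    for entry in audit(SAMPLE_FLOWS):
        f = entry["flow"]
        note = "  <-- DoH, not caught by port rules" if entry["doh_bypass"] else ""
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {entry['action']} ({entry['rule']}){note}")
```

Running it prints one line per flow: the two UDP/53 flows and the TCP/853 flow get the decision the ACL intends, while the DoH flow is permitted by the default rule and only flagged because its destination is on the assumed resolver list, which is exactly the manual, frequently updated blocklist post #2 describes. The redirect function is there to show the semantics of the port-53 DNAT the first post asks about; whether a given gateway model offers that feature is not something this thread settles.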