ACL denying all - All but one device have no internet

2024-07-18 17:57:43

Hello all,

I am currently trying to get my head around ACLs and how to set them up.
Currently I have my home network divided into 3 VLANs: Management, Daily Use, Guest
My Setup:

- Omada SW Controller: 5.13.30.8

- Router: ER605 v1.0  Firmware: 1.3.1

- Switch: SG3428 v2.30 Firmware: 2.30.0

- 3x EAP653(EU) v1.0 Firmware: 1.0.14

For my test I've added an additional LAN network "Test_23" as VLAN 40 with Wi-Fi.

DHCP range is 192.168.40.xxx


I have added the following bidirectional switch ACL:

Type: Network

Policy: Deny

Protocols: All

Source: All Networks / Test

Destination: Test / All Networks

My expectation:

This should block all communication between Test_23 and other VLANs as well as Internet access and communication between devices.

Observed:
- Phone 1 (192.168.40.10) immediately loses internet access but can ping Phone 2

- Phone 2 (192.168.40.11) retains internet access and can ping Phone 2

I have tested multiple configurations, also with my other VLANs, and if I have such ACLs Phone 2 always has internet access even if all other devices do not.

Furthermore I thought that this rule would block inter-VLAN communication, but I am wrong there too.
There must be something I don't see there and a nudge in the right direction would be very appreciated.

#1
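The rule in the post, modelled as an added example (not code from the post or from TP-Link/Omada): a bidirectional Network-type deny is expanded into two one-way rules and checked against constructed sample flows built from the addresses above. It assumes the rule matches on subnet membership of source and destination IPs and uses placeholder subnets for the three VLANs the post does not number; under that reading a flow to a public address matches neither side of the rule, and frames bridged between two clients of the same EAP never reach the switch to be evaluated.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing: the post only gives 192.168.40.x for Test_23; the other
# three VLAN subnets are placeholders (assumption) so the rule has something to match.
NETWORKS = {
    "Management": ip_network("192.168.10.0/24"),
    "Daily Use": ip_network("192.168.20.0/24"),
    "Guest": ip_network("192.168.30.0/24"),
    "Test": ip_network("192.168.40.0/24"),
}
ALL_NETWORKS = list(NETWORKS.values())  # "All Networks" as selected, Test included

def bidirectional_deny(src_nets, dst_nets):
    """A bidirectional Network-type deny is simply two one-way deny rules."""
    return [(src_nets, dst_nets), (dst_nets, src_nets)]

# The rule from the post: Deny, all protocols, All Networks <-> Test, bidirectional.
RULES = bidirectional_deny(ALL_NETWORKS, [NETWORKS["Test"]])

def switch_acl_verdict(src_ip, dst_ip, traverses_switch=True):
    """How the switch ACL sees one flow: 'deny', 'permit' or 'not-evaluated'.

    Assumption: a Network-type rule matches on subnet membership of source and
    destination IP. Frames that never reach the switch (two clients bridged by
    the same EAP/SSID) are not evaluated by a switch ACL at all.
    """
    if not traverses_switch:
        return "not-evaluated"
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule_src, rule_dst in RULES:
        if any(src in n for n in rule_src) and any(dst in n for n in rule_dst):
            return "deny"
    return "permit"  # no deny rule matched

def evaluate_flows(flows):
    """flows: (label, src, dst, traverses_switch) tuples -> {label: verdict}."""
    return {label: switch_acl_verdict(s, d, t) for label, s, d, t in flows}

# Constructed sample flows from the addresses in the post; 203.0.113.10 is a
# documentation-range stand-in for any internet host.
SAMPLE_FLOWS = [
    ("phone1 -> Daily Use host", "192.168.40.10", "192.168.20.5", True),
    ("Daily Use host -> phone1", "192.168.20.5", "192.168.40.10", True),
    ("phone1 -> phone2 via switch", "192.168.40.10", "192.168.40.11", True),
    ("phone1 -> phone2 same EAP", "192.168.40.10", "192.168.40.11", False),
    ("phone1 -> internet host", "192.168.40.10", "203.0.113.10", True),
    ("Management -> Daily Use", "192.168.10.2", "192.168.20.5", True),
]
```

Running `evaluate_flows(SAMPLE_FLOWS)` shows the cross-VLAN flows denied in both directions, the intra-VLAN flow denied only when it actually crosses the switch, and the internet-bound flow untouched by this rule.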
Re:ACL denying all - All but one device have no internet
2024-07-19 06:50:43

  @Conondrum 

You can turn on guest network for the SSID if you do not want clients connecting to the same VLAN40 SSID to talk to each other. In addition, could you share the screenshot of the Switch ACL configuration? Furthermore, have you set up Gateway ACLs? One way to prevent communication between VLANs is to use Gateway ACL configuration. Devices would often not be blocked from accessing the internet by Switch ACL. Please check to see whether you have blocked its connection to the router if, after setting up the switch ACL, it is still unable to access the internet. Please confirm that phones 1 and 2 are connected to the same EAP as well.

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
#2
Re:ACL denying all - All but one device have no internet
2024-07-21 16:27:52

  @Hank21 

Thanks for your reply, my point is that I expected the phones not to have internet.
I am surprised that phone 1 always has a working internet connection even though all other devices do not (as expected).

Furthermore I do not have any Gateway or EAP ACLs active.

My two configured ACLs:

#3
Re:ACL denying all - All but one device have no internet
2024-07-22 02:29:31 - last edited 2024-07-22 02:30:22

  @Conondrum 

Could you please let me review your Internet topology and point out where your internet source is located? Also, for phone 2, please try a private MAC address.

Use private Wi-Fi addresses on iPhone, iPad, iPod touch, and Apple Watch

Best Regards!
#4
Re:ACL denying all - All but one device have no internet
2024-07-22 19:22:30

@Hank21

Hi, my topology looks as follows:

- LTE router (until fiber is available), set to static IP 192.168.1.1, connected to the WAN port of the TP-Link router.
For the test both Android Phones are using private (random) Mac addresses.

#5
Re:ACL denying all - All but one device have no internet
2024-07-23 02:02:57

  @Conondrum 

Thank you so much for taking the time to post the issue on TP-Link community!

To better assist you, I've created a support ticket via your registered email address, and escalated it to our support engineer to look into the issue. The ticket ID is TKID240765367, please check your email box and ensure the support email is well received. Thanks!

Once the issue is addressed or resolved, you are welcome to update this topic thread with your solution to help others who may encounter the same issue as you did.

Many thanks for your great cooperation and patience!

Best Regards!
#6