Help with VLAN and ACL

Tuesday
Model: ER707-M2

Hi,

First time setting up VLANs.

I have a VLAN (id: 20) for IoT devices that I don't want to be able to access devices on other VLANs.

But they should be able to access one single server on the default network (VLAN id: 1) which hosts Home Assistant.

Is it possible to do this via ACL rules?

Thank you.

#1
Re: Help with VLAN and ACL
Wednesday

Hi @StephaneDupont 

Thanks for posting in our business forum.

Do you have a switch in your network?

Do you use Omada Controller?

If you are using the Controller mode, you should use the Switch ACL as it supports IP Group ACL. If you are in standalone mode, use the ACL on the router and configure the IP Group in the Source and Destination.

If you don't have a switch but are using the controller mode, the feature has been placed on the roadmap. ETA V5.16.X.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting Manual ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. Don't be a lazy asker. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#2
Re: Help with VLAN and ACL
Wednesday

@Clive_A Thank you for your answer. Yes, my switches are all Omada switches and I'm using the OC300 hardware controller.

So, if I understand correctly,

1. to prevent my IoT VLAN from accessing other VLANs, I should have a Switch ACL rule (source and destination "network") that denies access to other VLANs

2. ... and then I add another rule, also as a Switch ACL rule, like this:

  Policy: permit
  Source: type network, IoT VLAN
  Destination: type IP group, and I set here my Home Assistant server IP with a /32 mask

Is it correct?

Also:

- How does precedence work here? What should be the first rule? 1. or 2.?

- For these 2 rules, should the binding type be "Ports" or "VLAN"?

Thank you.

#3
Re: Help with VLAN and ACL
Thursday

Hi @StephaneDupont 

Thanks for posting in our business forum.

StephaneDupont wrote

  @Clive_A Thank you for your answer. Yes, my switches are all Omada switches and I'm using the OC300 hardware controller.

  So, if I understand correctly,

  1. to prevent my IoT VLAN from accessing other VLANs, I should have a Switch ACL rule (source and destination "network") that denies access to other VLANs

  2. ... and then I add another rule, also as a Switch ACL rule, like this:

    Policy: permit
    Source: type network, IoT VLAN
    Destination: type IP group, and I set here my Home Assistant server IP with a /32 mask

  Is it correct?

  Also:

  - How does precedence work here? What should be the first rule? 1. or 2.?

  - For these 2 rules, should the binding type be "Ports" or "VLAN"?

  Thank you.

With the SW ACL, you would have a more versatile ACL config as you have the IP-Port. Currently, the GW ACL does not support LAN-LAN IP-Port. Scheduled for the V5.15.X update.

If you want to have a single A to B, but the rest of A cannot reach B, you need to create the Deny and Allow rules:

Allow an A to B,

Block A to B.

You can use the label and tag to filter out the guides we have:

Try this one; it is a collection of fan-made SW ACL guides:

https://community.tp-link.com/en/business/forum/3?labelIds=8738,8744&tagId=7194

Hope they can help you with the setup.

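To make the ordering point in this reply concrete (allow the single A-to-B first, then block A to B), here is an added Python model of first-match ACL evaluation over the two rules discussed in the thread. It is not Omada code: the subnets, the Home Assistant address, the Rule class and the implicit-permit default for unmatched traffic are all constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing (assumption; the thread gives no subnets):
#   VLAN 1  (default network) = 192.168.1.0/24, Home Assistant at 192.168.1.10
#   VLAN 20 (IoT)             = 192.168.20.0/24
VLAN_SUBNETS = {
    1: ipaddress.ip_network("192.168.1.0/24"),
    20: ipaddress.ip_network("192.168.20.0/24"),
}


@dataclass(frozen=True)
class Rule:
    policy: str    # "permit" or "deny"
    src_vlan: int  # Source: type network (a VLAN id)
    dst: object    # Destination: a VLAN id (type network) or an ip_network (type IP group)


def matches(rule, src_vlan, dst_ip):
    """True when the flow (source VLAN, destination IP) falls under this rule."""
    if rule.src_vlan != src_vlan:
        return False
    if isinstance(rule.dst, int):              # destination given as a VLAN
        return dst_ip in VLAN_SUBNETS[rule.dst]
    return dst_ip in rule.dst                  # destination given as an IP group


def evaluate(rules, src_vlan, dst_ip):
    """First-match evaluation: the first matching rule decides the verdict."""
    dst_ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if matches(rule, src_vlan, dst_ip):
            return rule.policy
    return "permit"  # assumed implicit default when nothing matches


HA_SERVER = ipaddress.ip_network("192.168.1.10/32")   # the /32 IP group from rule 2
PERMIT_HA = Rule("permit", 20, HA_SERVER)             # rule 2: IoT VLAN -> Home Assistant
DENY_LAN = Rule("deny", 20, 1)                        # rule 1: IoT VLAN -> default VLAN

CORRECT_ORDER = [PERMIT_HA, DENY_LAN]  # allow the single host first, then block the rest
WRONG_ORDER = [DENY_LAN, PERMIT_HA]    # the broad deny shadows the /32 permit


def check(order):
    """Verdicts for the two flows that matter: IoT -> HA and IoT -> another VLAN 1 host."""
    return {
        "iot_to_ha": evaluate(order, 20, "192.168.1.10"),
        "iot_to_other_host": evaluate(order, 20, "192.168.1.50"),
    }


if __name__ == "__main__":
    print("allow first:", check(CORRECT_ORDER))
    print("deny first: ", check(WRONG_ORDER))
```

With the permit placed first, only the Home Assistant address is reachable from VLAN 20; with the deny first, the permit never gets a chance to match and Home Assistant is blocked too.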