Use IP Group in Lan-Lan ACL on Omada

2024-12-11 02:37:50 - last edited 2024-12-12 01:30:09

I have inherited a TP-Link Omada setup and am trying to set up segregation between VLANs. I've started by creating firewall rules to deny traffic between the different VLANs; however, I need to be able to allow certain management devices access to specific IPs on other VLANs, but when I try to create an ACL of type 'LAN-to-LAN' the only 'source' option is to choose a network, not an IP Group or a single IP.

 

So, my question is - how do I allow one or two specific devices on a VLAN access to either an entire VLAN, or access to another specific device?

  0
#1
6 Replies
Re:Use IP Group in Lan-Lan ACL on Omada-Solution
2024-12-11 17:32:39 - last edited 2024-12-12 01:30:09

  @theradioguy 

 

The short answer is that you can't. You can manage it with a switch ACL if you have an Omada switch connected to the router; Easy Managed switches do not have ACLs.

 

 

Recommended Solution
  1
#2
Re:Use IP Group in Lan-Lan ACL on Omada
2024-12-13 16:37:56
Wow, it's shocking to me that such a basic feature isn't implemented in Omada, any idea if they're planning on supporting this in the future? How would I be able to accomplish the same thing with a switch ACL? And is there any solution for a wireless client?
  0
#3
Re:Use IP Group in Lan-Lan ACL on Omada
2024-12-13 18:00:27

  @theradioguy 

 

Yes, I agree that it is a significant problem when the router ACL lacks this option. It will probably come, but I don't know when. The emergency solution is to use a switch ACL or EAP ACL. It works but is not optimal.

 

  0
#4
Re:Use IP Group in Lan-Lan ACL on Omada
2025-05-31 05:26:15

  @theradioguy It's such a shame. I want to use a single AdGuard DNS server for all VLANs, but as I'm not allowing any type of communication between VLANs in the gateway ACL I can't, so I had to create an AdGuard server for each VLAN. It's annoying to use switch ACLs, especially if you have lots of devices in each VLAN. I hope they add this feature ASAP; it is a basic feature to have: block the whole traffic except to that specific IP group.

  0
#5
Re:Use IP Group in Lan-Lan ACL on Omada
2025-05-31 05:53:21

  @invadia 

 

Yes, it's unfortunate that groups aren't in place in LAN-LAN yet. Rumors say that it will come in the 5.16.x version, but it could easily take another year. In the meantime you can create your own VLAN that you have the AdGuard server in, then you block all networks except the VLAN that the AdGuard server is in.

 

In this VLAN you can also have other shared resources.

 

 

  0
#6
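The shared-services VLAN approach described in the reply above, as an added example that is not part of the thread and is not TP-Link code: a small Python model of a LAN-to-LAN ACL whose sources and destinations can only be whole networks, which is the limitation the thread is about. The VLAN plan, the addresses and the two modelling assumptions (same-VLAN traffic is switched and never reaches the gateway ACL; a routed flow that matches no rule is permitted, as the original post implies) are constructed for this example. It checks that every VLAN can reach the shared VLAN while all other inter-VLAN traffic is denied, and flags the common ordering mistake where the deny-all rule is placed first and shadows the permit.

```python
"""Model of a network-only LAN-to-LAN ACL (no IP groups), used to check the
shared-services VLAN design from the thread. Constructed example: VLAN names,
addresses and the default-permit / intra-VLAN-bypass assumptions are made up."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed VLAN plan (assumption, not from the thread).
VLANS = {
    "Mgmt":   ipaddress.ip_network("10.0.10.0/24"),
    "Users":  ipaddress.ip_network("10.0.20.0/24"),
    "IoT":    ipaddress.ip_network("10.0.30.0/24"),
    "Shared": ipaddress.ip_network("10.0.99.0/24"),  # AdGuard DNS and other shared resources
}
ALL = tuple(VLANS)


@dataclass(frozen=True)
class Rule:
    """One LAN-to-LAN ACL entry. Source and destination are VLAN names only,
    mirroring the gateway ACL limitation discussed in the thread."""
    name: str
    action: str                  # "permit" or "deny"
    src: Tuple[str, ...]
    dst: Tuple[str, ...]
    dport: Optional[int] = None  # None = any destination port


def vlan_of(ip: str) -> Optional[str]:
    """Return the VLAN name containing ip, or None if it is off-plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


def evaluate(rules, src_ip: str, dst_ip: str, dport: int) -> str:
    """First-match evaluation of one flow against the ACL.

    Modelling assumptions (not verified Omada behaviour):
    - same-VLAN traffic is switched and never reaches the gateway ACL;
    - an unmatched routed flow is permitted, matching the original post's
      premise that inter-VLAN traffic flows until a deny rule is added.
    """
    s, d = vlan_of(src_ip), vlan_of(dst_ip)
    if s is None or d is None:
        return "deny"          # off-plan address: not routable in this model
    if s == d:
        return "permit"        # intra-VLAN, not subject to the LAN-to-LAN ACL
    for r in rules:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "permit"


# Design from the thread: permit every VLAN to the shared-services VLAN,
# then deny everything else between VLANs. First match wins, so order matters.
SHARED_FIRST = [
    Rule("to-shared", "permit", ALL, ("Shared",)),
    Rule("block-inter-vlan", "deny", ALL, ALL),
]
# The same two rules with the deny first: the permit is shadowed and never fires.
DENY_FIRST = list(reversed(SHARED_FIRST))


def shadowed_rules(rules):
    """Return the names of rules that can never match because earlier rules
    already cover every (src, dst) pair they could match, for the same ports."""
    names = []
    for i, r in enumerate(rules):
        pairs = {(s, d) for s in r.src for d in r.dst if s != d}
        covered = set()
        for e in rules[:i]:
            if e.dport is None or e.dport == r.dport:
                covered |= {(s, d) for s in e.src for d in e.dst}
        if pairs and pairs <= covered:
            names.append(r.name)
    return names


def audit(rules):
    """Evaluate a few constructed flows and return {description: action}.
    The mgmt->iot flow is the per-device exception the original poster wanted;
    a network-only ACL cannot express it, so this design denies it."""
    flows = {
        "users->adguard dns": ("10.0.20.15", "10.0.99.53", 53),
        "iot->adguard dns":   ("10.0.30.7", "10.0.99.53", 53),
        "users->iot http":    ("10.0.20.15", "10.0.30.7", 80),
        "mgmt->iot ssh":      ("10.0.10.5", "10.0.30.7", 22),
        "users->users smb":   ("10.0.20.15", "10.0.20.99", 445),
    }
    return {k: evaluate(rules, *v) for k, v in flows.items()}


if __name__ == "__main__":
    for label, rules in (("shared-first", SHARED_FIRST), ("deny-first", DENY_FIRST)):
        print(label, audit(rules), "shadowed:", shadowed_rules(rules))
```

Running it shows the shared-first order permits DNS from every VLAN to the shared VLAN and denies the rest, while the deny-first order reports `to-shared` as shadowed and blocks DNS too. The management-to-IoT flow is denied under both orders, which is exactly the gap the thread describes: a per-device exception needs a switch or EAP ACL rather than the network-only gateway ACL.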
Re:Use IP Group in Lan-Lan ACL on Omada-Solution
2025-06-01 21:56:01 - last edited 2025-06-03 01:27:42

  @invadia 

 

In the latest batches of router firmwares (with controller 5.15 adaptations) there is a new option in DNS proxy: it enables a forceful override of ALL DNS requests to the LANs you specify to go to the DNS address you specify.

 

 

I believe you can set the DNS address to anything you want, even an internal IP, then have the clients' DNS set to the router IP for each VLAN, and the proxy will take effect.

Main: ER8411 x1, SG3428X x1, SG3452 x1, SG2428LP x1, SG3210 x1, SG2218P x1, SG2008P x3, ES208G x1, EAP650 x6 Remote: ER7206 v2 x1, ER605 v2 x3, SG2008P x2, EAP650 x2, ES205G x1 Controller: OC300
Recommended Solution
  1
#7