Use IP Group in Lan-Lan ACL on Omada
Use IP Group in Lan-Lan ACL on Omada
I have inherited a TP Link Omada setup and am trying to setup segregation between VLANs. I've started by creating firewall rules to deny traffic between the different VLANs, however, I need to be able to allow certain management devices access to specific IPs on other VLANs, but when I try to create an ACL of type 'LAN-to-LAN' the only 'source' option is to choose a network, not an IP Group or a single IP.
So, my question is - how do I allow one or two specific devices on a VLAN access to either an entire VLAN, or access to another specific device?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
So how does one use Switch ACL to allow one IP to go through? I have a SG2008 switch
I created a Gateway ACL with Deny from IoT to Main
I then created a Switch ACL with Permit for IoT:IP/32 to Main:IP/32
I can't ping Main:IP from IoT:IP
Or would I need to nix the Gateway ACL and think of what devices I want from IoT to be able to communicate with Main (e.g., like my hubs) ... or just hope that LAN-LAN IP Groups are coming to the Gatway at some point....
- Copy Link
- Report Inappropriate Content
@GoodOmens I have a feeling that in order to achieve that you may need to do intra-vlan routing on the switch rather that on the gateway :(
- Copy Link
- Report Inappropriate Content
@theradioguy It seems my pleads were answered. Controller 6.1 just released has Gateway level IP Groups, ports etc. My above scenario works as intended - I can whitelist specific IoT VLAN IPs (and I guess ports if I wanted) to override the blanket IoT->Main deny.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 2034
Replies: 13
Voters 0
No one has voted for it yet.