Home

Forums

Stories

Knowledge Base

Business Community > Controllers > Unidirectional block + exception

< Controllers

Unidirectional block + exception

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Unidirectional block + exception

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

SecretlyBald

2025-03-06 22:01:55 - last edited 2025-03-07 08:44:33

Posts: 4

Helpful: 1

Solutions: 0

Stories: 0

Registered: 2025-03-06

Unidirectional block + exception

2025-03-06 22:01:55 - last edited 2025-03-07 08:44:33

Tags: #Controller #ACL

Hey, I am experimenting with the Omada controller to try and achieve the following scenario:

PERMIT traffic from Private -> Public
DENY traffic from Public -> Private
PERMIT traffic from Public -> 10.25.0.2 (host in Private, so this is would be an exception to 2.)

From what I can gather, I cannot implement all those rules simultaneously. I can get bidirectional block + exception with Switch ACLs by using a PERMIT rule from Public to
IP_GROUP[10.25.0.2], but this will block traffic **bidirectionally**.

Or I can get unidirectional block by using Gateway ACLs, however, I cannot add an exception as the IP_GROUP functionality is not available in LAN-LAN rules, only LAN-WAN... Any workaround to this?

1 Accepted Solution

Vincent-TP

2025-03-07 08:44:30 - last edited 2025-03-07 08:44:33

Posts: 3650

Helpful: 358

Solutions: 1231

Stories: 0

Registered: 2024-06-22

Re:Unidirectional block + exception-Solution

2025-03-07 08:44:30 - last edited 2025-03-07 08:44:33

Hi @SecretlyBald

To achieve unidirectional VLAN access (point 1&2) , you need an Omada gateway.

For detailed steps, please refer to User’s Application Scenario Ⅵ: Unidirectional VLAN access in Controller in the following faq:

How to set up Access Control of TP-Link Omada Router in Standalone and Controller

To achieve point 3, please refer to step 2-4 in the following post:

How to allow guest network to access specific device on the main network by configuring EAP ACL?

Wish you a happy life and smooth network usage! >Get the Latest Omada SDN Controller Releases Here< >Experience the Latest Omada EAP Firmware<

Recommended Solution

3 Reply

SecretlyBald

LV1

2025-03-06 23:40:13

Posts: 4

Helpful: 1

Solutions: 0

Stories: 0

Registered: 2025-03-06

Re:Unidirectional block + exception

2025-03-06 23:40:13

I think I have found a similar issue here: https://community.tp-link.com/en/business/forum/topic/672230

If so, any timeline on when it would be released? This seems like a pretty obviously lacking feature...

Vincent-TP

2025-03-07 08:44:30 - last edited 2025-03-07 08:44:33

Posts: 3650

Helpful: 358

Solutions: 1231

Stories: 0

Registered: 2024-06-22

Re:Unidirectional block + exception-Solution

2025-03-07 08:44:30 - last edited 2025-03-07 08:44:33

Hi @SecretlyBald

To achieve unidirectional VLAN access (point 1&2) , you need an Omada gateway.

For detailed steps, please refer to User’s Application Scenario Ⅵ: Unidirectional VLAN access in Controller in the following faq:

How to set up Access Control of TP-Link Omada Router in Standalone and Controller

To achieve point 3, please refer to step 2-4 in the following post:

How to allow guest network to access specific device on the main network by configuring EAP ACL?

Wish you a happy life and smooth network usage! >Get the Latest Omada SDN Controller Releases Here< >Experience the Latest Omada EAP Firmware<

Recommended Solution

SecretlyBald

LV1

2025-03-07 14:16:18 - last edited 2025-03-07 14:19:12

Posts: 4

Helpful: 1

Solutions: 0

Stories: 0

Registered: 2025-03-06

Re:Unidirectional block + exception

2025-03-07 14:16:18 - last edited 2025-03-07 14:19:12

@Vincent-TP Thank you, but the goal is to achieve all of the conditions on the same 2 networks. As such, let's say there are two networks: Public (10.50.0.0) and Private (10.25.0.0) and one particular host in Private (10.25.0.2)

I want:

- PERMIT all unidirectional traffic from Private to Public

- DENY all unidirectional traffic from Public to Private, except for when destination IP is 10.25.0.2

If my current understanding is correct, this is not achieable with the current firmware, correct?

The reason for this is that currently:

- Switch ACLs are the go-to when one wants to allow a particular exception in subnet block. This would work, however, the block is bidirectional.

- Gateway ACLs allow for unidirectional blocks (stateful), however, I cannot use IP_GROUPs in these ACLs (when doing LAN-LAN, IP_GROUPs are available in LAN-WAN, but that does not help me)

Vincent-TP wrote

Hi @SecretlyBald

To achieve unidirectional VLAN access (point 1&2) , you need an Omada gateway.

For detailed steps, please refer to User’s Application Scenario Ⅵ: Unidirectional VLAN access in Controller in the following faq:

How to set up Access Control of TP-Link Omada Router in Standalone and Controller

To achieve point 3, please refer to step 2-4 in the following post:

How to allow guest network to access specific device on the main network by configuring EAP ACL?

Unidirectional block + exception

Unidirectional block + exception

Information

Voters 0

Tags