Need Advice on how to correctly configure Omada Switch in stated scenario to achieve goals
NOTICE: This is a lengthy post. I do apologize in advance. I tried to keep it as short as possible and to the point while providing as much detail as possible. Hopefully someone can provide some helpful direction or pointers enabling me to complete or at least continue my ongoing Omada network setup and configuration. (see below for details).
I need guidance and/or advice with configuring my Omada Switch … I am hopelessly lost as it turns out. What follows contains all of the information that I can share regarding what I am working to achieve, as well as what I have in terms of hardware etc. and what I have done and currently plan to do toward achieving the stated goals.
(a few additional words about why and background … but easily skipped if lack of interest ... prefaced and followed by TLDNR tags)
If any additional information not provided is needed for offering suggestions or advice … please just ask … I’ll gladly provide missing details or answer any questions and I will reply to all responders. Thank you!!!
What I have:
Omada hardware (and On-Prem SDC running on a dedicated Ethernet attached system):
| Model | Device Version | Firmware Version |
|---|---|---|
| EAP245 (US) | 3.0 | 5.2.0 Build 20240914 Rel. 59923 |
| ER605 | 2.0 | 2.2.6 Build 20240718 Rel.82712 |
| ES205GP | 1.0 | 1.0.2 Build 20250414 Rel.73097 |
| SDC ** | 5 | 5.15.20.17 |
** Future plans to transition from SDC to cloud controller or possibly Hardware controller, TBD.
Design Requirements:
WLAN -- 3x separate 802.11 Wi-Fi networks, each with its own private IPv4 network, SSID, band requirements, and security considerations.
LAN -- Consisting of network hardware and a single system directly connected to the Switch via 100 Mbps Ethernet cable. Router, EAP and SDC all connected to a single switch.
WAN -- Comcast ISP provided PPoE modem - 2x 1GigE ports, both connected to the same ER605 and configured for load balancing with the USB WAN port as failover.
Connectivity Goals:
WLAN 1 -- Main network = (WPA2-Enterprise) EAP-TLS Radius ... both 2.4 GHz and 5.0 GHz radios needed.
WLAN 2 -- IoT network = WPA2-Personal AES (because apparently PPSK with or without Radius is not compatible with anything, not sure why it's even presented as a WLAN option). Only the 2.4 GHz radio needed.
WLAN 3 -- Surveillance network = WPA2-Personal AES (PPSK not viable nor will devices support 802.1x / x509 certificates). Only the 2.4 GHz radio is needed.
LAN -- Access to all WLAN devices of all WLAN networks (egress only, no ingress from any WLAN devices of any WLAN networks except those needed by SDC, Radius, and select IPs of Main WLAN to be allowed full ingress for admin access).
WAN -- No internal services or ports accessible from internet. No port forwarding, no open ports for inbound access for any reason. All unsolicited inbound packets are DROPPED without exception. No future plans to deviate from this directive. No provision for DMZ.
Main WLAN needs to have unfettered access to all member devices of the Main network as well as both IoT and Surveillance networks. IoT WLAN devices restricted to only other IoT devices and internet (outbound only). Surveillance WLAN devices restricted to only other Surveillance devices and internet (outbound only, remote camera access achieved via Cloud service). LAN Ethernet connected SDC obviously needs access to everything everywhere; however, WLAN network access to the LAN on all but necessary SDC TCP/UDP ports should be restricted to the few defined IP addresses of the Main WLAN network for Admin access. Internet access allowed for all WLAN networks as well as from the LAN. Radius provided by SDC or alternatively via a FreeRadius server previously configured on the same system hosting the SDC but which is currently not actively running.
<<<< TLDNR
Environmental Challenges:
Nearby adept hackers with near continuous (some automated) attempts to access network resources via MAC Spoofing, Evil Twin APs, Social Engineering, Malware via email and MMS. On many separate occasions successful attempts have netted them VPN capabilities via a myriad of ports, frequent stealing of network credentials, file data, text messages, access to surveillance equipment, audio devices, as well as to acquire information sufficient to commit ID theft, and other various annoyances and black hat style activities too varied and numerous to list in full here (though that pretty much covers the spectrum). (Note: FCC, FBI and local police have all been contacted and reports filed ... to date no action taken to curb or stop these activities which first began over two years ago; but, which continue to persist constituting a serious daily problem.)
However, the vast majority of their activities have since been mitigated by the recent procurement and ongoing deployment of the listed Omada hardware (began about a week ago). It was a forklift type upgrade to the network you might say, and I've been putting it together and setting it up on my own continuously since, over the past week .... I feel as though I am getting closer, but it has not been without its challenges ... and the project is not yet complete. I may have bitten off a tiny bit more than a reasonable person should have, I'll admit ... It has been somewhat of a humbling experience thus far. However, I am fully resolved to getting this done. Failure simply isn't an option ... and besides, I am confident that with a few helpful pointers here and there I'll have this whole project squarely in my rear-view in no time flat. ahem .... but I digress ...
TLDNR >>>>>>
Network Topology:
Comcast ISP provided PPoE modem (Bridged Mode) with 2x 1 GigE ports for independent WAN connections to the internet. ---> 2x GigE to a single ER605 Router (load balanced) via its "WAN" and "WAN/LAN 1" ports. USB WAN port configured as Fallback in case of complete WAN failure.
The ER605 "WAN/LAN 2", "LAN 1", and "LAN 2" ports all configured for LAN use. Its "LAN 2" port connected to my ES205GP PoE Switch GigE "Port 1".
The EAP245 is serving as the only WLAN access point currently with plans for more at some future date, TBD. The EAP is connected to the ES205GP Switch via "Port 2" GigE Full Duplex. All WLANs are accessible via the EAP. All client WLAN devices of all three WLANs receive DHCP services from the ER605 Router.
SDC running on a dedicated system connected to the ES205GP Switch on "Port 3" at 100 Mbps Full Duplex (limitation of NIC).
The ES205GP Switch's "Port 4" and "Port 5" are both currently Disabled.
Logical components:
Networks:
| Purpose | Network (SSID) | Type | VLAN ID | IPv4 Subnet |
|---|---|---|---|---|
| Main WLAN Network | HN-Main | Interface | 50 | 10.50.50.1/24 |
| IoT Network | HN-Alt | Interface | 99 | 192.168.99.1/24 |
| Surveillance | HN-View | Interface | 44 | 10.4.4.1/24 |
| Maintenance | LAN | Interface | 1 | 10.144.12.1/24 |
Switch Port Profiles:
| Port Profile | Native Network (PVID) | Egress Rule: Tagged Network | Egress Rule: Untagged Network |
|---|---|---|---|
| Main-Trunk | LAN (PVID=1) | HN-Main | LAN |
| IoT-Trunk | LAN (PVID=1) | HN-Alt | LAN |
| Surv-Trunk | LAN (PVID=1) | HN-View | LAN |
| IoT | HN-Alt (PVID=99) | / | HN-Alt |
| Main | HN-Main (PVID=50) | / | HN-Main |
| Surveillance | HN-View (PVID=44) | / | HN-View |
Port Profile assignments:
A Work In Progress .... I am having a bit of an issue with the switch with regard to the assignment and configuration of correct network and port profile combinations and Networks, as well as how to specify Tagged and Untagged, whether to use VLANs or Interfaces or some combination of the two .... it's all extremely confusing to me. My experience and knowledge wander into the realm of networking but live primarily in the world of Systems and Infrastructure, Virtualization, Mass Storage, and Data Encryption as well as Imaging and File level Backup and Recovery solutions etc… ad nauseam.
So far I have had little to no luck with getting any device of any WLAN / VLAN to successfully receive DHCP services from the ER605. This precedes any testing of internet access or needed inter-WLAN connectivity / access restrictions between the three WLANs and the LAN.
Additionally, I am currently trying to figure out why the SDC is alerting to the presence of a network loop it detects between "Port 1" and "Port 4" of the ES205GP switch. "Port 4" is disabled, though at one point I had attempted to use it as a second physical connection to the ER605 ... I have since eliminated the use of "Port 4" and the cable connecting it to the ER605 via its "LAN 1" Port … it has been physically removed and gone for days. Only the ER605's "LAN 2" port is currently connected to the ES205GP Switch on its "Port 1" interface, yet the SDC still detects a loop condition mysteriously persisting without any physical connections which might possibly cause a loop.
This is pretty much where my knowledge, progress and good fortune stops ....
<<<<TLDNR
I have since come to understand that the ES205GP "Managed Switch" which I was quoted and purchased is in actuality a far cry less of a switch than what is required in order to achieve any of the design's stated goals. Specifically with regard to any solution involving WPA2-Enterprise WLAN with EAP-TLS Radius (for device authentication) as well as simple support for DHCP Relay... neither of which (come to find out) are supported by this switch; not to mention any of the other irritating limitations regarding missing or additional unsupported key features, the lack of which throw a number of unneeded wrenches into the design and stymie the ongoing implementation effort... did I mention that I'm still fairly upset about the switch? It was after all recommended as part of THE solution of this exact design by TP-Link prior to purchase (via chat though … that's where my brain must have stopped working for a brief moment. Who spends money based on recommendations made over a chat session?! Oh that's right, I did.). And as it turns out, the switch was and continues to be a complete FAIL .... as this and pretty much ANY managed non-Layer 2/3 switch falls completely short of the mark for any number of reasons, some of which I've stated.
However, I do have immediate plans to replace the ES205GP with a Layer 2 Omada switch ASAP (the soonest I will be able to buy a replacement switch capable of addressing all of the ES205GP's shortcomings is next month at the earliest). I highly doubt I'll be allowed to return this ES205GP mistake either ... Mostly because I no longer have the box that it came packaged in, yep I threw it away (I knew better, but here we are)... I don't see any other use for this thing either, it barely qualifies as a switch if I am being completely honest .... just a horrible device, I'd equate it to something only slightly more advanced than a PoE hub. And that's a generous assessment. I am genuinely surprised that it is even part of the Omada line of products … all part of the learning process though, right? Whatever ends up replacing it will support 802.1x via Radius / x509 certificates as well as DHCP Relay at the barest of minimums. Very upsetting but I believe everyone will be happy to learn, I'm done complaining now.
TLDNR>>>>>
I really just need some good pointers on how to configure an Omada switch to accomplish what it is that I’m working to achieve. Once I have an appropriate switch capable of performing basic switch functions, of course ... so if you could, please just picture in your mind this design and topology as presented but instead of a ridiculous ES205GP device as part of the design .... substitute in its place an Omada Layer 2 switch …. obviously nothing over the top, but one that isn’t a total dog and that provides the necessary functionality for stated needs.
Thank you!
-The End
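The port profile table above lists one trunk profile per WLAN, while the EAP on "Port 2" and the ER605 uplink on "Port 1" each have to carry all three WLAN VLANs for a client's DHCP Discover to reach the router. The following is an added example (not the post author's configuration and not Omada software); it models the post's VLAN IDs and port profiles and reports, for a given port-to-profile assignment, which WLAN VLANs have no tagged path between the EAP port and the uplink. It assumes the EAP sends SSID traffic tagged with the SSID's VLAN and the router's LAN port expects those VLANs tagged with LAN untagged; the "All-Trunk" profile is a constructed candidate, not something from the post.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Profile:
    """One Omada-style port profile: native (PVID) VLAN plus tagged VLANs."""
    pvid: int
    tagged: frozenset = field(default_factory=frozenset)

# VLAN IDs from the post's Networks table.
VLANS = {"LAN": 1, "HN-Main": 50, "HN-Alt": 99, "HN-View": 44}

# Port profiles as the post's Switch Port Profiles table lists them,
# plus one constructed candidate ("All-Trunk") that carries every WLAN VLAN.
PROFILES = {
    "Main-Trunk": Profile(pvid=1, tagged=frozenset({50})),
    "IoT-Trunk": Profile(pvid=1, tagged=frozenset({99})),
    "Surv-Trunk": Profile(pvid=1, tagged=frozenset({44})),
    "Main": Profile(pvid=50),
    "IoT": Profile(pvid=99),
    "Surveillance": Profile(pvid=44),
    "All-Trunk": Profile(pvid=1, tagged=frozenset({50, 99, 44})),  # constructed
}

def check_dhcp_paths(assignment, profiles=PROFILES, ap_port="Port 2",
                     uplink_port="Port 1", wlan_vlans=(50, 99, 44)):
    """Return {vlan_id: reason} for each WLAN VLAN whose client DHCP traffic
    cannot travel tagged from the EAP port to the ER605 uplink port.
    `assignment` maps a port name to a profile name, e.g. {"Port 1": "Main-Trunk"}.
    Assumption: both ends must carry the VLAN tagged; untagged is not enough."""
    problems = {}
    for port in (ap_port, uplink_port):
        name = assignment[port]
        prof = profiles[name]
        for vlan in wlan_vlans:
            if vlan in problems:
                continue  # already failed on the other port
            if vlan == prof.pvid:
                problems[vlan] = f"{port} ({name}) carries VLAN {vlan} untagged; it must be tagged"
            elif vlan not in prof.tagged:
                problems[vlan] = f"{port} ({name}) does not carry VLAN {vlan} at all"
    return problems

if __name__ == "__main__":
    for plan in ({"Port 1": "Main-Trunk", "Port 2": "Main-Trunk"},
                 {"Port 1": "All-Trunk", "Port 2": "All-Trunk"}):
        print(plan, "->", check_dhcp_paths(plan) or "all WLAN VLANs reach the router")
```

Run as-is, it shows that assigning Main-Trunk to both ports leaves VLANs 99 and 44 with no path, while a single trunk profile tagging all three WLAN VLANs on both ports clears every finding.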