ER706W Gateway ACL, LAN->LAN, IP-Port
2025-06-13 05:34:43 - last edited 2025-06-13 05:48:08

It's embarrassingly ridiculous that a business line of gateways still does not support such a basic, essential feature, which has been requested multiple times as per this thread: https://community.tp-link.com/en/smart-home/forum/topic/651912

Can you guys be honest by actually telling the community if this is going to be implemented or not? I am pretty sure there are many users who are hoping to know your plans as well before they decide whether to move on from Omada or not.

I think your customers deserve transparency about the company's plans for such a basic ACL feature.

Personally, I built my network on the Omada platform and completely regret every moment I spent configuring ACLs, trying to come up with ways to work around the gateway being the only thing on the whole platform capable of stateful ACLs, yet unable to do LAN-to-LAN IP/IP-port ACLs, while the switches can do LAN-to-LAN IP/port ACLs but are stateless. What a major joke.

You guys are pretty aware that this is far from ideal and would not be called "business" grade. What a letdown.

I hope you will excuse my tone, but I have never felt this deceived by a well-reputed company.

Thanks.

#1
Re:ER706W Gateway ACL, LAN->LAN, IP-Port
2025-06-13 05:52:01

@Pink_Waters

If you have complaints regarding transparency or development progress, you can contact the management team through the sales-related sources.

The forum does not provide information about development progress or details. The team is aware of your request.

Since new rules were introduced this year, I, as a forum mod, don't have the information you've requested.

Thank you for your understanding.

#2
Re:ER706W Gateway ACL, LAN->LAN, IP-Port
2025-06-13 07:16:48

@Pink_Waters

Way back in the old days (before the last few months), when TP-Link staff were actually allowed to discuss things, I'm sure I read that gateway ACL IP groups were coming in Controller 5.16.

Anyway, you can achieve what you want if you also have an Omada switch.

Use a gateway ACL to control the stateful inter-VLAN communication on entire VLANs, then use a switch ACL to give the fine granularity of IPs within those VLANs.

Let's say I want VLAN 10 (10.0.10.X) to reach the printer on VLAN 20 (10.0.20.100), but nothing else, and only allow the communication to be initiated from VLAN 10.

Gateway ACL rules would be:

Allow > VLAN 10 > VLAN 20
Deny > VLAN 20 > VLAN 10

Switch rules would be:

Allow > 10.0.10.0/24 > 10.0.20.100
Deny > 10.0.10.0/24 > 10.0.20.0/24

Main: ER8411 x1, SG3428X x1, SG3452 x1, SG2428LP x1, SG3210 x1, SG2218P x1, SG2008P x3, ES208G x1, EAP650 x6 Remote: ER7206 v2 x1, ER605 v2 x3, SG2008P x2, EAP650 x2, ES205G x1 Controller: OC300
#3
Re:ER706W Gateway ACL, LAN->LAN, IP-Port
2025-06-13 11:15:32 - last edited 2025-06-13 11:16:12

@GRL

Thanks for your suggestion.

The problem gets way more complicated when you need return traffic passed as well. I face huge problems with reverse proxies, for example, since the stateless ACLs don't handle that, so I have to rely solely on the gateway to handle return traffic.

As I said, this may work for very simple ACLs, but you really can't firewall properly on this platform right now, as it is practically impossible to do VLAN isolation properly and also allow certain traffic, especially if you need return traffic handled.

#4
Re:ER706W Gateway ACL, LAN->LAN, IP-Port
2025-06-13 11:20:20

@Pink_Waters

Then you just allow two-way in the switch ACL, so the stateful tracking on the gateway takes care of it and allows the return.

#5
Re:ER706W Gateway ACL, LAN->LAN, IP-Port
2025-06-13 11:20:22

@Clive_A

If the dev team is aware of the request, why was the feature request closed? And why are there no updates about this?

#6
Re:ER706W Gateway ACL, LAN->LAN, IP-Port
2025-06-13 11:34:44 - last edited 2025-06-13 11:35:18

@GRL

How? Allowing two-way in the switch would defeat the purpose of isolating the VLAN to begin with. The problem is if you want to allow only certain VLAN communication for a specific IP/port. If you want to do that, you can only do it on the switch, not the gateway, so you will have to do your deny and allow on the switch ACLs, since the gateway ACL trumps the switch ACLs and only offers whole network/subnet ACLs and nothing IP/port based. What I found is that in certain situations, depending on your overall ACL, you might get away with being able to have an allow rule both ways, but that defeats the purpose of trying to have a one-way allow ACL only.

#7
Re:ER706W Gateway ACL, LAN->LAN, IP-Port
2025-06-13 11:42:44 - last edited 2025-06-13 11:48:14

@Pink_Waters

That isn't really how it works. If the router, and not the switch SVIs, is the gateway of the VLAN, then the gateway ACLs will still act as the primary rule for the VLANs. Switch rules will work behind them.

So you can switch-rule IP group <> IP group, and have the gateway rules allow one VLAN to initiate communication (and inherently allow the return traffic because it's stateful). Once that communication has passed through the gateway, the switch rule takes over and offers the fine-grained control.

Switch rules won't pass traffic from one VLAN to another directly, even if a rule allows it, UNLESS you are using the switch interfaces as VLAN gateways, in which case the ACL precedence is reversed.

Let's revisit my example:

VLAN 10, 10.0.10.X /24
Printer 10.0.20.100 /32 on VLAN 20

Gateway rules, in this order:

Allow - VLAN 10 > VLAN 20
Deny - VLAN 20 > VLAN 10

IP Group - Printer_Access, members 10.0.10.0/24 & 10.0.20.100/32

Switch rules:

Allow - IP_Group Printer_Access > IP_Group Printer_Access
Deny - VLAN 10 > VLAN 20

Having both the allowed source and the allowed destination in one IP group and putting it on both sides of a switch ACL allows that single rule to act bi-directionally.

With these rules in place, and the router interfaces acting as VLAN gateways, the gateway ACLs act "first match wins" first, and allow VLAN 10 to initiate, and then track connections to VLAN 20. Then the switch rule takes over, and allows VLAN 10 to reach ONLY the printer on VLAN 20. Return traffic from the printer is allowed back because of the switch rule, through the gateway and back to the originating client.

However, because only the printer is included in the allow switch rule, nothing else in VLAN 20 is reachable, AND, because of the gateway rules, VLAN 20 cannot initiate communication to VLAN 10.

#8
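The layered gateway-plus-switch design GRL lays out in posts #3 and #8, as an added Python simulation that is not code from the forum or from TP-Link. It assumes the evaluation order the post describes (router holds the VLAN gateways, so the stateful gateway ACL is consulted first, then the stateless switch ACL), an implicit allow when no rule matches, and the client address 10.0.10.5 and second VLAN 20 host 10.0.20.50 are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass, field
IP, NET = ipaddress.ip_address, ipaddress.ip_network

@dataclass
class Rule:
    action: str   # "allow" or "deny"
    src: list     # networks; an IP group is simply several networks
    dst: list
    def matches(self, s, d):
        return any(s in n for n in self.src) and any(d in n for n in self.dst)
def first_match(rules, s, d):
    # Action of the first matching rule, or None when nothing matches (assumed implicit allow)
    return next((r.action for r in rules if r.matches(s, d)), None)
@dataclass
class StatefulGateway:
    # VLAN-level rules, first match wins, plus a table of established flows
    rules: list
    flows: set = field(default_factory=set)
    def permits(self, s, d):
        if (d, s) in self.flows:   # reply to a connection the gateway already tracks
            return True
        return first_match(self.rules, s, d) != "deny"
@dataclass
class StatelessSwitch:
    # IP-level rules, first match wins, no connection tracking at all
    rules: list
    def permits(self, s, d):
        return first_match(self.rules, s, d) != "deny"
VLAN10, VLAN20 = NET("10.0.10.0/24"), NET("10.0.20.0/24")
PRINTER_ACCESS = [VLAN10, NET("10.0.20.100/32")]   # the post's "Printer_Access" IP group

def build():
    gw = StatefulGateway([Rule("allow", [VLAN10], [VLAN20]), Rule("deny", [VLAN20], [VLAN10])])
    sw = StatelessSwitch([Rule("allow", PRINTER_ACCESS, PRINTER_ACCESS), Rule("deny", [VLAN10], [VLAN20])])
    return gw, sw
def forwarded(gw, sw, s, d):
    # Router holds the VLAN gateways, so the gateway ACL is consulted first, then the switch ACL
    s, d = IP(s), IP(d)
    ok = gw.permits(s, d) and sw.permits(s, d)
    if ok:
        gw.flows.add((s, d))   # only a flow that actually got through is tracked as established
    return ok

def scenario():   # addresses 10.0.10.5 and 10.0.20.50 are constructed for the demo
    gw, sw = build()
    return {"client_to_printer": forwarded(gw, sw, "10.0.10.5", "10.0.20.100"),
            "printer_reply": forwarded(gw, sw, "10.0.20.100", "10.0.10.5"),
            "client_to_other_vlan20_host": forwarded(gw, sw, "10.0.10.5", "10.0.20.50"),
            "vlan20_host_initiates": forwarded(gw, sw, "10.0.20.50", "10.0.10.5")}
```

Only the client-to-printer flow and its reply get through; the switch's deny blocks the rest of VLAN 20, and the gateway's deny stops VLAN 20 from initiating.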
Re:ER706W Gateway ACL, LAN->LAN, IP-Port
2025-06-13 11:58:54 - last edited 2025-06-13 11:59:27

@GRL

Thanks, and I appreciate your example and elaboration. As you said, and I apologize if I overlooked specifying that, I use VLAN interfaces on the switch, mainly because I don't use the Omada DHCP. I have my own domain controllers and Windows DHCP servers, and they will not work without having the switch VLAN interfaces up.

#9
Re:ER706W Gateway ACL, LAN->LAN, IP-Port
2025-06-14 07:26:19

@Pink_Waters

OK, I don't get it. You are requesting IP groups in gateway ACLs; that's fine, I explained how to more or less achieve this as long as you are using the router VLAN IPs as gateways for each VLAN, but now you are saying you are actually using switch-based routing? I mean, that's fine, but then your request for IP groups in gateway ACLs won't do anything anyway: if you are using the switch as the gateway, then switch ACLs will always act first, and gateway ACLs are pretty much only useful for controlling WAN in/out traffic.

#10
Re:ER706W Gateway ACL, LAN->LAN, IP-Port
2025-06-14 18:39:43

@Pink_Waters

I didn't initially require a relay when I first set up my network because I didn't have a Windows Server DHCP, and I had to struggle with ACLs and try to get around it with the same approach you listed, until later, when I started having external DHCP servers, I had to enable VLAN interfaces on the switch to add a relay (at least to my understanding, that's the only way to do it) on a specific VLAN (not all of them). So now I have management and the other VLAN with VLAN interfaces on the switch enabled to add the relay. The rest of the VLANs don't have that. So I am right now using a combination of both scenarios (where the gateway has primary control of ACLs on certain VLANs and the switch on others), and obviously it is very frustrating having to deal with stateless ACLs on one hand and also trying to make use of the stateful ones at the same time when applicable.

#11