Question on Network Isolation

2025-07-16 10:09:34 - last edited 2025-07-18 01:41:19
Model: ER706W  
Hardware Version: V1
Firmware Version: 1.1.3 Build 20240830 Rel.54942(4555)

The ER706W hardware version is actually v1.20.  I have a question on isolating networks with the latest firmware (1.2.0 Build 20250428).  I do not have the latest firmware installed because of a boot problem that the dev team is still working on.


In the latest firmware, there is an option for isolating the individual networks.  My question is this: "Does this network isolation option take priority over any firewall/ACL rules?"  I ask this because I have migrated from using Synology routers where the network isolation option takes absolute priority over any firewall rules.  Therefore any VLAN to VLAN communications must have the network isolation option disabled if firewall rules are to be used.


Is this the case with Omada routers?  I just want to know what takes priority over what, i.e. Network Isolation over ACLs  --or--  ACLs over Network Isolation.


1x ER7406 1x OC300 4x SG2008 1x EAP610 3x EAP650-Desktop
Accepted Solution
Re: Question on Network Isolation - Solution
2025-07-18 01:26:15 - last edited 2025-07-18 01:41:19

  @jra11500 

ACL has higher priority.

Re:Question on Network Isolation
2025-07-18 07:04:56

  @Clive_A 


Thank you for the information.  I would recommend this info be included in any future updates to published documentation.


Re:Question on Network Isolation
Sunday

  @Clive_A 


I have to revive this, as your answer is not working for my setup.

I want to be able to do two things: share a DNS server and a printer across VLANs.

I tried the switch ACLs and they don't seem to have any effect on either of them.

If I remove the VLANs from isolation then I can ping them and connect to them, but that is too risky (wide open).

So I added one set of ACLs (in and reverse) to deny everything else besides the DNS and printer, and nothing works. The DNS and printer rule was higher than these two rules.

Maybe I'm missing something, but everything was working fine until I upgraded to the latest controller firmware (1.31.11 Build 20251128 Rel.58518).


Also, the other ACLs were giving me an error saying too many ACLs were active.

I do have two switches, but one is a primary (TL-SG3428MP) and the other a backup (SG3218XP-M2).

V/r
Toni

Re:Question on Network Isolation
Sunday

  @Antoni777 


I would recommend you include a topology map and perhaps a screenshot of your ACLs.  They will help others to more clearly understand your issue.

 

I personally don’t like switch ACLs because they are stateless and usually require return rules and (as in your case) don’t seem to always work as expected.  In a similar situation as yours (except my server is a DHCP server instead of a DNS server), my solution was to create two additional and non-isolated VLANs (with a /30 subnet mask) for the server and the printer.  They are the only clients (along with the gateway interface) on their respective VLANs.  I then created two gateway rules to allow the isolated VLANs to communicate with them.


The latest controller firmware (with v6.1) is expected to be released very soon and IP groups and IP-Port groups have been implemented in gateway ACLs which will make things much easier for some configurations.



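The point made in the reply above, that a switch ACL is stateless and therefore needs an explicit return rule while a gateway-style rule tracks the flow, shown as a constructed simulation. This is an added example, not Omada code and not code from any poster; the VLAN numbers (10 = clients, 20 = servers) and the addresses 10.0.20.53 (DNS) and 10.0.20.9 (printer) are assumptions, as is the "permit if nothing matches" default.

```python
"""Stateless switch ACL vs. stateful gateway filter (constructed simulation).

Assumed layout, for illustration only:
  VLAN 10 = clients (10.0.10.0/24), VLAN 20 = servers (10.0.20.0/24).
"""
from dataclasses import dataclass, fields
from typing import Optional

DNS_SERVER = "10.0.20.53"   # assumed DNS server on VLAN 20
PRINTER = "10.0.20.9"       # assumed printer on VLAN 20


@dataclass(frozen=True)
class Packet:
    src_vlan: int
    dst_vlan: int
    src_ip: str
    dst_ip: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """One ACL entry; None means 'any'. Field names mirror Packet."""
    action: str                       # "permit" or "deny"
    src_vlan: Optional[int] = None
    dst_vlan: Optional[int] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    for f in fields(Rule):
        if f.name == "action":
            continue
        want = getattr(rule, f.name)
        if want is not None and want != getattr(pkt, f.name):
            return False
    return True


def stateless_verdict(acl: list[Rule], pkt: Packet, default: str = "permit") -> str:
    """First matching rule wins; no memory of earlier packets (a switch ACL)."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return default


class StatefulFilter:
    """Gateway-style filter: the reverse direction of a permitted flow is allowed."""

    def __init__(self, acl: list[Rule]):
        self.acl = acl
        self.flows: set[tuple] = set()

    def verdict(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src_ip, pkt.sport, pkt.dst_ip, pkt.dport)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dport, pkt.src_ip, pkt.sport)
        if reverse in self.flows:          # reply to a flow already allowed
            return "permit"
        action = stateless_verdict(self.acl, pkt)
        if action == "permit":
            self.flows.add(key)
        return action


# Forward-only ACL, roughly what the poster describes: allow DNS and printing
# from VLAN 10 into VLAN 20, deny everything else between the two VLANs.
SWITCH_ACL = [
    Rule("permit", src_vlan=10, dst_ip=DNS_SERVER, proto="udp", dport=53),
    Rule("permit", src_vlan=10, dst_ip=PRINTER, proto="tcp", dport=9100),
    Rule("deny", src_vlan=10, dst_vlan=20),
    Rule("deny", src_vlan=20, dst_vlan=10),
]

# The return rules a stateless ACL needs; they must sit above the deny entries.
RETURN_RULES = [
    Rule("permit", src_ip=DNS_SERVER, proto="udp", sport=53, dst_vlan=10),
    Rule("permit", src_ip=PRINTER, proto="tcp", sport=9100, dst_vlan=10),
]
SWITCH_ACL_WITH_RETURN = RETURN_RULES + SWITCH_ACL

# Constructed packets: a DNS query, its reply, and an unsolicited connection.
DNS_QUERY = Packet(10, 20, "10.0.10.5", DNS_SERVER, "udp", 51515, 53)
DNS_REPLY = Packet(20, 10, DNS_SERVER, "10.0.10.5", "udp", 53, 51515)
UNSOLICITED = Packet(20, 10, PRINTER, "10.0.10.5", "tcp", 9100, 40000)


def demo() -> dict[str, str]:
    fw = StatefulFilter(SWITCH_ACL)
    return {
        "stateless query": stateless_verdict(SWITCH_ACL, DNS_QUERY),
        "stateless reply": stateless_verdict(SWITCH_ACL, DNS_REPLY),      # dropped
        "stateless reply + return rule": stateless_verdict(SWITCH_ACL_WITH_RETURN, DNS_REPLY),
        "stateful query": fw.verdict(DNS_QUERY),
        "stateful reply": fw.verdict(DNS_REPLY),
        "stateful unsolicited": fw.verdict(UNSOLICITED),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {verdict}")
```

Run it and the "stateless reply" line shows why a query can reach the DNS server while the answer never comes back: the reply is a new packet from VLAN 20 to VLAN 10 and hits the deny entry. Adding the return rules (source 10.0.20.53, UDP source port 53, above the denies) fixes the stateless case; the stateful filter needs no return rule but still drops a connection the server opens on its own.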
Re:Question on Network Isolation
Yesterday

  @jra11500 


Interesting perspective and idea, thanks. I will try that. What I did to solve the issue with the DNS server (Ubuntu) was: I created virtual interfaces for each one of the VLANs and assigned a static IP to each of them along with different MAC addresses. I'm still researching how to make a print server work; DNS had higher priority for me. Another issue I encountered was that the IP-Port group had a limit for IPs (maybe too low). I have about 8 VLANs. I use this ACL to block connections to the gateway portal and SSH for each of the VLANs. I will update my post tomorrow with a screenshot of the topology and ACL rules.

V/r
Toni

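The Ubuntu side of the approach in the post above (one tagged sub-interface per VLAN, each with its own static IP and its own MAC), as an added example that is not from the thread or from TP-Link. It writes a netplan file and the equivalent one-off `ip` commands; the parent NIC name `eth0`, the base MAC, the VLAN IDs and the addresses are assumptions, and it is also an assumption that the netplan version in use honours the `macaddress` key on a `vlans:` entry.

```python
"""Build a netplan file giving one Ubuntu host a tagged sub-interface on each VLAN.

Constructed example. Parent NIC, base MAC, VLAN IDs and addresses are assumptions;
the netplan `macaddress` key on a vlan stanza is assumed to be honoured, and the
iproute2 commands are given as a non-persistent alternative.
"""
import ipaddress


def vlan_mac(base_mac: str, vlan_id: int) -> str:
    """Derive a stable, locally administered unicast MAC for a VLAN sub-interface.

    Bit 1 of the first octet is set (locally administered) and bit 0 cleared
    (unicast); the VLAN ID goes in the last two octets so every sub-interface
    is unique and easy to spot in the switch's MAC table.
    """
    octets = [int(x, 16) for x in base_mac.split(":")]
    if len(octets) != 6 or not 1 <= vlan_id <= 4094:
        raise ValueError("bad MAC or VLAN id")
    first = (octets[0] | 0x02) & 0xFE
    tail = [(vlan_id >> 8) & 0xFF, vlan_id & 0xFF]
    return ":".join(f"{b:02x}" for b in [first, *octets[1:4], *tail])


def netplan_config(parent: str, base_mac: str, vlans: dict[int, str]) -> str:
    """Return netplan YAML: untagged parent without an address, one sub-interface per VLAN."""
    lines = [
        "network:",
        "  version: 2",
        "  ethernets:",
        f"    {parent}:",
        "      dhcp4: false",          # the parent itself carries no IP
        "  vlans:",
    ]
    for vid, cidr in sorted(vlans.items()):
        ipaddress.ip_interface(cidr)   # rejects malformed addresses early
        lines += [
            f"    {parent}.{vid}:",
            f"      id: {vid}",
            f"      link: {parent}",
            f'      macaddress: "{vlan_mac(base_mac, vid)}"',
            f"      addresses: [{cidr}]",
        ]
    return "\n".join(lines) + "\n"


def ip_commands(parent: str, base_mac: str, vlans: dict[int, str]) -> list[str]:
    """Non-persistent iproute2 equivalent, handy for testing before writing netplan."""
    cmds = [f"ip link set dev {parent} up"]
    for vid, cidr in sorted(vlans.items()):
        dev = f"{parent}.{vid}"
        cmds += [
            f"ip link add link {parent} name {dev} type vlan id {vid}",
            f"ip link set dev {dev} address {vlan_mac(base_mac, vid)}",
            f"ip addr add {cidr} dev {dev}",
            f"ip link set dev {dev} up",
        ]
    return cmds


# Assumed layout: the DNS host gets .53 in every client VLAN it serves.
VLANS = {10: "10.0.10.53/24", 20: "10.0.20.53/24", 30: "10.0.30.53/24"}

if __name__ == "__main__":
    print(netplan_config("eth0", "d8:3a:dd:11:22:33", VLANS))
    print("\n".join(ip_commands("eth0", "d8:3a:dd:11:22:33", VLANS)))
```

Because the resolver then has a leg directly in each client VLAN, queries and replies never cross VLANs and the gateway's isolation setting is not involved at all; the same trick works for a printer host, but a hardware printer with one port needs the separate-VLAN approach described earlier in the thread. Put the default route on only one of the sub-interfaces, and make sure the switch port is a trunk that tags every VLAN listed.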