Omada Gateway (ER8411) Applying NAT to Inter-VLAN Traffic After Firmware Update
Hi all,
I'm hoping someone can help me with a frustrating issue that appeared after a firmware update. I've already opened a ticket with TP-Link, but I'm hoping the community might have a faster solution.
My Setup:
-
Gateway: TP-Link Omada ER8411 (Upgraded from 1.3.1 to 1.3.2, now downgraded back to 1.3.1).
-
Controller: Omada OC200
-
Client Network: VLAN 10 (
192.168.0.0/24) -
Server Network: VLAN 50 (
10.10.5.0/24) -
Reverse Proxy: Nginx Proxy Manager on VLAN 50, with ACLs to only allow access from local subnets.
The Problem:
Since upgrading the gateway firmware, all traffic routed between my VLANs is being subjected to Source NAT (SNAT).
For example, when a client on 192.168.0.30 tries to access a service on VLAN 50, my reverse proxy no longer sees the client's true local IP. Instead, it sees my public WAN IP address, causing my local-only ACLs to block the request with a 403 Forbidden.
Here's the NPM log showing the public IP:
[04/Aug/2025:13:32:50 +0000] - 403 GET https omada.mydomain.com "/favicon.ico" [Client my.public.ip.address] ...
This started immediately after the firmware update. Downgrading the firmware did not fix it, suggesting a persistent configuration change pushed by the controller.
My Diagnosis:
The gateway is applying a hidden, default Masquerade policy to all routed traffic, including local inter-VLAN traffic. The Omada Controller UI appears to have no obvious way to disable this behavior.
What I've Already Tried:
-
Confirmed DNS is correct. My internal DNS resolves local services to their correct private IPs on the
10.10.5.0/24network. -
Checked Firewall ACLs. I have a
LAN > LANPermitrule for traffic between these two VLANs. I've checked the advanced settings for this rule, and there is no option to disable NAT. -
Checked NAT Settings. The
Settings -> Transmission -> NATsection only shows my Port Forwarding (DNAT) rules. There are no visible Outbound/Source NAT rules, and no apparent way to create an exception rule. -
Ruled out client issues. The problem is confirmed with
curlfrom the command line and occurs across multiple devices.
My Question:
Has anyone with a similar Omada setup run into this? Is there a hidden setting, CLI command, or a specific controller/firmware combination that fixes the inability to control NAT on inter-VLAN traffic?
Thank you!
I'm not sure I understand the reasoning behind your line of questioning, I posted the nginx logs in my previous answer to your questions, which tells that the site portainer . mydomain . com gave a 403 forbidden when accessed through a public IP address, which is the expected behavior.
The problem is nginx sees my public, ISP supplied, IP address even though the request comes from a vlan within my own network.
Below is the access list I use in NPM to prevent access to URLs I don't want accessible from outside my network. The redacted IP address is my public, ISP provided IP address that I've had to add as a temporary workaround, until I can figure out the root cause of why a request coming from the 192.168.0.0/24 network gets re-written as coming from the public internet when crossing vlans.
