Knowledge Base Guide - Fine access control between site networks over IPsec site-to-site or SD-WAN
This guide will show you how to create fine-grained access control between networks on different sites when they are all linked together by either site-to-site VPNs or SD-WAN.
Prerequisites:
2+ Omada-gateway-based sites, an Omada Controller, and VPNs or SD-WAN between the sites already established, with the Omada controller fully connected to all gateways. All gateways need to be on 5.15-adapted firmware or later to allow the "! IP_GROUP" (NOT ip_group) type of ACL match.
The problem:
When establishing site-to-site VPNs or SD-WAN, each site has full access to all the networks on all the other sites that are included in the tunnel. Without ACLs in place, this could allow communication between different networks at different sites that you don't want to allow. This guide will show you how to control this.
This Example:
- Management LAN at each site - 192.168.0.0/24 and 172.20.0.0/24
- Technical LAN at each site - 192.168.2.0/24 and 172.20.2.0/24
- Office LAN at each site - 192.168.4.0/24 and 172.20.4.0/24
Goal:
- Allow the management LANs at each site to freely communicate to maintain full Omada control
- Allow the Technical LAN at each site to communicate with each other but not the management or office LANs
- Allow the Office LAN at each site to communicate with each other but not the management or technical LANs
How to configure:
We will be using stateful gateway ACLs on the WAN IN direction at each site to control access between all the LANs.
Step One
Create 3 IP groups at each site:
Group 1 - "VPN_Management" - This includes the management LANs of all sites
Members - 192.168.0.0/24, 172.20.0.0/24
Group 2 - "VPN_Technical" - This includes the technical LANs of all sites
Members - 192.168.2.0/24, 172.20.2.0/24
Group 3 - "VPN_Office" - This includes the office LANs of all sites
Members - 192.168.4.0/24, 172.20.4.0/24
Step Two
Create the gateway ACLs in the following format, one for each IP group. Create them at every site where you want the rules to take effect:
Deny > WAN IN > Protocol All
"!VPN_Management" > "VPN_Management"
"!VPN_Technical" > "VPN_Technical"
"!VPN_Office" > "VPN_Office"
How this works:
Since the ACLs are set as NOT_IP_Group > IP_Group, each rule disallows anything that IS NOT in the IP group from accessing anything inside that same IP group. So we don't need to make multiple IP groups for all the individual LANs; we can use one group for each side of the rule. Because all the LANs of the same category from all sites are in the same group, all sites can communicate within that category without generating multiple rules for the scope of that group.
With the flexibility of the new-style ! (NOT) rule it also means we don't have to set any explicit ALLOW rules, which can open your network up to IP spoofing. The firewall will continue to drop everything that isn't specifically in the rule list.
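To check what this rule set actually permits before rolling it out, here is an added simulation of the three NOT-group deny rules above; it is example code written for this guide, not anything from Omada or TP-Link. It assumes the controller evaluates WAN IN rules top to bottom, first match wins, and that a flow matching no rule is permitted (which is what a deny-only rule set relies on); the stateful gateway then allows the return traffic of any flow that was permitted in. The host addresses and the extra 10.99.0.0/24 and 172.20.99.0/24 networks are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Tuple

# The three IP groups from Step One, one member network per site per role.
IP_GROUPS: Dict[str, List[ipaddress.IPv4Network]] = {
    "VPN_Management": [ipaddress.ip_network("192.168.0.0/24"),
                       ipaddress.ip_network("172.20.0.0/24")],
    "VPN_Technical":  [ipaddress.ip_network("192.168.2.0/24"),
                       ipaddress.ip_network("172.20.2.0/24")],
    "VPN_Office":     [ipaddress.ip_network("192.168.4.0/24"),
                       ipaddress.ip_network("172.20.4.0/24")],
}

# The gateway ACLs from Step Two (WAN IN, protocol all), in order.
# A selector starting with "!" means "any address NOT in that group".
ACL_RULES: List[Tuple[str, str, str]] = [
    ("deny", "!VPN_Management", "VPN_Management"),
    ("deny", "!VPN_Technical",  "VPN_Technical"),
    ("deny", "!VPN_Office",     "VPN_Office"),
]


def in_group(addr: str, group: str) -> bool:
    """True if addr falls inside any member network of the named IP group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in IP_GROUPS[group])


def matches(addr: str, selector: str) -> bool:
    """Apply a rule selector; a leading '!' inverts the group membership test."""
    if selector.startswith("!"):
        return not in_group(addr, selector[1:])
    return in_group(addr, selector)


def evaluate(src: str, dst: str) -> str:
    """Action for the first packet of a flow arriving on WAN IN from the tunnel.

    Assumption: first matching rule wins, and a flow that matches no rule is
    allowed. Only the initiating direction is checked; the stateful firewall
    handles the replies of an allowed flow.
    """
    for action, src_sel, dst_sel in ACL_RULES:
        if matches(src, src_sel) and matches(dst, dst_sel):
            return action
    return "allow"


# One constructed sample host per role at site A (192.168.x) and site B (172.20.x).
SAMPLE_HOSTS: Dict[str, Tuple[str, str]] = {
    "Management": ("192.168.0.10", "172.20.0.10"),
    "Technical":  ("192.168.2.10", "172.20.2.10"),
    "Office":     ("192.168.4.10", "172.20.4.10"),
}


def policy_matrix() -> Dict[Tuple[str, str], str]:
    """Evaluate site A role -> site B role for every pair of roles."""
    result: Dict[Tuple[str, str], str] = {}
    for src_role, (src_a, _) in SAMPLE_HOSTS.items():
        for dst_role, (_, dst_b) in SAMPLE_HOSTS.items():
            result[(src_role, dst_role)] = evaluate(src_a, dst_b)
    return result


if __name__ == "__main__":
    for (s, d), action in policy_matrix().items():
        print(f"{s:>10} (site A) -> {d:<10} (site B): {action}")
    # Two cases worth knowing about before deploying:
    print("ungrouped 10.99.0.5 -> management:", evaluate("10.99.0.5", "172.20.0.10"))
    print("technical -> ungrouped 172.20.99.5:", evaluate("192.168.2.10", "172.20.99.5"))
```

Running it shows the goal is met: the diagonal (management to management, technical to technical, office to office) is allowed and every cross-role pair, including management to technical and management to office, is denied. The two extra checks at the end illustrate the edge to watch: an address that belongs to no group is still blocked from reaching any grouped LAN (it is "NOT" in every group), but a LAN that you forgot to put in any group is reachable from every site, because no rule names it as a destination. Any network carried over the tunnel should therefore be a member of exactly one group.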