Need help setting up ACLs

Tuesday - last edited Yesterday
Tags: #ACL
Hardware Version:
Firmware Version: latest everywhere

Hi everyone,

I could use some guidance with ACLs. I need to implement them, but I’d like a review first so I don’t accidentally break my home network.

I have five VLANs—trusted, camera, IoT, guest, and work—and I’m considering the following gateway/switch ACL setup. My network is a full Omada setup with the SDN controller running on Proxmox, along with the gateway, switch, and EAPs:

Gateway ACLs:  
 ALLOW   FROM: VLAN 20   → TO: WAN TCP/UDP: 123  # NTP  
 DENY    FROM: VLAN 20   → TO: WAN  
 DENY    gateway web ui  
 ALLOW   FROM: VLAN 10   → TO: VLAN 20,30,50  
 DENY    FROM: VLAN 20   → TO: VLAN 10, 30, 40, 50  
 DENY    FROM: VLAN 30   → TO: VLAN 10, 20, 40, 50  
 DENY    FROM: VLAN 40   → TO: VLAN 10, 20, 30, 50  
 DENY    FROM: VLAN 50   → TO: VLAN 10, 20, 30, 40  
  
Switch ACLs  
 ALLOW VLAN 20,30,40,50  ↔ adguard-IP-Port (bi-dir)  
 ALLOW VLAN 20,30,40,50  ↔ NPM_IP-Port (bi-dir)  
 ALLOW HA_IP             ↔ NVR_IP (bi-dir)  
 ALLOW Wireguard_Net     ↔ VLAN 10 (bi-dir)  
 ALLOW Wireguard_Net     ↔ NVR_IP (bi-dir)  
 ALLOW Wireguard_Net     ↔ MacGroup_Shellies (bi-dir)  
 ALLOW MacGroup_Shellies ↔ mqtt_IP-Port (bi-dir)  
  
Legend:  
 Wireguard_Net     → 10.10.10.0/24 TCP/UDP  
 HA_IP             → 192.168.10.18 TCP/UDP  
 MacGroup_Shellies → all Shellies mac address TCP/UDP  
 NVR_IP            → 192.168.20.2 TCP/UDP  
 mqtt_IP-Port      → 192.168.10.20:1883 TCP  
 adguard-IP-Port   → 192.168.10.22:53 TCP/UDP  
 NPM-IP-Port       → 192.168.10.17:80,443 TCP  

some notes:

  • Most of the Shellies are Gen4 Zigbee; some are Wi-Fi but use MQTT to a dedicated broker.

  • Wireguard_Net is the network I've configured in the Omada controller. I need to be able to check devices and services in the trusted VLAN plus the Shelly web UI in case Proxmox goes down.

Is this setup correct or should I change something? AFAIK, the flow is EAP_ACLs -> Switch_ACLs -> Gateway_ACLs, that's why I've blocked them at the gateway level (also because it's stateful, so I can initiate connection from vlan10 but not from other vlans).

#1
1 Accepted Solution
Re:Need help setting up ACLs-Solution
Yesterday - last edited Yesterday

  @CableWhisperer 

Thank you for your post. Although I’m not fully aware of your exact requirements, based on your current configuration, here are some suggestions—please consider whether they can be adopted.

- The existing rule “ALLOW FROM: VLAN10 → TO: VLAN20,30,50” will also permit VLAN10 → VLAN40 (guest) traffic. If strict isolation of the guest network is required, this needs to be tightened.

- An ACL for camera VLAN (20) → NVR is missing; please add it on the switch.

- For WireGuard access to the Shelly WebUI, it’s recommended to use an IP range or static DHCP reservations instead of a MAC-based group.

After applying these settings, you can add, remove, or adjust the relevant entries to verify whether they introduce any issues.

Recommended Solution
#2
Re:Need help setting up ACLs
Yesterday

Thanks a lot for your answer. I think I'm getting more understanding of how ACLs work. So, by default everything is accessible in Omada.

If I apply the following ACLs:

Gateway ACLs:
 ALLOW   FROM: VLAN 20   → TO: WAN TCP/UDP: 123  # NTP
 DENY    FROM: VLAN 20   → TO: WAN
 DENY    gateway web ui
 DENY    FROM: VLAN 20   → TO: VLAN 10, 30, 40, 50
 DENY    FROM: VLAN 30   → TO: VLAN 10, 20, 30, 40, 50
 DENY    FROM: VLAN 40   → TO: VLAN 10, 20, 30, 50
 DENY    FROM: VLAN 50   → TO: VLAN 10, 20, 30, 40


Switch ACLs
 ALLOW VLAN 20,30,40,50  → adguard-IP-Port
 ALLOW VLAN 20,30,40,50  → NPM_IP-Port
 ALLOW NVR_IP            → HA_IP
 ALLOW MacGroup_Shellies → mqtt_IP-Port

 ALLOW VLAN 30           → 192.168.30.1/32 (network access)


I should be able to obtain:

  • no internet access for VLAN 20 (cameras)
  • no gateway web ui access for all 
  • VLAN 10 can do everything
  • VLAN 30 has client isolation (devices cannot talk to each other) but can still access the internet
  • VLAN 20 cannot access any VLAN. Same for 30, 40 and 50
  • VLAN 20, 30, 40 and 50 can access AdGuard and NPM on VLAN 10
  • NVR on VLAN 20 can access HA on VLAN 10
  • Shellies can access the MQTT broker on VLAN 10
  • wireguard (set up via controller) is able to access everything

  1. Is it correct? Or am I still missing something?
  2. Why do you say not to use the MAC group? I think it's a very nice way of grouping devices instead of adding fixed IPs.
#3
Re:Need help setting up ACLs
18 hours ago

  @CableWhisperer 

By default, on Omada all VLANs can reach each other and every VLAN can reach the WAN.
Your current configuration is basically fine—go ahead and apply it, then double-check that each rule meets your needs.

MAC groups can only match on the “source MAC”; there’s no way to match on the “destination MAC,” so flexibility is limited.
• In some Layer-3 or inter-VLAN scenarios the MAC address may be rewritten, causing ACLs to stop working.
• Swapping NICs, changing USB Wi-Fi adapters, or cloning a MAC address will also break the policy.

#4
Re:Need help setting up ACLs
13 hours ago

Unfortunately, those rules don't work. Or better, they mostly work.

I have changed them so that I have an IP-Group with all Shelly devices (vlan30) and then I'm doing:

  • Allow-Shellies-MQTT (source: ip-group shellies, dest ip-port-group mqtt-broker:1883)
  • Deny IoT-All (source: vlan30, dest: vlan 10, 20, 40, 50)

but when I try to reach the webui from any client on vlan10, I don't get a reply (of course, it's forbidden).

Now, I've tried to add a rule in the gateway ACL, but if I do there:

  • Allow VLAN10 - VLAN30
  • Deny VLAN30 - VLAN10

then the "Allow-Shellies-MQTT" rule on the switch will NOT work :(

How can I workaround the missing "ip-group" feature in the gateway acl?

#5
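The following Python model is an added example, not code from any post in this thread or from Omada. It walks a request and its reply through switch ACL, gateway ACL and switch ACL again under the behaviour the thread itself states (switch rules stateless and evaluated first, default permit everywhere, gateway rules stateful and seen only by routed traffic), and reproduces the points raised above: the accepted answer's observation that post #1's "ALLOW VLAN 10 → VLAN 20,30,50" leaves VLAN 10 → VLAN 40 permitted; the post #3 expectation that a gateway deny of VLAN 30 → VLAN 30 isolates IoT clients, which it cannot because intra-VLAN traffic is switched and never reaches the gateway; and both failures in post #5 (the Shelly web UI not replying to VLAN 10 because the stateless switch deny drops the reply leg, and the MQTT allow being overridden by the gateway's deny VLAN 30 → VLAN 10). It also tries a switch-only bi-directional allow and shows what it costs. The 192.168.<vlan>.0/24 numbering for VLANs 40 and 50, the Shelly and client addresses, and the rule encoding are assumptions; only the broker address comes from the legend.

```python
"""Toy model of the ACL pipeline discussed in this thread (added example, not Omada code).
Assumed behaviour, taken from the thread plus ordinary switching and routing:
  * switch ACLs: stateless, first match wins, default permit, applied to every frame
    entering the switch, including the reply leg of a flow;
  * gateway ACLs: stateful, first match wins, default permit, applied only to traffic
    the gateway routes (inter-VLAN or WAN), never to intra-VLAN traffic.
"""
import ipaddress

# Assumed addressing 192.168.<vlan>.0/24; the legend only implies this for VLANs 10/20/30.
VLAN_NETS = {v: ipaddress.ip_network(f"192.168.{v}.0/24") for v in (10, 20, 30, 40, 50)}

def vlan_of(ip):
    """VLAN id of an address, or 'WAN' for anything outside the five LAN subnets."""
    addr = ipaddress.ip_address(ip)
    return next((v for v, net in VLAN_NETS.items() if addr in net), "WAN")

def _ep_match(spec, ip):
    """spec: 'any', 'WAN', one VLAN id, a tuple of VLAN ids, or a frozenset of IPs (IP group)."""
    if spec == "any":
        return True
    if isinstance(spec, frozenset):
        return ip in spec
    if isinstance(spec, tuple):
        return vlan_of(ip) in spec
    return vlan_of(ip) == spec

def _rule_match(rule, pkt):
    _, src, dst, dport = rule                 # rule = (action, src spec, dst spec, dst port|None)
    src_ip, dst_ip, pkt_dport = pkt
    return _ep_match(src, src_ip) and _ep_match(dst, dst_ip) and dport in (None, pkt_dport)

def stateless(rules, pkt):
    """Switch-style evaluation: the first matching rule decides, otherwise permit."""
    for rule in rules:
        if _rule_match(rule, pkt):
            return rule[0]
    return "permit"

class Gateway:
    """Gateway-style evaluation: routed traffic only, plus a connection table for replies."""
    def __init__(self, rules):
        self.rules, self.conntrack = rules, set()

    def check(self, pkt):
        src_ip, dst_ip, _ = pkt
        if vlan_of(src_ip) == vlan_of(dst_ip):
            return "permit"                   # intra-VLAN: switched, never routed, never seen here
        if (dst_ip, src_ip) in self.conntrack:
            return "permit"                   # reply leg of a flow the gateway already accepted
        verdict = stateless(self.rules, pkt)
        if verdict == "permit":
            self.conntrack.add((src_ip, dst_ip))
        return verdict

def trace(switch_rules, gateway_rules, src_ip, dst_ip, dport):
    """Walk a request and its reply through switch -> gateway -> switch; return 'ok'
    or the first hop that drops, e.g. 'gateway:request' or 'switch:reply'."""
    gw = Gateway(gateway_rules)
    legs = (("request", (src_ip, dst_ip, dport)),
            ("reply", (dst_ip, src_ip, None)))  # reply targets an ephemeral port: match IPs only
    for leg, pkt in legs:
        if stateless(switch_rules, pkt) == "deny":
            return f"switch:{leg}"
        if gw.check(pkt) == "deny":
            return f"gateway:{leg}"
    return "ok"

# Constructed hosts; only the broker address comes from the legend.
SHELLIES = frozenset({"192.168.30.5", "192.168.30.6"})
MQTT_BROKER, TRUSTED_PC, GUEST_PC = "192.168.10.20", "192.168.10.50", "192.168.40.7"
# Post #1 gateway rules (the WAN/NTP lines are omitted: they do not touch the flows below).
POST1_GATEWAY = [("permit", 10, (20, 30, 50), None), ("deny", 20, (10, 30, 40, 50), None),
                 ("deny", 30, (10, 20, 40, 50), None), ("deny", 40, (10, 20, 30, 50), None),
                 ("deny", 50, (10, 20, 30, 40), None)]
# Post #3's IoT line, which the poster expected to keep IoT clients apart from each other.
POST3_GATEWAY_IOT = [("deny", 30, (10, 20, 30, 40, 50), None)]
# Post #5: IP-group allow plus VLAN deny on the switch; allow/deny pair on the gateway.
POST5_SWITCH = [("permit", SHELLIES, frozenset({MQTT_BROKER}), 1883),
                ("deny", 30, (10, 20, 40, 50), None)]
POST5_GATEWAY = [("permit", 10, 30, None), ("deny", 30, 10, None)]
# Switch-only variant: bi-directional VLAN 10 <-> Shellies allow placed ahead of the deny.
# Being stateless, it also lets a Shelly open connections to VLAN 10 (see shelly_to_trusted_ssh).
SWITCH_BIDIR = [POST5_SWITCH[0], ("permit", 10, SHELLIES, None),
                ("permit", SHELLIES, 10, None), POST5_SWITCH[1]]

def trusted_to_guest(): return trace([], POST1_GATEWAY, TRUSTED_PC, GUEST_PC, 80)
def iot_to_iot(): return trace([], POST3_GATEWAY_IOT, "192.168.30.5", "192.168.30.6", 80)
def shelly_to_mqtt(gw_rules, sw_rules=POST5_SWITCH):
    return trace(sw_rules, gw_rules, "192.168.30.5", MQTT_BROKER, 1883)
def trusted_to_shelly_webui(gw_rules, sw_rules=POST5_SWITCH):
    return trace(sw_rules, gw_rules, TRUSTED_PC, "192.168.30.5", 80)
def shelly_to_trusted_ssh(sw_rules): return trace(sw_rules, [], "192.168.30.5", TRUSTED_PC, 22)

if __name__ == "__main__":
    print("post #1, VLAN 10 -> guest:", trusted_to_guest(), "| post #3, IoT -> IoT:", iot_to_iot())
    print("post #5 switch only: MQTT", shelly_to_mqtt([]), "| Shelly UI", trusted_to_shelly_webui([]))
    print("post #5 + gateway pair: MQTT", shelly_to_mqtt(POST5_GATEWAY))
    print("switch bi-dir: Shelly UI", trusted_to_shelly_webui([], SWITCH_BIDIR),
          "| Shelly -> VLAN 10 ssh", shelly_to_trusted_ssh(SWITCH_BIDIR))
```

Under these assumptions the model returns `ok` for VLAN 10 → guest with post #1's rules and for IoT → IoT with post #3's deny, `switch:reply` for the Shelly web UI with post #5's switch rules (the request is permitted, the Shelly's answer is dropped by the stateless deny), and `gateway:request` for Shelly → MQTT once the gateway pair is added. The bi-directional switch variant makes the web UI reachable but, being stateless, equally permits a Shelly-initiated connection to VLAN 10; a stateful allow/deny pair can only be expressed where connection state is tracked, which in this model is the gateway.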