OC200 and ER8411 vlan to device ACL

Yesterday - last edited 15 hours ago
Model: ER8411  
Hardware Version:
Firmware Version: 1.3.2

Hi there.

I have an Omada setup with an OC200 with an ER8411 as the gateway.

Sorry if this has been covered before, I'm guessing it may have been, but I'm trying to get my IoT vlan to communicate with a single device on my main vlan.

I have set up an ACL to deny all traffic from the IoT vlan, and above this rule I've added an ACL to allow IoT traffic to access a single device (Home Assistant NUC), via an IP Group (192.xx.xx.xx/32) which sits in my main vlan. The only way I can do this is to use a LAN->WAN rule, which I'm guessing isn't correct as it doesn't seem to work.

When trying to create a LAN->LAN rule, I am unable to select IP Group as the destination, and so can't specify what the IoT vlan can access at a single IP level.

I should note that I am unable to ping anything on my main vlan from the IoT, and when I disable the "deny all" ACL it allows pings, so the ACLs are working, just not the specific one to allow IoT access to one device on the main vlan.

Am I missing something obvious here? Surely there's a way to only allow access from a vlan to one specific device on a different vlan?

Many thanks

gary

1 Accepted Solution
Re:OC200 and ER8411 vlan to device ACL-Solution
18 hours ago - last edited 15 hours ago

@gskips

Currently you can only achieve this with Switch ACLs, which allow LAN<>LAN IP Groups, but you have to have a full Omada L2+ / L3 switch to do this (minimum is the SG2008 model).

The only other way right now is to create a third vlan for the one device you want access to and from, put that device on that vlan, then you can create the necessary gateway rules.

Re:OC200 and ER8411 vlan to device ACL
18 hours ago

@GRL

Hi, thanks for your reply.

Ahh ok, being a little new to this setup, from what you are saying, if everything is through the same switch, a switch ACL will work for this?

I currently have the ER8411, with an SG2016P and 2x SG2008P attached to ports on the ER8411. My Home Assistant NUC is also attached to a port on the ER8411 (just as it's physically close to it!). The Gateway ACL doesn't seem to have any effect. But are you saying that if the Home Assistant NUC is on a port on the SG2016P the switch ACL should work? (Or if I was to get another SG2008 plugged into a port on the ER8411, as my 2016 is full.)

Am I causing issues using the LAN ports on the ER8411? Should I just use that for WAN and downlinks to the switches?

Many thanks again,

Cheers

Gary

Re:OC200 and ER8411 vlan to device ACL
18 hours ago

@gskips

Your switches support Switch ACL; that is definitely the way to go for the rules you want.

Remember ACL rules work top down in a "first match wins" fashion, so you want the allow rule above the rules that block.

Also note switch rules are not stateful, so you will inherently have to have an allow rule for both directions.

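The two points in this reply (rules are matched top down, first match wins, and a stateless switch ACL needs a permit in each direction) as an added Python model; this is not code from the thread or from Omada, and the subnets and NUC address are constructed assumptions, since the post only gives 192.xx.xx.xx/32:

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed addressing (assumption): the thread only gives 192.xx.xx.xx/32 for the NUC.
IOT_VLAN = ip_network("192.168.20.0/24")
MAIN_VLAN = ip_network("192.168.10.0/24")
HA_NUC = ip_network("192.168.10.50/32")   # the single permitted host, as an IP Group /32

@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network

def evaluate(rules, src, dst, default="permit"):
    """Stateless, top-down, first match wins: every packet is judged on its own.
    The default models the assumption that traffic matching no rule passes."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action
    return default

def exchange_allowed(rules, client, server):
    """A request and its reply: with no connection tracking, both legs must hit a permit."""
    return (evaluate(rules, client, server) == "permit"
            and evaluate(rules, server, client) == "permit")

# Wrong order: the deny sits above the allow, so the allow can never match.
allow_below_deny = [
    Rule("deny", IOT_VLAN, MAIN_VLAN),
    Rule("permit", IOT_VLAN, HA_NUC),
]

# Right order, VLANs isolated in both directions, but only one permit:
# IoT requests reach the NUC and the NUC's replies are dropped.
allow_one_way = [
    Rule("permit", IOT_VLAN, HA_NUC),
    Rule("deny", IOT_VLAN, MAIN_VLAN),
    Rule("deny", MAIN_VLAN, IOT_VLAN),
]

# What the reply calls for: a permit above the denies for each direction.
allow_both_ways = [
    Rule("permit", IOT_VLAN, HA_NUC),
    Rule("permit", HA_NUC, IOT_VLAN),
    Rule("deny", IOT_VLAN, MAIN_VLAN),
    Rule("deny", MAIN_VLAN, IOT_VLAN),
]
```

Only `allow_both_ways` lets an IoT client complete a round trip with the NUC while every other main-vlan host stays unreachable from IoT.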
Re:OC200 and ER8411 vlan to device ACL
18 hours ago

@GRL

Great, thank you!

So I should remove anything other than switches from my ER8411, and then use switch ACLs, which should now work?

And just to confirm, good practice is just to use the ports on the ER8411 as downlinks to any switches I have on the network and not other devices?

Thanks

Re:OC200 and ER8411 vlan to device ACL
18 hours ago

@gskips

Switch rules can only work on traffic that goes through them. In general most networks will have a central switch and everything spreads out from that. It's not a requirement, but it tends to be the default design for good reason.
