7
Votes

Increase limit of MAC groups

 
Re:Increase limit of MAC groups
a week ago

@NeilR_M currently around 200, but still growing.

#12
Re:Increase limit of MAC groups
Friday - last edited Friday

@NeilR_M We are in the same situation, but we are also running into significant limitations with the IP group cap, which I believe is currently limited to 16.

 

On the MAC side, we operate 6 SSIDs and roughly 20 VLANs. Some of these rely on blocklists and others on allowlists for device access, so the 8 MAC group limit makes it difficult to implement the protections we need. We reach the group limits very quickly.

 

For IP groups, we organize machines into functional classes for firewall configuration on our other appliances. Examples include DMZ web servers, clients permitted to use mail relays, and other service-based groupings. In total we have about 85 of these groups. Firewall rules reference these groups instead of individual IPs, which makes management much easier because we only need to update group membership when hosts are swapped, added, or removed.

 

It’s difficult to believe this is due to a hardware limitation. Our previous lab environment used a commodity EdgeRouter-X, which supported more firewall rules and group objects than the Omada controller currently allows. Because of these constraints, our ER8411 is currently functioning only as a router, and we had to deploy a separate appliance to handle firewalling and other policy controls.

#13