Omada Switch ACLs for established state
Hi there,
just started my Omada SDN Setup. The main parts are:
* Controller OC200 v1.0 (Firmware 1.7.3 Build 20201119 Rel.63433, Controller Version 4.2.8)
* Gateway TL-R605 v1.0 (Firmware 1.0.0)
* Switch TL-SG2008P v1.0 (Firmware 1.0.0)
I wonder how to configure the following (pretty common I guess) setup:
* VLAN 1 as main VLAN
* VLAN 2 as IoT VLAN
1. I want to deny traffic from VLAN 2 to VLAN 1 (this worked pretty easy by adding a switch ACL rule for that)
2. I still want to allow (initiated) traffic from VLAN 1 to VLAN 2 so that I can for example access my IP camera
But for this to work I need something that is normally referred to as a firewall rule, that allows established connections from VLAN 2 to VLAN 1. How can this be done? I cannot find it in Omada. I also tried to set it up by running all the devices in standalone mode, but even there I could not find a way to create an ACL rule that matches on established connections.
Any help would be appreciated.
Christian
Switch and EAP ACLs don't have the features for preserving states. It's only on Gateway which means if you block traffic on EAP or switch and your device is directly connected to either eap or switch your request won't even reach the gateway. At least that's how I understand it.
You would need to have rules on Gateway lvl
Permit secured_network -> IoT_network (match related/established state)
Deny IoT -> Other networks
It's also worth turning on the mDNS feature, which allows you to easily discover cast devices on IoT networks like Chromecast or Google Home etc. Without this enabled you won't see the cast option even though you might have the correct ACL settings.
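To make the stateless-versus-stateful distinction in the reply above concrete, here is a small added model (not code from the thread or from TP-Link): a switch-style ACL judges each packet on its header alone, so the camera's reply from VLAN 2 is caught by the "deny VLAN 2 -> VLAN 1" rule, whereas a gateway-style ACL with a connection table lets the reply through as established/related traffic. Network names, ports, rule order and the implicit-permit default are all assumptions of the model.

```python
# Added example, not from the thread or from TP-Link: a toy model of why a
# stateless switch ACL cannot permit only *return* traffic, while a gateway
# rule with a connection table can. Names, ports and rules are constructed.
from collections import namedtuple

MAIN_VLAN, IOT_VLAN = "vlan1", "vlan2"
Packet = namedtuple("Packet", "src_net dst_net src_port dst_port")
Rule = namedtuple("Rule", "action src_net dst_net track_state", defaults=[False])

def flow_key(p, reverse=False):
    """5-tuple style key; reverse=True gives the key of the opposite direction."""
    fwd = (p.src_net, p.src_port, p.dst_net, p.dst_port)
    return (fwd[2], fwd[3], fwd[0], fwd[1]) if reverse else fwd

class StatelessACL:
    """Switch/EAP style: every packet is judged on its header alone."""
    def __init__(self, rules): self.rules = list(rules)
    def evaluate(self, p):
        for r in self.rules:
            if (r.src_net, r.dst_net) == (p.src_net, p.dst_net):
                return r.action
        return "permit"             # assumed implicit default

class StatefulACL(StatelessACL):
    """Gateway style: replies to tracked connections bypass the rule list."""
    def __init__(self, rules):
        super().__init__(rules); self.conns = set()
    def evaluate(self, p):
        if flow_key(p, reverse=True) in self.conns:   # established/related
            return "permit"
        for r in self.rules:
            if (r.src_net, r.dst_net) == (p.src_net, p.dst_net):
                if r.action == "permit" and r.track_state:
                    self.conns.add(flow_key(p))       # remember the flow
                return r.action
        return "permit"

def camera_scenario(acl):
    """Verdicts for: main->camera request, camera's reply, unsolicited IoT->main."""
    request = Packet(MAIN_VLAN, IOT_VLAN, 50000, 554)
    reply = Packet(IOT_VLAN, MAIN_VLAN, 554, 50000)
    unsolicited = Packet(IOT_VLAN, MAIN_VLAN, 40000, 22)
    return tuple(acl.evaluate(p) for p in (request, reply, unsolicited))

SWITCH_RULES = [Rule("deny", IOT_VLAN, MAIN_VLAN)]
GATEWAY_RULES = [Rule("permit", MAIN_VLAN, IOT_VLAN, track_state=True),
                 Rule("deny", IOT_VLAN, MAIN_VLAN)]

if __name__ == "__main__":
    print("switch ACL :", camera_scenario(StatelessACL(SWITCH_RULES)))
    print("gateway ACL:", camera_scenario(StatefulACL(GATEWAY_RULES)))
```

The switch model permits the request but drops the camera's reply; the gateway model permits both while still dropping a connection the IoT VLAN initiates on its own.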
@chrisro I suspected something like that but still wasn't sure. Just thought that SDN is smart enough to figure that out by itself. Thanks a lot for advice. Have reworked my ACLs on the switch side and it works now as expected
@chrisro - how did you get the states options? I haven't been able to find them anywhere and have trawled the internet with no success. I have the same screen but no state options. I'm using an ER605 with the controller software installed on a Raspberry Pi, I presume that as it's software defined then it doesn't make much of a difference.
@Mr_Tom_S It's not released for the ER605 yet.
@supermarkert - thank you, at least I'm not going mad! Do you know when/if it's being released on the ER605, is it on the ER7206? I had presumed that being software defined that it would be available on both.
@Mr_Tom_S It appears to have been released for the ER7206, according to previous posts within this very topic.
I just found this thread, much to my dismay, after spending good money on an Omada Router, Switch and EAP.
I cannot believe there is no native functionality to allow established connections but deny connections initiated from VLANs... it beggars belief.
Wish I could send this all back now.
I'm running a V2.0 ER-605 with Firmware Version: 2.1.0 Build 20221230 Rel.55248.
The ER-7206 functionality noted in post #28 by @chrisro is available in the ER-605. Was added in the latest firmware update.
It would be great to hear what others think about application of this new functionality.