Block WAN access for individual clients
Block WAN access for individual clients
I have several wireless cameras that I would like to connect to my EAP225 and be able to view them locally with my phone or other device, but I do not want them to be able to access the WAN for upload or download. What is the best way to do that with the omada controller?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
I believe if you will assign static private IP addresses to these cameras, simply dont assign the gateway and DNS. Just have IP address and subnet mask and without gateway address set up on the cameras, these cameras cannot route to Internet.
- Copy Link
- Report Inappropriate Content
You can put the clients you want to block in an IP or mac group. If you use an IP group you need to reserve the IPs for the clients. Then implement an ACL at the switch or eap level to deny access from the group to the router's IP. The group members will still be able to get an IP address, but won't be able to access the internet.
- Copy Link
- Report Inappropriate Content
Thanks, I started to do this but got confused in setting up the rule. Correct me if I'm wrong, but I guess I should make a IP group that is just the IP of the router and deny access from the IP group that I will use to assign my fixed IPs to the clients I don't want to access WAN.
Right now I have my Network IP Range as 192.168.2.1 - 192.168.3.254 and the IP group that I want to block will be 19.2.168.3.x. But it requires my DHCP range include that which is in my IP group. How do I prevent the router from assigning a client to an IP inside my group's range in the future?
- Copy Link
- Report Inappropriate Content
Unless you have multiple subnets and you do want to access these cameras from a different subnet / vlan, why will you not try my method that will still allow cameras to talk to your NVR in the same subnet and without a gateway IP on the cameras (and you need static IPs for that), it will not let these cameras go to Internet.
The other method suggested will work perfectly but only if you have good understanding of how ACLs work and how to correctly apply them. I use thse features on Omada to create isolated Guest environment, allowing them to get to a radius server that hosts login splash page (that is on a management vlan), but then not allow access to anything else. Guest get IP address from a guest router like Mikrotik, which then tells the client to redirect to this radius server based login page. So in my case, I cannot simply use the built in Guest check box under SSID set up, but using the ACL / under network security / ACL / EAP ACL, it is able to meet my needs.
So try the easy way as I suggested and if it does not meet the needs, then try the other suggested method.
And to exclude these static IPs range, just edit the dhcp scope range under settings / wired networks / LAN, dhcp range.
- Copy Link
- Report Inappropriate Content
Correct, create one group with the clients you want to block 192.168.3.1/24 and one with just the router IP. Create a switch or EAP ACL to deny access from clients group to router group. When reserving IPs Omada requires it to be within the DHCP range. I believe they plan to fix this in a new release. To get around this you can widen the DHCP range, reserve the IPs, and then narrow the range so the clients are outside of the DHCP range.
- Copy Link
- Report Inappropriate Content
Thank you for the suggestion. This does sound like a fairly simple idea, unfortunately when you set up a fixed IP for a client the only thing you can choose is the IP. It does not ask for a subnet or default gateway like most routers.
I had almost discovered that work around of setting it within the DHCP range, setting the fixed, and putting it back. Thanks, for the help. I have them all successfully isolated.
- Copy Link
- Report Inappropriate Content
Maybe I am just a bit thick! I have 3 VLANs setup and I am propertly blocking/ segregating traffic between the VLANs as intended (e.g. kids and IOT seperated from my main PC/ devices).
I can't for the life of me block individual devices, groups of devices or specific VLANs from accessing the internet. I have been trying with one device to see if I can get it working and can't thus why I am asking for help! Here is the info on the one device:
Gateway - TL-R605 v1.0
Managed Switch - TL-SG2428P v1.0
The device in question is connected via ethernet cable to the switch with VLAN 10 and subnet 192.168.10.1/24. IP address internally is 192.168.10.213.
I tried creating 2 IP groups one with the subnet above and another for the router (192.168.1.1/24) with it denying from the device IP group to the router IP group but the device appears to be connecting to the internet. I also tried using a MAC group for the device in question and denying in the switch ACL rule from the AMC group to the router IP group. I also tried denying the VLAN to the router IP group.
I clearly am doing something wrong in the set-up/ info entry and would appreciate some help.
Thanks in advance,
- Copy Link
- Report Inappropriate Content
Try writing a Gateway deny ACL from your vlan or groups to destination IPGroup_any. This should work for vlans and ipgroups, but probably not for mac groups.
- Copy Link
- Report Inappropriate Content
@1207 I tried your suggestion and it didn't seem to do anything for the device in question.
Blocking a device or group of devices should be a pretty straight forward thing to do and it doesn't seem to work or be that easy in Omada. If someone has actually got this to work I would appreciate your help as I don't see a setting/ option that I am not selecting correctly.
Thanks,
- Copy Link
- Report Inappropriate Content
Not sure what is wrong, but I have several gateway ACL's blocking WAN access to vlans and ipgroups. You may want to post a screen shot of the your ACL.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 9866
Replies: 16
Voters 0
No one has voted for it yet.