Switch ACL blocking acting bidirectionally instead of just one way
I have a network with 3 distinct IP Ranges. The first range I use for management, the second range I use for my family's activities including wired and wireless device connections, video streamers, printers and the like. Because my family isn't very sophisticated, I isolated my personal computer and backup devices on a 3rd IP range. I want to access any address on the second IP range from my PC in the third IP range, but don't want any device on the 2nd range to be able to initiate a connection to the third range.
Problem is that when I institute the switch ACL rule, it is blocking traffic in both directions, not just one. I am stumped and not a network specialist so am looking for guidance.
Network Topology (note all devices have been updated to the most recent stable release).
Omada OC200 Controller
Router: ER7206 v1.0
Switch #1: TL-SG2008P v1.0
Switch #2: T1500G-10PS v2.0
Multiple TP-Link Omada APs
My networks are configured as follows:
Network 1 --- Management Network
Configured as Interface
All wan and lan interface boxes checked.
VLAN ID 1
Gateway Subnet: 192.168.5.1/24
Gateway IP 192.168.5.1
Network IP Range 192.168.5.1 - 192.168.5.254
Network Subnet Mask 255.255.255.0
DHCP Server Enabled
Default Gateway Auto
Network 2: Household Network
Configured as Interface
All wan and lan interface boxes checked.
VLAN ID 100
Gateway Subnet: 192.168.100.1/24
Gateway IP 192.168.100.1
Network IP Range 192.168.100.1 - 192.168.100.254
Network Subnet Mask 255.255.255.0
DHCP Server Enabled
Default Gateway Auto
Network 3: MYNet
Configured as Interface
All wan and lan interface boxes checked.
VLAN ID 104
Gateway Subnet: 192.168.104.1/24
Gateway IP 192.168.104.1
Network IP Range 192.168.104.1 - 192.168.104.254
Network Subnet Mask 255.255.255.0
DHCP Server Enabled
Default Gateway Auto
My personal computer is connected to Switch #2: the T1500G-10PS v2.0 on port 1 with a Port Profile of MYNet (network 3)
Without any ACL rules applied, I can see all of Network 2 from Network 3 and vice versa. When I apply the following ACL rule using the Omada Network Controller interface, I can no longer see devices on Network 2 from Network 3 nor Network 3 from Network 2. My intent is to see Network 2 from 3 but NOT network 3 from 2.
ACL Switch Rule:
Name: Protect MYNet
Policy: Deny
Protocols: ALL
EtherType: NOT Enabled
Bi-Directional: NOT Enabled
Rule (Source): Network = Household
Rule (Destination): Network = MYNet
Binding Type: Ports
Ports: All Ports
Any guidance as to where I have gone wrong would be appreciated ... and thanks.
P.S. A separate rule that I created to protect the Management network from the Household network functioned as intended.
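The following is an added illustration, not part of the original post, of why a one-directional deny can appear to block both directions. It assumes (the post does not say so) that the switch ACL is evaluated per packet with no connection tracking, so the replies to a connection the PC opens are matched as Household -> MYNet packets; the addresses and ports are constructed for the example, taken from the post's subnets.

```python
import ipaddress

# Networks from the post: Household (VLAN 100) and MYNet (VLAN 104).
HOUSEHOLD = ipaddress.ip_network("192.168.100.0/24")
MYNET = ipaddress.ip_network("192.168.104.0/24")
# The "Protect MYNet" rule as posted: Deny, Source=Household, Destination=MYNet, all protocols.
RULES = [("deny", HOUSEHOLD, MYNET)]

def stateless_acl(pkt):
    """Per-packet check (assumed switch behaviour): first matching rule wins, else permit."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for action, s_net, d_net in RULES:
        if src in s_net and dst in d_net:
            return action
    return "permit"

class StatefulAcl:
    """Same rule plus connection tracking: replies to an already permitted flow pass."""
    def __init__(self):
        self.flows = set()

    def decide(self, pkt):
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if rev in self.flows:  # reply to a flow permitted earlier
            return "permit"
        verdict = stateless_acl(pkt)
        if verdict == "permit":
            self.flows.add(fwd)
        return verdict

# Constructed packets: PC on MYNet opens TCP/9100 to a Household printer;
# the printer's SYN-ACK then travels Household -> MYNet.
PC_TO_PRINTER = [
    {"src": "192.168.104.20", "sport": 50000, "dst": "192.168.100.50", "dport": 9100},
    {"src": "192.168.100.50", "sport": 9100, "dst": "192.168.104.20", "dport": 50000},
]
# Constructed packet: a Household device initiating a connection toward the PC.
HOUSEHOLD_INITIATES = [{"src": "192.168.100.50", "sport": 40000, "dst": "192.168.104.20", "dport": 445}]

def verdicts():
    """Verdicts per packet: (stateless PC flow, stateful PC flow, stateless Household-initiated)."""
    stateful = StatefulAcl()
    return ([stateless_acl(p) for p in PC_TO_PRINTER],
            [stateful.decide(p) for p in PC_TO_PRINTER],
            [stateless_acl(p) for p in HOUSEHOLD_INITIATES])
```

Under the stateless model the PC's outgoing SYN is permitted but the printer's reply is denied, so the connection never completes, while a Household-initiated connection is denied in both models; only the connection-tracking variant lets the reply through.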