ACL on Omada with EAP245 and ER605
Hello,
I'm using the software Omada Controller on a Raspberry Pi with EAP245's and an ER605 Router - all adopted in Omada.
I need to prevent Internet Access for a few devices from 6PM to 8AM. I have tried using ACL to do this but it prevents the entire network from accessing the Internet.
Can someone guide me on how to do this? I think the problem lies in the IP group - it asks for a subnet and I'm not sure what I need to enter here. I would just like to block a few IP's / MAC Addresses.
Thanks.
You have some choices, but let's say you have 3 teenagers you want to get some sleep. You can either corral them into a small block of IP's and then operate on that, or you can add them as individual hosts (either way, you want to have a DHCP reservation for the MAC addresses of those devices or this won't work permanently)
Adding 3 users to a Profile:
or if you statically assigned them IP addresses in the controller in a contiguous block, say 192.168.1.243, 192.168.1.244 and 192.168.1.245 you can treat this block as a small subnet like this:
what this does is apply a filter so that all IP addresses from 192.168.1.240 through 192.168.1.247 are managed at once.
then you simply Apply your newly created Profile->Group to your ACL rule.
Now teenagers being teenagers, the very first thing they will do is statically configure their devices to a different unmanaged IP in the same subnet and circumvent all your good work. So what you really want to do is operate on their MAC addresses (unique to the hardware and much harder to change)
Same basic idea but now you add the MACs to the Profile instead of the IPs. You can get the MAC corresponding to the client from the 'Clients' page on your controller.
@msb1 my pleasure :)
Google CIDR for details, but basically it represents the subnet mask of the subnet in question. An ipv4 subnet mask is made of 4 bytes, each with 8 bits, so 32 in total.
You may be familiar with a subnet mask of say 255.255.255.0? Well that's a /24....because the first 24 bits are ones, for example:
11111111.11111111.11111111.00000000
The /29 I used in my example is the same as a 255.255.255.240 because only the last 3 bits are zeroes.
A unique host ip is defined as a network of 255.255.255.255 or /32.
HTH
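A worked example, added here and not part of this thread or of Omada's own software, that models the rule the replies above describe: the Profile->Group is a set of CIDR blocks, and the deny rule fires when a client's IP is inside one of those blocks and the clock is inside the 6PM to 8AM window. It uses the 192.168.1.243-245 addresses from the reply above; the function names are my own. It computes the smallest block that covers those three hosts, the dotted mask for a given prefix length, which neighbouring addresses the block sweeps in, and why a group that spans the whole LAN denies every client, which is the symptom in the original question.

```python
"""Model of an Omada-style 'IP group + schedule' deny rule (example code,
not TP-Link's). Names and the constructed sample addresses are assumptions."""
from datetime import time
from ipaddress import IPv4Address, IPv4Network, ip_network


def smallest_block(hosts):
    """Smallest single CIDR block (what the 'subnet' field wants) that
    contains every host in `hosts`. Widens the prefix one bit at a time
    starting from the lowest address until the highest address fits."""
    addrs = sorted(IPv4Address(h) for h in hosts)
    lo, hi = addrs[0], addrs[-1]
    for prefix in range(32, -1, -1):
        net = ip_network(f"{lo}/{prefix}", strict=False)
        if hi in net:
            return net
    raise ValueError("unreachable: /0 contains everything")


def prefix_to_mask(prefix):
    """Dotted-decimal mask for a /prefix length, e.g. 24 -> 255.255.255.0."""
    return str(IPv4Network(f"0.0.0.0/{prefix}").netmask)


def swept_in(net, hosts):
    """Addresses inside `net` that were NOT in the intended host list.
    These neighbours get the same treatment as the targeted devices,
    so check them before applying the rule."""
    wanted = {IPv4Address(h) for h in hosts}
    return [str(a) for a in net if a not in wanted]


def in_window(now, start=time(18, 0), end=time(8, 0)):
    """True if wall-clock `now` is inside [start, end).
    A window whose end is earlier than its start wraps past midnight
    (the 6PM-8AM case), which is the edge case to get right."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def blocked(client_ip, groups, now):
    """Deny when the client is in any group network AND the schedule is active."""
    addr = IPv4Address(client_ip)
    return in_window(now) and any(addr in g for g in groups)


# Constructed sample: the three hosts from the reply, with DHCP reservations
# assumed so the IPs stay bound to the intended MACs.
TEENS = ["192.168.1.243", "192.168.1.244", "192.168.1.245"]
TEEN_BLOCK = smallest_block(TEENS)          # 192.168.1.240/29


if __name__ == "__main__":
    print("block:", TEEN_BLOCK, "mask:", prefix_to_mask(TEEN_BLOCK.prefixlen))
    print("also caught:", swept_in(TEEN_BLOCK, TEENS))
    for ip in ("192.168.1.244", "192.168.1.10"):
        print(ip, "blocked at 23:00:", blocked(ip, [TEEN_BLOCK], time(23, 0)))
    # A group covering the whole LAN denies everybody, including the parents.
    print("whole-LAN group blocks .10:",
          blocked("192.168.1.10", [ip_network("192.168.1.0/24")], time(23, 0)))
```

Running it shows that the tightest block for .243-.245 is 192.168.1.240/29, that the same block also covers .240-.242 and .246-.247, and that a client at .10 is untouched by the /29 group but denied by a /24 group. The schedule check is the part most often got wrong by hand: a window that crosses midnight cannot be tested with a single `start <= now < end` comparison.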
Perfect, cheers.
Option 1 seems to work. I have bound the MAC for the devices with IP's and used the IP's in the rule.
There seems to be no way to use MAC addresses for ACL for Gateways. This option for some reason only shows for Switches and I'm not using one.
Yes, the current Gateway ACLs are quite limited in my experience. I had to buy and add a switch just to isolate two VLANs from each other as the gateway was incapable of doing it in Controller mode.