Omada software controller with TP-Link ER7206 router with unifi switches behind it.

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-05-11 17:44:10
Tags: #VLAN & Multi-Networks #Switch ACL
Model: ER7206 (TL-ER7206)  
Hardware Version: V5
Firmware Version:

I have a setup at a customer's site, where I have a Cisco RV320 router with 4 VLANs. Behind the router, I have Unifi switches, which are controlled by the Unifi controller. The VLANs created on the switches are in "VLAN only" mode, which means the gateway (Cisco router) is the gateway along with the DHCP server for those VLANs. I have disabled inter-VLAN routing on the router, so the VLANs are isolated. It works great. However, when I replaced the Cisco router with a TP-Link ER7206 router along with the Omada software controller, everything works as far as creation of VLANs. However, in the switch ACL (which is the LAN port of the TP-Link router) the deny rules from source VLAN to destination VLANs don't work. Every VLAN is able to reach every other VLAN. There is no isolation. Therefore the ACLs don't work. How do I resolve this problem?

#1
Re:Omada software controller with TP-Link ER7206 router with unifi switches behind it.
2023-05-11 18:32:08
Port ACLs have historically not worked on Omada routers, you needed an Omada switch in order to implement isolation ACLs between the VLANs. I thought a recent firmware update for the 7206 had allowed LAN-LAN ACLs though...lemme confirm.
<< Paying it forward, one juicy problem at a time... >>
#2
Re:Omada software controller with TP-Link ER7206 router with unifi switches behind it.
2023-05-11 18:42:00

  @kumarullal 

Most recent firmware is here: https://community.tp-link.com/en/business/forum/topic/604258

I couldn't find anything in the 1.3.0 load above or the posted 1.2.3 or 1.2.1 loads that would make me think this had been fixed...hopefully someone else can jump in.

This older thread isn't looking good though:

https://community.tp-link.com/en/business/forum/topic/538452

<< Paying it forward, one juicy problem at a time... >>
#3
Re:Omada software controller with TP-Link ER7206 router with unifi switches behind it.
2023-05-11 18:48:26

  @d0ugmac1 

I have seen many people have a combination of TP-Link router and Unifi switches work for them.

I have tried something at my home, where I have a router and switches, both by TP-Link, that are Omada compatible.

What I tried was, instead of creating the ACL rule on the switch side, I created the rules on the gateway. I selected LAN to LAN. Then I selected a Deny rule for the source VLAN and assigned the VLANs on the destination side. I could not only isolate VLANs that way, but also saw that the source and destination rules work exactly as they are supposed to. Which means, if I deny the IoT VLAN to the Default VLAN, then IoT cannot reach the Default VLAN, but the Default VLAN can reach IoT. Which is exactly what I wanted. If I create the same rule on the switch side, then neither the Default nor the IoT VLAN can talk to the other.

So my question is, what is the difference in creating a rule on the gateway vs. the switch?

Can I create the same rule in the gateway pertaining to switches?

#4
Re:Omada software controller with TP-Link ER7206 router with unifi switches behind it.
2023-05-11 19:03:04

  @kumarullal 

The LAN-LAN ACL is the required feature. Previously it did not exist and you could only do WAN-LAN. My routers still do not have LAN-LAN so I cannot help you further with config, but it is a workable tool and you should be able to figure out a way to implement what you need with it (i.e. bi-directional ACLs to fully block VLANa from VLANb).

<< Paying it forward, one juicy problem at a time... >>
#5
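A small model of the behaviour reported in posts #4 and #5, added here as an illustration and not taken from the thread or from TP-Link. It assumes the gateway ACL tracks connections while the switch ACL matches every packet on its own; the subnets, host addresses and class names are constructed for the example.

```python
# Added illustration: a toy model, not Omada code. All addresses are constructed.
from ipaddress import ip_address, ip_network

VLANS = {"Default": ip_network("192.168.0.0/24"), "IoT": ip_network("192.168.20.0/24")}
PC, CAMERA = "192.168.0.10", "192.168.20.50"   # one host in each VLAN
ONE_WAY = {("IoT", "Default")}                 # the single deny rule from post #4
TWO_WAY = ONE_WAY | {("Default", "IoT")}       # bi-directional rules from post #5

def vlan_of(ip):
    addr = ip_address(ip)
    return next(name for name, net in VLANS.items() if addr in net)

def denied(src, dst, rules):
    return (vlan_of(src), vlan_of(dst)) in rules

class StatelessFilter:
    """Assumed switch behaviour: each packet is matched against the rules alone."""
    def __init__(self, rules):
        self.rules = rules
    def permit(self, src, dst, is_reply=False):
        return not denied(src, dst, self.rules)

class StatefulFilter:
    """Assumed gateway behaviour: rules judge the first packet of a flow,
    and replies belonging to an already permitted flow are passed."""
    def __init__(self, rules):
        self.rules, self.flows = rules, set()
    def permit(self, src, dst, is_reply=False):
        if is_reply:
            return (dst, src) in self.flows
        if denied(src, dst, self.rules):
            return False
        self.flows.add((src, dst))
        return True

def can_connect(fw, client, server):
    # A connection is usable only if the request and its reply both get through.
    return fw.permit(client, server) and fw.permit(server, client, is_reply=True)

def reachability(fw):
    return {"Default->IoT": can_connect(fw, PC, CAMERA),
            "IoT->Default": can_connect(fw, CAMERA, PC)}

if __name__ == "__main__":
    print("gateway, one rule :", reachability(StatefulFilter(ONE_WAY)))
    print("switch, one rule  :", reachability(StatelessFilter(ONE_WAY)))
    print("gateway, two rules:", reachability(StatefulFilter(TWO_WAY)))
```

With the single rule the per-packet filter drops the camera's reply packets, so it reproduces the two-way block described in post #4, while the connection-tracking filter only stops flows that the IoT side starts.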