Wireguard VPN - allowing access to every VLAN
Has anyone been able to properly setup any ACL's for their omada wireguard vpn config's so it will not route and allow access to all the vlans in your networks? Documentation is close to meh at best for cloud omada configurations. To get to my current working configuration now I pulled info from various sources and walkthroughs none omada related and it is all running together due to the amount of different information that does and doesn't apply to omada. It seems no matter where or how I try to create an ACL I can get to any and every single one of my vlans.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @Daggett
Thanks for posting in our business forum.
Has anyone been able to properly setup any ACL's for their omada wireguard vpn config's so it will not route and allow access to all the vlans in your networks? Documentation is close to meh at best for cloud omada configurations.
The Omada Controller cloud equals the basic none-cloud one. The only difference was the adoption. Most other features are the same.
Daggett wrote
It seems no matter where or how I try to create an ACL I can get to any and every single one of my vlans.
Can you post your configuration here so that I can verify your ACL? Are you using Gateway ACL?
What other devices do you have? Switch?
- Copy Link
- Report Inappropriate Content
I have tried ACL's at every level Gateway, Switch, and EAP. At this point in time it looks to be only wired clients connected to the switch that I am able to access when connected externally with Wireguard. As for the TP Link documentation for setting up wireguard I will have to look at it again but the way it said to set up wireguard did not work for me using the hardware controller at the time which is why I looked elsewhere. Currently the config I have works minus the access accross all vlans on the with the devices plugged into the switch.
- Copy Link
- Report Inappropriate Content
Hi @Daggett
What did you put in here? Your whole LAN network?
In your ACL setup, have you tried to include the Local IP Address in your Wireguard to the ACL of "Deny"?
Your goal is to exclude Wireguard clients to access all of your VLANs. But I don't see any of the ACL you created to fit that.
- Copy Link
- Report Inappropriate Content
192.168.0.XXX is the Wireguard
10.100.100.XXX is the LAN
I had created ACL rules that didn't work and before the start of this thread were deleted from the Switch and Gateway to save myself from later confusion. It should be noted the wireless clients connected to the AP's as of currently I cannot reach through the vpn on physically connected clients via ethernet to the switch.
The gateway/switch ACL used the IPGroup (for Wiregaurd) to Network (for local vlans) that blocked all traffic to all internal vlans with the reverse rule checked and it still allowed access to everything. I had manually created the IPGroup with the range Wireguard is using since there is no local LAN/VLAN under the wired networks lan tab since that breaks the vpn for me.
- Copy Link
- Report Inappropriate Content
1. I recreated all the ACL policies I originally deleted and the policies still didn't work.
2. I then pulled my v1 er605 off the shelf and put it in place of the v2 and the acl rules worked.
3. Removed the v2 er605 from my tplink account and factory defaulted it.
4. Upon re-adding it back to my account and putting it back as my primary router the acl rules started working properly with it.
The only difference I made to the wireguard group from my original setup was to specify the range using /24 vs /32 so I wouldn't have to individually re-add/specify the clients in the range for wireguard that I use. All the wireguard ACL's I use reference that group for wireguard at the switch and eap level.
- Copy Link
- Report Inappropriate Content
I have same or similar problem.
On the client side I need to set 0.0.0.0/0 as allowed IP addresses so that all traffic goes through the tunnel. And is hidden to the hotspot infrastructure.
However, on the Server side (Omada gateway) I am not able to create any rule that would block WG Client to access all LANs and VLANs (complete internal network).
I need to have one client have access only to internet and one specific VLAN and nothing else. Is this possible? Or do we need to wait for the ER605 updated firmware?
- Copy Link
- Report Inappropriate Content
Information
Helpful: 1
Views: 1650
Replies: 6
Voters 0
No one has voted for it yet.