Switch ACLs - Need tips with my stateless ACLs
Good day!
I'm reaching out as I have been trying to set up VLANs for better security and to keep IoT devices isolated from the main network.
I have a TL-SG2008P version 3 switch. I'm assuming it probably has stateless ACLs rather than stateful ACLs, and am trying to set up the ACLs correctly.
I'm not the expert on the topic, please check my ACLs below and let me know whether I should add a corresponding line for the return traffic for each of the rules below.
Let's say I have VLAN 20 (in the 192.168.20.1/24 range) and VLAN 30 (in the 192.168.30.1/24 range).
I want VLAN 20 to get an IP from DHCP, to get access to the DNS server, to get access to the internet, and to not be able to contact NOR be contacted by VLAN 30.
Interface: VLAN 20 ACL list, in order:
1- ALLOW any IP on port 68 to access any IP on UDP port 67 (contacting the DHCP server)
Will the DHCP server be able to reply?
2- ALLOW 192.168.20.1/24 access to DNS server on UDP port 53
Will the DNS server be able to reply?
3- DENY 192.168.20.1/24 access to 192.168.30.1/24
Do I need a rule to state the opposite such as DENY 192.168.30.1/24 access to 192.168.20.1/24?
4- ALLOW 192.168.20.1/24 access to the router on ports 80 and 443 to get internet
Will I receive the packets from internet after requesting?
5- DENY any IP access to any IP on any protocol
Which ACLs require an extra line for return traffic? I think what I can't understand is whether a reply to a request from A --> B (B replying here) is accounted for separately from a request initiated by B --> A. So if the first is allowed, but the second is disallowed, is B still allowed to reply to a request made from A? Can't find the answer anywhere really.
Hope this was clear and to the point, thanks a million!
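An added example, not from the original post or from TP-Link: a small Python model of a generic stateless, first-match ACL loaded with the five rules above. It shows that a reply is matched as its own packet (addresses and ports swapped) and falls through to the final deny unless an explicit return rule sits above it. The DNS server, router and client addresses are constructed placeholders, and the rule fields (source/destination network and port, protocol) are an assumed simplification of what the switch's ACL editor actually offers.

```python
import ipaddress

# Constructed addresses for the example; the post does not name these hosts.
DNS_SERVER, ROUTER, CLIENT = "192.168.1.53", "192.168.20.1", "192.168.20.50"
N = ipaddress.ip_network  # shorthand; a bare host string becomes a /32
ANY = N("0.0.0.0/0")

# (action, src_net, src_port, dst_net, dst_port, proto); None matches anything.
# The poster's five rules in order; rule 4 is split into its two ports.
ACL = [
    ("ALLOW", ANY, 68, ANY, 67, "udp"),                                         # 1
    ("ALLOW", N("192.168.20.0/24"), None, N(DNS_SERVER), 53, "udp"),            # 2
    ("DENY",  N("192.168.20.0/24"), None, N("192.168.30.0/24"), None, None),    # 3
    ("ALLOW", N("192.168.20.0/24"), None, N(ROUTER), 80, "tcp"),                # 4
    ("ALLOW", N("192.168.20.0/24"), None, N(ROUTER), 443, "tcp"),               # 4
    ("DENY",  ANY, None, ANY, None, None),                                      # 5
]

# Return-traffic rules a stateless list needs, inserted just before the final deny.
RETURN_RULES = [
    ("ALLOW", ANY, 67, ANY, 68, "udp"),                                 # DHCP server reply
    ("ALLOW", N(DNS_SERVER), 53, N("192.168.20.0/24"), None, "udp"),    # DNS reply
    ("ALLOW", N(ROUTER), 80, N("192.168.20.0/24"), None, "tcp"),        # HTTP reply
    ("ALLOW", N(ROUTER), 443, N("192.168.20.0/24"), None, "tcp"),       # HTTPS reply
]
ACL_WITH_RETURNS = ACL[:-1] + RETURN_RULES + ACL[-1:]

def packet(src, sport, dst, dport, proto):
    return {"src": ipaddress.ip_address(src), "sport": sport,
            "dst": ipaddress.ip_address(dst), "dport": dport, "proto": proto}

def reply_to(p):
    """The answer to p as the switch sees it: addresses and ports swapped."""
    return packet(p["dst"], p["dport"], p["src"], p["sport"], p["proto"])

def evaluate(acl, p):
    """Stateless first-match evaluation: every packet is judged on its own, so a
    reply is never 'remembered' as belonging to an earlier allowed request."""
    for num, (action, snet, sport, dnet, dport, proto) in enumerate(acl, 1):
        if (p["src"] in snet and p["dst"] in dnet
                and sport in (None, p["sport"]) and dport in (None, p["dport"])
                and proto in (None, p["proto"])):
            return action, num
    return "DENY", None  # implicit deny when nothing matches

DNS_QUERY = packet(CLIENT, 40000, DNS_SERVER, 53, "udp")
WEB_REQUEST = packet(CLIENT, 51000, ROUTER, 443, "tcp")
DHCP_DISCOVER = packet("0.0.0.0", 68, "255.255.255.255", 67, "udp")
DHCP_OFFER = packet(ROUTER, 67, "255.255.255.255", 68, "udp")
```

Running `evaluate(ACL, reply_to(DNS_QUERY))` returns the final deny, while the same reply under `ACL_WITH_RETURNS` is accepted by its return rule; the requests themselves are allowed by rules 1, 2 and 4 in both lists.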