[BUG/Issue] EAP ACL not functioning between wireless connections on the same EAP. (653, 650, 225)
Hello,
After 4 full days of trying and encountering issues every time, it seems there is a bug in the EAPs when combined with EAP ACL rules.
Hardware setup:
- ER605 v2.0 (Firmware Version: 2.1.4 Build 20230727 Rel.40308)
- OC200 1.0 (Controller Version: 5.12.9) (Firmware Version: 1.26.3 Build 20230906 Rel.36269)
- TL-SG2008P v3.0 (Firmware Version: 3.0.5 Build 20230602 Rel.73473)
- TL-SG2008P v3.0 (Firmware Version 3.0.5 Build 20230602 Rel.73473)
- EAP225(EU) v3.0 ( 5.1.0 Build 20220926 Rel. 62456)
- EAP653(EU) v1.0 (1.0.9 Build 20230814 Rel. 36852)
- EAP650(EU) v1.0 (1.0.10 Build 20230814 Rel. 36852)
- EAP653(EU) v1.0 (1.0.9 Build 20230814 Rel. 36852)
My problem:
I want to connect my printers via Wi-Fi to an isolated VLAN. The printer should not be discoverable/usable in the isolated VLAN but should be accessible from another (trusted) VLAN. Unfortunately, this is not working with the "Guest Network" function in the WLAN settings because it makes the printer inaccessible from any other VLAN as well. That's why I'm trying to achieve this with ACL rules.
After much experimentation with Gateway ACL & Switch ACL, I finally realized that traffic between wireless devices doesn't pass through the Switch/Gateway (ACL) but is instead routed through the EAP to the other wireless client. Therefore, I attempted to make the other devices unreachable using EAP ACL rules. I succeeded with these ACL rules:
Furthermore, the rules for both Gateway ACL and Switch ACL are currently empty. The outcome of these rules when I connect with my iPhone to the "Isolated" WiFi network is this scan:
I was thrilled when I saw this! Finally, but then a few hours later, it stopped working altogether. I was going crazy! After a lot of investigation and trial and error, I discovered that my printer and/or I occasionally connect to a different access point (AP). When I tested that, I noticed an issue.
Because when I connect with my iPhone to the same EAP, to which the Canon printer is also connected, all EAP rules no longer "work". Then, suddenly, my result is this:
It appears there is an issue with ACL rules not being processed correctly for users in the same EAP. Is this expected behavior? If so, how can I prevent this from happening?
I have tried the following:
- This issue was present in the latest firmware as well as the beta firmware.
- I have tested each EAP separately, and each EAP exhibits this issue.
- The problem persists even after a restart.
- Even when I block the network in the Gateway/Switch ACL, the issue remains.
- I have also tried resetting everything to factory defaults, but the problem persists.
Additional question:
Furthermore, I am still looking for a way to block the "Bonjour" service using ACL. I want to ensure that Bonjour does not work in my Isolated VLAN but does work in the trusted VLAN where the printer can be found using mDNS. Does anyone have any tips for this?
Currently, the iPhone can discover the printer, but due to the other restrictions in place, it cannot print anything.
I hope you can assist me further. Even if it turns out to be a configuration error rather than a bug, I would appreciate guidance on how to resolve it.
I have also tried to provide as much useful information as possible without including unnecessary details. If anything is missing, please let me know, and I'll be happy to provide any additional information you need.
Thank you very much for your help and support!
@Hank21 Thank you very much! I've received the email and have already responded to a request for more information. I'm patiently awaiting further updates.
I wanted to mention that I really appreciate how seriously this is being taken. Thank you so much for that! I'll provide an update here when it becomes available. 
Hi @EricPerl @ikheetjeff @Nlem @runner89
So start with this, it is expected to be normal but the senior engineer did not give further explanation. I happened to be interested in the OSI model. Let's break this down from the OSI model.
Layer 2 and Layer 3. Right? You have configured the VLAN, so you have the VLAN ID for different SSIDs and that's what you showed to the SE.
I read through the whole dialogue and I was thinking the same thing as the SE. It's about layers 2 and 3.
ACL is effective only on the layer 3. Layer 2 is about the MAC address isolation. Which usually links ARP but ARP cannot be blocked for certainty.
OP said that he assumed that devices tested under the same VLAN should be isolated. This description is clearly wrong.
OP's reply did not mention what's been explained by the SE. That's very very very helpful information in explaining things on the forum here. He did not mention it and made it look like we sit back and do nothing. Yet, that's not the case. The SE has explained very clearly. Just simply ignored the fact that layer 2 and 3 matters in this whole thread.
Isolated the printer in its own VLAN, that's guest network. Or you have to configure many entries to stop this device from being accessed. There will not gonna be a single rule like when you set SRC "network A" to DST "network A" isolated.
Try the switch MAC group and start this from layer 2. But that'll be a ton of entries.
In case you don't know, they are different types. There is also a thing called MAC address table and it is used for switching locally in the VLAN(layer 2). AP and Switch can traffic on layer 2 when it is under the same subnet(VLAN or broadcast range you may call that.)
*VLAN interface(layer 3)* which is what you see as "Network" in the SRC/DST in ACL.
So, basically, the SE had a conversation with the OP explaining how OSI and ACL work. Basically meets what I learned about networking. Expected. And we don't think or conclude this is an issue/bug.
What you are looking for is the IMPv4 ACL which is available in the standalone switch. If interested, take a look at the User Guide of the standalone switch. It combines layer 1 2 and 3 together and forms a more versatile ACL.
Since this is clear and has been explained, I will not further reply to anyone's comments on this part. ACL did not have a specific guide because it has tons of variations and you cannot list all of them.
Our valuable forum member @death_metal(not gonna @ and rag him into this mire, you can look at the switch/router ACL config he posted) has several guides on this. What you should learn is the OSI model when you study the ACL configuration. These terms and knowledge matter in this conversation and ACL config down the road.
As I have directed you the way about this, you can search online for related information and keywords. Good luck on this journey.
