Business Community > Controllers > Issue with IPGroup ACL
< Controllers

Issue with IPGroup ACL

12

Issue with IPGroup ACL

Issue with IPGroup ACL
Issue with IPGroup ACL
2024-07-18 20:02:44 - last edited 2024-07-23 01:46:16
Tags: #ACL

Hi All,

 

I have more issues with Omada ACLs between IP Groups.

I have one common VLAN for all public devices (192.168.0.1/24), which needs internet connection on wired and on wireless network. The problem is, that I have to isolate from the internet a certain group of IPs of this VLAN in a certain period of time.

These IPs are all provided by fixed DHCP, grouped into a subset of the whole big VLAN, ie: 192.168.0.224/28, and containing wired and wireless IPs mixed. Lets call the group "Teens"

First I created a gateway ACL as follows,

direction: LAN -> WAN

policy: deny

Protocols: all

Time range: enabled (ie the referenced timeslot is every day between 16:00 and 22:00)

Source Rule Type: IP Group (ie: Teens)

Destination Rule Type: IP Group (ie: IPGroup_Any)

 

It is working in the defined time range, BUT I have noticed, that when the rule is getting enabled or disabled at start and end schedule, ALL other connected devices of the big VLAN is loosing the internet connectivity for few seconds. This is a big problem for all other IPs/devices in the VLAN. Still wondering, how this could happen? This is the issue no 1.

 

As next I tried to narrow down, and separate the IP ranges within the big VLAN, therefore created another group for the WAN router/gateway IP (192.168.0.1), called "Gateway" assuming, that if I would deny the connection between the group "Teens" and the group "Gateway", then no internet connection would work.

This was the ACL config

direction: LAN -> WAN

policy: deny

Protocols: all

Time range: enabled (ie the referenced timeslot is every day between 16:00 and 22:00)

Source Rule Type: IP Group (ie: Teens)

Destination Rule Type: IP Group (ie: Gateway)

This is not working at all. Even if I remove the Time range, and set the deny rule enabled, all these devices can access the internet through the gateway. This is the issue no 2.

 

This behaviour is the very same on router ER7212PC and ER605 

Anyone faced the same issues?

If not, what do I wrong?

 

Thanks for any response in advance!

gZoma

 

 

 

 

  0      
 
  0      
 
#1
Options
2 Accepted Solutions
Re:Issue with IPGroup ACL-Solution
2024-07-23 01:46:10 - last edited 2024-08-29 02:44:44

  @gZoma 

V5.14.26.1 is the firmware for the controller, not the ER605 itself. If the hardware version is Version 2, please update the firmware to the latest version. This issue has been resolved in the latest firmware. The present firmware for the ER7212PC has this issue, which will be fixed in a future firmware release.
 

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
Recommended Solution
  0  
  0  
#4
Options
Re:Issue with IPGroup ACL-Solution
2024-08-29 02:31:19 - last edited 2024-08-29 02:46:40

  @gZoma 

I confirmed with the R&D department that the ER7212PC V1.2.0 does not yet include the remedy to this issue. Please wait for the next firmware release. This is an issue that we will address. This problem has already been resolved with the latest firmware on our ER605 V2.

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
Recommended Solution
  0  
  0  
#15
Options
13 Reply
Re:Issue with IPGroup ACL
2024-07-19 05:55:07

  @gZoma 

Your first configuration is correct; do not set the second configuration. Could you tell me the firmware version of your Omada gateway? Are these the latest? If not, please upgrade them to the latest firmware.

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
  0  
#2
Options
Re:Issue with IPGroup ACL
2024-07-19 08:32:28

  @Hank21 

thanks for the prompt response!

on ER7212PC it runs on 5.8.38 (1.1.4 Build 20240423 Rel.85682), on ER605 it is running on 5.14.26.1

both are the latest, at least nothing comes in as possible update.

The ER605 was used in the last two years at least and the same problem has occured with all versions. I replaced it with 7212 recently, which has older version, same issue.

 

Any other idea?

 

gZoma

 

  0  
  0  
#3
Options
Re:Issue with IPGroup ACL-Solution
2024-07-23 01:46:10 - last edited 2024-08-29 02:44:44

  @gZoma 

V5.14.26.1 is the firmware for the controller, not the ER605 itself. If the hardware version is Version 2, please update the firmware to the latest version. This issue has been resolved in the latest firmware. The present firmware for the ER7212PC has this issue, which will be fixed in a future firmware release.
 

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
Recommended Solution
  0  
  0  
#4
Options
Re:Issue with IPGroup ACL
2024-07-23 18:17:26

  @Hank21 

sorry for the confusion, the ER605 is only V1, running on firmware 1.3.1. and the ER7212PC is as well "only" V1.0, running on 1.1.4

But this is definintely a good news, that this missbehaviour is known and is/will be fixed for certain products.

Do You have any estimation, when the new firmware for ER7212PC v1 can be expected?

Furthermore is there any plan for remediation for ER605v1 too?

 

many thanks in advance & regards

gZoma

  0  
  0  
#5
Options
Re:Issue with IPGroup ACL
2024-07-24 01:31:49 - last edited 2024-07-24 01:33:21

  @gZoma 

We have release beta for ER7212PC available on this page. The firmware will soon be available on the official website.

At this time, there are no plans to release new firmware for the ER605 V1.

 

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
  0  
#6
Options
Re:Issue with IPGroup ACL
2024-07-27 08:10:10

  @Hank21

Thank You very much for the confirmation! The link, what You provided, does not work for me, but found another link here Assume, it is about the same.

Usually I do NOT install any beta firmware, had enough issues with the official releases in the past. So, do You have any information, by when this release will go as official?

 

On the other hand, somehow I expected, that ER605v1 wont be supported in that depth anymore, that was one of the reason, that replaced with ER7212. Still there might be lot of users, who has the same issue with that device. Would be good, if the support plan for that product could be changed.

 

regards

gZoma

 

  1  
  1  
#7
Options
Re:Issue with IPGroup ACL
2024-07-30 08:43:19

  @gZoma 

You can now download the ER7212PC firmware from this link:Firmware Download

It may not have been uploaded to your regional website; however, you can try downloading it from our global website.

 

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
  0  
#8
Options
Re:Issue with IPGroup ACL
2024-08-01 13:20:06

 @Hank21,

I have installed the 1.2.0 firmware and the first impression is very good. I need some more time to test it fully, but its promising :)

Thanks You very much for the help!

 

regards

gZoma

  1  
  1  
#9
Options
Re:Issue with IPGroup ACL
2024-08-24 07:16:41

 @Hank21 

sorry for the late update, but it took some time to test it carefully.

So, it seems, the core issue is still there even after installing the 1.2.0 firmware to the router.

When the scheduled ACL comes to enable/disable schedule time, the devices in the same VLAN, but out of the defined IPGroup of the ACL are loosing the connectivityto internet for some seconds. All of them is reconnecting as per their individual setting, but still, they are disconnected for some time. Wireless devices take more time to reconnect, LAN connected devices quicker.

Any other advise to remediate it?

 

regards

gZoma

  0  
  0  
#10
Options
Re:Issue with IPGroup ACL
2024-08-26 01:43:30

  @gZoma 

Are you saying the problem persists and the phenomenon is the same as before?
What exactly does this mean?" All of them is reconnecting as per their individual setting, but still, they are disconnected for some time”.

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
  0  
#11
Options
12

Information

Helpful: 0

Views: 689

Replies: 13

Tags

ACL
Related Articles
ER7206 Gateway ACL LAN-LAN IPGroup
1926 20
EAP ACL vs. Switch ACL
2581 0
Omada ACL configuration
1169 0
ACL on Omada with EAP245 and ER605
590 0
ACL Rule to get access from LAN to VLAN
253 0
 Firewall ACL Rules. How to choose a IP-Port Group along with IP group source and destination.
1303 0
About Us
Press
Copyright © TP-Link Systems Inc. All rights reserved.