@Clive_A Can you please elaborate on how to use an Omada Gateway like ER605 as transparent bridge behind an Internet facing router like OPNSense ?!? Simply diabling the NAT is not all that is necessary - for those of us who want to use a TP-Link GW with Omada but not as main router and without double NAT!

Thx in advance!

  @Spanky66 

Spanky66 wrote

  @Clive_A Can you please elaborate on how to use an Omada Gateway like ER605 as transparent bridge behind an Internet facing router like OPNSense ?!? Simply diabling the NAT is not all that is necessary - for those of us who want to use a TP-Link GW with Omada but not as main router and without double NAT!

 

Thx in advance!

I don't have a setup or bench for that. 

Disable NAT was requested by users from the EU who wanted to avoid the double NAT. And it is what they asked for in the scenario. We only test the disabling of NAT, and if it is working, that's all we can do. 

You can consult with the users who voted in that request post. 

  @Clive_A I was actually one of the originators of the request for this feature.  Unifi has done this way before Omada - and it's for people who want to use the full Omada range of devices - including the gateways but prefer a different Internet facing router.  Most "professional" routers have the ability to be put into a "transparent bridge" mode - which disables NAT and allows the device to be behind a different router / firewall like OPNSense (which can also be used as a transparent bridge https://www.youtube.com/watch?v=evMvznjf9Kk )

I use Omada with several EAP access points and L3 switches - and without a TP-Link gateway like an ER6505 - certain features or functions don't work (like DPI, IDS, etc) - I have a ER605, but my main firewall is OPNSense - yet I still want to use the ER605 - instead of having a paperweight ;-)

So the question again remains:  How can an Omada user integrate a ER Gateway like ER605 into the SDN environment but as a transparent bridge device - meaning traffic flows through it - but it's not the primary Internet facing router and there is no double NAT ??

Naturally, we are seeking "best practice" advice on how to technically integrate the ER Gateways without losing functionality - but NOT as primary Internet GW.  This is definitely technically possible, and seeing that Unifi has achieved this successfully, it should be possible with Omada.

Thx in advance -

  @Spanky66 

Spanky66 wrote

  @Clive_A I was actually one of the originators of the request for this feature.  Unifi has done this way before Omada - and it's for people who want to use the full Omada range of devices - including the gateways but prefer a different Internet facing router.  Most "professional" routers have the ability to be put into a "transparent bridge" mode - which disables NAT and allows the device to be behind a different router / firewall like OPNSense (which can also be used as a transparent bridge https://www.youtube.com/watch?v=evMvznjf9Kk )

 

I use Omada with several EAP access points and L3 switches - and without a TP-Link gateway like an ER6505 - certain features or functions don't work (like DPI, IDS, etc) - I have a ER605, but my main firewall is OPNSense - yet I still want to use the ER605 - instead of having a paperweight ;-)

 

So the question again remains:  How can an Omada user integrate a ER Gateway like ER605 into the SDN environment but as a transparent bridge device - meaning traffic flows through it - but it's not the primary Internet facing router and there is no double NAT ??

 

Naturally, we are seeking "best practice" advice on how to technically integrate the ER Gateways without losing functionality - but NOT as primary Internet GW.  This is definitely technically possible, and seeing that Unifi has achieved this successfully, it should be possible with Omada.

 

Thx in advance -

 

It simply disables the translation. After that, routing may be needed, as I read discussion from others. I am not sure their wording of 'transparent bridge mode' would be equivalent to a disabling NAT. No one mentioned this during the request time or implementation. 

We don't have much insight into this matter and this type of application scenario. It was merely a request fulfillment from the dev team as that disable NAT request people asked for.

Sorry that I don't have further information or help on this. The doc we have now is this setup guide without a scenario as we don't have such an application. Like the discussion before, where I joined the discussion with you and others, we actually don't know why this is a must for a router, as we never intended this product to be used in that case. This was once rejected before by the dev, if you paid attention to this request. 

  @Clive_A Thx for your prompt response and understood.  In the debate regarding Omada vs Unifi, your response supports many comments to the effect that TP_Link is very slow to respond to end user's feature requests and feedback.  The original request was made over THREE years ago:  https://community.tp-link.com/en/business/forum/topic/599954

"We don't have much insight into this matter and this type of application scenario. It was merely a request fulfillment from the dev team as that disable NAT request people asked for." - This use case is not uncommon, and all we are asking for is to work with us . . .set up a test bench and give us a solution which encourages people to purchase Omada products and devices.  A little bit of research shows that the lower end router devices like the ER605 are not considered in high regard and many put a more technically flexible and robust firewall router device in front facing the internet.  

Only TP-Link knows their products best - so if the answer is "we don't support any other configuration other than our own devices" - doesn't send a good message.  Most environments use multi vendor networking devices - so it's a matter of working together to solve this technical challenge.

I've been running my environment for some time with the OPNSense router as gateway, and using Omada SDN for the switches and APs - although certain functionality is lost because I can't use the ER605 I have.

It can't be that the only argument for buying TP-Link is that they are cheaper than Unifi ????

Thanks anyway and have a great day.

  @Spanky66 

Spanky66 wrote

  @Clive_A Thx for your prompt response and understood.  In the debate regarding Omada vs Unifi, your response supports many comments to the effect that TP_Link is very slow to respond to end user's feature requests and feedback.  The original request was made over THREE years ago:  https://community.tp-link.com/en/business/forum/topic/599954

 

"We don't have much insight into this matter and this type of application scenario. It was merely a request fulfillment from the dev team as that disable NAT request people asked for." - This use case is not uncommon, and all we are asking for is to work with us . . .set up a test bench and give us a solution which encourages people to purchase Omada products and devices.  A little bit of research shows that the lower end router devices like the ER605 are not considered in high regard and many put a more technically flexible and robust firewall router device in front facing the internet.  

 

Only TP-Link knows their products best - so if the answer is "we don't support any other configuration other than our own devices" - doesn't send a good message.  Most environments use multi vendor networking devices - so it's a matter of working together to solve this technical challenge.

 

I've been running my environment for some time with the OPNSense router as gateway, and using Omada SDN for the switches and APs - although certain functionality is lost because I can't use the ER605 I have.

 

It can't be that the only argument for buying TP-Link is that they are cheaper than Unifi ????

 

Thanks anyway and have a great day.

 

 

I will see what the dev or doc team can do with this, as I might have a hard time getting my current test bench resources relocated. 

Or you can create a test bench for us and work with our team. Post the details and your current trouble in a new post, and we can discuss this later. 

  @Clive_A I'm happy to work with your team to figure this out - it benefits more than just me.  I suggest we get in direct contact as this forum is not the most efficient means to communicate and coodinate technical testing.  I have many contacts with TP-Link peolpe here in Germany - so let me know who can work with me - my profile has my e-mail address! 

Thx

  @Spanky66 

Spanky66 wrote

  @Clive_A I'm happy to work with your team to figure this out - it benefits more than just me.  I suggest we get in direct contact as this forum is not the most efficient means to communicate and coodinate technical testing.  I have many contacts with TP-Link peolpe here in Germany - so let me know who can work with me - my profile has my e-mail address! 

 

Thx

 

 

Oh, if you can work with the local support team, that also works.

The TPDE is not the same team as dev/doc/forum. I recall they have local support for EU countries. Their team can also work with your situation now. 

I only work with our dev and test team. As I don't have the test bench and a time zone issue, we are not able to work with you.

I will inform them about the current situation and see if they can publish anything regarding this through the doc team. That'll generate an FAQ instead of a CG on the forum. 90% of the guides on the forum are made by me instead of the doc team. We have different jobs.  Their job is to receive the feedback from the market and write all kinds of docs. 

  @Clive_A I only mentioned my contacts with Germany support team because if other issues I had (more hardware related) as FYI - That's a good example how written text can quickly be misunderstood 🤷🏼 That's why I suggest a direct contact like using Teams or Zoom 😁 Just need a network engineer type who understands the topic and acts as SPOC (single point of contact) with me for the testing and communication with the devs 🖖🏽

I believe it's faster and more efficient working directly with the Dev & Test team as this is purely a software and configuration issue 🤔 dealing directly with the Dev & Test team is more direct and with facilitate faster results 👍🏻

  @Spanky66 

Spanky66 wrote

  @Clive_A I only mentioned my contacts with Germany support team because if other issues I had (more hardware related) as FYI - That's a good example how written text can quickly be misunderstood 🤷🏼 That's why I suggest a direct contact like using Teams or Zoom 😁 Just need a network engineer type who understands the topic and acts as SPOC (single point of contact) with me for the testing and communication with the devs 🖖🏽

 

I believe it's faster and more efficient working directly with the Dev & Test team as this is purely a software and configuration issue 🤔 dealing directly with the Dev & Test team is more direct and with facilitate faster results 👍🏻

Like I said, you should provide details and a diagram.

In my test bench, I did a quick and simple test.

ER707-M2: 192.168.10.0/24

WAN is set to static mode: 192.168.112.100

Upstream router: 192.168.112.0/24

Disabled NAT enabled on ER707, which means 10.0/24 is now available on the WAN, which is 192.168.112.0/24

You need to add a static route to the upstream device or router. 

route add 192.168.10.0 mask 255.255.255.0 192.168.112.100

Then the 10.0/24 is accessible from the WAN. 

Like I said, that requires a routing. Just try to print your own route and see learn the mechanism. You could use this as an example to fix the problem in your network.